[mirror_edk2.git] / SecurityPkg / Library / Tpm2CommandLib / Tpm2EnhancedAuthorization.c

/** @file\r
  Implement TPM2 EnhancedAuthorization related command.\r
\r
Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. <BR>\r
SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
#include <IndustryStandard/UefiTcgPlatform.h>\r
#include <Library/Tpm2CommandLib.h>\r
#include <Library/Tpm2DeviceLib.h>\r
#include <Library/BaseMemoryLib.h>\r
#include <Library/BaseLib.h>\r
#include <Library/DebugLib.h>\r
\r
#pragma pack(1)\r
\r
typedef struct {\r
  TPM2_COMMAND_HEADER    Header;\r
  TPMI_DH_ENTITY         AuthHandle;\r
  TPMI_SH_POLICY         PolicySession;\r
  UINT32                 AuthSessionSize;\r
  TPMS_AUTH_COMMAND      AuthSession;\r
  TPM2B_NONCE            NonceTPM;\r
  TPM2B_DIGEST           CpHashA;\r
  TPM2B_NONCE            PolicyRef;\r
  INT32                  Expiration;\r
} TPM2_POLICY_SECRET_COMMAND;\r
\r
typedef struct {\r
  TPM2_RESPONSE_HEADER    Header;\r
  UINT32                  AuthSessionSize;\r
  TPM2B_TIMEOUT           Timeout;\r
  TPMT_TK_AUTH            PolicyTicket;\r
  TPMS_AUTH_RESPONSE      AuthSession;\r
} TPM2_POLICY_SECRET_RESPONSE;\r
\r
typedef struct {\r
  TPM2_COMMAND_HEADER    Header;\r
  TPMI_SH_POLICY         PolicySession;\r
  TPML_DIGEST            HashList;\r
} TPM2_POLICY_OR_COMMAND;\r
\r
typedef struct {\r
  TPM2_RESPONSE_HEADER    Header;\r
} TPM2_POLICY_OR_RESPONSE;\r
\r
typedef struct {\r
  TPM2_COMMAND_HEADER    Header;\r
  TPMI_SH_POLICY         PolicySession;\r
  TPM_CC                 Code;\r
} TPM2_POLICY_COMMAND_CODE_COMMAND;\r
\r
typedef struct {\r
  TPM2_RESPONSE_HEADER    Header;\r
} TPM2_POLICY_COMMAND_CODE_RESPONSE;\r
\r
typedef struct {\r
  TPM2_COMMAND_HEADER    Header;\r
  TPMI_SH_POLICY         PolicySession;\r
} TPM2_POLICY_GET_DIGEST_COMMAND;\r
\r
typedef struct {\r
  TPM2_RESPONSE_HEADER    Header;\r
  TPM2B_DIGEST            PolicyHash;\r
} TPM2_POLICY_GET_DIGEST_RESPONSE;\r
\r
#pragma pack()\r
\r
/**\r
  This command includes a secret-based authorization to a policy.\r
  The caller proves knowledge of the secret value using an authorization\r
  session using the authValue associated with authHandle.\r
\r
  @param[in]  AuthHandle         Handle for an entity providing the authorization\r
  @param[in]  PolicySession      Handle for the policy session being extended.\r
  @param[in]  AuthSession        Auth Session context\r
  @param[in]  NonceTPM           The policy nonce for the session.\r
  @param[in]  CpHashA            Digest of the command parameters to which this authorization is limited.\r
  @param[in]  PolicyRef          A reference to a policy relating to the authorization.\r
  @param[in]  Expiration         Time when authorization will expire, measured in seconds from the time that nonceTPM was generated.\r
  @param[out] Timeout            Time value used to indicate to the TPM when the ticket expires.\r
  @param[out] PolicyTicket       A ticket that includes a value indicating when the authorization expires.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PolicySecret (\r
  IN      TPMI_DH_ENTITY     AuthHandle,\r
  IN      TPMI_SH_POLICY     PolicySession,\r
  IN      TPMS_AUTH_COMMAND  *AuthSession  OPTIONAL,\r
  IN      TPM2B_NONCE        *NonceTPM,\r
  IN      TPM2B_DIGEST       *CpHashA,\r
  IN      TPM2B_NONCE        *PolicyRef,\r
  IN      INT32              Expiration,\r
  OUT     TPM2B_TIMEOUT      *Timeout,\r
  OUT     TPMT_TK_AUTH       *PolicyTicket\r
  )\r
{\r
  EFI_STATUS                   Status;\r
  TPM2_POLICY_SECRET_COMMAND   SendBuffer;\r
  TPM2_POLICY_SECRET_RESPONSE  RecvBuffer;\r
  UINT32                       SendBufferSize;\r
  UINT32                       RecvBufferSize;\r
  UINT8                        *Buffer;\r
  UINT32                       SessionInfoSize;\r
\r
  //\r
  // Construct command\r
  //\r
  SendBuffer.Header.tag         = SwapBytes16 (TPM_ST_SESSIONS);\r
  SendBuffer.Header.commandCode = SwapBytes32 (TPM_CC_PolicySecret);\r
  SendBuffer.AuthHandle         = SwapBytes32 (AuthHandle);\r
  SendBuffer.PolicySession      = SwapBytes32 (PolicySession);\r
\r
  //\r
  // Add in Auth session\r
  //\r
  Buffer = (UINT8 *)&SendBuffer.AuthSession;\r
\r
  // sessionInfoSize\r
  SessionInfoSize            = CopyAuthSessionCommand (AuthSession, Buffer);\r
  Buffer                    += SessionInfoSize;\r
  SendBuffer.AuthSessionSize = SwapBytes32 (SessionInfoSize);\r
\r
  //\r
  // Real data\r
  //\r
  WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16 (NonceTPM->size));\r
  Buffer += sizeof (UINT16);\r
  CopyMem (Buffer, NonceTPM->buffer, NonceTPM->size);\r
  Buffer += NonceTPM->size;\r
\r
  WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16 (CpHashA->size));\r
  Buffer += sizeof (UINT16);\r
  CopyMem (Buffer, CpHashA->buffer, CpHashA->size);\r
  Buffer += CpHashA->size;\r
\r
  WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16 (PolicyRef->size));\r
  Buffer += sizeof (UINT16);\r
  CopyMem (Buffer, PolicyRef->buffer, PolicyRef->size);\r
  Buffer += PolicyRef->size;\r
\r
  WriteUnaligned32 ((UINT32 *)Buffer, SwapBytes32 ((UINT32)Expiration));\r
  Buffer += sizeof (UINT32);\r
\r
  SendBufferSize              = (UINT32)((UINTN)Buffer - (UINTN)&SendBuffer);\r
  SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
\r
  //\r
  // send Tpm command\r
  //\r
  RecvBufferSize = sizeof (RecvBuffer);\r
  Status         = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &RecvBufferSize, (UINT8 *)&RecvBuffer);\r
  if (EFI_ERROR (Status)) {\r
    goto Done;\r
  }\r
\r
  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
    DEBUG ((DEBUG_ERROR, "Tpm2PolicySecret - RecvBufferSize Error - %x\n", RecvBufferSize));\r
    Status = EFI_DEVICE_ERROR;\r
    goto Done;\r
  }\r
\r
  if (SwapBytes32 (RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
    DEBUG ((DEBUG_ERROR, "Tpm2PolicySecret - responseCode - %x\n", SwapBytes32 (RecvBuffer.Header.responseCode)));\r
    Status = EFI_DEVICE_ERROR;\r
    goto Done;\r
  }\r
\r
  //\r
  // Return the response\r
  //\r
  Buffer        = (UINT8 *)&RecvBuffer.Timeout;\r
  Timeout->size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));\r
  if (Timeout->size > sizeof (UINT64)) {\r
    DEBUG ((DEBUG_ERROR, "Tpm2PolicySecret - Timeout->size error %x\n", Timeout->size));\r
    Status = EFI_DEVICE_ERROR;\r
    goto Done;\r
  }\r
\r
  Buffer += sizeof (UINT16);\r
  CopyMem (Timeout->buffer, Buffer, Timeout->size);\r
\r
  PolicyTicket->tag         = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));\r
  Buffer                   += sizeof (UINT16);\r
  PolicyTicket->hierarchy   = SwapBytes32 (ReadUnaligned32 ((UINT32 *)Buffer));\r
  Buffer                   += sizeof (UINT32);\r
  PolicyTicket->digest.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));\r
  Buffer                   += sizeof (UINT16);\r
  if (PolicyTicket->digest.size > sizeof (TPMU_HA)) {\r
    DEBUG ((DEBUG_ERROR, "Tpm2PolicySecret - digest.size error %x\n", PolicyTicket->digest.size));\r
    Status = EFI_DEVICE_ERROR;\r
    goto Done;\r
  }\r
\r
  CopyMem (PolicyTicket->digest.buffer, Buffer, PolicyTicket->digest.size);\r
\r
Done:\r
  //\r
  // Clear AuthSession Content\r
  //\r
  ZeroMem (&SendBuffer, sizeof (SendBuffer));\r
  ZeroMem (&RecvBuffer, sizeof (RecvBuffer));\r
  return Status;\r
}\r
\r
/**\r
  This command allows options in authorizations without requiring that the TPM evaluate all of the options.\r
  If a policy may be satisfied by different sets of conditions, the TPM need only evaluate one set that\r
  satisfies the policy. This command will indicate that one of the required sets of conditions has been\r
  satisfied.\r
\r
  @param[in] PolicySession      Handle for the policy session being extended.\r
  @param[in] HashList           the list of hashes to check for a match.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PolicyOR (\r
  IN TPMI_SH_POLICY  PolicySession,\r
  IN TPML_DIGEST     *HashList\r
  )\r
{\r
  EFI_STATUS               Status;\r
  TPM2_POLICY_OR_COMMAND   SendBuffer;\r
  TPM2_POLICY_OR_RESPONSE  RecvBuffer;\r
  UINT32                   SendBufferSize;\r
  UINT32                   RecvBufferSize;\r
  UINT8                    *Buffer;\r
  UINTN                    Index;\r
\r
  //\r
  // Construct command\r
  //\r
  SendBuffer.Header.tag         = SwapBytes16 (TPM_ST_NO_SESSIONS);\r
  SendBuffer.Header.commandCode = SwapBytes32 (TPM_CC_PolicyOR);\r
\r
  SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r
  Buffer                   = (UINT8 *)&SendBuffer.HashList;\r
  WriteUnaligned32 ((UINT32 *)Buffer, SwapBytes32 (HashList->count));\r
  Buffer += sizeof (UINT32);\r
  for (Index = 0; Index < HashList->count; Index++) {\r
    WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16 (HashList->digests[Index].size));\r
    Buffer += sizeof (UINT16);\r
    CopyMem (Buffer, HashList->digests[Index].buffer, HashList->digests[Index].size);\r
    Buffer += HashList->digests[Index].size;\r
  }\r
\r
  SendBufferSize              = (UINT32)((UINTN)Buffer - (UINTN)&SendBuffer);\r
  SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
\r
  //\r
  // send Tpm command\r
  //\r
  RecvBufferSize = sizeof (RecvBuffer);\r
  Status         = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &RecvBufferSize, (UINT8 *)&RecvBuffer);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
    DEBUG ((DEBUG_ERROR, "Tpm2PolicyOR - RecvBufferSize Error - %x\n", RecvBufferSize));\r
    return EFI_DEVICE_ERROR;\r
  }\r
\r
  if (SwapBytes32 (RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
    DEBUG ((DEBUG_ERROR, "Tpm2PolicyOR - responseCode - %x\n", SwapBytes32 (RecvBuffer.Header.responseCode)));\r
    return EFI_DEVICE_ERROR;\r
  }\r
\r
  return EFI_SUCCESS;\r
}\r
\r
/**\r
  This command indicates that the authorization will be limited to a specific command code.\r
\r
  @param[in]  PolicySession      Handle for the policy session being extended.\r
  @param[in]  Code               The allowed commandCode.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PolicyCommandCode (\r
  IN      TPMI_SH_POLICY  PolicySession,\r
  IN      TPM_CC          Code\r
  )\r
{\r
  EFI_STATUS                         Status;\r
  TPM2_POLICY_COMMAND_CODE_COMMAND   SendBuffer;\r
  TPM2_POLICY_COMMAND_CODE_RESPONSE  RecvBuffer;\r
  UINT32                             SendBufferSize;\r
  UINT32                             RecvBufferSize;\r
\r
  //\r
  // Construct command\r
  //\r
  SendBuffer.Header.tag         = SwapBytes16 (TPM_ST_NO_SESSIONS);\r
  SendBuffer.Header.commandCode = SwapBytes32 (TPM_CC_PolicyCommandCode);\r
\r
  SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r
  SendBuffer.Code          = SwapBytes32 (Code);\r
\r
  SendBufferSize              = (UINT32)sizeof (SendBuffer);\r
  SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
\r
  //\r
  // send Tpm command\r
  //\r
  RecvBufferSize = sizeof (RecvBuffer);\r
  Status         = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &RecvBufferSize, (UINT8 *)&RecvBuffer);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
    DEBUG ((DEBUG_ERROR, "Tpm2PolicyCommandCode - RecvBufferSize Error - %x\n", RecvBufferSize));\r
    return EFI_DEVICE_ERROR;\r
  }\r
\r
  if (SwapBytes32 (RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
    DEBUG ((DEBUG_ERROR, "Tpm2PolicyCommandCode - responseCode - %x\n", SwapBytes32 (RecvBuffer.Header.responseCode)));\r
    return EFI_DEVICE_ERROR;\r
  }\r
\r
  return EFI_SUCCESS;\r
}\r
\r
/**\r
  This command returns the current policyDigest of the session. This command allows the TPM\r
  to be used to perform the actions required to precompute the authPolicy for an object.\r
\r
  @param[in]  PolicySession      Handle for the policy session.\r
  @param[out] PolicyHash         the current value of the policyHash of policySession.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PolicyGetDigest (\r
  IN      TPMI_SH_POLICY  PolicySession,\r
  OUT  TPM2B_DIGEST       *PolicyHash\r
  )\r
{\r
  EFI_STATUS                       Status;\r
  TPM2_POLICY_GET_DIGEST_COMMAND   SendBuffer;\r
  TPM2_POLICY_GET_DIGEST_RESPONSE  RecvBuffer;\r
  UINT32                           SendBufferSize;\r
  UINT32                           RecvBufferSize;\r
\r
  //\r
  // Construct command\r
  //\r
  SendBuffer.Header.tag         = SwapBytes16 (TPM_ST_NO_SESSIONS);\r
  SendBuffer.Header.commandCode = SwapBytes32 (TPM_CC_PolicyGetDigest);\r
\r
  SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r
\r
  SendBufferSize              = (UINT32)sizeof (SendBuffer);\r
  SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
\r
  //\r
  // send Tpm command\r
  //\r
  RecvBufferSize = sizeof (RecvBuffer);\r
  Status         = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &RecvBufferSize, (UINT8 *)&RecvBuffer);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
    DEBUG ((DEBUG_ERROR, "Tpm2PolicyGetDigest - RecvBufferSize Error - %x\n", RecvBufferSize));\r
    return EFI_DEVICE_ERROR;\r
  }\r
\r
  if (SwapBytes32 (RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
    DEBUG ((DEBUG_ERROR, "Tpm2PolicyGetDigest - responseCode - %x\n", SwapBytes32 (RecvBuffer.Header.responseCode)));\r
    return EFI_DEVICE_ERROR;\r
  }\r
\r
  //\r
  // Return the response\r
  //\r
  PolicyHash->size = SwapBytes16 (RecvBuffer.PolicyHash.size);\r
  if (PolicyHash->size > sizeof (TPMU_HA)) {\r
    DEBUG ((DEBUG_ERROR, "Tpm2PolicyGetDigest - PolicyHash->size error %x\n", PolicyHash->size));\r
    return EFI_DEVICE_ERROR;\r
  }\r
\r
  CopyMem (PolicyHash->buffer, &RecvBuffer.PolicyHash.buffer, PolicyHash->size);\r
\r
  return EFI_SUCCESS;\r
}\r
Commit	Line	Data
967eacca JY	1	/** @file\r
	2	Implement TPM2 EnhancedAuthorization related command.\r
	3	\r
dd577319	4	Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. <BR>\r
289b714b	5	SPDX-License-Identifier: BSD-2-Clause-Patent\r
967eacca JY	6	\r
	7	**/\r
	8	\r
	9	#include <IndustryStandard/UefiTcgPlatform.h>\r
	10	#include <Library/Tpm2CommandLib.h>\r
	11	#include <Library/Tpm2DeviceLib.h>\r
	12	#include <Library/BaseMemoryLib.h>\r
	13	#include <Library/BaseLib.h>\r
	14	#include <Library/DebugLib.h>\r
	15	\r
	16	#pragma pack(1)\r
	17	\r
	18	typedef struct {\r
c411b485 MK	19	TPM2_COMMAND_HEADER Header;\r
	20	TPMI_DH_ENTITY AuthHandle;\r
	21	TPMI_SH_POLICY PolicySession;\r
	22	UINT32 AuthSessionSize;\r
	23	TPMS_AUTH_COMMAND AuthSession;\r
	24	TPM2B_NONCE NonceTPM;\r
	25	TPM2B_DIGEST CpHashA;\r
	26	TPM2B_NONCE PolicyRef;\r
	27	INT32 Expiration;\r
967eacca JY	28	} TPM2_POLICY_SECRET_COMMAND;\r
	29	\r
	30	typedef struct {\r
c411b485 MK	31	TPM2_RESPONSE_HEADER Header;\r
	32	UINT32 AuthSessionSize;\r
	33	TPM2B_TIMEOUT Timeout;\r
	34	TPMT_TK_AUTH PolicyTicket;\r
	35	TPMS_AUTH_RESPONSE AuthSession;\r
967eacca JY	36	} TPM2_POLICY_SECRET_RESPONSE;\r
967eacca JY	37	\r
a50e58f4	38	typedef struct {\r
c411b485 MK	39	TPM2_COMMAND_HEADER Header;\r
	40	TPMI_SH_POLICY PolicySession;\r
	41	TPML_DIGEST HashList;\r
a50e58f4 JY	42	} TPM2_POLICY_OR_COMMAND;\r
	43	\r
	44	typedef struct {\r
c411b485	45	TPM2_RESPONSE_HEADER Header;\r
a50e58f4 JY	46	} TPM2_POLICY_OR_RESPONSE;\r
a50e58f4 JY	47	\r
967eacca	48	typedef struct {\r
c411b485 MK	49	TPM2_COMMAND_HEADER Header;\r
	50	TPMI_SH_POLICY PolicySession;\r
	51	TPM_CC Code;\r
967eacca JY	52	} TPM2_POLICY_COMMAND_CODE_COMMAND;\r
	53	\r
	54	typedef struct {\r
c411b485	55	TPM2_RESPONSE_HEADER Header;\r
967eacca JY	56	} TPM2_POLICY_COMMAND_CODE_RESPONSE;\r
	57	\r
	58	typedef struct {\r
c411b485 MK	59	TPM2_COMMAND_HEADER Header;\r
c411b485 MK	60	TPMI_SH_POLICY PolicySession;\r
967eacca JY	61	} TPM2_POLICY_GET_DIGEST_COMMAND;\r
	62	\r
	63	typedef struct {\r
c411b485 MK	64	TPM2_RESPONSE_HEADER Header;\r
c411b485 MK	65	TPM2B_DIGEST PolicyHash;\r
967eacca JY	66	} TPM2_POLICY_GET_DIGEST_RESPONSE;\r
	67	\r
	68	#pragma pack()\r
	69	\r
	70	/**\r
	71	This command includes a secret-based authorization to a policy.\r
	72	The caller proves knowledge of the secret value using an authorization\r
	73	session using the authValue associated with authHandle.\r
	74	\r
	75	@param[in] AuthHandle Handle for an entity providing the authorization\r
	76	@param[in] PolicySession Handle for the policy session being extended.\r
	77	@param[in] AuthSession Auth Session context\r
	78	@param[in] NonceTPM The policy nonce for the session.\r
	79	@param[in] CpHashA Digest of the command parameters to which this authorization is limited.\r
	80	@param[in] PolicyRef A reference to a policy relating to the authorization.\r
	81	@param[in] Expiration Time when authorization will expire, measured in seconds from the time that nonceTPM was generated.\r
	82	@param[out] Timeout Time value used to indicate to the TPM when the ticket expires.\r
	83	@param[out] PolicyTicket A ticket that includes a value indicating when the authorization expires.\r
b3548d32	84	\r
967eacca JY	85	@retval EFI_SUCCESS Operation completed successfully.\r
	86	@retval EFI_DEVICE_ERROR The command was unsuccessful.\r
	87	**/\r
	88	EFI_STATUS\r
	89	EFIAPI\r
	90	Tpm2PolicySecret (\r
c411b485 MK	91	IN TPMI_DH_ENTITY AuthHandle,\r
	92	IN TPMI_SH_POLICY PolicySession,\r
	93	IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL,\r
	94	IN TPM2B_NONCE *NonceTPM,\r
	95	IN TPM2B_DIGEST *CpHashA,\r
	96	IN TPM2B_NONCE *PolicyRef,\r
	97	IN INT32 Expiration,\r
	98	OUT TPM2B_TIMEOUT *Timeout,\r
	99	OUT TPMT_TK_AUTH *PolicyTicket\r
967eacca JY	100	)\r
967eacca JY	101	{\r
c411b485 MK	102	EFI_STATUS Status;\r
	103	TPM2_POLICY_SECRET_COMMAND SendBuffer;\r
	104	TPM2_POLICY_SECRET_RESPONSE RecvBuffer;\r
	105	UINT32 SendBufferSize;\r
	106	UINT32 RecvBufferSize;\r
	107	UINT8 *Buffer;\r
	108	UINT32 SessionInfoSize;\r
967eacca JY	109	\r
	110	//\r
	111	// Construct command\r
	112	//\r
c411b485 MK	113	SendBuffer.Header.tag = SwapBytes16 (TPM_ST_SESSIONS);\r
	114	SendBuffer.Header.commandCode = SwapBytes32 (TPM_CC_PolicySecret);\r
	115	SendBuffer.AuthHandle = SwapBytes32 (AuthHandle);\r
	116	SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r
b3548d32	117	\r
967eacca JY	118	//\r
	119	// Add in Auth session\r
	120	//\r
	121	Buffer = (UINT8 *)&SendBuffer.AuthSession;\r
	122	\r
	123	// sessionInfoSize\r
c411b485 MK	124	SessionInfoSize = CopyAuthSessionCommand (AuthSession, Buffer);\r
	125	Buffer += SessionInfoSize;\r
	126	SendBuffer.AuthSessionSize = SwapBytes32 (SessionInfoSize);\r
967eacca JY	127	\r
	128	//\r
	129	// Real data\r
	130	//\r
c411b485 MK	131	WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16 (NonceTPM->size));\r
c411b485 MK	132	Buffer += sizeof (UINT16);\r
967eacca JY	133	CopyMem (Buffer, NonceTPM->buffer, NonceTPM->size);\r
	134	Buffer += NonceTPM->size;\r
	135	\r
c411b485 MK	136	WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16 (CpHashA->size));\r
c411b485 MK	137	Buffer += sizeof (UINT16);\r
967eacca JY	138	CopyMem (Buffer, CpHashA->buffer, CpHashA->size);\r
	139	Buffer += CpHashA->size;\r
	140	\r
c411b485 MK	141	WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16 (PolicyRef->size));\r
c411b485 MK	142	Buffer += sizeof (UINT16);\r
967eacca JY	143	CopyMem (Buffer, PolicyRef->buffer, PolicyRef->size);\r
967eacca JY	144	Buffer += PolicyRef->size;\r
b3548d32	145	\r
c411b485 MK	146	WriteUnaligned32 ((UINT32 *)Buffer, SwapBytes32 ((UINT32)Expiration));\r
c411b485 MK	147	Buffer += sizeof (UINT32);\r
967eacca	148	\r
c411b485	149	SendBufferSize = (UINT32)((UINTN)Buffer - (UINTN)&SendBuffer);\r
967eacca JY	150	SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
	151	\r
	152	//\r
	153	// send Tpm command\r
	154	//\r
	155	RecvBufferSize = sizeof (RecvBuffer);\r
c411b485	156	Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 )&SendBuffer, &RecvBufferSize, (UINT8 )&RecvBuffer);\r
967eacca	157	if (EFI_ERROR (Status)) {\r
7ae130da	158	goto Done;\r
967eacca JY	159	}\r
	160	\r
	161	if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
e905fbb0	162	DEBUG ((DEBUG_ERROR, "Tpm2PolicySecret - RecvBufferSize Error - %x\n", RecvBufferSize));\r
7ae130da JY	163	Status = EFI_DEVICE_ERROR;\r
7ae130da JY	164	goto Done;\r
967eacca	165	}\r
c411b485 MK	166	\r
	167	if (SwapBytes32 (RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
	168	DEBUG ((DEBUG_ERROR, "Tpm2PolicySecret - responseCode - %x\n", SwapBytes32 (RecvBuffer.Header.responseCode)));\r
7ae130da JY	169	Status = EFI_DEVICE_ERROR;\r
7ae130da JY	170	goto Done;\r
967eacca JY	171	}\r
	172	\r
	173	//\r
	174	// Return the response\r
	175	//\r
c411b485 MK	176	Buffer = (UINT8 *)&RecvBuffer.Timeout;\r
	177	Timeout->size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));\r
	178	if (Timeout->size > sizeof (UINT64)) {\r
dd577319 ZC	179	DEBUG ((DEBUG_ERROR, "Tpm2PolicySecret - Timeout->size error %x\n", Timeout->size));\r
	180	Status = EFI_DEVICE_ERROR;\r
	181	goto Done;\r
	182	}\r
	183	\r
c411b485	184	Buffer += sizeof (UINT16);\r
967eacca JY	185	CopyMem (Timeout->buffer, Buffer, Timeout->size);\r
967eacca JY	186	\r
c411b485 MK	187	PolicyTicket->tag = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));\r
	188	Buffer += sizeof (UINT16);\r
	189	PolicyTicket->hierarchy = SwapBytes32 (ReadUnaligned32 ((UINT32 *)Buffer));\r
	190	Buffer += sizeof (UINT32);\r
	191	PolicyTicket->digest.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));\r
	192	Buffer += sizeof (UINT16);\r
	193	if (PolicyTicket->digest.size > sizeof (TPMU_HA)) {\r
dd577319 ZC	194	DEBUG ((DEBUG_ERROR, "Tpm2PolicySecret - digest.size error %x\n", PolicyTicket->digest.size));\r
	195	Status = EFI_DEVICE_ERROR;\r
	196	goto Done;\r
	197	}\r
	198	\r
967eacca JY	199	CopyMem (PolicyTicket->digest.buffer, Buffer, PolicyTicket->digest.size);\r
967eacca JY	200	\r
7ae130da JY	201	Done:\r
	202	//\r
	203	// Clear AuthSession Content\r
	204	//\r
c411b485 MK	205	ZeroMem (&SendBuffer, sizeof (SendBuffer));\r
c411b485 MK	206	ZeroMem (&RecvBuffer, sizeof (RecvBuffer));\r
7ae130da	207	return Status;\r
967eacca JY	208	}\r
967eacca JY	209	\r
a50e58f4 JY	210	/**\r
	211	This command allows options in authorizations without requiring that the TPM evaluate all of the options.\r
	212	If a policy may be satisfied by different sets of conditions, the TPM need only evaluate one set that\r
	213	satisfies the policy. This command will indicate that one of the required sets of conditions has been\r
	214	satisfied.\r
	215	\r
	216	@param[in] PolicySession Handle for the policy session being extended.\r
	217	@param[in] HashList the list of hashes to check for a match.\r
b3548d32	218	\r
a50e58f4 JY	219	@retval EFI_SUCCESS Operation completed successfully.\r
	220	@retval EFI_DEVICE_ERROR The command was unsuccessful.\r
	221	**/\r
	222	EFI_STATUS\r
	223	EFIAPI\r
	224	Tpm2PolicyOR (\r
c411b485 MK	225	IN TPMI_SH_POLICY PolicySession,\r
c411b485 MK	226	IN TPML_DIGEST *HashList\r
a50e58f4 JY	227	)\r
a50e58f4 JY	228	{\r
c411b485 MK	229	EFI_STATUS Status;\r
	230	TPM2_POLICY_OR_COMMAND SendBuffer;\r
	231	TPM2_POLICY_OR_RESPONSE RecvBuffer;\r
	232	UINT32 SendBufferSize;\r
	233	UINT32 RecvBufferSize;\r
	234	UINT8 *Buffer;\r
	235	UINTN Index;\r
a50e58f4 JY	236	\r
	237	//\r
	238	// Construct command\r
	239	//\r
c411b485 MK	240	SendBuffer.Header.tag = SwapBytes16 (TPM_ST_NO_SESSIONS);\r
c411b485 MK	241	SendBuffer.Header.commandCode = SwapBytes32 (TPM_CC_PolicyOR);\r
a50e58f4 JY	242	\r
a50e58f4 JY	243	SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r
c411b485	244	Buffer = (UINT8 *)&SendBuffer.HashList;\r
a50e58f4	245	WriteUnaligned32 ((UINT32 *)Buffer, SwapBytes32 (HashList->count));\r
c411b485	246	Buffer += sizeof (UINT32);\r
a50e58f4 JY	247	for (Index = 0; Index < HashList->count; Index++) {\r
a50e58f4 JY	248	WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16 (HashList->digests[Index].size));\r
c411b485	249	Buffer += sizeof (UINT16);\r
a50e58f4 JY	250	CopyMem (Buffer, HashList->digests[Index].buffer, HashList->digests[Index].size);\r
	251	Buffer += HashList->digests[Index].size;\r
	252	}\r
	253	\r
c411b485	254	SendBufferSize = (UINT32)((UINTN)Buffer - (UINTN)&SendBuffer);\r
a50e58f4 JY	255	SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
	256	\r
	257	//\r
	258	// send Tpm command\r
	259	//\r
	260	RecvBufferSize = sizeof (RecvBuffer);\r
c411b485	261	Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 )&SendBuffer, &RecvBufferSize, (UINT8 )&RecvBuffer);\r
a50e58f4 JY	262	if (EFI_ERROR (Status)) {\r
	263	return Status;\r
	264	}\r
	265	\r
	266	if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
e905fbb0	267	DEBUG ((DEBUG_ERROR, "Tpm2PolicyOR - RecvBufferSize Error - %x\n", RecvBufferSize));\r
a50e58f4 JY	268	return EFI_DEVICE_ERROR;\r
a50e58f4 JY	269	}\r
c411b485 MK	270	\r
	271	if (SwapBytes32 (RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
	272	DEBUG ((DEBUG_ERROR, "Tpm2PolicyOR - responseCode - %x\n", SwapBytes32 (RecvBuffer.Header.responseCode)));\r
a50e58f4 JY	273	return EFI_DEVICE_ERROR;\r
	274	}\r
	275	\r
	276	return EFI_SUCCESS;\r
	277	}\r
	278	\r
967eacca JY	279	/**\r
	280	This command indicates that the authorization will be limited to a specific command code.\r
	281	\r
	282	@param[in] PolicySession Handle for the policy session being extended.\r
	283	@param[in] Code The allowed commandCode.\r
b3548d32	284	\r
967eacca JY	285	@retval EFI_SUCCESS Operation completed successfully.\r
	286	@retval EFI_DEVICE_ERROR The command was unsuccessful.\r
	287	**/\r
	288	EFI_STATUS\r
	289	EFIAPI\r
	290	Tpm2PolicyCommandCode (\r
c411b485 MK	291	IN TPMI_SH_POLICY PolicySession,\r
c411b485 MK	292	IN TPM_CC Code\r
967eacca JY	293	)\r
967eacca JY	294	{\r
c411b485 MK	295	EFI_STATUS Status;\r
	296	TPM2_POLICY_COMMAND_CODE_COMMAND SendBuffer;\r
	297	TPM2_POLICY_COMMAND_CODE_RESPONSE RecvBuffer;\r
	298	UINT32 SendBufferSize;\r
	299	UINT32 RecvBufferSize;\r
967eacca JY	300	\r
	301	//\r
	302	// Construct command\r
	303	//\r
c411b485 MK	304	SendBuffer.Header.tag = SwapBytes16 (TPM_ST_NO_SESSIONS);\r
c411b485 MK	305	SendBuffer.Header.commandCode = SwapBytes32 (TPM_CC_PolicyCommandCode);\r
967eacca JY	306	\r
967eacca JY	307	SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r
c411b485	308	SendBuffer.Code = SwapBytes32 (Code);\r
967eacca	309	\r
c411b485	310	SendBufferSize = (UINT32)sizeof (SendBuffer);\r
967eacca JY	311	SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
	312	\r
	313	//\r
	314	// send Tpm command\r
	315	//\r
	316	RecvBufferSize = sizeof (RecvBuffer);\r
c411b485	317	Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 )&SendBuffer, &RecvBufferSize, (UINT8 )&RecvBuffer);\r
967eacca JY	318	if (EFI_ERROR (Status)) {\r
	319	return Status;\r
	320	}\r
	321	\r
	322	if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
e905fbb0	323	DEBUG ((DEBUG_ERROR, "Tpm2PolicyCommandCode - RecvBufferSize Error - %x\n", RecvBufferSize));\r
967eacca JY	324	return EFI_DEVICE_ERROR;\r
967eacca JY	325	}\r
c411b485 MK	326	\r
	327	if (SwapBytes32 (RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
	328	DEBUG ((DEBUG_ERROR, "Tpm2PolicyCommandCode - responseCode - %x\n", SwapBytes32 (RecvBuffer.Header.responseCode)));\r
967eacca JY	329	return EFI_DEVICE_ERROR;\r
	330	}\r
	331	\r
	332	return EFI_SUCCESS;\r
	333	}\r
	334	\r
	335	/**\r
	336	This command returns the current policyDigest of the session. This command allows the TPM\r
	337	to be used to perform the actions required to precompute the authPolicy for an object.\r
	338	\r
	339	@param[in] PolicySession Handle for the policy session.\r
	340	@param[out] PolicyHash the current value of the policyHash of policySession.\r
b3548d32	341	\r
967eacca JY	342	@retval EFI_SUCCESS Operation completed successfully.\r
	343	@retval EFI_DEVICE_ERROR The command was unsuccessful.\r
	344	**/\r
	345	EFI_STATUS\r
	346	EFIAPI\r
	347	Tpm2PolicyGetDigest (\r
c411b485 MK	348	IN TPMI_SH_POLICY PolicySession,\r
c411b485 MK	349	OUT TPM2B_DIGEST *PolicyHash\r
967eacca JY	350	)\r
967eacca JY	351	{\r
c411b485 MK	352	EFI_STATUS Status;\r
	353	TPM2_POLICY_GET_DIGEST_COMMAND SendBuffer;\r
	354	TPM2_POLICY_GET_DIGEST_RESPONSE RecvBuffer;\r
	355	UINT32 SendBufferSize;\r
	356	UINT32 RecvBufferSize;\r
967eacca JY	357	\r
	358	//\r
	359	// Construct command\r
	360	//\r
c411b485 MK	361	SendBuffer.Header.tag = SwapBytes16 (TPM_ST_NO_SESSIONS);\r
c411b485 MK	362	SendBuffer.Header.commandCode = SwapBytes32 (TPM_CC_PolicyGetDigest);\r
967eacca JY	363	\r
	364	SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r
	365	\r
c411b485	366	SendBufferSize = (UINT32)sizeof (SendBuffer);\r
967eacca JY	367	SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
	368	\r
	369	//\r
	370	// send Tpm command\r
	371	//\r
	372	RecvBufferSize = sizeof (RecvBuffer);\r
c411b485	373	Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 )&SendBuffer, &RecvBufferSize, (UINT8 )&RecvBuffer);\r
967eacca JY	374	if (EFI_ERROR (Status)) {\r
	375	return Status;\r
	376	}\r
	377	\r
	378	if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
e905fbb0	379	DEBUG ((DEBUG_ERROR, "Tpm2PolicyGetDigest - RecvBufferSize Error - %x\n", RecvBufferSize));\r
967eacca JY	380	return EFI_DEVICE_ERROR;\r
967eacca JY	381	}\r
c411b485 MK	382	\r
	383	if (SwapBytes32 (RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
	384	DEBUG ((DEBUG_ERROR, "Tpm2PolicyGetDigest - responseCode - %x\n", SwapBytes32 (RecvBuffer.Header.responseCode)));\r
967eacca JY	385	return EFI_DEVICE_ERROR;\r
	386	}\r
	387	\r
	388	//\r
	389	// Return the response\r
	390	//\r
	391	PolicyHash->size = SwapBytes16 (RecvBuffer.PolicyHash.size);\r
c411b485	392	if (PolicyHash->size > sizeof (TPMU_HA)) {\r
dd577319 ZC	393	DEBUG ((DEBUG_ERROR, "Tpm2PolicyGetDigest - PolicyHash->size error %x\n", PolicyHash->size));\r
	394	return EFI_DEVICE_ERROR;\r
	395	}\r
	396	\r
967eacca JY	397	CopyMem (PolicyHash->buffer, &RecvBuffer.PolicyHash.buffer, PolicyHash->size);\r
	398	\r
	399	return EFI_SUCCESS;\r
	400	}\r