2 Implement TPM2 EnhancedAuthorization related command.
4 Copyright (c) 2014, Intel Corporation. All rights reserved. <BR>
5 This program and the accompanying materials
6 are licensed and made available under the terms and conditions of the BSD License
7 which accompanies this distribution. The full text of the license may be found at
8 http://opensource.org/licenses/bsd-license.php
10 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
11 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
15 #include <IndustryStandard/UefiTcgPlatform.h>
16 #include <Library/Tpm2CommandLib.h>
17 #include <Library/Tpm2DeviceLib.h>
18 #include <Library/BaseMemoryLib.h>
19 #include <Library/BaseLib.h>
20 #include <Library/DebugLib.h>
25 TPM2_COMMAND_HEADER Header
;
26 TPMI_DH_ENTITY AuthHandle
;
27 TPMI_SH_POLICY PolicySession
;
28 UINT32 AuthSessionSize
;
29 TPMS_AUTH_COMMAND AuthSession
;
32 TPM2B_NONCE PolicyRef
;
34 } TPM2_POLICY_SECRET_COMMAND
;
37 TPM2_RESPONSE_HEADER Header
;
38 UINT32 AuthSessionSize
;
39 TPM2B_TIMEOUT Timeout
;
40 TPMT_TK_AUTH PolicyTicket
;
41 TPMS_AUTH_RESPONSE AuthSession
;
42 } TPM2_POLICY_SECRET_RESPONSE
;
45 TPM2_COMMAND_HEADER Header
;
46 TPMI_SH_POLICY PolicySession
;
48 } TPM2_POLICY_COMMAND_CODE_COMMAND
;
51 TPM2_RESPONSE_HEADER Header
;
52 } TPM2_POLICY_COMMAND_CODE_RESPONSE
;
55 TPM2_COMMAND_HEADER Header
;
56 TPMI_SH_POLICY PolicySession
;
57 } TPM2_POLICY_GET_DIGEST_COMMAND
;
60 TPM2_RESPONSE_HEADER Header
;
61 TPM2B_DIGEST PolicyHash
;
62 } TPM2_POLICY_GET_DIGEST_RESPONSE
;
67 This command includes a secret-based authorization to a policy.
68 The caller proves knowledge of the secret value using an authorization
69 session using the authValue associated with authHandle.
71 @param[in] AuthHandle Handle for an entity providing the authorization
72 @param[in] PolicySession Handle for the policy session being extended.
73 @param[in] AuthSession Auth Session context
74 @param[in] NonceTPM The policy nonce for the session.
75 @param[in] CpHashA Digest of the command parameters to which this authorization is limited.
76 @param[in] PolicyRef A reference to a policy relating to the authorization.
77 @param[in] Expiration Time when authorization will expire, measured in seconds from the time that nonceTPM was generated.
78 @param[out] Timeout Time value used to indicate to the TPM when the ticket expires.
79 @param[out] PolicyTicket A ticket that includes a value indicating when the authorization expires.
81 @retval EFI_SUCCESS Operation completed successfully.
82 @retval EFI_DEVICE_ERROR The command was unsuccessful.
87 IN TPMI_DH_ENTITY AuthHandle
,
88 IN TPMI_SH_POLICY PolicySession
,
89 IN TPMS_AUTH_COMMAND
*AuthSession
, OPTIONAL
90 IN TPM2B_NONCE
*NonceTPM
,
91 IN TPM2B_DIGEST
*CpHashA
,
92 IN TPM2B_NONCE
*PolicyRef
,
94 OUT TPM2B_TIMEOUT
*Timeout
,
95 OUT TPMT_TK_AUTH
*PolicyTicket
99 TPM2_POLICY_SECRET_COMMAND SendBuffer
;
100 TPM2_POLICY_SECRET_RESPONSE RecvBuffer
;
101 UINT32 SendBufferSize
;
102 UINT32 RecvBufferSize
;
104 UINT32 SessionInfoSize
;
109 SendBuffer
.Header
.tag
= SwapBytes16(TPM_ST_SESSIONS
);
110 SendBuffer
.Header
.commandCode
= SwapBytes32(TPM_CC_PolicySecret
);
111 SendBuffer
.AuthHandle
= SwapBytes32 (AuthHandle
);
112 SendBuffer
.PolicySession
= SwapBytes32 (PolicySession
);
115 // Add in Auth session
117 Buffer
= (UINT8
*)&SendBuffer
.AuthSession
;
120 SessionInfoSize
= CopyAuthSessionCommand (AuthSession
, Buffer
);
121 Buffer
+= SessionInfoSize
;
122 SendBuffer
.AuthSessionSize
= SwapBytes32(SessionInfoSize
);
127 WriteUnaligned16 ((UINT16
*)Buffer
, SwapBytes16(NonceTPM
->size
));
128 Buffer
+= sizeof(UINT16
);
129 CopyMem (Buffer
, NonceTPM
->buffer
, NonceTPM
->size
);
130 Buffer
+= NonceTPM
->size
;
132 WriteUnaligned16 ((UINT16
*)Buffer
, SwapBytes16(CpHashA
->size
));
133 Buffer
+= sizeof(UINT16
);
134 CopyMem (Buffer
, CpHashA
->buffer
, CpHashA
->size
);
135 Buffer
+= CpHashA
->size
;
137 WriteUnaligned16 ((UINT16
*)Buffer
, SwapBytes16(PolicyRef
->size
));
138 Buffer
+= sizeof(UINT16
);
139 CopyMem (Buffer
, PolicyRef
->buffer
, PolicyRef
->size
);
140 Buffer
+= PolicyRef
->size
;
142 WriteUnaligned32 ((UINT32
*)Buffer
, SwapBytes32((UINT32
)Expiration
));
143 Buffer
+= sizeof(UINT32
);
145 SendBufferSize
= (UINT32
)((UINTN
)Buffer
- (UINTN
)&SendBuffer
);
146 SendBuffer
.Header
.paramSize
= SwapBytes32 (SendBufferSize
);
151 RecvBufferSize
= sizeof (RecvBuffer
);
152 Status
= Tpm2SubmitCommand (SendBufferSize
, (UINT8
*)&SendBuffer
, &RecvBufferSize
, (UINT8
*)&RecvBuffer
);
153 if (EFI_ERROR (Status
)) {
157 if (RecvBufferSize
< sizeof (TPM2_RESPONSE_HEADER
)) {
158 DEBUG ((EFI_D_ERROR
, "Tpm2PolicySecret - RecvBufferSize Error - %x\n", RecvBufferSize
));
159 return EFI_DEVICE_ERROR
;
161 if (SwapBytes32(RecvBuffer
.Header
.responseCode
) != TPM_RC_SUCCESS
) {
162 DEBUG ((EFI_D_ERROR
, "Tpm2PolicySecret - responseCode - %x\n", SwapBytes32(RecvBuffer
.Header
.responseCode
)));
163 return EFI_DEVICE_ERROR
;
167 // Return the response
169 Buffer
= (UINT8
*)&RecvBuffer
.Timeout
;
170 Timeout
->size
= SwapBytes16(ReadUnaligned16 ((UINT16
*)Buffer
));
171 Buffer
+= sizeof(UINT16
);
172 CopyMem (Timeout
->buffer
, Buffer
, Timeout
->size
);
174 PolicyTicket
->tag
= SwapBytes16(ReadUnaligned16 ((UINT16
*)Buffer
));
175 Buffer
+= sizeof(UINT16
);
176 PolicyTicket
->hierarchy
= SwapBytes32(ReadUnaligned32 ((UINT32
*)Buffer
));
177 Buffer
+= sizeof(UINT32
);
178 PolicyTicket
->digest
.size
= SwapBytes16(ReadUnaligned16 ((UINT16
*)Buffer
));
179 Buffer
+= sizeof(UINT16
);
180 CopyMem (PolicyTicket
->digest
.buffer
, Buffer
, PolicyTicket
->digest
.size
);
186 This command indicates that the authorization will be limited to a specific command code.
188 @param[in] PolicySession Handle for the policy session being extended.
189 @param[in] Code The allowed commandCode.
191 @retval EFI_SUCCESS Operation completed successfully.
192 @retval EFI_DEVICE_ERROR The command was unsuccessful.
196 Tpm2PolicyCommandCode (
197 IN TPMI_SH_POLICY PolicySession
,
202 TPM2_POLICY_COMMAND_CODE_COMMAND SendBuffer
;
203 TPM2_POLICY_COMMAND_CODE_RESPONSE RecvBuffer
;
204 UINT32 SendBufferSize
;
205 UINT32 RecvBufferSize
;
210 SendBuffer
.Header
.tag
= SwapBytes16(TPM_ST_NO_SESSIONS
);
211 SendBuffer
.Header
.commandCode
= SwapBytes32(TPM_CC_PolicyCommandCode
);
213 SendBuffer
.PolicySession
= SwapBytes32 (PolicySession
);
214 SendBuffer
.Code
= SwapBytes32 (Code
);
216 SendBufferSize
= (UINT32
) sizeof (SendBuffer
);
217 SendBuffer
.Header
.paramSize
= SwapBytes32 (SendBufferSize
);
222 RecvBufferSize
= sizeof (RecvBuffer
);
223 Status
= Tpm2SubmitCommand (SendBufferSize
, (UINT8
*)&SendBuffer
, &RecvBufferSize
, (UINT8
*)&RecvBuffer
);
224 if (EFI_ERROR (Status
)) {
228 if (RecvBufferSize
< sizeof (TPM2_RESPONSE_HEADER
)) {
229 DEBUG ((EFI_D_ERROR
, "Tpm2PolicyCommandCode - RecvBufferSize Error - %x\n", RecvBufferSize
));
230 return EFI_DEVICE_ERROR
;
232 if (SwapBytes32(RecvBuffer
.Header
.responseCode
) != TPM_RC_SUCCESS
) {
233 DEBUG ((EFI_D_ERROR
, "Tpm2PolicyCommandCode - responseCode - %x\n", SwapBytes32(RecvBuffer
.Header
.responseCode
)));
234 return EFI_DEVICE_ERROR
;
241 This command returns the current policyDigest of the session. This command allows the TPM
242 to be used to perform the actions required to precompute the authPolicy for an object.
244 @param[in] PolicySession Handle for the policy session.
245 @param[out] PolicyHash the current value of the policyHash of policySession.
247 @retval EFI_SUCCESS Operation completed successfully.
248 @retval EFI_DEVICE_ERROR The command was unsuccessful.
252 Tpm2PolicyGetDigest (
253 IN TPMI_SH_POLICY PolicySession
,
254 OUT TPM2B_DIGEST
*PolicyHash
258 TPM2_POLICY_GET_DIGEST_COMMAND SendBuffer
;
259 TPM2_POLICY_GET_DIGEST_RESPONSE RecvBuffer
;
260 UINT32 SendBufferSize
;
261 UINT32 RecvBufferSize
;
266 SendBuffer
.Header
.tag
= SwapBytes16(TPM_ST_NO_SESSIONS
);
267 SendBuffer
.Header
.commandCode
= SwapBytes32(TPM_CC_PolicyGetDigest
);
269 SendBuffer
.PolicySession
= SwapBytes32 (PolicySession
);
271 SendBufferSize
= (UINT32
) sizeof (SendBuffer
);
272 SendBuffer
.Header
.paramSize
= SwapBytes32 (SendBufferSize
);
277 RecvBufferSize
= sizeof (RecvBuffer
);
278 Status
= Tpm2SubmitCommand (SendBufferSize
, (UINT8
*)&SendBuffer
, &RecvBufferSize
, (UINT8
*)&RecvBuffer
);
279 if (EFI_ERROR (Status
)) {
283 if (RecvBufferSize
< sizeof (TPM2_RESPONSE_HEADER
)) {
284 DEBUG ((EFI_D_ERROR
, "Tpm2PolicyGetDigest - RecvBufferSize Error - %x\n", RecvBufferSize
));
285 return EFI_DEVICE_ERROR
;
287 if (SwapBytes32(RecvBuffer
.Header
.responseCode
) != TPM_RC_SUCCESS
) {
288 DEBUG ((EFI_D_ERROR
, "Tpm2PolicyGetDigest - responseCode - %x\n", SwapBytes32(RecvBuffer
.Header
.responseCode
)));
289 return EFI_DEVICE_ERROR
;
293 // Return the response
295 PolicyHash
->size
= SwapBytes16 (RecvBuffer
.PolicyHash
.size
);
296 CopyMem (PolicyHash
->buffer
, &RecvBuffer
.PolicyHash
.buffer
, PolicyHash
->size
);