Add TPM2 commands which might be used in provision.
authorYao, Jiewen <jiewen.yao@intel.com>
Tue, 23 Dec 2014 04:03:32 +0000 (04:03 +0000)
committerjyao1 <jyao1@Edk2>
Tue, 23 Dec 2014 04:03:32 +0000 (04:03 +0000)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: "Yao, Jiewen" <jiewen.yao@intel.com>
Reviewed-by: "Dong, Guo" <guo.dong@intel.com>
Reviewed-by: "Long, Qin" <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16548 6f19259b-4bc3-4df7-8a09-765794883524

SecurityPkg/Include/Library/Tpm2CommandLib.h
SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c

index 6e406fd..c491549 100644 (file)
@@ -872,6 +872,25 @@ Tpm2PolicySecret (
   OUT     TPMT_TK_AUTH              *PolicyTicket\r
   );\r
 \r
+/**\r
+  This command allows options in authorizations without requiring that the TPM evaluate all of the options.\r
+  If a policy may be satisfied by different sets of conditions, the TPM need only evaluate one set that\r
+  satisfies the policy. This command will indicate that one of the required sets of conditions has been\r
+  satisfied.\r
+\r
+  @param[in] PolicySession      Handle for the policy session being extended.\r
+  @param[in] HashList           the list of hashes to check for a match.\r
+  \r
+  @retval EFI_SUCCESS            Operation completed successfully.\r
+  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+Tpm2PolicyOR (\r
+  IN TPMI_SH_POLICY           PolicySession,\r
+  IN TPML_DIGEST              *HashList\r
+  );\r
+\r
 /**\r
   This command indicates that the authorization will be limited to a specific command code.\r
 \r
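Review bot: The `@param[in] HashList` line on the new Tpm2PolicyOR prototype does not say what callers must guarantee about the list, and this header is where they will look. The implementation added in Tpm2EnhancedAuthorization.c dereferences `HashList` unconditionally and uses `HashList->count` and each `digests[Index].size` as loop and copy lengths. The comment should state that contract, for example `@param[in] HashList  Non-NULL list of digests; count and each digest size must stay within the limits of TPML_DIGEST.` If argument validation is added to the function, a matching `@retval EFI_INVALID_PARAMETER` line belongs here and in the duplicate comment block above the definition.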
index e302d53..d11f543 100644 (file)
@@ -41,6 +41,16 @@ typedef struct {
   TPMS_AUTH_RESPONSE        AuthSession;\r
 } TPM2_POLICY_SECRET_RESPONSE;\r
 \r
+typedef struct {\r
+  TPM2_COMMAND_HEADER       Header;\r
+  TPMI_SH_POLICY            PolicySession;\r
+  TPML_DIGEST               HashList;\r
+} TPM2_POLICY_OR_COMMAND;\r
+\r
+typedef struct {\r
+  TPM2_RESPONSE_HEADER      Header;\r
+} TPM2_POLICY_OR_RESPONSE;\r
+\r
 typedef struct {\r
   TPM2_COMMAND_HEADER       Header;\r
   TPMI_SH_POLICY            PolicySession;\r
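Review bot: The `HashList` member of `TPM2_POLICY_OR_COMMAND` is missing a comment saying that it is not transmitted as laid out in memory. Tpm2PolicyOR in this commit writes the count and then each digest's size and bytes back-to-back starting at `&SendBuffer.HashList`, so the member only reserves maximum space for the marshalled list. A comment on the member such as `// Reserves space only; Tpm2PolicyOR marshals the digests variable-length` would keep a later reader from assigning to it directly. Whether a packing directive covers these typedefs is not visible in this hunk and is worth confirming, since `SendBufferSize` is derived from offsets inside the struct.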
@@ -182,6 +192,74 @@ Tpm2PolicySecret (
   return EFI_SUCCESS;\r
 }\r
 \r
+/**\r
+  This command allows options in authorizations without requiring that the TPM evaluate all of the options.\r
+  If a policy may be satisfied by different sets of conditions, the TPM need only evaluate one set that\r
+  satisfies the policy. This command will indicate that one of the required sets of conditions has been\r
+  satisfied.\r
+\r
+  @param[in] PolicySession      Handle for the policy session being extended.\r
+  @param[in] HashList           the list of hashes to check for a match.\r
+  \r
+  @retval EFI_SUCCESS            Operation completed successfully.\r
+  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+Tpm2PolicyOR (\r
+  IN TPMI_SH_POLICY           PolicySession,\r
+  IN TPML_DIGEST              *HashList\r
+  )\r
+{\r
+  EFI_STATUS                        Status;\r
+  TPM2_POLICY_OR_COMMAND            SendBuffer;\r
+  TPM2_POLICY_OR_RESPONSE           RecvBuffer;\r
+  UINT32                            SendBufferSize;\r
+  UINT32                            RecvBufferSize;\r
+  UINT8                             *Buffer;\r
+  UINTN                             Index;\r
+\r
+  //\r
+  // Construct command\r
+  //\r
+  SendBuffer.Header.tag = SwapBytes16(TPM_ST_NO_SESSIONS);\r
+  SendBuffer.Header.commandCode = SwapBytes32(TPM_CC_PolicyOR);\r
+\r
+  SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r
+  Buffer = (UINT8 *)&SendBuffer.HashList;\r
+  WriteUnaligned32 ((UINT32 *)Buffer, SwapBytes32 (HashList->count));\r
+  Buffer += sizeof(UINT32);\r
+  for (Index = 0; Index < HashList->count; Index++) {\r
+    WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16 (HashList->digests[Index].size));\r
+    Buffer += sizeof(UINT16);\r
+    CopyMem (Buffer, HashList->digests[Index].buffer, HashList->digests[Index].size);\r
+    Buffer += HashList->digests[Index].size;\r
+  }\r
+\r
+  SendBufferSize = (UINT32)((UINTN)Buffer - (UINTN)&SendBuffer);\r
+  SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
+\r
+  //\r
+  // send Tpm command\r
+  //\r
+  RecvBufferSize = sizeof (RecvBuffer);\r
+  Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &RecvBufferSize, (UINT8 *)&RecvBuffer);\r
+  if (EFI_ERROR (Status)) {\r
+    return Status;\r
+  }\r
+\r
+  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
+    DEBUG ((EFI_D_ERROR, "Tpm2PolicyOR - RecvBufferSize Error - %x\n", RecvBufferSize));\r
+    return EFI_DEVICE_ERROR;\r
+  }\r
+  if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
+    DEBUG ((EFI_D_ERROR, "Tpm2PolicyOR - responseCode - %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));\r
+    return EFI_DEVICE_ERROR;\r
+  }\r
+\r
+  return EFI_SUCCESS;\r
+}\r
+\r
 /**\r
   This command indicates that the authorization will be limited to a specific command code.\r
 \r
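Review bot: The marshalling loop in Tpm2PolicyOR uses `HashList->count` and `HashList->digests[Index].size` without checking them, while the destination is the fixed-size stack variable `SendBuffer`. Assuming TPML_DIGEST holds a fixed `digests` array (its definition is not in this diff), a count beyond that array or a size beyond a digest's `buffer` makes `CopyMem` read past the caller's structure and write past `SendBuffer.HashList`, corrupting the stack before the command is sent. Reject such input before the loop with `if (HashList->count > sizeof (HashList->digests) / sizeof (HashList->digests[0])) { return EFI_INVALID_PARAMETER; }` and inside it with `if (HashList->digests[Index].size > sizeof (HashList->digests[Index].buffer)) { return EFI_INVALID_PARAMETER; }`. Both checks need a matching `@retval` line in the function comment. `HashList` is also dereferenced without a NULL check, which the same guard can cover.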