| 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
 | /* SPDX-License-Identifier: GPL-2.0+ */
/*
 * Defines APIs and structures that allow software to interact with a
 * TPM2 device
 *
 * Copyright (c) 2020 Linaro
 * Copyright (c) 2018 Bootlin
 *
 * The structures are described in
 * Trusted Platform Module Library Part 2: Structures
 * http://tcg.tjn.chef.causewaynow.com/resource/tpm-library-specification/
 *
 * C header files are listed in
 * https://trustedcomputinggroup.org/resource/tss-overview-common-structures-specification/
 *
 * Author: Miquel Raynal <miquel.raynal@bootlin.com>
 */
#ifndef __TPM_V2_H
#define __TPM_V2_H
#include <tpm-common.h>
struct udevice;
#define TPM2_DIGEST_LEN		32
#define TPM2_SHA1_DIGEST_SIZE 20
#define TPM2_SHA256_DIGEST_SIZE	32
#define TPM2_SHA384_DIGEST_SIZE	48
#define TPM2_SHA512_DIGEST_SIZE	64
#define TPM2_SM3_256_DIGEST_SIZE 32
#define TPM2_MAX_PCRS 32
#define TPM2_PCR_SELECT_MAX ((TPM2_MAX_PCRS + 7) / 8)
#define TPM2_MAX_CAP_BUFFER 1024
#define TPM2_MAX_TPM_PROPERTIES ((TPM2_MAX_CAP_BUFFER - sizeof(u32) /* TPM2_CAP */ - \
				 sizeof(u32)) / sizeof(struct tpms_tagged_property))
#define TPM2_HDR_LEN		10
#define TPM2_CAP_PCRS 0x00000005U
#define TPM2_CAP_TPM_PROPERTIES 0x00000006U
/* Definition of (UINT32) TPM2_PT Constants */
#define TPM2_PT_GROUP			(u32)(0x00000100)
#define TPM2_PT_FIXED			(u32)(TPM2_PT_GROUP * 1)
#define TPM2_PT_MANUFACTURER		(u32)(TPM2_PT_FIXED + 5)
#define TPM2_PT_PCR_COUNT		(u32)(TPM2_PT_FIXED + 18)
#define TPM2_PT_MAX_COMMAND_SIZE	(u32)(TPM2_PT_FIXED + 30)
#define TPM2_PT_MAX_RESPONSE_SIZE	(u32)(TPM2_PT_FIXED + 31)
/**
 * struct tpms_tagged_property - TPMS_TAGGED_PROPERTY structure
 *
 * This structure is returned by TPM2_GetCapability() to report
 * a u32 property value.
 *
 * @property:	property identifier
 * @value:	value of the property
 */
struct tpms_tagged_property {
	u32 property;
	u32 value;
} __packed;
/**
 * struct tpms_pcr_selection - TPMS_PCR_SELECTION structure
 *
 * This structure allows to specify a hash algorithm and a list of
 * selected PCRs. A PCR is selected by setting the related bit in
 * @pcr_select to 1.
 *
 * @hash:		hash algorithm associated with the selection
 * @size_of_select:	size in bytes of the @pcr_select array
 * @pcr_select:		bit map of selected PCRs
 */
struct tpms_pcr_selection {
	u16 hash;
	u8 size_of_select;
	u8 pcr_select[TPM2_PCR_SELECT_MAX];
} __packed;
/**
 * struct tpml_pcr_selection - TPML_PCR_SELECTION structure
 *
 * @count:	number of selection structures, may be zero
 * @selection:	list of selections
 */
struct tpml_pcr_selection {
	u32 count;
	struct tpms_pcr_selection selection[TPM2_NUM_PCR_BANKS];
} __packed;
/* TPML_TAGGED_TPM_PROPERTY Structure */
struct tpml_tagged_tpm_property {
	u32 count;
	struct tpms_tagged_property tpm_property[TPM2_MAX_TPM_PROPERTIES];
} __packed;
/* TPMU_CAPABILITIES Union */
union tpmu_capabilities {
	/*
	 * Non exhaustive. Only added the structs needed for our
	 * current code
	 */
	struct tpml_pcr_selection assigned_pcr;
	struct tpml_tagged_tpm_property tpm_properties;
} __packed;
/* TPMS_CAPABILITY_DATA Structure */
struct tpms_capability_data {
	u32 capability;
	union tpmu_capabilities data;
} __packed;
/**
 * Definition of TPMU_HA Union
 */
union tpmu_ha {
	u8 sha1[TPM2_SHA1_DIGEST_SIZE];
	u8 sha256[TPM2_SHA256_DIGEST_SIZE];
	u8 sm3_256[TPM2_SM3_256_DIGEST_SIZE];
	u8 sha384[TPM2_SHA384_DIGEST_SIZE];
	u8 sha512[TPM2_SHA512_DIGEST_SIZE];
} __packed;
/**
 * Definition of TPMT_HA Structure
 *
 * @hash_alg:	Hash algorithm defined in enum tpm2_algorithms
 * @digest:	Digest value for a given algorithm
 */
struct tpmt_ha {
	u16 hash_alg;
	union tpmu_ha digest;
} __packed;
/**
 * Definition of TPML_DIGEST_VALUES Structure
 *
 * @count:	Number of algorithms supported by hardware
 * @digests:	struct for algorithm id and hash value
 */
struct tpml_digest_values {
	u32 count;
	struct tpmt_ha digests[TPM2_NUM_PCR_BANKS];
} __packed;
/**
 * TPM2 Structure Tags for command/response buffers.
 *
 * @TPM2_ST_NO_SESSIONS: the command does not need an authentication.
 * @TPM2_ST_SESSIONS: the command needs an authentication.
 */
enum tpm2_structures {
	TPM2_ST_NO_SESSIONS	= 0x8001,
	TPM2_ST_SESSIONS	= 0x8002,
};
/**
 * TPM2 type of boolean.
 */
enum tpm2_yes_no {
	TPMI_YES		= 1,
	TPMI_NO			= 0,
};
/**
 * TPM2 startup values.
 *
 * @TPM2_SU_CLEAR: reset the internal state.
 * @TPM2_SU_STATE: restore saved state (if any).
 */
enum tpm2_startup_types {
	TPM2_SU_CLEAR		= 0x0000,
	TPM2_SU_STATE		= 0x0001,
};
/**
 * TPM2 permanent handles.
 *
 * @TPM2_RH_OWNER: refers to the 'owner' hierarchy.
 * @TPM2_RS_PW: indicates a password.
 * @TPM2_RH_LOCKOUT: refers to the 'lockout' hierarchy.
 * @TPM2_RH_ENDORSEMENT: refers to the 'endorsement' hierarchy.
 * @TPM2_RH_PLATFORM: refers to the 'platform' hierarchy.
 */
enum tpm2_handles {
	TPM2_RH_OWNER		= 0x40000001,
	TPM2_RS_PW		= 0x40000009,
	TPM2_RH_LOCKOUT		= 0x4000000A,
	TPM2_RH_ENDORSEMENT	= 0x4000000B,
	TPM2_RH_PLATFORM	= 0x4000000C,
};
/**
 * TPM2 command codes used at the beginning of a buffer, gives the command.
 *
 * @TPM2_CC_STARTUP: TPM2_Startup().
 * @TPM2_CC_SELF_TEST: TPM2_SelfTest().
 * @TPM2_CC_CLEAR: TPM2_Clear().
 * @TPM2_CC_CLEARCONTROL: TPM2_ClearControl().
 * @TPM2_CC_HIERCHANGEAUTH: TPM2_HierarchyChangeAuth().
 * @TPM2_CC_PCR_SETAUTHPOL: TPM2_PCR_SetAuthPolicy().
 * @TPM2_CC_DAM_RESET: TPM2_DictionaryAttackLockReset().
 * @TPM2_CC_DAM_PARAMETERS: TPM2_DictionaryAttackParameters().
 * @TPM2_CC_GET_CAPABILITY: TPM2_GetCapibility().
 * @TPM2_CC_GET_RANDOM: TPM2_GetRandom().
 * @TPM2_CC_PCR_READ: TPM2_PCR_Read().
 * @TPM2_CC_PCR_EXTEND: TPM2_PCR_Extend().
 * @TPM2_CC_PCR_SETAUTHVAL: TPM2_PCR_SetAuthValue().
 */
enum tpm2_command_codes {
	TPM2_CC_STARTUP		= 0x0144,
	TPM2_CC_SELF_TEST	= 0x0143,
	TPM2_CC_HIER_CONTROL	= 0x0121,
	TPM2_CC_CLEAR		= 0x0126,
	TPM2_CC_CLEARCONTROL	= 0x0127,
	TPM2_CC_HIERCHANGEAUTH	= 0x0129,
	TPM2_CC_NV_DEFINE_SPACE	= 0x012a,
	TPM2_CC_PCR_SETAUTHPOL	= 0x012C,
	TPM2_CC_NV_WRITE	= 0x0137,
	TPM2_CC_NV_WRITELOCK	= 0x0138,
	TPM2_CC_DAM_RESET	= 0x0139,
	TPM2_CC_DAM_PARAMETERS	= 0x013A,
	TPM2_CC_NV_READ         = 0x014E,
	TPM2_CC_GET_CAPABILITY	= 0x017A,
	TPM2_CC_GET_RANDOM      = 0x017B,
	TPM2_CC_PCR_READ	= 0x017E,
	TPM2_CC_PCR_EXTEND	= 0x0182,
	TPM2_CC_PCR_SETAUTHVAL	= 0x0183,
	TPM2_CC_PCR_ALLOCATE    = 0x012B,
	TPM2_CC_SHUTDOWN	= 0x0145,
};
/**
 * TPM2 return codes.
 */
enum tpm2_return_codes {
	TPM2_RC_SUCCESS		= 0x0000,
	TPM2_RC_BAD_TAG		= 0x001E,
	TPM2_RC_FMT1		= 0x0080,
	TPM2_RC_HASH		= TPM2_RC_FMT1 + 0x0003,
	TPM2_RC_VALUE		= TPM2_RC_FMT1 + 0x0004,
	TPM2_RC_SIZE		= TPM2_RC_FMT1 + 0x0015,
	TPM2_RC_BAD_AUTH	= TPM2_RC_FMT1 + 0x0022,
	TPM2_RC_HANDLE		= TPM2_RC_FMT1 + 0x000B,
	TPM2_RC_VER1		= 0x0100,
	TPM2_RC_INITIALIZE	= TPM2_RC_VER1 + 0x0000,
	TPM2_RC_FAILURE		= TPM2_RC_VER1 + 0x0001,
	TPM2_RC_DISABLED	= TPM2_RC_VER1 + 0x0020,
	TPM2_RC_AUTH_MISSING	= TPM2_RC_VER1 + 0x0025,
	TPM2_RC_COMMAND_CODE	= TPM2_RC_VER1 + 0x0043,
	TPM2_RC_AUTHSIZE	= TPM2_RC_VER1 + 0x0044,
	TPM2_RC_AUTH_CONTEXT	= TPM2_RC_VER1 + 0x0045,
	TPM2_RC_NV_DEFINED	= TPM2_RC_VER1 + 0x004c,
	TPM2_RC_NEEDS_TEST	= TPM2_RC_VER1 + 0x0053,
	TPM2_RC_WARN		= 0x0900,
	TPM2_RC_TESTING		= TPM2_RC_WARN + 0x000A,
	TPM2_RC_REFERENCE_H0	= TPM2_RC_WARN + 0x0010,
	TPM2_RC_LOCKOUT		= TPM2_RC_WARN + 0x0021,
};
/**
 * TPM2 algorithms.
 */
enum tpm2_algorithms {
	TPM2_ALG_SHA1		= 0x04,
	TPM2_ALG_XOR		= 0x0A,
	TPM2_ALG_SHA256		= 0x0B,
	TPM2_ALG_SHA384		= 0x0C,
	TPM2_ALG_SHA512		= 0x0D,
	TPM2_ALG_NULL		= 0x10,
	TPM2_ALG_SM3_256	= 0x12,
};
/**
 * struct digest_info - details of supported digests
 *
 * @hash_name:			hash name
 * @hash_alg:			hash algorithm id
 * @hash_mask:			hash registry mask
 * @hash_len:			hash digest length
 */
struct digest_info {
	const char *hash_name;
	u16 hash_alg;
	u32 hash_mask;
	u16 hash_len;
	bool supported;
};
/* Algorithm Registry */
#define TCG2_BOOT_HASH_ALG_SHA1    0x00000001
#define TCG2_BOOT_HASH_ALG_SHA256  0x00000002
#define TCG2_BOOT_HASH_ALG_SHA384  0x00000004
#define TCG2_BOOT_HASH_ALG_SHA512  0x00000008
#define TCG2_BOOT_HASH_ALG_SM3_256 0x00000010
static const struct digest_info hash_algo_list[] = {
	{
		"sha1",
		TPM2_ALG_SHA1,
		TCG2_BOOT_HASH_ALG_SHA1,
		TPM2_SHA1_DIGEST_SIZE,
#if IS_ENABLED(CONFIG_SHA1)
		true,
#else
		false,
#endif
	},
	{
		"sha256",
		TPM2_ALG_SHA256,
		TCG2_BOOT_HASH_ALG_SHA256,
		TPM2_SHA256_DIGEST_SIZE,
#if IS_ENABLED(CONFIG_SHA256)
		true,
#else
		false,
#endif
	},
	{
		"sha384",
		TPM2_ALG_SHA384,
		TCG2_BOOT_HASH_ALG_SHA384,
		TPM2_SHA384_DIGEST_SIZE,
#if IS_ENABLED(CONFIG_SHA384)
		true,
#else
		false,
#endif
	},
	{
		"sha512",
		TPM2_ALG_SHA512,
		TCG2_BOOT_HASH_ALG_SHA512,
		TPM2_SHA512_DIGEST_SIZE,
#if IS_ENABLED(CONFIG_SHA512)
		true,
#else
		false,
#endif
	},
};
/* NV index attributes */
enum tpm_index_attrs {
	TPMA_NV_PPWRITE		= 1UL << 0,
	TPMA_NV_OWNERWRITE	= 1UL << 1,
	TPMA_NV_AUTHWRITE	= 1UL << 2,
	TPMA_NV_POLICYWRITE	= 1UL << 3,
	TPMA_NV_COUNTER		= 1UL << 4,
	TPMA_NV_BITS		= 1UL << 5,
	TPMA_NV_EXTEND		= 1UL << 6,
	TPMA_NV_POLICY_DELETE	= 1UL << 10,
	TPMA_NV_WRITELOCKED	= 1UL << 11,
	TPMA_NV_WRITEALL	= 1UL << 12,
	TPMA_NV_WRITEDEFINE	= 1UL << 13,
	TPMA_NV_WRITE_STCLEAR	= 1UL << 14,
	TPMA_NV_GLOBALLOCK	= 1UL << 15,
	TPMA_NV_PPREAD		= 1UL << 16,
	TPMA_NV_OWNERREAD	= 1UL << 17,
	TPMA_NV_AUTHREAD	= 1UL << 18,
	TPMA_NV_POLICYREAD	= 1UL << 19,
	TPMA_NV_NO_DA		= 1UL << 25,
	TPMA_NV_ORDERLY		= 1UL << 26,
	TPMA_NV_CLEAR_STCLEAR	= 1UL << 27,
	TPMA_NV_READLOCKED	= 1UL << 28,
	TPMA_NV_WRITTEN		= 1UL << 29,
	TPMA_NV_PLATFORMCREATE	= 1UL << 30,
	TPMA_NV_READ_STCLEAR	= 1UL << 31,
	TPMA_NV_MASK_READ	= TPMA_NV_PPREAD | TPMA_NV_OWNERREAD |
				TPMA_NV_AUTHREAD | TPMA_NV_POLICYREAD,
	TPMA_NV_MASK_WRITE	= TPMA_NV_PPWRITE | TPMA_NV_OWNERWRITE |
					TPMA_NV_AUTHWRITE | TPMA_NV_POLICYWRITE,
};
enum {
	TPM_ACCESS_VALID		= 1 << 7,
	TPM_ACCESS_ACTIVE_LOCALITY	= 1 << 5,
	TPM_ACCESS_REQUEST_PENDING	= 1 << 2,
	TPM_ACCESS_REQUEST_USE		= 1 << 1,
	TPM_ACCESS_ESTABLISHMENT	= 1 << 0,
};
enum {
	TPM_STS_FAMILY_SHIFT		= 26,
	TPM_STS_FAMILY_MASK		= 0x3 << TPM_STS_FAMILY_SHIFT,
	TPM_STS_FAMILY_TPM2		= 1 << TPM_STS_FAMILY_SHIFT,
	TPM_STS_RESE_TESTABLISMENT_BIT	= 1 << 25,
	TPM_STS_COMMAND_CANCEL		= 1 << 24,
	TPM_STS_BURST_COUNT_SHIFT	= 8,
	TPM_STS_BURST_COUNT_MASK	= 0xffff << TPM_STS_BURST_COUNT_SHIFT,
	TPM_STS_VALID			= 1 << 7,
	TPM_STS_COMMAND_READY		= 1 << 6,
	TPM_STS_GO			= 1 << 5,
	TPM_STS_DATA_AVAIL		= 1 << 4,
	TPM_STS_DATA_EXPECT		= 1 << 3,
	TPM_STS_SELF_TEST_DONE		= 1 << 2,
	TPM_STS_RESPONSE_RETRY		= 1 << 1,
	TPM_STS_READ_ZERO               = 0x23
};
enum {
	TPM_CMD_COUNT_OFFSET	= 2,
	TPM_CMD_ORDINAL_OFFSET	= 6,
	TPM_MAX_BUF_SIZE	= 1260,
};
enum {
	/* Secure storage for firmware settings */
	TPM_HT_PCR = 0,
	TPM_HT_NV_INDEX,
	TPM_HT_HMAC_SESSION,
	TPM_HT_POLICY_SESSION,
	HR_SHIFT		= 24,
	HR_PCR			= TPM_HT_PCR << HR_SHIFT,
	HR_HMAC_SESSION		= TPM_HT_HMAC_SESSION << HR_SHIFT,
	HR_POLICY_SESSION	= TPM_HT_POLICY_SESSION << HR_SHIFT,
	HR_NV_INDEX		= TPM_HT_NV_INDEX << HR_SHIFT,
};
/**
 * Issue a TPM2_Startup command.
 *
 * @dev		TPM device
 * @mode	TPM startup mode
 *
 * Return: code of the operation
 */
u32 tpm2_startup(struct udevice *dev, bool onoff, enum tpm2_startup_types mode);
/**
 * Issue a TPM2_SelfTest command.
 *
 * @dev		TPM device
 * @full_test	Asking to perform all tests or only the untested ones
 *
 * Return: code of the operation
 */
u32 tpm2_self_test(struct udevice *dev, enum tpm2_yes_no full_test);
/**
 * Issue a TPM2_Clear command.
 *
 * @dev		TPM device
 * @handle	Handle
 * @pw		Password
 * @pw_sz	Length of the password
 *
 * Return: code of the operation
 */
u32 tpm2_clear(struct udevice *dev, u32 handle, const char *pw,
	       const ssize_t pw_sz);
/**
 * Issue a TPM_NV_DefineSpace command
 *
 * This allows a space to be defined with given attributes and policy
 *
 * @dev			TPM device
 * @space_index		index of the area
 * @space_size		size of area in bytes
 * @nv_attributes	TPM_NV_ATTRIBUTES of the area
 * @nv_policy		policy to use
 * @nv_policy_size	size of the policy
 * Return: return code of the operation
 */
u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index,
			 size_t space_size, u32 nv_attributes,
			 const u8 *nv_policy, size_t nv_policy_size);
/**
 * Issue a TPM2_PCR_Extend command.
 *
 * @dev		TPM device
 * @index	Index of the PCR
 * @algorithm	Algorithm used, defined in 'enum tpm2_algorithms'
 * @digest	Value representing the event to be recorded
 * @digest_len  len of the hash
 *
 * Return: code of the operation
 */
u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
		    const u8 *digest, u32 digest_len);
/**
 * Read data from the secure storage
 *
 * @dev		TPM device
 * @index	Index of data to read
 * @data	Place to put data
 * @count	Number of bytes of data
 * Return: code of the operation
 */
u32 tpm2_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count);
/**
 * Write data to the secure storage
 *
 * @dev		TPM device
 * @index	Index of data to write
 * @data	Data to write
 * @count	Number of bytes of data
 * Return: code of the operation
 */
u32 tpm2_nv_write_value(struct udevice *dev, u32 index, const void *data,
			u32 count);
/**
 * Issue a TPM2_PCR_Read command.
 *
 * @dev		TPM device
 * @idx		Index of the PCR
 * @idx_min_sz	Minimum size in bytes of the pcrSelect array
 * @algorithm	Algorithm used, defined in 'enum tpm2_algorithms'
 * @data	Output buffer for contents of the named PCR
 * @digest_len  len of the data
 * @updates	Optional out parameter: number of updates for this PCR
 *
 * Return: code of the operation
 */
u32 tpm2_pcr_read(struct udevice *dev, u32 idx, unsigned int idx_min_sz,
		  u16 algorithm, void *data, u32 digest_len,
		  unsigned int *updates);
/**
 * Issue a TPM2_GetCapability command.  This implementation is limited
 * to query property index that is 4-byte wide.
 *
 * @dev		TPM device
 * @capability	Partition of capabilities
 * @property	Further definition of capability, limited to be 4 bytes wide
 * @buf		Output buffer for capability information
 * @prop_count	Size of output buffer
 *
 * Return: code of the operation
 */
u32 tpm2_get_capability(struct udevice *dev, u32 capability, u32 property,
			void *buf, size_t prop_count);
/**
 * tpm2_get_pcr_info() - get the supported, active PCRs and number of banks
 *
 * @dev:		TPM device
 * @pcrs:		struct tpml_pcr_selection of available PCRs
 *
 * @return 0 on success, code of operation or negative errno on failure
 */
int tpm2_get_pcr_info(struct udevice *dev, struct tpml_pcr_selection *pcrs);
/**
 * Issue a TPM2_DictionaryAttackLockReset command.
 *
 * @dev		TPM device
 * @pw		Password
 * @pw_sz	Length of the password
 *
 * Return: code of the operation
 */
u32 tpm2_dam_reset(struct udevice *dev, const char *pw, const ssize_t pw_sz);
/**
 * Issue a TPM2_DictionaryAttackParameters command.
 *
 * @dev		TPM device
 * @pw		Password
 * @pw_sz	Length of the password
 * @max_tries	Count of authorizations before lockout
 * @recovery_time Time before decrementation of the failure count
 * @lockout_recovery Time to wait after a lockout
 *
 * Return: code of the operation
 */
u32 tpm2_dam_parameters(struct udevice *dev, const char *pw,
			const ssize_t pw_sz, unsigned int max_tries,
			unsigned int recovery_time,
			unsigned int lockout_recovery);
/**
 * Issue a TPM2_HierarchyChangeAuth command.
 *
 * @dev		TPM device
 * @handle	Handle
 * @newpw	New password
 * @newpw_sz	Length of the new password
 * @oldpw	Old password
 * @oldpw_sz	Length of the old password
 *
 * Return: code of the operation
 */
int tpm2_change_auth(struct udevice *dev, u32 handle, const char *newpw,
		     const ssize_t newpw_sz, const char *oldpw,
		     const ssize_t oldpw_sz);
/**
 * Issue a TPM_PCR_SetAuthPolicy command.
 *
 * @dev		TPM device
 * @pw		Platform password
 * @pw_sz	Length of the password
 * @index	Index of the PCR
 * @digest	New key to access the PCR
 *
 * Return: code of the operation
 */
u32 tpm2_pcr_setauthpolicy(struct udevice *dev, const char *pw,
			   const ssize_t pw_sz, u32 index, const char *key);
/**
 * Issue a TPM_PCR_SetAuthValue command.
 *
 * @dev		TPM device
 * @pw		Platform password
 * @pw_sz	Length of the password
 * @index	Index of the PCR
 * @digest	New key to access the PCR
 * @key_sz	Length of the new key
 *
 * Return: code of the operation
 */
u32 tpm2_pcr_setauthvalue(struct udevice *dev, const char *pw,
			  const ssize_t pw_sz, u32 index, const char *key,
			  const ssize_t key_sz);
/**
 * Issue a TPM2_GetRandom command.
 *
 * @dev		TPM device
 * @param data		output buffer for the random bytes
 * @param count		size of output buffer
 *
 * Return: return code of the operation
 */
u32 tpm2_get_random(struct udevice *dev, void *data, u32 count);
/**
 * Lock data in the TPM
 *
 * Once locked the data cannot be written until after a reboot
 *
 * @dev		TPM device
 * @index	Index of data to lock
 * Return: code of the operation
 */
u32 tpm2_write_lock(struct udevice *dev, u32 index);
/**
 * Disable access to any platform data
 *
 * This can be called to close off access to the firmware data in the data,
 * before calling the kernel.
 *
 * @dev		TPM device
 * Return: code of the operation
 */
u32 tpm2_disable_platform_hierarchy(struct udevice *dev);
/**
 * submit user specified data to the TPM and get response
 *
 * @dev		TPM device
 * @sendbuf:	Buffer of the data to send
 * @recvbuf:	Buffer to save the response to
 * @recv_size:	Pointer to the size of the response buffer
 *
 * Return: code of the operation
 */
u32 tpm2_submit_command(struct udevice *dev, const u8 *sendbuf,
			u8 *recvbuf, size_t *recv_size);
/**
 * tpm_cr50_report_state() - Report the Cr50 internal state
 *
 * @dev:	TPM device
 * @vendor_cmd:	Vendor command number to send
 * @vendor_subcmd: Vendor sub-command number to send
 * @recvbuf:	Buffer to save the response to
 * @recv_size:	Pointer to the size of the response buffer
 * Return: result of the operation
 */
u32 tpm2_report_state(struct udevice *dev, uint vendor_cmd, uint vendor_subcmd,
		      u8 *recvbuf, size_t *recv_size);
/**
 * tpm2_enable_nvcommits() - Tell TPM to commit NV data immediately
 *
 * For Chromium OS verified boot, we may reboot or reset at different times,
 * possibly leaving non-volatile data unwritten by the TPM.
 *
 * This vendor command is used to indicate that non-volatile data should be
 * written to its store immediately.
 *
 * @dev		TPM device
 * @vendor_cmd:	Vendor command number to send
 * @vendor_subcmd: Vendor sub-command number to send
 * Return: result of the operation
 */
u32 tpm2_enable_nvcommits(struct udevice *dev, uint vendor_cmd,
			  uint vendor_subcmd);
/**
 * tpm2_scan_masks - Scan the bitmask of algorithms based on the
 *		     active/supported banks and the one from eventlog.
 *
 * @dev		TPM device
 * @log_active	Active algorithm bitmask
 * @mask	Bitmask to set
 *
 * Return: zero on success, negative errno otherwise
 */
int tpm2_scan_masks(struct udevice *dev, u32 log_active, u32 *mask);
/**
 * tpm2_pcr_config_algo() - Allocate the active PCRs. Requires reboot
 *
 * @dev		TPM device
 * @algo_mask	Mask of the algorithms
 * @pcr		PCR structure for allocation
 * @pcr_len	Actual PCR data length
 *
 * Return: code of the operation
 */
u32 tpm2_pcr_config_algo(struct udevice *dev, u32 algo_mask,
			 struct tpml_pcr_selection *pcr, u32 *pcr_len);
/**
 * tpm2_send_pcr_allocate() - Send PCR allocate command. Requires reboot
 *
 * @dev		TPM device
 * @pw		Platform password
 * @pw_sz	Length of the password
 * @pcr		PCR structure for allocation
 * @pcr_len	Actual PCR data length
 *
 * Return: code of the operation
 */
u32 tpm2_send_pcr_allocate(struct udevice *dev, const char *pw,
			   const ssize_t pw_sz, struct tpml_pcr_selection *pcr,
			   u32 pcr_len);
/**
 * tpm2_activate_banks() - Activate PCR banks
 *
 * @param dev   TPM device
 * @log_active	Bitmask of eventlog algorithms
 *
 * Return: code of the operation
 */
int tpm2_activate_banks(struct udevice *dev, u32 log_active);
/**
 * tpm2_auto_start() - start up the TPM and perform selftests.
 *                     If a testable function has not been tested and is
 *                     requested the TPM2  will return TPM_RC_NEEDS_TEST.
 *
 * @param dev		TPM device
 * Return: TPM2_RC_TESTING, if TPM2 self-test is in progress.
 *         TPM2_RC_SUCCESS, if testing of all functions is complete without
 *         functional failures.
 *         TPM2_RC_FAILURE, if any test failed.
 *         TPM2_RC_INITIALIZE, if the TPM has not gone through the Startup
 *         sequence
 */
u32 tpm2_auto_start(struct udevice *dev);
/**
 * tpm2_name_to_algorithm() - Return an algorithm id given a supported
 *			      algorithm name
 *
 * @name: algorithm name
 * Return: enum tpm2_algorithms or -EINVAL
 */
enum tpm2_algorithms tpm2_name_to_algorithm(const char *name);
/**
 * tpm2_algorithm_name() - Return an algorithm name string for a
 *			   supported algorithm id
 *
 * @algorithm_id: algorithm defined in enum tpm2_algorithms
 * Return: algorithm name string or ""
 */
const char *tpm2_algorithm_name(enum tpm2_algorithms);
/**
 * tpm2_algorithm_supported() -  Check if the algorithm supported by U-Boot
 *
 * @algorithm_id: algorithm defined in enum tpm2_algorithms
 * Return: true if supported, otherwise false
 */
bool tpm2_algorithm_supported(enum tpm2_algorithms algo);
/**
 * tpm2_algorithm_to_len() - Return an algorithm length for supported algorithm id
 *
 * @algorithm_id: algorithm defined in enum tpm2_algorithms
 * Return: len or 0 if not supported
 */
u16 tpm2_algorithm_to_len(enum tpm2_algorithms algo);
/*
 * When measured boot is enabled via EFI or bootX commands all the algorithms
 * above are selected by our Kconfigs. Due to U-Boots nature of being small there
 * are cases where we need some functionality from the TPM -- e.g storage or RNG
 * but we don't want to support measurements.
 *
 * The choice of hash algorithms are determined by the platform and the TPM
 * configuration. Failing to cap a PCR in a bank which the platform left
 * active is a security vulnerability. It permits the unsealing of secrets
 * if an attacker can replay a good set of measurements into an unused bank.
 *
 * On top of that a previous stage bootloader (e.g TF-A), migh pass an eventlog
 * since it doesn't have a TPM driver, which U-Boot needs to replace. The algorit h
 * choice is a compile time option in that case and we need to make sure we conform.
 *
 * Add a variable here that sums the supported algorithms U-Boot was compiled
 * with so we can refuse to do measurements if we don't support all of them
 */
/**
 * tpm2_check_active_banks() - Check if the active PCR banks are supported by
 *                             our configuration
 *
 * @dev: TPM device
 * Return: true if allowed
 */
bool tpm2_check_active_banks(struct udevice *dev);
/**
 * tpm2_is_active_bank() - check the pcr_select. If at least one of the PCRs
 *			   supports the algorithm add it on the active ones
 *
 * @selection: PCR selection structure
 * Return: True if the algorithm is active
 */
bool tpm2_is_active_bank(struct tpms_pcr_selection *selection);
/**
 * tpm2_print_active_banks() - Print the active TPM PCRs
 *
 * @dev: TPM device
 */
void tpm2_print_active_banks(struct udevice *dev);
#endif /* __TPM_V2_H */
 |