src/lib/tpm2_tlcl_structures.h

   1 /*
   2  * Copyright 2016 The Chromium OS Authors. All rights reserved.
   3  * Use of this source code is governed by a BSD-style license that can be
   4  * found in the LICENSE file.
   5  */
   6
   7 #ifndef __SRC_LIB_TPM2_TLCL_STRUCTURES_H
   8 #define __SRC_LIB_TPM2_TLCL_STRUCTURES_H
   9
  10 /*
  11  * This file includes a subset of definitions of TPM protocol version 2.x
  12  * constants and structures needed for functions used in coreboot.
  13  */
  14 #include <stdint.h>
  15 #include <compiler.h>
  16 #include <tpm_lite/tlcl.h>
  17 #include <types.h>
  18
  19 /* This should be plenty for what firmware needs. */
  20 #define TPM_BUFFER_SIZE 256
  21
  22 /* Basic TPM2 types. */
  23 typedef uint16_t TPM_SU;
  24 typedef uint16_t TPM_ALG_ID;
  25 typedef uint32_t TPM_CC;
  26 typedef uint32_t TPM_HANDLE;
  27 typedef uint32_t TPM_RC;
  28 typedef uint8_t TPMI_YES_NO;
  29 typedef TPM_ALG_ID TPMI_ALG_HASH;
  30 typedef TPM_HANDLE TPMI_DH_PCR;
  31 typedef TPM_HANDLE TPMI_RH_NV_INDEX;
  32 typedef TPM_HANDLE TPMI_RH_ENABLES;
  33 typedef TPM_HANDLE TPMI_SH_AUTH_SESSION;
  34 typedef TPM_HANDLE TPM_RH;
  35
  36 /* Some hardcoded algorithm values. */
  37 #define TPM_ALG_HMAC   ((TPM_ALG_ID)0x0005)
  38 #define TPM_ALG_NULL   ((TPM_ALG_ID)0x0010)
  39 #define TPM_ALG_SHA1   ((TPM_ALG_ID)0x0004)
  40 #define TPM_ALG_SHA256 ((TPM_ALG_ID)0x000b)
  41
  42 #define SHA256_DIGEST_SIZE 32
  43
  44 /* Some hardcoded hierarchies. */
  45 #define TPM_RH_NULL         0x40000007
  46 #define TPM_RS_PW           0x40000009
  47 #define TPM_RH_PLATFORM     0x4000000C
  48
  49 typedef struct {
  50         uint16_t      size;
  51         uint8_t       *buffer;
  52 } TPM2B;
  53
  54 /* Relevant TPM Command's structures. */
  55 /* Common command/response header. */
  56 struct tpm_header {
  57         uint16_t tpm_tag;
  58         uint32_t tpm_size;
  59         TPM_CC tpm_code;
  60 } __packed;
  61
  62 /* TPM command codes. */
  63 #define TPM2_Hierarchy_Control ((TPM_CC)0x00000121)
  64 #define TPM2_Clear             ((TPM_CC)0x00000126)
  65 #define TPM2_NV_DefineSpace    ((TPM_CC)0x0000012A)
  66 #define TPM2_NV_Write          ((TPM_CC)0x00000137)
  67 #define TPM2_NV_WriteLock      ((TPM_CC)0x00000138)
  68 #define TPM2_SelfTest          ((TPM_CC)0x00000143)
  69 #define TPM2_Startup           ((TPM_CC)0x00000144)
  70 #define TPM2_NV_Read           ((TPM_CC)0x0000014E)
  71 #define TPM2_GetCapability     ((TPM_CC)0x0000017A)
  72 #define TPM2_PCR_Extend        ((TPM_CC)0x00000182)
  73 /* TPM2 specifies vendor commands need to have this bit set. Vendor command
  74    space is defined by the lower 16 bits. */
  75 #define TPM_CC_VENDOR_BIT_MASK 0x20000000
  76 /* FIXME: below is not enough to differentiate between vendors commands
  77    of numerous devices. However, the current tpm2 APIs aren't very amenable
  78    to extending generically because the marshaling code is assuming all
  79    knowledge of all commands. */
  80 #define TPM2_CR50_VENDOR_COMMAND ((TPM_CC)(TPM_CC_VENDOR_BIT_MASK | 0))
  81 #define  TPM2_CR50_SUB_CMD_NVMEM_ENABLE_COMMITS (21)
  82 #define  TPM2_CR50_SUB_CMD_TURN_UPDATE_ON (24)
  83
  84 /* Startup values. */
  85 #define TPM_SU_CLEAR 0
  86 #define TPM_SU_STATE 1
  87
  88 #define TPM_HT_PCR             0x00
  89 #define TPM_HT_NV_INDEX        0x01
  90 #define TPM_HT_HMAC_SESSION    0x02
  91 #define TPM_HT_POLICY_SESSION  0x03
  92
  93 #define HR_SHIFT               24
  94 #define HR_PCR                (TPM_HT_PCR <<  HR_SHIFT)
  95 #define HR_HMAC_SESSION       (TPM_HT_HMAC_SESSION <<  HR_SHIFT)
  96 #define HR_POLICY_SESSION     (TPM_HT_POLICY_SESSION <<  HR_SHIFT)
  97 #define HR_TRANSIENT          (TPM_HT_TRANSIENT <<  HR_SHIFT)
  98 #define HR_PERSISTENT         (TPM_HT_PERSISTENT <<  HR_SHIFT)
  99 #define HR_NV_INDEX           (TPM_HT_NV_INDEX <<  HR_SHIFT)
 100 #define HR_PERMANENT          (TPM_HT_PERMANENT <<  HR_SHIFT)
 101 #define PCR_FIRST             (HR_PCR + 0)
 102 #define PCR_LAST              (PCR_FIRST + IMPLEMENTATION_PCR-1)
 103 #define HMAC_SESSION_FIRST    (HR_HMAC_SESSION + 0)
 104 #define HMAC_SESSION_LAST     (HMAC_SESSION_FIRST+MAX_ACTIVE_SESSIONS-1)
 105 #define LOADED_SESSION_FIRST  HMAC_SESSION_FIRST
 106 #define LOADED_SESSION_LAST   HMAC_SESSION_LAST
 107 #define POLICY_SESSION_FIRST  (HR_POLICY_SESSION + 0)
 108 #define POLICY_SESSION_LAST   (POLICY_SESSION_FIRST + MAX_ACTIVE_SESSIONS-1)
 109 #define TRANSIENT_FIRST       (HR_TRANSIENT + 0)
 110 #define ACTIVE_SESSION_FIRST  POLICY_SESSION_FIRST
 111 #define ACTIVE_SESSION_LAST   POLICY_SESSION_LAST
 112 #define TRANSIENT_LAST        (TRANSIENT_FIRST+MAX_LOADED_OBJECTS-1)
 113 #define PERSISTENT_FIRST      (HR_PERSISTENT + 0)
 114 #define PERSISTENT_LAST       (PERSISTENT_FIRST + 0x00FFFFFF)
 115 #define PLATFORM_PERSISTENT   (PERSISTENT_FIRST + 0x00800000)
 116 #define NV_INDEX_FIRST        (HR_NV_INDEX + 0)
 117 #define NV_INDEX_LAST         (NV_INDEX_FIRST + 0x00FFFFFF)
 118 #define PERMANENT_FIRST       TPM_RH_FIRST
 119 #define PERMANENT_LAST        TPM_RH_LAST
 120
 121 /* Tpm2 command tags. */
 122 #define TPM_ST_NO_SESSIONS 0x8001
 123 #define TPM_ST_SESSIONS    0x8002
 124
 125 /* Values copied from tpm2/tpm_types.h */
 126 #define RC_VER1                                         0x100
 127 #define TPM_RC_INITIALIZE         ((TPM_RC)(RC_VER1 + 0x000))
 128 #define TPM_RC_NV_UNINITIALIZED   ((TPM_RC)(RC_VER1 + 0x04A))
 129
 130 /*
 131  * Cr50 returns this code when an attempt is made to read an NV location which
 132  * has not yet been defined. This is an aggregation of various return code
 133  * extensions which may or may not match if a different TPM2 device is
 134  * used.
 135  */
 136 #define TPM_RC_CR50_NV_UNDEFINED  0x28b
 137
 138 /* TPM command structures. */
 139
 140 struct tpm2_startup {
 141         TPM_SU  startup_type;
 142 };
 143
 144 /* Various TPM capability types to use when querying the device. */
 145 typedef uint32_t TPM_CAP;
 146 #define TPM_CAP_TPM_PROPERTIES   ((TPM_CAP)0x00000006)
 147
 148 typedef TPM_HANDLE TPMI_RH_NV_AUTH;
 149 typedef TPM_HANDLE TPMI_RH_NV_INDEX;
 150
 151 /* TPM Property capability constants. */
 152 typedef uint32_t TPM_PT;
 153 #define PT_GROUP                                   0x00000100
 154 #define PT_VAR                                 (PT_GROUP * 2)
 155 #define TPM_PT_PERMANENT               ((TPM_PT)(PT_VAR + 0))
 156
 157 /* Structures of payloads of various TPM2 commands. */
 158 struct tpm2_get_capability {
 159         TPM_CAP capability;
 160         uint32_t property;
 161         uint32_t propertyCount;
 162 };
 163
 164 /* get_capability response when PT_PERMANENT is requested. */
 165 typedef struct {
 166         uint32_t ownerAuthSet       : 1;
 167         uint32_t endorsementAuthSet : 1;
 168         uint32_t lockoutAuthSet     : 1;
 169         uint32_t reserved3_7        : 5;
 170         uint32_t disableClear       : 1;
 171         uint32_t inLockout          : 1;
 172         uint32_t tpmGeneratedEPS    : 1;
 173         uint32_t reserved11_31      : 21;
 174 } TPMA_PERMANENT;
 175
 176 typedef struct {
 177         uint32_t TPMA_NV_PPWRITE        : 1;
 178         uint32_t TPMA_NV_OWNERWRITE     : 1;
 179         uint32_t TPMA_NV_AUTHWRITE      : 1;
 180         uint32_t TPMA_NV_POLICYWRITE    : 1;
 181         uint32_t TPMA_NV_COUNTER        : 1;
 182         uint32_t TPMA_NV_BITS           : 1;
 183         uint32_t TPMA_NV_EXTEND         : 1;
 184         uint32_t reserved7_9            : 3;
 185         uint32_t TPMA_NV_POLICY_DELETE  : 1;
 186         uint32_t TPMA_NV_WRITELOCKED    : 1;
 187         uint32_t TPMA_NV_WRITEALL       : 1;
 188         uint32_t TPMA_NV_WRITEDEFINE    : 1;
 189         uint32_t TPMA_NV_WRITE_STCLEAR  : 1;
 190         uint32_t TPMA_NV_GLOBALLOCK     : 1;
 191         uint32_t TPMA_NV_PPREAD         : 1;
 192         uint32_t TPMA_NV_OWNERREAD      : 1;
 193         uint32_t TPMA_NV_AUTHREAD       : 1;
 194         uint32_t TPMA_NV_POLICYREAD     : 1;
 195         uint32_t reserved20_24          : 5;
 196         uint32_t TPMA_NV_NO_DA          : 1;
 197         uint32_t TPMA_NV_ORDERLY        : 1;
 198         uint32_t TPMA_NV_CLEAR_STCLEAR  : 1;
 199         uint32_t TPMA_NV_READLOCKED     : 1;
 200         uint32_t TPMA_NV_WRITTEN        : 1;
 201         uint32_t TPMA_NV_PLATFORMCREATE : 1;
 202         uint32_t TPMA_NV_READ_STCLEAR   : 1;
 203 } TPMA_NV;
 204
 205 typedef union {
 206         struct {
 207                 uint16_t  size;
 208                 const uint8_t   *buffer;
 209         } t;
 210         TPM2B b;
 211 } TPM2B_DIGEST;
 212
 213 typedef TPM2B_DIGEST TPM2B_AUTH;
 214 typedef TPM2B_DIGEST TPM2B_NONCE;
 215
 216 typedef struct {
 217         TPM_PT  property;
 218         uint32_t  value;
 219 } TPMS_TAGGED_PROPERTY;
 220
 221 #define MAX_CAP_DATA (TPM_BUFFER_SIZE - sizeof(struct tpm_header) - \
 222                       sizeof(TPMI_YES_NO) - sizeof(TPM_CAP) - sizeof(uint32_t))
 223 #define MAX_TPM_PROPERTIES  (MAX_CAP_DATA/sizeof(TPMS_TAGGED_PROPERTY))
 224
 225 /* Somewhat arbitrary, leave enough room for command wrappers. */
 226 #define MAX_NV_BUFFER_SIZE (TPM_BUFFER_SIZE - sizeof(struct tpm_header) - 50)
 227
 228 typedef struct {
 229         uint32_t              count;
 230         TPMS_TAGGED_PROPERTY  tpmProperty[MAX_TPM_PROPERTIES];
 231 } TPML_TAGGED_TPM_PROPERTY;
 232
 233 typedef union {
 234         TPML_TAGGED_TPM_PROPERTY  tpmProperties;
 235 } TPMU_CAPABILITIES;
 236
 237 typedef struct {
 238         TPM_CAP            capability;
 239         TPMU_CAPABILITIES  data;
 240 } TPMS_CAPABILITY_DATA;
 241
 242 struct get_cap_response {
 243         TPMI_YES_NO more_data;
 244         TPMS_CAPABILITY_DATA cd;
 245 };
 246
 247 typedef struct {
 248         TPMI_RH_NV_INDEX  nvIndex;
 249         TPMI_ALG_HASH     nameAlg;
 250         TPMA_NV           attributes;
 251         TPM2B_DIGEST      authPolicy;
 252         uint16_t          dataSize;
 253 } TPMS_NV_PUBLIC;
 254
 255 typedef union {
 256         struct {
 257                 uint16_t        size;
 258                 TPMS_NV_PUBLIC  nvPublic;
 259         } t;
 260         TPM2B b;
 261 } TPM2B_NV_PUBLIC;
 262
 263 typedef union {
 264         struct {
 265                 uint16_t  size;
 266                 const uint8_t   *buffer;
 267         } t;
 268         TPM2B b;
 269 } TPM2B_MAX_NV_BUFFER;
 270
 271 /*
 272  * This is a union, but as of now we support just one digest - sha256, so
 273  * there is just one element.
 274  */
 275 typedef union {
 276         uint8_t  sha256[SHA256_DIGEST_SIZE];
 277 } TPMU_HA;
 278
 279 typedef struct {
 280         TPMI_ALG_HASH  hashAlg;
 281         TPMU_HA        digest;
 282 } TPMT_HA;
 283
 284 typedef struct {
 285         uint32_t   count;
 286         TPMT_HA  digests[1];  /* Limit max number of hashes to 1. */
 287 } TPML_DIGEST_VALUES;
 288
 289 struct nv_read_response {
 290         uint32_t params_size;
 291         TPM2B_MAX_NV_BUFFER buffer;
 292 };
 293
 294 struct vendor_command_response {
 295         uint16_t vc_subcommand;
 296         union {
 297                 uint8_t num_restored_headers;
 298         };
 299 };
 300
 301 struct tpm2_session_attrs {
 302         uint8_t continueSession : 1;
 303         uint8_t auditExclusive  : 1;
 304         uint8_t auditReset      : 1;
 305         uint8_t reserved3_4     : 2;
 306         uint8_t decrypt         : 1;
 307         uint8_t encrypt         : 1;
 308         uint8_t audit           : 1;
 309 };
 310
 311 /*
 312  * TPM session header for commands requiring session information. Also
 313  * included in the responses to those commands.
 314  */
 315 struct tpm2_session_header {
 316         uint32_t session_handle;
 317         uint16_t nonce_size;
 318         uint8_t *nonce;
 319         union {
 320                 struct tpm2_session_attrs session_attr_bits;
 321                 uint8_t session_attrs;
 322         }  __packed;
 323         uint16_t auth_size;
 324         uint8_t *auth;
 325 };
 326
 327 struct tpm2_response {
 328         struct tpm_header hdr;
 329         union {
 330                 struct get_cap_response gc;
 331                 struct nv_read_response nvr;
 332                 struct tpm2_session_header def_space;
 333                 struct vendor_command_response vcr;
 334         };
 335 };
 336
 337 struct tpm2_nv_define_space_cmd {
 338         TPM2B_AUTH auth;
 339         TPMS_NV_PUBLIC publicInfo;
 340 };
 341
 342 struct tpm2_nv_write_cmd {
 343         TPMI_RH_NV_INDEX nvIndex;
 344         TPM2B_MAX_NV_BUFFER data;
 345         uint16_t offset;
 346 };
 347
 348 struct tpm2_self_test {
 349         TPMI_YES_NO yes_no;
 350 };
 351
 352 struct tpm2_nv_read_cmd {
 353         TPMI_RH_NV_INDEX nvIndex;
 354         uint16_t size;
 355         uint16_t offset;
 356 };
 357
 358 struct tpm2_nv_write_lock_cmd {
 359         TPMI_RH_NV_INDEX nvIndex;
 360 };
 361
 362 struct tpm2_pcr_extend_cmd {
 363         TPMI_DH_PCR pcrHandle;
 364         TPML_DIGEST_VALUES digests;
 365 };
 366
 367 struct tpm2_hierarchy_control_cmd {
 368         TPMI_RH_ENABLES enable;
 369         TPMI_YES_NO state;
 370 };
 371
 372 #endif // __SRC_LIB_TPM2_TLCL_STRUCTURES_H