Re: [PATCH] implement policy_pcr commands to lock NV-indexes behind a PCR

2024-02-22 Thread niek.nooij...@omron.com
Hi Ilias

sure I pushed it here:
https://github.com/nieknooijens/u-boot/tree/tpm_policy_patch


Niek


From: Ilias Apalodimas
Sent: 2024-02-21 18:01
To: Niek Nooijens / OC-IAB PBD-C DEVEL 1-1
CC: Dan Carpenter ; u-boot@lists.denx.de

Subject: Re: [PATCH] implement policy_pcr commands to lock NV-indexes behind a PCR


Hi Niek,

Thanks for the patch. The reason it's hard for us to apply it, is that
this patch seems copy-pasted on an email.

Instead, you should follow the guidelines here [0]. Till you get this
sorted, do you have it on a git branch somewhere, so I can cherry-pick
it and run it through the CI?

[0] https://docs.u-boot.org/en/latest/develop/sending_patches.html

Thanks
/Ilias


On Wed, 21 Feb 2024 at 02:12, niek.nooij...@omron.com
 wrote:
>
> Hi dan
>
> This might be because I used the checkpatch.pl script.
> Here's one without it.
>
> Niek
>
> =START PATCH ===
> From de056f510156a2fa1b4b439e1fa1f44516aa8add Mon Sep 17 00:00:00 2001
> From: Niek Nooijens 
> Date: Tue, 20 Feb 2024 13:42:57 +0900
> Subject: [PATCH] [TPM] implement commands to lock NV-indexes behind a PCR
>  policy
>
> Added commands are:
> - start auth session
> - flush context
> - policyPCR
> - getPolicyDigest
>
> Signed-off-by: Niek Nooijens 
> ---
>  cmd/tpm-v2.c | 258 +++
>  include/tpm-common.h |   2 +
>  include/tpm-v2.h | 126 ---
>  lib/tpm-v2.c | 355 +--
>  lib/tpm_api.c|   4 +-
>  5 files changed, 669 insertions(+), 76 deletions(-)
>
> diff --git a/cmd/tpm-v2.c b/cmd/tpm-v2.c
> index 7e479b9dfe..6b6f4629ea 100644
> --- a/cmd/tpm-v2.c
> +++ b/cmd/tpm-v2.c
> @@ -356,6 +356,221 @@ static int do_tpm_pcr_setauthvalue(struct cmd_tbl 
> *cmdtp, int flag,
>   key, key_sz));
>  }
>
> +static int do_tpm_nv_define(struct cmd_tbl *cmdtp, int flag,
> +      int argc, char *const argv[])
> +{
> + struct udevice *dev;
> + struct tpm_chip_priv *priv;
> + u32 nv_addr, nv_size, rc;
> + void *policy_addr = NULL;
> + size_t policy_size = 0;
> + int ret;
> +
> + u32 nv_attributes = TPMA_NV_PLATFORMCREATE | TPMA_NV_OWNERWRITE | 
> TPMA_NV_OWNERREAD | TPMA_NV_PPWRITE | TPMA_NV_PPREAD;
> +
> + if (argc < 3 && argc > 7)
> +   return CMD_RET_USAGE;
> +
> + ret = get_tpm(&dev);
> + if (ret)
> +   return ret;
> +
> + priv = dev_get_uclass_priv(dev);
> + if (!priv)
> +   return -EINVAL;
> +
> + nv_addr = simple_strtoul(argv[1], NULL, 0);
> +
> + nv_size = simple_strtoul(argv[2], NULL, 0);
> +
> + if (argc > 3)
> +   nv_attributes = simple_strtoul(argv[3], NULL, 0);
> +
> + if (argc > 4) {
> +   policy_addr = map_sysmem(simple_strtoul(argv[4], NULL, 0), 0);
> +   nv_attributes |= (TPMA_NV_POLICYREAD | TPMA_NV_POLICYWRITE); 
> //obligated, might as well force it
> +   if (argc < 5)
> + return CMD_RET_USAGE;
> +   policy_size = simple_strtoul(argv[5], NULL, 0);
> + }
> +
> + rc = tpm2_nv_define_space(dev, nv_addr, nv_size, nv_attributes, 
> policy_addr, policy_size);
> +
> + if (rc)
> +   printf("ERROR: nv_define #%u returns: 0x%x\n", nv_addr, rc);
> +
> + if (policy_addr)
> +   unmap_sysmem(policy_addr);
> +
> + return report_return_code(rc);
> +}
> +
> +static int do_tpm_nv_undefine(struct cmd_tbl *cmdtp, int flag,
> +      int argc, char *const argv[])
> +{
> + struct udevice *dev;
> + u32 nv_addr, ret, rc;
> +
> + ret = get_tpm(&dev);
> + if (ret)
> +   return ret;
> +
> + if (argc != 2)
> +   return CMD_RET_USAGE;
> +
> + nv_addr = simple_strtoul(argv[1], NULL, 0);
> + rc = tpm2_nv_undefine_space(dev, nv_addr);
> +
> + return report_return_code(rc);
> +}
> +
> +static int do_tpm_nv_read_value(struct cmd_tbl *cmdtp, int flag,
&g
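Review bot: the argument check at the top of do_tpm_nv_define, `if (argc < 3 && argc > 7)`, can never be true, so it never returns CMD_RET_USAGE and argv[1] and argv[2] are parsed even when they were not supplied. It should use `||`, and the upper bound should match the highest argument the function consumes, which is argv[5] (argc of 6).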

Re: [PATCH] implement policy_pcr commands to lock NV-indexes behind a PCR

2024-02-21 Thread niek.nooij...@omron.com
Hi dan

This might be because I used the checkpatch.pl script.
Here's one without it.

Niek

=START PATCH ===
From de056f510156a2fa1b4b439e1fa1f44516aa8add Mon Sep 17 00:00:00 2001
From: Niek Nooijens 
Date: Tue, 20 Feb 2024 13:42:57 +0900
Subject: [PATCH] [TPM] implement commands to lock NV-indexes behind a PCR
 policy

Added commands are:
- start auth session
- flush context
- policyPCR
- getPolicyDigest

Signed-off-by: Niek Nooijens 
---
 cmd/tpm-v2.c | 258 +++
 include/tpm-common.h |   2 +
 include/tpm-v2.h | 126 ---
 lib/tpm-v2.c | 355 +--
 lib/tpm_api.c|   4 +-
 5 files changed, 669 insertions(+), 76 deletions(-)

diff --git a/cmd/tpm-v2.c b/cmd/tpm-v2.c
index 7e479b9dfe..6b6f4629ea 100644
--- a/cmd/tpm-v2.c
+++ b/cmd/tpm-v2.c
@@ -356,6 +356,221 @@ static int do_tpm_pcr_setauthvalue(struct cmd_tbl *cmdtp, 
int flag,
  key, key_sz));
 }

+static int do_tpm_nv_define(struct cmd_tbl *cmdtp, int flag,
+      int argc, char *const argv[])
+{
+ struct udevice *dev;
+ struct tpm_chip_priv *priv;
+ u32 nv_addr, nv_size, rc;
+ void *policy_addr = NULL;
+ size_t policy_size = 0;
+ int ret;
+
+ u32 nv_attributes = TPMA_NV_PLATFORMCREATE | TPMA_NV_OWNERWRITE | 
TPMA_NV_OWNERREAD | TPMA_NV_PPWRITE | TPMA_NV_PPREAD;
+
+ if (argc < 3 && argc > 7)
+   return CMD_RET_USAGE;
+
+ ret = get_tpm(&dev);
+ if (ret)
+   return ret;
+
+ priv = dev_get_uclass_priv(dev);
+ if (!priv)
+   return -EINVAL;
+
+ nv_addr = simple_strtoul(argv[1], NULL, 0);
+
+ nv_size = simple_strtoul(argv[2], NULL, 0);
+
+ if (argc > 3)
+   nv_attributes = simple_strtoul(argv[3], NULL, 0);
+
+ if (argc > 4) {
+   policy_addr = map_sysmem(simple_strtoul(argv[4], NULL, 0), 0);
+   nv_attributes |= (TPMA_NV_POLICYREAD | TPMA_NV_POLICYWRITE); 
//obligated, might as well force it
+   if (argc < 5)
+ return CMD_RET_USAGE;
+   policy_size = simple_strtoul(argv[5], NULL, 0);
+ }
+
+ rc = tpm2_nv_define_space(dev, nv_addr, nv_size, nv_attributes, 
policy_addr, policy_size);
+
+ if (rc)
+   printf("ERROR: nv_define #%u returns: 0x%x\n", nv_addr, rc);
+
+ if (policy_addr)
+   unmap_sysmem(policy_addr);
+
+ return report_return_code(rc);
+}
+
+static int do_tpm_nv_undefine(struct cmd_tbl *cmdtp, int flag,
+      int argc, char *const argv[])
+{
+ struct udevice *dev;
+ u32 nv_addr, ret, rc;
+
+ ret = get_tpm(&dev);
+ if (ret)
+   return ret;
+
+ if (argc != 2)
+   return CMD_RET_USAGE;
+
+ nv_addr = simple_strtoul(argv[1], NULL, 0);
+ rc = tpm2_nv_undefine_space(dev, nv_addr);
+
+ return report_return_code(rc);
+}
+
+static int do_tpm_nv_read_value(struct cmd_tbl *cmdtp, int flag,
+      int argc, char *const argv[])
+{
+ struct udevice *dev;
+ u32 nv_addr, nv_size, rc;
+ void *session_addr = NULL;
+ int ret;
+ void *out_data;
+
+ ret = get_tpm(&dev);
+ if (ret)
+   return ret;
+
+ if (argc < 4)
+   return CMD_RET_USAGE;
+
+ nv_addr = simple_strtoul(argv[1], NULL, 0);
+
+ nv_size = simple_strtoul(argv[2], NULL, 0);
+
+ out_data = map_sysmem(simple_strtoul(argv[3], NULL, 0), 0);
+
+ if (argc == 5)
+   session_addr = map_sysmem(simple_strtoul(argv[4], NULL, 0), 0);
+
+ rc = tpm2_nv_read_value(dev, nv_addr, out_data, nv_size, session_addr);
+
+ if (rc)
+   printf("ERROR: nv_read #%u returns: #%u\n", nv_addr, rc);
+
+ unmap_sysmem(out_data);
+ return report_return_code(rc);
+}
+
+static int do_tpm_nv_write_value(struct cmd_tbl *cmdtp, int flag,
+      int argc, char *const argv[]) //TODO: session handle from auth 
session!
+{
+ struct udevice *dev;
+ u32 nv_addr, nv_size, rc;
+ void *session_addr = NULL;
+ int ret;
+
+ ret = get_tpm(&dev);
+   if (ret)
+ return ret;
+
+   if (argc < 4)
+ return CMD_RET_USAGE;
+
+ nv_addr = simple_strtoul(argv[1], NULL, 0); //tpm_addr
+
+ nv_size = simple_strtoul(argv[2], NULL, 0); //size
+
+ void *data_to_write = map_sysmem(simple_strtoul(argv[3], NULL, 0), 0);
+
+ if (argc == 5)
+   session_addr = map_sysmem(simple_strtoul(argv[4], NULL, 0), 0);
+
+ rc = tpm2_nv_write_value(dev, nv_addr, data_to_write, nv_size, 
session_addr);
+
+ if (rc)
+   printf("ERROR: nv_write #%u returns: #%u\n", nv_addr, rc);
+
+ unmap_sysmem(session_addr);
+ unmap_sysmem(data_to_write);
+ return report_return_code(rc);
+}
+
+static int do_start_auth_session(struct cmd_tbl *cmdtp, int flag,
+int argc, char *const argv[])
+{
+ struct udevice *dev;
+ u32 rc;
+ u8 session_type = TPM_SE_POLIC
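Review bot: session_addr is mapped and unmapped inconsistently in the two NV handlers. do_tpm_nv_read_value maps it when argc == 5 but only calls unmap_sysmem(out_data), while do_tpm_nv_write_value calls unmap_sysmem(session_addr) unconditionally, including when no session argument was given and the pointer is still NULL. Pair each map_sysmem() with an unmap guarded by `if (session_addr)`, as do_tpm_nv_define already does for policy_addr. Both handlers also accept any argc above 5 without complaint, because the only check is `argc < 4`.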

[PATCH] implement policy_pcr commands to lock NV-indexes behind a PCR

2024-02-20 Thread niek.nooij...@omron.com
Hi there

After the NV-memory read/write code I'm here again for another patch.
This time I implemented code to allow an NV-index to be locked behind a PCR 
value.
This can be used together with the new measured-boot code allowing you to store 
encryption keys inside the TPM and locking them behind PCR's.
To do that you:

  1.  set the PCR's to some value
  2.  start an auth session
  3.  create a policy_pcr
  4.  get that policy's digest
  5.  use NV_define together with the policy digest.
  6.  use nv_write together with the session handle in which the policy_digest 
was generated.

After another PCR extend, the NV index will be locked and cannot be read.
At next boot, when the PCR's are in the correct state again, you can read the 
NV_index by authenticating with a PCR value.
To do that you:

  1.  set the PCR's to the correct value
  2.  start an auth session
  3.  create a policy_pcr
  4.  nv_read whilst providing the session handle in which the policy was 
created.

It might not be perfect yet, but at least it vastly extends the TPM 
capabilities of uboot.
I generated the patch against latest github master.
Feedback is welcome.

Niek

=START PATCH
From 8d3ea3130794d9db51d95056eb42044a2c5d9f4f Mon Sep 17 00:00:00 2001
From: Niek Nooijens 
Date: Tue, 20 Feb 2024 13:42:57 +0900
Subject: [PATCH] implement policy_pcr commands to lock NV-indexes behind a PCR
 policy

Signed-off-by: Niek Nooijens 
---
 cmd/tpm-v2.c | 258 +++
 include/tpm-common.h |   2 +
 include/tpm-v2.h | 126 ---
 lib/tpm-v2.c | 355 +--
 lib/tpm_api.c|   4 +-
 5 files changed, 669 insertions(+), 76 deletions(-)

diff --git a/cmd/tpm-v2.c b/cmd/tpm-v2.c
index 7e479b9dfe..6b6f4629ea 100644
--- a/cmd/tpm-v2.c
+++ b/cmd/tpm-v2.c
@@ -356,6 +356,222 @@ static int do_tpm_pcr_setauthvalue(struct cmd_tbl *cmdtp, 
int flag,
  key, key_sz));
 }

+static int do_tpm_nv_define(struct cmd_tbl *cmdtp, int flag,
+ int argc, char *const argv[])
+{
+ struct udevice *dev;
+ struct tpm_chip_priv *priv;
+ u32 nv_addr, nv_size, rc;
+ void *policy_addr = NULL;
+ size_t policy_size = 0;
+ int ret;
+
+ u32 nv_attributes = TPMA_NV_PLATFORMCREATE | TPMA_NV_OWNERWRITE | 
TPMA_NV_OWNERREAD | TPMA_NV_PPWRITE | TPMA_NV_PPREAD;
+
+ if (argc < 3 && argc > 7)
+   return CMD_RET_USAGE;
+
+ ret = get_tpm(&dev);
+ if (ret)
+   return ret;
+
+ priv = dev_get_uclass_priv(dev);
+ if (!priv)
+   return -EINVAL;
+
+ nv_addr = simple_strtoul(argv[1], NULL, 0);
+
+ nv_size = simple_strtoul(argv[2], NULL, 0);
+
+ if (argc > 3)
+   nv_attributes = simple_strtoul(argv[3], NULL, 0);
+
+ if (argc > 4) {
+   policy_addr = map_sysmem(simple_strtoul(argv[4], NULL, 0), 0);
+   nv_attributes |= (TPMA_NV_POLICYREAD | TPMA_NV_POLICYWRITE); 
//obligated, might as well force it
+   if (argc < 5)
+ return CMD_RET_USAGE;
+   policy_size = simple_strtoul(argv[5], NULL, 0);
+ }
+
+ rc = tpm2_nv_define_space(dev, nv_addr, nv_size, nv_attributes, 
policy_addr, policy_size);
+
+ if (rc)
+   printf("ERROR: nv_define #%u returns: 0x%x\n", nv_addr, rc);
+
+ if (policy_addr)
+   unmap_sysmem(policy_addr);
+
+ return report_return_code(rc);
+}
+
+static int do_tpm_nv_undefine(struct cmd_tbl *cmdtp, int flag,
+   int argc, char *const argv[])
+{
+ struct udevice *dev;
+ u32 nv_addr, ret, rc;
+
+ ret = get_tpm(&dev);
+ if (ret)
+   return ret;
+
+ if (argc != 2)
+   return CMD_RET_USAGE;
+
+ nv_addr = simple_strtoul(argv[1], NULL, 0);
+ rc = tpm2_nv_undefine_space(dev, nv_addr);
+
+ return report_return_code(rc);
+}
+
+static int do_tpm_nv_read_value(struct cmd_tbl *cmdtp, int flag,
+   int argc, char *const argv[])
+{
+ struct udevice *dev;
+ u32 nv_addr, nv_size, rc;
+ void *session_addr = NULL;
+ int ret;
+ void *out_data;
+
+ ret = get_tpm(&dev);
+ if (ret)
+   return ret;
+
+ if (argc < 4)
+   return CMD_RET_USAGE;
+
+ nv_addr = simple_strtoul(argv[1], NULL, 0);
+
+ nv_size = simple_strtoul(argv[2], NULL, 0);
+
+ out_data = map_sysmem(simple_strtoul(argv[3], NULL, 0), 0);
+
+ if (argc == 5)
+   session_addr = map_sysmem(simple_strtoul(argv[4], NULL, 0), 0);
+
+ rc = tpm2_nv_read_value(dev, nv_addr, out_data, nv_size, session_addr);
+
+ if (rc)
+   printf("ERROR: nv_read #%u returns: #%u\n", nv_addr, rc);
+
+ unmap_sysmem(out_data);
+ return report_return_code(rc);
+}
+
+static int do_tpm_nv_write_value(struct cmd_tbl *cmdtp, int flag,
+    int argc, char *const argv[]) //TODO: session handle 
from auth session!
+{
+ struct
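Review bot: in do_tpm_nv_define the policy branch reads argv[5] without a working length check. `if (argc < 5)` sits inside `if (argc > 4)` and so can never fire; with exactly five arguments, `simple_strtoul(argv[5], NULL, 0)` reads past the arguments that were given. Test `argc < 6` before the map_sysmem() call, so that the usage return does not leave policy_addr mapped.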
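The two sequences listed in the message above (provision: auth session, policy_pcr, policy digest, NV define and write; unlock: auth session, policy_pcr, NV read), modelled offline as an added example that is not part of the patch or of U-Boot. It follows the TPM 2.0 PolicyPCR digest formula; the SHA-256 bank, the choice of PCR 7, the measurements and the `NvIndex` class are assumptions constructed for illustration.

```python
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F   # TPM 2.0 command code of TPM2_PolicyPCR
TPM_ALG_SHA256 = 0x000B          # assumption: SHA-256 bank and policy hash
DIGEST_LEN = 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """PCR_new = H(PCR_old || measurement); a PCR can only move forward."""
    if len(pcr_value) != DIGEST_LEN or len(measurement) != DIGEST_LEN:
        raise ValueError("SHA-256 PCR values and measurements are 32 bytes")
    return sha256(pcr_value + measurement)


def marshal_pcr_selection(indexes, size_of_select=3) -> bytes:
    """TPML_PCR_SELECTION with one entry: count, hash alg, bitmap size, bitmap."""
    bitmap = bytearray(size_of_select)
    for i in indexes:
        if not 0 <= i < 8 * size_of_select:
            raise ValueError(f"PCR {i} outside the selection bitmap")
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, size_of_select) + bytes(bitmap)


def policy_pcr(policy_digest: bytes, pcr_bank: dict, indexes) -> bytes:
    """policyDigest_new = H(policyDigest_old || CC_PolicyPCR || pcrs || digestTPM)."""
    selected = sorted(set(indexes))
    # digestTPM: hash over the selected PCR values in ascending index order
    pcr_digest = sha256(b"".join(pcr_bank[i] for i in selected))
    return sha256(policy_digest
                  + struct.pack(">I", TPM_CC_POLICY_PCR)
                  + marshal_pcr_selection(selected)
                  + pcr_digest)


class NvIndex:
    """Hypothetical model of an NV index defined with an authPolicy."""

    def __init__(self, auth_policy: bytes, data: bytes):
        self.auth_policy, self.data = auth_policy, data

    def read(self, session_digest: bytes) -> bytes:
        # The TPM compares the session's policyDigest with the stored authPolicy.
        if session_digest != self.auth_policy:
            raise PermissionError("policy check failed")
        return self.data


def demo():
    zero = bytes(DIGEST_LEN)                  # fresh session digest / reset PCR
    bank = {i: zero for i in range(24)}
    # Constructed measurement standing in for what measured boot extends.
    bank[7] = pcr_extend(bank[7], sha256(b"constructed bootloader image"))
    # Provisioning: policy_pcr in a session, take its digest, define the index.
    index = NvIndex(policy_pcr(zero, bank, [7]), b"disk-key (constructed)")
    # Same PCR state in a new session: the digest is reproduced, read succeeds.
    secret = index.read(policy_pcr(zero, bank, [7]))
    # One more extend of PCR 7: the session digest can no longer match.
    bank[7] = pcr_extend(bank[7], sha256(b"constructed later stage"))
    try:
        index.read(policy_pcr(zero, bank, [7]))
        locked = False
    except PermissionError:
        locked = True
    return secret, locked


if __name__ == "__main__":
    print(demo())
```

For a session that has run only policy_pcr, the value from `policy_pcr()` is what the policy-digest command should return for the same PCR state, so a mismatch points at the PCR contents or the selection rather than at the NV commands.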

Re: New TPM commands.

2023-12-21 Thread niek.nooij...@omron.com
  /* session_attrs */
+   tpm_u16(0), /* HMAC size */
+   /*end auth area*/
    tpm_u16(0), /* auth_size */

    /* message 14 bytes + policy */
@@ -842,6 +846,35 @@ u32 tpm2_nv_define_space(struct udevice *dev, u32 
space_index,
  return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
 }

+u32 tpm2_nv_undefine_space(struct udevice *dev, u32 space_index)
+{
+ const int platform_len = sizeof(u32);
+ const int session_hdr_len = 13;
+ const int message_len = 4;
+ u8 command_v2[COMMAND_BUFFER_SIZE] = {
+   /* header 10 bytes */
+   tpm_u16(TPM2_ST_SESSIONS),/* TAG */
+   tpm_u32(TPM2_HDR_LEN + platform_len + session_hdr_len +
+   message_len),/* Length - header + provision + index + 
auth area*/
+   tpm_u32(TPM2_CC_NV_UNDEFINE_SPACE),/* Command code */
+
+   /* handles 4 bytes */
+   tpm_u32(TPM2_RH_PLATFORM),/* Primary platform seed */
+   /* nv_index */
+   tpm_u32(space_index),
+
+   /*null auth session*/
+   tpm_u32(9), /* Header size */
+   tpm_u32(TPM2_RS_PW),  /* Password authorisation FIXME: 
allow PCR authorization */
+   tpm_u16(0), /* nonce_size */
+   0,  /* session_attrs */
+   tpm_u16(0), /* HMAC size */
+   /*end auth area*/
+
+ };
+ return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
+}
+
 u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
    const u8 *digest, u32 digest_len)
 {
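Review bot: the length constants in tpm2_nv_undefine_space are magic numbers whose names do not match what they count. `message_len = 4` is the NV index handle (nothing follows the auth area), and `session_hdr_len = 13` is the 4-byte authorization size plus the 9-byte password session, which is hard-coded a second time as `tpm_u32(9)`. Name them after the fields they cover, and resolve or track the `FIXME: allow PCR authorization` before this goes in.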
@@ -890,22 +923,23 @@ u32 tpm2_nv_read_value(struct udevice *dev, u32 index, 
void *data, u32 count)
  u8 command_v2[COMMAND_BUFFER_SIZE] = {
    /* header 10 bytes */
    tpm_u16(TPM2_ST_SESSIONS),/* TAG */
-   tpm_u32(10 + 8 + 4 + 9 + 4),  /* Length */
+   tpm_u32(TPM2_HDR_LEN + 8 + 4 + 9 + 4),/* Length */
    tpm_u32(TPM2_CC_NV_READ), /* Command code */

    /* handles 8 bytes */
    tpm_u32(TPM2_RH_PLATFORM),/* Primary platform seed */
-   tpm_u32(HR_NV_INDEX + index), /* Password authorisation */
+   tpm_u32(index),   /*nv index*/

    /* AUTH_SESSION */
-   tpm_u32(9), /* Authorization size */
-   tpm_u32(TPM2_RS_PW),  /* Session handle */
+   tpm_u32(9), /* Authorization size - 4 bytes*/
+   /*auth handle - 9 bytes */
+   tpm_u32(TPM2_RS_PW),  /* Password authorisation */
    tpm_u16(0), /* Size of  */
    /*  (if any) */
    0,  /* Attributes: Cont/Excl/Rst */
    tpm_u16(0), /* Size of  */
    /*  (if any) */
-
+   /*end auth handle */
    tpm_u16(count),   /* Number of bytes */
    tpm_u16(0), /* Offset */
  };
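Review bot: replacing `tpm_u32(HR_NV_INDEX + index)` with `tpm_u32(index)` changes what callers of tpm2_nv_read_value must pass: a bare index that used to be offset by HR_NV_INDEX is now sent to the TPM unmodified. State in the function's documentation and in the commit message that `index` is now the full NV handle, and check the existing callers.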
@@ -930,7 +964,7 @@ u32 tpm2_nv_write_value(struct udevice *dev, u32 index, 
const void *data,
  u32 count)
 {
  struct tpm_chip_priv *priv = dev_get_uclass_priv(dev);
- uint offset = 10 + 8 + 4 + 9 + 2;
+ uint offset = TPM2_HDR_LEN + 8 + 4 + 9 + 2;
  uint len = offset + count + 2;
  /* Use empty password auth if platform hierarchy is disabled */
  u32 auth = priv->plat_hier_disabled ? HR_NV_INDEX + index :
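Review bot: the unchanged context line `u32 auth = priv->plat_hier_disabled ? HR_NV_INDEX + index :` still adds HR_NV_INDEX to `index`, while the next hunk sends `index` unmodified as the NV handle. If `index` is now meant to be the full handle, the auth handle computed here is offset a second time when the platform hierarchy is disabled; the two uses should agree.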
@@ -943,18 +977,21 @@ u32 tpm2_nv_write_value(struct udevice *dev, u32 index, 
const void *data,

    /* handles 8 bytes */
    tpm_u32(auth),/* Primary platform seed */
-   tpm_u32(HR_NV_INDEX + index), /* Password authorisation */
+   tpm_u32(index),   /*nv index*/

    /* AUTH_SESSION */
-   tpm_u32(9), /* Authorization size */
-   tpm_u32(TPM2_RS_PW),  /* Session handle */
+   tpm_u32(9), /* Authorization size - 4 bytes */
+   /*auth handle - 9 bytes */
+   tpm_u32(TPM2_RS_PW),/* Password authorisation */  /* Session 
handle */
    tpm_u16(0), /* Size of  */
    /*  (if any) */
    0,  /* Attributes: Cont/Excl/Rst */
    tpm_u16(0), /* Size of  */
    /*  (if any) */
-
-   tpm_u16(count),
+   /*end auth handle */
+   tpm_u16(count),/*size of buffer - 2 bytes*/
+   /*data (buffer)*/
+   /*offset -> the octet offset into the NV Area*/
  };
  size_t response_len = COMMAND_BUFFER_SIZE;
  u8 response[COMMAND_BUFFER_SIZE];
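Review bot: the comments in the auth area no longer describe the initializer. `tpm_u32(TPM2_RS_PW)` carries two stacked comments (`/* Password authorisation */  /* Session handle */`), and `/*data (buffer)*/` and `/*offset -> ...*/` name fields that are not in the array at this point. Keep one comment per field and say where the data and offset are appended.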
--
2.34.1
===END PATCH===



From: Ilias Apalodimas
Sent: 2023-12-20 17:17
To: Niek Nooijens / OC-IAB PBD-C DEVEL 1-1
CC: u-boot@lists.denx.d

New TPM commands.

2023-12-20 Thread niek.nooij...@omron.com
Hi There

I added some new commands to the TPM2 command to allow read/writes to 
nv_memory. I also implemented the nv_define and nv_undefine commands so spaces 
can be created/deleted.
Still need to test with PCR policies, but at least for now we can store values 
in the TPM.

Here's the patch:

Signed-off-by: Niek Nooijens 
BEGIN OF PATCH==
diff --git a/cmd/tpm-v2.c b/cmd/tpm-v2.c
index d93b83ada9..d2a06b9f65 100644
--- a/cmd/tpm-v2.c
+++ b/cmd/tpm-v2.c
@@ -356,6 +356,133 @@ static int do_tpm_pcr_setauthvalue(struct cmd_tbl *cmdtp, 
int flag,
  key, key_sz));
 }

+static int do_tpm_nv_define(struct cmd_tbl *cmdtp, int flag,
+      int argc, char *const argv[])
+{
+ struct udevice *dev;
+ struct tpm_chip_priv *priv;
+ u32 nv_addr, nv_size,nv_attributes, rc;
+ void *policy_addr = NULL;
+ size_t policy_size = 0;
+ int ret;
+
+ nv_attributes = 0;
+
+ if ((argc < 3 && argc > 6) || argc == 4)
+   return CMD_RET_USAGE;
+
+ ret = get_tpm(&dev);
+ if (ret)
+   return ret;
+
+ priv = dev_get_uclass_priv(dev);
+ if (!priv)
+   return -EINVAL;
+
+ nv_addr = simple_strtoul(argv[1], NULL, 0); //tpm_addr
+
+ nv_size = simple_strtoul(argv[2], NULL, 0); //size
+
+ if(argc > 3) { //attributes
+   nv_attributes = simple_strtoul(argv[3], NULL, 0);
+ } else {
+   nv_attributes = 
TPMA_NV_PLATFORMCREATE|TPMA_NV_OWNERWRITE|TPMA_NV_OWNERREAD|TPMA_NV_PPWRITE|TPMA_NV_PPREAD;
+ }
+
+ if(argc > 4) {//policy
+   policy_addr = map_sysmem(simple_strtoul(argv[4], NULL, 0), 0);
+   if((nv_attributes & (TPMA_NV_POLICYREAD|TPMA_NV_POLICYWRITE)) == 0) 
{ //not sure if I should enforce this or just warn the user?
+ printf("Warning: policy provided, but TPMA_NV_POLICYREAD and 
TPMA_NV_POLICYWRITE are NOT set!\n");
+   }
+   policy_size = simple_strtoul(argv[5], NULL, 0);
+ }
+
+ rc = tpm2_nv_define_space(dev, nv_addr, nv_size, 
nv_attributes,policy_addr, policy_size);
+
+ if (rc) {
+   printf("ERROR: nv_define #%u returns: 0x%x\n", nv_addr, rc);
+ }
+ if(argc > 4) {
+   unmap_sysmem(policy_addr);
+ }
+ return report_return_code(rc);
+}
+
+static int do_tpm_nv_undefine(struct cmd_tbl *cmdtp, int flag,
+      int argc, char *const argv[])
+{
+ struct udevice *dev;
+ u32 nv_addr,ret, rc;
+
+ ret = get_tpm(&dev);
+ if (ret)
+   return ret;
+
+ if (argc !=2)
+ return CMD_RET_USAGE;
+ nv_addr = simple_strtoul(argv[1], NULL, 0); //tpm_addr
+ rc = tpm2_nv_undefine_space(dev, nv_addr);
+
+ return report_return_code(rc);
+}
+
+static int do_tpm_nv_read_value(struct cmd_tbl *cmdtp, int flag,
+      int argc, char *const argv[])
+{
+ struct udevice *dev;
+ u32 nv_addr, nv_size, rc;
+ int ret;
+ void *out_data;
+ ret = get_tpm(&dev);
+   if (ret)
+ return ret;
+
+   if (argc != 4)
+ return CMD_RET_USAGE;
+
+ nv_addr = simple_strtoul(argv[1], NULL, 0); //tpm_addr
+
+ nv_size = simple_strtoul(argv[2], NULL, 0); //size
+
+ out_data = map_sysmem(simple_strtoul(argv[3], NULL, 0), 0);
+
+ rc = tpm2_nv_read_value(dev,nv_addr, out_data, nv_size);
+
+ if (rc) {
+   printf("ERROR: nv_read #%u returns: #%u\n", nv_addr, rc);
+ }
+ unmap_sysmem(out_data);
+ return report_return_code(rc);
+}
+
+static int do_tpm_nv_write_value(struct cmd_tbl *cmdtp, int flag,
+      int argc, char *const argv[])
+{
+ struct udevice *dev;
+ u32 nv_addr, nv_size, rc;
+ int ret;
+ ret = get_tpm(&dev);
+   if (ret)
+ return ret;
+
+   if (argc != 4)
+ return CMD_RET_USAGE;
+
+ nv_addr = simple_strtoul(argv[1], NULL, 0); //tpm_addr
+
+ nv_size = simple_strtoul(argv[2], NULL, 0); //size
+
+ void *data_to_write = map_sysmem(simple_strtoul(argv[3], NULL, 0), 0);
+
+ rc = tpm2_nv_write_value(dev,nv_addr, data_to_write, nv_size);
+
+ if (rc) {
+   printf("ERROR: nv_read #%u returns: #%u\n", nv_addr, rc);
+ }
+ unmap_sysmem(data_to_write);
+ return report_return_code(rc);
+}
+
 static struct cmd_tbl tpm2_commands[] = {
  U_BOOT_CMD_MKENT(device, 0, 1, do_tpm_device, "", ""),
  U_BOOT_CMD_MKENT(info, 0, 1, do_tpm_info, "", ""),
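Review bot: do_tpm_nv_write_value reports failures as "ERROR: nv_read ...", a string copied from the read handler; it should say nv_write. In do_tpm_nv_define, `(argc < 3 && argc > 6) || argc == 4` only ever rejects argc == 4, which is the attributes-without-policy case that the `if(argc > 3)` branch would otherwise handle, while argc == 5 is accepted and then reads argv[5]. Reject argc < 3, argc == 5 and argc > 6 explicitly, and decide whether attributes without a policy is meant to be allowed.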
@@ -374,6 +501,10 @@ static struct cmd_tbl tpm2_commands[] = {
   do_tpm_pcr_setauthpolicy, "", ""),
  U_BOOT_CMD_MKENT(pcr_setauthvalue, 0, 1,
   do_tpm_pcr_setauthvalue, "", ""),
+ U_BOOT_CMD_MKENT(nv_define, 0, 1, do_tpm_nv_define, "", ""),
+ U_BOOT_CMD_MKENT(nv_undefine, 0, 1, do_tpm_nv_undefine, "", ""),
+ U_BOOT_CMD_MKENT(nv_read, 0, 1, do_tpm_nv_read_value, "", ""),
+ U_BOOT_CMD_MKENT(nv_write, 0, 1, do_tpm_nv_write_value, "", ""),
 };

 struct cm

Re: TPM SPI issue

2023-11-30 Thread niek.nooij...@omron.com
Hi Fabio

I'm using the socfpga_cyclone5 with the designware_spi driver.
I added the TPM to the devicetree as so:
&spi0 {
  status = "okay";
  num-cs = <2>;
  mram0@0 {
    compatible = "spi-dev";
    reg = <0>;
    spi-max-frequency = <100>;
  };
  tpm@1 { // slm9670 - U144
    compatible = "infineon,slb9670", "tcg,tpm_tis-spi";
    reg = <1>;
    spi-max-frequency = <100>;
  };
};

Niek

From: Fabio Estevam
Sent: 2023-11-29 22:17
To: Niek Nooijens / OC-IAB PBD-C DEVEL 1-1
CC: u-boot@lists.denx.de
Subject: Re: TPM SPI issue


Hi Niek,

On Wed, Nov 29, 2023 at 9:51 AM niek.nooij...@omron.com
 wrote:
>
> Hi there
>
> I have the same issue as here:
> https://community.infineon.com/t5/OPTIGA-TPM/I-MX8-TPM-SLB9670-SPI-Com-Error/td-p/472533
>
> apparently the CS is released in between responses. Can you help me solve 
> this?

Which SoC are you using?

In case you are using drivers/spi/mxc_spi.c, there was a commit in the
kernel driver that
allowed to put the CS line in low when idle:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.6.3&id=6a983ff5102ff0d859df05ca3f5cf2f6a17c0fad


TPM SPI issue

2023-11-29 Thread niek.nooij...@omron.com
Hi there

I have the same issue as here:
https://community.infineon.com/t5/OPTIGA-TPM/I-MX8-TPM-SLB9670-SPI-Com-Error/td-p/472533

apparently the CS is released in between responses. Can you help me solve this?
Thnx!

Niek


Re: quick question about TPM

2023-10-25 Thread niek.nooij...@omron.com
Hi Simon

Yes that fixes it! Thanks!
Maybe an idea to add a dedicated TPM page to the docs with information like 
this?
(https://u-boot.readthedocs.io/en/latest/index.html) Cause I wouldn't have 
thought I needed an option tucked away under Library routines.

Anyhow Thanks!
Niek




From: Simon Glass
Sent: 2023-10-26 03:23
To: Niek Nooijens / OC-IAB PBD-C DEVEL 1-1
CC: u-boot@lists.denx.de
Subject: Re: quick question about TPM

Hi Niek,

On Tue, 24 Oct 2023 at 19:26, niek.nooij...@omron.com
 wrote:
>
> Hi Simon
>
> Driver model is enabled, so it's pretty weird it doesn't show up.
> CONFIG_DM=y
> CONFIG_SPL_DM=y
> CONFIG_DM_WARN=y
>
> The TPM menu is there, yet somehow empty.
> This is just after "make socfpga_cyclone5_defconfig" and "make menuconfig"

Do you enable CONFIG_TPM here?:

Library routines -> Security support -> Trusted Platform Module (TPM) Support

then the drivers appear for me (under device drivers)

> if I use "make snow_defconfig" the menu is usable like normal, so something 
> is disabling it, yet when grep-ping for TPM in socfpga there are no results.
> Adding it to .config manually also doesn't seem to work. so I'm a bit 
> confused about what's going on. Anyhow thanks for the help!

You can edit the defconfig to add CONFIG_TPM and whatever driver you need.

Regards,
Simon


>
> Niek
> 
> From: Simon Glass
> Sent: 2023-10-25 03:03
> To: Niek Nooijens / OC-IAB PBD-C DEVEL 1-1
> CC: u-boot@lists.denx.de
> Subject: Re: quick question about TPM
>
> Hi Niek,
>
> On Tue, 24 Oct 2023 at 04:51, niek.nooij...@omron.com
>  wrote:
> >
> > Hi
> >
> > Just a quick question. I'm developing a platform using the 
> > socfpga_cyclone5_defconfig
> > everything is working, linux boots, but we decided to add a TPM to its SPI 
> > bus.
> > For some reason the TPM support menu in the menuconfig is disabled and I 
> > can't seem to find out why, or which file disables it. can you point me in 
> > the right direction?
>
> The only thing 'config TPM' depends on is DM (driver model). Is that
> somehow disabled? Once you enable that, it should appear.
>
> Regards,
> Simon


Re: quick question about TPM

2023-10-24 Thread niek.nooij...@omron.com
Hi Simon

Driver model is enabled, so it's pretty weird it doesn't show up.
CONFIG_DM=y
CONFIG_SPL_DM=y
CONFIG_DM_WARN=y

The TPM menu is there, yet somehow empty.
This is just after "make socfpga_cyclone5_defconfig" and "make menuconfig"
if I use "make snow_defconfig" the menu is usable like normal, so something is 
disabling it, yet when grep-ping for TPM in socfpga there are no results.
Adding it to .config manually also doesn't seem to work. so I'm a bit confused 
about what's going on. Anyhow thanks for the help!

Niek

From: Simon Glass
Sent: 2023-10-25 03:03
To: Niek Nooijens / OC-IAB PBD-C DEVEL 1-1
CC: u-boot@lists.denx.de
Subject: Re: quick question about TPM

Hi Niek,

On Tue, 24 Oct 2023 at 04:51, niek.nooij...@omron.com
 wrote:
>
> Hi
>
> Just a quick question. I'm developing a platform using the 
> socfpga_cyclone5_defconfig
> everything is working, linux boots, but we decided to add a TPM to its SPI 
> bus.
> For some reason the TPM support menu in the menuconfig is disabled and I 
> can't seem to find out why, or which file disables it. can you point me in 
> the right direction?

The only thing 'config TPM' depends on is DM (driver model). Is that
somehow disabled? Once you enable that, it should appear.

Regards,
Simon


quick question about TPM

2023-10-24 Thread niek.nooij...@omron.com
Hi

Just a quick question. I'm developing a platform using the 
socfpga_cyclone5_defconfig
everything is working, linux boots, but we decided to add a TPM to its SPI bus.
For some reason the TPM support menu in the menuconfig is disabled and I can't 
seem to find out why, or which file disables it. can you point me in the right 
direction?

Thanks!

Niek Nooijens.