Add support for the TPM2_HierarchyChangeAuth command. Change the command file and the help accordingly.
Signed-off-by: Miquel Raynal <miquel.ray...@bootlin.com>
---
 cmd/tpm.c | 34 ++++++++++++++++++++++++++++++++++
 include/tpm.h | 14 ++++++++++++++
 lib/tpm.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 95 insertions(+)
diff --git a/cmd/tpm.c b/cmd/tpm.c
index 533da2d2ac..3c486c313b 100644
--- a/cmd/tpm.c
+++ b/cmd/tpm.c
@@ -555,6 +555,36 @@ static int do_tpm_force_clear(cmd_tbl_t *cmdtp, int flag,
 return report_return_code(tpm_force_clear(handle, pw, pw_sz));
 }
 
+static int do_tpm_change_auth(cmd_tbl_t *cmdtp, int flag,
+ int argc, char *const argv[])
+{
+ u32 handle;
+ const char *newpw = argv[2];
+ const char *oldpw = (argc == 3) ? NULL : argv[3];
+ const ssize_t newpw_sz = strlen(newpw);
+ const ssize_t oldpw_sz = oldpw ? strlen(oldpw) : 0;
+
+ if (argc < 3 || argc > 4)
+ return CMD_RET_USAGE;
+
+ if (newpw_sz > TPM2_DIGEST_LENGTH || oldpw_sz > TPM2_DIGEST_LENGTH)
+ return -EINVAL;
+
+ if (!strcasecmp("TPM2_RH_LOCKOUT", argv[1]))
+ handle = TPM2_RH_LOCKOUT;
+ else if (!strcasecmp("TPM2_RH_ENDORSEMENT", argv[1]))
+ handle = TPM2_RH_ENDORSEMENT;
+ else if (!strcasecmp("TPM2_RH_OWNER", argv[1]))
+ handle = TPM2_RH_OWNER;
+ else if (!strcasecmp("TPM2_RH_PLATFORM", argv[1]))
+ handle = TPM2_RH_PLATFORM;
+ else
+ return CMD_RET_USAGE;
+
+ return report_return_code(tpm2_change_auth(handle, newpw, newpw_sz,
+ oldpw, oldpw_sz));
+}
+
 #define TPM_COMMAND_NO_ARG(cmd) \
 static int do_##cmd(cmd_tbl_t *cmdtp, int flag, \
 int argc, char * const argv[]) \
@@ -959,6 +989,8 @@ static cmd_tbl_t tpm_commands[] = {
 do_tpm_dam_set_parameters, "", ""),
 U_BOOT_CMD_MKENT(force_clear, 0, 1,
 do_tpm_force_clear, "", ""),
+ U_BOOT_CMD_MKENT(change_auth, 0, 1,
+ do_tpm_change_auth, "", ""),
 U_BOOT_CMD_MKENT(physical_enable, 0, 1,
 do_tpm_physical_enable, "", ""),
 U_BOOT_CMD_MKENT(physical_disable, 0, 1, 
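Review bot: In do_tpm_change_auth the initializers `strlen(newpw)` and `argv[3]` run before the `argc < 3 || argc > 4` check, so `tpm change_auth` invoked with fewer than three arguments reads past the argument vector and hands a null pointer to strlen before the usage error can be returned. Make `if (argc < 3 || argc > 4) return CMD_RET_USAGE;` the first statement of the function and only then assign newpw, oldpw and their lengths. The `return -EINVAL` for an over-long password is also the one value in this handler that is not a CMD_RET_* code; the neighbouring handlers in the hunk report results through `report_return_code()` or `CMD_RET_USAGE`, so returning `CMD_RET_FAILURE` (optionally after printing the TPM2_DIGEST_LENGTH limit) keeps the command's exit status consistent with the rest of the table.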
@@ -1060,6 +1092,8 @@ U_BOOT_CMD(tpm, CONFIG_SYS_MAXARGS, 1, do_tpm,
 " force_clear [<type>]\n"
 " - Issue TPM_[Force]Clear command, with <type> one of (TPMv2 only):\n"
 " * TPM2_RH_LOCKOUT, TPM2_RH_PLATFORM.\n"
+" change_auth <new_pw> [<old_pw>]\n"
+" - Change the hierarchy authorizations (TPMv2 only).\n"
 " tsc_physical_presence flags\n"
 " - Set TPM device's Physical Presence flags to <flags>.\n"
 "The Capability Commands:\n"
diff --git a/include/tpm.h b/include/tpm.h
index 4d062584f9..cc63f06634 100644
--- a/include/tpm.h
+++ b/include/tpm.h
@@ -60,6 +60,7 @@ enum tpm2_command_codes {
 TPM2_CC_SELF_TEST = 0x0143,
 TPM2_CC_CLEAR = 0x0126,
 TPM2_CC_CLEARCONTROL = 0x0127,
+ TPM2_CC_HIERCHANGEAUTH = 0x0129,
 TPM2_CC_DAM_RESET = 0x0139,
 TPM2_CC_DAM_PARAMETERS = 0x013A,
 TPM2_CC_GET_CAPABILITY = 0x017A,
@@ -630,6 +631,19 @@ int tpm2_dam_set_parameters(const char *pw, const ssize_t pw_sz,
 */
 int tpm_force_clear(u32 handle, const char *pw, const ssize_t pw_sz);
 
+/**
+ * Issue a TPM2_HierarchyChangeAuthorization command.
+ *
+ * @param handle Handle
+ * @param newpw New password
+ * @param newpw_sz Length of the new password
+ * @param oldpw Old password
+ * @param oldpw_sz Length of the old password
+ * @return return code of the operation
+ */
+int tpm2_change_auth(u32 handle, const char *newpw, const ssize_t newpw_sz,
+ const char *oldpw, const ssize_t oldpw_sz);
+
 /**
 * Issue a TPM_PhysicalEnable command.
 *
diff --git a/lib/tpm.c b/lib/tpm.c
index 1e064e6ff1..f09b9ce9eb 100644
--- a/lib/tpm.c
+++ b/lib/tpm.c
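Review bot: The new help line `" change_auth <new_pw> [<old_pw>]\n"` omits the hierarchy argument that do_tpm_change_auth reads from argv[1] and rejects with CMD_RET_USAGE when missing, so the usage text cannot be followed as written. Suggest `" change_auth <hierarchy> <new_pw> [<old_pw>]\n"` and, in the style of the force_clear entry above it, a third line naming the accepted values: `" * TPM2_RH_LOCKOUT, TPM2_RH_ENDORSEMENT, TPM2_RH_OWNER, TPM2_RH_PLATFORM.\n"`. Mentioning that each password is limited to TPM2_DIGEST_LENGTH bytes would match what the handler actually enforces. The U_BOOT_CMD help string this hunk edits starts and ends outside the hunk.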
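Review bot: The doc comment on the new tpm2_change_auth prototype calls the command `TPM2_HierarchyChangeAuthorization`, while the TPM 2.0 command, the commit message and the new TPM2_CC_HIERCHANGEAUTH code all refer to TPM2_HierarchyChangeAuth; `@param handle Handle` also gives the caller no idea which values are valid. Suggest `* Issue a TPM2_HierarchyChangeAuth command.` and `* @param handle Hierarchy whose authorization changes (a TPM2_RH_* permanent handle)`, and saying on newpw_sz and oldpw_sz that the sizes are in bytes and are expected not to exceed TPM2_DIGEST_LENGTH, which is the bound the command layer applies. If a NULL oldpw with oldpw_sz of 0 is the supported way to express "no current password", as cmd/tpm.c relies on, the comment should state that too.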
@@ -835,6 +835,53 @@ int tpm_force_clear(u32 handle, const char *pw, const ssize_t pw_sz)
 return tpm_sendrecv_command(command_v2, NULL, NULL);
 }
 
+int tpm2_change_auth(u32 handle, const char *newpw, const ssize_t newpw_sz,
+ const char *oldpw, const ssize_t oldpw_sz)
+{
+ unsigned int offset = 27;
+ u8 command_v2[COMMAND_BUFFER_SIZE] = {
+ STRINGIFY16(TPM2_ST_SESSIONS), /* TAG */
+ STRINGIFY32(offset + oldpw_sz + 2 + newpw_sz), /* Command len */
+ STRINGIFY32(TPM2_CC_HIERCHANGEAUTH), /* Command code */
+
+ /* HANDLE */
+ STRINGIFY32(handle), /* TPM resource handle */
+
+ /* AUTH_SESSION */
+ STRINGIFY32(9 + oldpw_sz), /* Authorization size */
+ STRINGIFY32(TPM2_RS_PW), /* Session handle */
+ STRINGIFY16(0), /* Size of <nonce> */
+ /* <nonce> (if any) */
+ 0, /* Attributes: Cont/Excl/Rst */
+ STRINGIFY16(oldpw_sz) /* Size of <hmac/password> */
+ /* STRING(oldpw) <hmac/password> (if any) */
+
+ /* TPM2B_AUTH (TPM2B_DIGEST) */
+ /* STRINGIFY16(newpw_sz) Digest size, new pw length */
+ /* STRING(newpw) Digest buffer, new pw */
+ };
+ int ret;
+
+ if (!is_tpmv2)
+ return TPM_LIB_ERROR;
+
+ /*
+ * Fill the command structure starting from the first buffer:
+ * - the old password (if any)
+ * - size of the new password
+ * - new password
+ */
+ ret = pack_byte_string(command_v2, sizeof(command_v2), "sws",
+ offset, oldpw, oldpw_sz,
+ offset + oldpw_sz, newpw_sz,
+ offset + oldpw_sz + 2, newpw, newpw_sz);
+ offset += oldpw_sz + 2 + newpw_sz;
+ if (ret)
+ return TPM_LIB_ERROR;
+
+ return tpm_sendrecv_command(command_v2, NULL, NULL);
+}
+
 uint32_t tpm_physical_enable(void)
 {
 const uint8_t command[10] = {
-- 
2.14.1
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot
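Review bot: tpm2_change_auth does no range check of its own on newpw_sz and oldpw_sz, so the on-wire length fields written by the STRINGIFY32/STRINGIFY16 initializers are only sane because cmd/tpm.c compares both sizes against TPM2_DIGEST_LENGTH before calling; the function is exported through include/tpm.h, and another caller can pass a negative or oversized ssize_t that flows into the command length, the authorization size and the pack_byte_string offsets unchecked (pack_byte_string's bound against sizeof(command_v2) is then the only guard, assuming it enforces one). Mirroring the command-layer limit after the is_tpmv2 test, `if (newpw_sz < 0 || newpw_sz > TPM2_DIGEST_LENGTH || oldpw_sz < 0 || oldpw_sz > TPM2_DIGEST_LENGTH) return TPM_LIB_ERROR;`, makes the library function safe on its own. The statement `offset += oldpw_sz + 2 + newpw_sz;` after the pack call is a dead store, since offset is never read again, and can be dropped. The function is complete within the hunk.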