Current U-Boot supports TPM v1.2 specification. The new specification (v2.0) is not backward compatible and renames/introduces several functions.
This series introduces a new SPI driver following the TPM v2.0 specification. It has been tested on a ST TPM but should be usable with other v2.0-compliant chips.

Then, basic functionalities are introduced one by one for the v2.0 specification. The INIT command can now receive a parameter to distinguish further TPMv1/TPMv2 commands. After that, the library itself will know which one is pertinent and will return a special error if the desired command is not supported for the selected specification.

Available commands for v2.0 TPMs are:
* STARTUP
* SELF TEST
* CLEAR
* PCR EXTEND
* PCR READ
* GET CAPABILITY
* DICTIONARY ATTACK LOCK RESET
* DICTIONARY ATTACK CHANGE PARAMETERS
* HIERARCHY CHANGE AUTH

Two commands have been written but could not be tested (unsupported by the TPM chosen):
* PCR CHANGE AUTH POLICY
* PCR CHANGE AUTH VALUE

With this set of functions, minimal TPMv2.0 handling is possible with the following sequence.

* First, initialize the TPM stack in U-Boot: "TPM2" is a new parameter to discern the format of the commands:
  > tpm init TPM2

* Then send the STARTUP command to the TPM. The flag is slightly different between the revisions.
  > tpm startup TPM2_SU_CLEAR

* To enable full TPM capabilities, continue the tests (or do them all again). It seems like self_test_full always waits for the operation to finish, while continue_self_test returns a busy state if called too early.
  > tpm continue_self_test
  > tpm self_test_full

* Manage passwords (force_clear also resets a lot of internal stuff). Formerly, TAKE OWNERSHIP == CLEAR + CHANGE AUTH. LOCKOUT is an example; ENDORSEMENT and PLATFORM hierarchies are available too:
  > tpm force_clear TPM2_RH_LOCKOUT [<pw>]
  > tpm change_auth TPM2_RH_LOCKOUT <new_pw> [<old_pw>]

* Dictionary Attack Mitigation (DAM) parameters can be changed. It is possible to reset the failure counter and disable the lockout (values erased after a CLEAR). It is then possible to check the parameters have been correctly applied.
  > tpm dam_reset_counter [<pw>]
  > tpm dam_set_parameters 0xffff 1 0 [<pw>]
  > tpm get_capability 0x0006 0x020e 0x4000000 4

* PCR policy may be changed (untested). PCR can be extended (no protection against packet replay yet). PCR can be read (the counter with the number of "extensions" is also given).
  > tpm pcr_setauthpolicy 0 12345678901234567890123456789012 [<pw>]
  > tpm pcr_read 0 0x4000000
  > tpm pcr_extend 0 0x4000000

Regular testing may be done through the test/py/ framework when using real hardware; there is no sandbox support for now.

Thanks,
Miquèl

Miquel Raynal (19):
  tpm: add Revision ID field in the chip structure
  tpm: rename tpm_tis_infineon in tpm_tis_infineon_i2c
  tpm: add support for TPMv2 SPI modules
  tpm: fix indentation in command list before adding more
  tpm: prepare support for TPMv2 commands
  tpm: add macros for TPMv2 commands
  tpm: add possible traces to analyze buffers returned by the TPM
  tpm: handle different buffer sizes
  tpm: add TPM2_Startup command support
  tpm: add TPM2_SelfTest command support
  tpm: add TPM2_Clear command support
  tpm: rename the _extend() function to be _pcr_event()
  tpm: add TPM2_PCR_Extend command support
  tpm: add TPM2_PCR_Read command support
  tpm: add TPM2_GetCapability command support
  tpm: add dictionary attack mitigation commands support
  tpm: add TPM2_HierarchyChangeAuth command support
  tpm: add PCR authentication commands support
  test/py: add TPMv2.0 test suite

 cmd/tpm.c                                          | 360 +++++++++--
 cmd/tpm_test.c                                     |  10 +-
 drivers/tpm/Kconfig                                |  13 +-
 drivers/tpm/Makefile                               |   3 +-
 drivers/tpm/tpm_tis.h                              |   4 +
 .../{tpm_tis_infineon.c => tpm_tis_infineon_i2c.c} |   2 +-
 drivers/tpm/tpm_tis_spi.c                          | 656 +++++++++++++++++++++
 include/tpm.h                                      | 183 +++++-
 lib/tpm.c                                          | 654 ++++++++++++++++++--
 test/py/tests/test_tpm2.py                         | 254 ++++++++
 10 files changed, 1993 insertions(+), 146 deletions(-)
 rename drivers/tpm/{tpm_tis_infineon.c => tpm_tis_infineon_i2c.c} (99%)
 create mode 100644 drivers/tpm/tpm_tis_spi.c
 create mode 100644 test/py/tests/test_tpm2.py

-- 
2.14.1
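As an added illustration (not code from this series or from U-Boot), the Python below builds the TPM 2.0 command buffers behind `tpm startup TPM2_SU_CLEAR` and `tpm get_capability 0x0006 0x020e <addr> 4`, and decodes the tagged property list a TPM returns so the DAM parameters set above can be verified. The wire-format constants come from the TCG TPM 2.0 Library specification, not from the cover letter, and the sample response is constructed, not captured from hardware.

```python
import struct

# TPM 2.0 wire-format constants (TCG TPM 2.0 Library, Part 2). The capability
# and property values match the cover letter's get_capability arguments.
TPM2_ST_NO_SESSIONS = 0x8001
TPM2_CC_STARTUP = 0x00000144
TPM2_CC_GET_CAPABILITY = 0x0000017A
TPM2_SU_CLEAR = 0x0000
TPM2_CAP_TPM_PROPERTIES = 0x00000006
TPM2_PT_LOCKOUT_COUNTER = 0x0000020E   # first of the four DAM properties
TPM2_RC_SUCCESS = 0x000
TPM2_RC_INITIALIZE = 0x100             # TPM answers this before TPM2_Startup
HEADER_FMT = ">HII"                    # tag, size, command/response code
HEADER_LEN = struct.calcsize(HEADER_FMT)

def build_command(command_code, params=b""):
    """Prepend the 10-byte header; the size field covers the whole buffer."""
    return struct.pack(HEADER_FMT, TPM2_ST_NO_SESSIONS,
                       HEADER_LEN + len(params), command_code) + params

def build_startup(startup_type=TPM2_SU_CLEAR):
    """Wire equivalent of 'tpm startup TPM2_SU_CLEAR'."""
    return build_command(TPM2_CC_STARTUP, struct.pack(">H", startup_type))

def build_get_capability(capability, first_property, count):
    """Wire equivalent of 'tpm get_capability 0x0006 0x020e <addr> 4'; the
    U-Boot destination address is not part of the command itself."""
    return build_command(TPM2_CC_GET_CAPABILITY,
                         struct.pack(">III", capability, first_property, count))

def parse_response(buf):
    """Check the header is self-consistent and return (response_code, payload)."""
    if len(buf) < HEADER_LEN:
        raise ValueError("response shorter than a TPM2 header")
    _tag, size, rc = struct.unpack_from(HEADER_FMT, buf)
    if size != len(buf):
        raise ValueError(f"size field {size} != buffer length {len(buf)}")
    return rc, buf[HEADER_LEN:]

def parse_tpm_properties(payload):
    """Decode TPMS_CAPABILITY_DATA (moreData, capability, TPML_TAGGED_TPM_PROPERTY)
    into {property: value}, rejecting truncated or mismatched lists."""
    _more_data, capability, count = struct.unpack_from(">BII", payload)
    if capability != TPM2_CAP_TPM_PROPERTIES:
        raise ValueError(f"unexpected capability 0x{capability:x}")
    body = payload[9:]
    if len(body) != 8 * count:
        raise ValueError("property list length does not match count")
    return dict(struct.iter_unpack(">II", body))

# Constructed sample (not a hardware capture) of a successful GetCapability
# reply listing the four DAM properties starting at TPM2_PT_LOCKOUT_COUNTER.
SAMPLE_PROPS = struct.pack(">BII", 0, TPM2_CAP_TPM_PROPERTIES, 4) + struct.pack(
    ">IIIIIIII", 0x20E, 0, 0x20F, 0xFFFF, 0x210, 1, 0x211, 0)
SAMPLE_RESPONSE = struct.pack(HEADER_FMT, TPM2_ST_NO_SESSIONS,
                              HEADER_LEN + len(SAMPLE_PROPS), TPM2_RC_SUCCESS) + SAMPLE_PROPS
```

A response whose size field disagrees with the number of bytes actually received is rejected before any payload is decoded, which is the check a driver handling "different buffer sizes" needs to make.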