diff options
| author | Chris Engel <cjengel@us.ibm.com> | 2015-04-22 16:53:47 -0500 |
|---|---|---|
| committer | A. Patrick Williams III <iawillia@us.ibm.com> | 2015-11-05 23:43:14 -0600 |
| commit | 5c6ea674b20398ce999f64f8c7cde4292b104690 (patch) | |
| tree | 60aacaeeeaeba6a369176a33c1a639a490e80288 | |
| parent | 70e665f85f3e3ec8b118310884640a44ce83b7f2 (diff) | |
| download | talos-hostboot-5c6ea674b20398ce999f64f8c7cde4292b104690.tar.gz talos-hostboot-5c6ea674b20398ce999f64f8c7cde4292b104690.zip | |
Trusted boot support for performing TPM_STARTUP during isteps
Support added for TPM DD2.0
Added call to host_update_master_tpm during host_discover_targets istep
host_update_master_tpm istep performs TPM_STARTUP on TPM
Change-Id: Ie9c232ed6ecf72da58c40df726fe1deaec5af053
RTC: 125287
Reviewed-on: http://gfw160.aus.stglabs.ibm.com:8080/gerrit/18075
Tested-by: Jenkins Server
Reviewed-by: STEPHEN M. CPREK <smcprek@us.ibm.com>
Tested-by: Jenkins OP Build CI
Tested-by: Jenkins OP HW
Tested-by: FSP CI Jenkins
Reviewed-by: Timothy R. Block <block@us.ibm.com>
Reviewed-by: A. Patrick Williams III <iawillia@us.ibm.com>
| -rwxr-xr-x | src/build/tools/listdeps.pl | 1 | ||||
| -rw-r--r-- | src/include/usr/secureboot/secure_reasoncodes.H | 6 | ||||
| -rw-r--r-- | src/include/usr/secureboot/trustedboot_reasoncodes.H | 47 | ||||
| -rw-r--r-- | src/include/usr/secureboot/trustedbootif.H | 55 | ||||
| -rw-r--r-- | src/makefile | 1 | ||||
| -rw-r--r-- | src/usr/hwas/hostbootIstep.C | 12 | ||||
| -rwxr-xr-x | src/usr/i2c/i2c.C | 16 | ||||
| -rwxr-xr-x | src/usr/i2c/test/tpmddtest.H | 213 | ||||
| -rwxr-xr-x | src/usr/i2c/tpmdd.C | 187 | ||||
| -rwxr-xr-x | src/usr/i2c/tpmdd.H | 53 | ||||
| -rw-r--r-- | src/usr/initservice/extinitsvc/extinitsvctasks.H | 15 | ||||
| -rw-r--r-- | src/usr/secureboot/makefile | 1 | ||||
| -rw-r--r-- | src/usr/secureboot/trusted/makefile | 31 | ||||
| -rw-r--r-- | src/usr/secureboot/trusted/trustedboot.C | 248 | ||||
| -rw-r--r-- | src/usr/secureboot/trusted/trustedboot.H | 94 |
15 files changed, 844 insertions, 136 deletions
diff --git a/src/build/tools/listdeps.pl b/src/build/tools/listdeps.pl index 437202fd9..bdea5e0f2 100755 --- a/src/build/tools/listdeps.pl +++ b/src/build/tools/listdeps.pl @@ -217,6 +217,7 @@ my %resident_modules = ( "liberrldisplay.so" => '1', "libipmi.so" => '1', "libvpd.so" => '1', + "libsecureboot_trusted.so" => '1', ); # has with library to istep list file were the DepMod array is kept diff --git a/src/include/usr/secureboot/secure_reasoncodes.H b/src/include/usr/secureboot/secure_reasoncodes.H index 5afa0279d..959278710 100644 --- a/src/include/usr/secureboot/secure_reasoncodes.H +++ b/src/include/usr/secureboot/secure_reasoncodes.H @@ -5,7 +5,9 @@ /* */ /* OpenPOWER HostBoot Project */ /* */ -/* COPYRIGHT International Business Machines Corp. 2013,2014 */ +/* Contributors Listed Below - COPYRIGHT 2013,2015 */ +/* [+] International Business Machines Corp. */ +/* */ /* */ /* Licensed under the Apache License, Version 2.0 (the "License"); */ /* you may not use this file except in compliance with the License. */ @@ -45,6 +47,8 @@ namespace SECUREBOOT RC_SET_PERMISSION_FAIL_EXE = SECURE_COMP_ID | 0x05, RC_SET_PERMISSION_FAIL_WRITE = SECURE_COMP_ID | 0x06, RC_ROM_VERIFY = SECURE_COMP_ID | 0x07, + + // Reason codes 0xA0 - 0xEF reserved for trustedboot_reasoncodes.H }; } diff --git a/src/include/usr/secureboot/trustedboot_reasoncodes.H b/src/include/usr/secureboot/trustedboot_reasoncodes.H new file mode 100644 index 000000000..53fb6f8fc --- /dev/null +++ b/src/include/usr/secureboot/trustedboot_reasoncodes.H @@ -0,0 +1,47 @@ +/* IBM_PROLOG_BEGIN_TAG */ +/* This is an automatically generated prolog. */ +/* */ +/* $Source: src/include/usr/secureboot/trustedboot_reasoncodes.H $ */ +/* */ +/* OpenPOWER HostBoot Project */ +/* */ +/* Contributors Listed Below - COPYRIGHT 2015 */ +/* [+] International Business Machines Corp. */ +/* */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ +/* implied. See the License for the specific language governing */ +/* permissions and limitations under the License. */ +/* */ +/* IBM_PROLOG_END_TAG */ +#ifndef __TRUSTEDBOOT_REASONCODES_H +#define __TRUSTEDBOOT_REASONCODES_H + +#include <hbotcompid.H> + +namespace TRUSTEDBOOT +{ + enum TRUSTEDModuleId + { + MOD_HOST_UPDATE_MASTER_TPM = 0x00, + MOD_TPM_INITIALIZE = 0x01, + }; + + enum TRUSTEDReasonCode + { + // Reason codes 0x00 - 0x9F reserved for secure_reasoncodes.H + + RC_TPM_START_FAIL = SECURE_COMP_ID | 0xA0, + RC_TPM_EXISTENCE_FAIL = SECURE_COMP_ID | 0xA1, + }; +} + +#endif diff --git a/src/include/usr/secureboot/trustedbootif.H b/src/include/usr/secureboot/trustedbootif.H new file mode 100644 index 000000000..a43939c5c --- /dev/null +++ b/src/include/usr/secureboot/trustedbootif.H @@ -0,0 +1,55 @@ +/* IBM_PROLOG_BEGIN_TAG */ +/* This is an automatically generated prolog. */ +/* */ +/* $Source: src/usr/secureboot/trustedboot.H $ */ +/* */ +/* OpenPOWER HostBoot Project */ +/* */ +/* Contributors Listed Below - COPYRIGHT 2015 */ +/* [+] International Business Machines Corp. */ +/* */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ +/* implied. See the License for the specific language governing */ +/* permissions and limitations under the License. */ +/* */ +/* IBM_PROLOG_END_TAG */ +/** + * @file trustedbootif.H + * + * @brief Trustedboot interfaces + * + */ +#ifndef __TRUSTEDBOOTIF_H +#define __TRUSTEDBOOTIF_H +// ----------------------------------------------- +// Includes +// ----------------------------------------------- + +namespace TRUSTEDBOOT +{ + + + /** + * @brief Initialize trusted boot/TPM components for the master TPM + * + * @param[in] io_pArgs istep args + * + * @return errlHndl_t NULL if successful, otherwise a pointer to the + * error log. + */ + void* host_update_master_tpm( void *io_pArgs ); + + +} // end TRUSTEDBOOT namespace + + +#endif // __TRUSTEDBOOTIF_H diff --git a/src/makefile b/src/makefile index 87c20d06b..8f986862c 100644 --- a/src/makefile +++ b/src/makefile @@ -159,6 +159,7 @@ EXTENDED_MODULES += ibscom EXTENDED_MODULES += $(if $(CONFIG_VPO_COMPILE),,dump) EXTENDED_MODULES += $(if $(CONFIG_VPO_COMPILE),,tod_init) EXTENDED_MODULES += secureboot_ext +EXTENDED_MODULES += $(if $(CONFIG_TPMDD),secureboot_trusted,) EXTENDED_MODULES += devtree EXTENDED_MODULES += sbe EXTENDED_MODULES += proc_hwreconfig diff --git a/src/usr/hwas/hostbootIstep.C b/src/usr/hwas/hostbootIstep.C index 31362a8ad..cdc4fbc72 100644 --- a/src/usr/hwas/hostbootIstep.C +++ b/src/usr/hwas/hostbootIstep.C @@ -81,6 +81,10 @@ #include <diag/attn/attn.H> #endif +#ifdef CONFIG_TPMDD + #include <secureboot/trustedbootif.H> +#endif + namespace HWAS { @@ -207,6 +211,14 @@ void* host_discover_targets( void *io_pArgs ) SENSOR::updateBMCSensorStatus(); #endif +#ifdef CONFIG_TPMDD + if (NULL == errl) + { + // Initialize the master TPM + errl = (errlHndl_t)TRUSTEDBOOT::host_update_master_tpm(io_pArgs); + } +#endif + TRACDCOMP( ISTEPS_TRACE::g_trac_isteps_trace, "host_discover_targets exit" ); diff --git a/src/usr/i2c/i2c.C b/src/usr/i2c/i2c.C index d1b46b519..e88504f23 100755 --- a/src/usr/i2c/i2c.C +++ b/src/usr/i2c/i2c.C @@ -936,14 +936,20 @@ errlHndl_t i2cRead ( TARGETING::Target * i_target, TRACUCOMP( g_trac_i2c, "i2cRead() Wait Loop: status=0x%016llx " - ".fifo_entry_count=%d, .data_request=%d", - status.value, status.fifo_entry_count, status.data_request); + ".fifo_entry_count=%d, .data_request=%d", + status.value, status.fifo_entry_count, + status.data_request); if( 0 == timeoutCount-- ) { TRACFCOMP( g_trac_i2c, - ERR_MRK"i2cRead() - Timed out waiting for data in FIFO!" ); + ERR_MRK"i2cRead() - " + "Timed out waiting for data in FIFO! " + "status=0x%016llx " + ".fifo_entry_count=%d, .data_request=%d", + status.value, status.fifo_entry_count, + status.data_request ); /*@ * @errortype @@ -1326,7 +1332,9 @@ errlHndl_t i2cWaitForCmdComp ( TARGETING::Target * i_target, if( 0 == timeoutCount-- ) { TRACFCOMP( g_trac_i2c, - ERR_MRK"i2cWaitForCmdComp() - Timed out waiting for Command Complete!" ); + ERR_MRK"i2cWaitForCmdComp() - " + "Timed out waiting for Command Complete! " + "status=%016llX", status.value ); /*@ * @errortype diff --git a/src/usr/i2c/test/tpmddtest.H b/src/usr/i2c/test/tpmddtest.H index 578cd6b95..4fd82cda1 100755 --- a/src/usr/i2c/test/tpmddtest.H +++ b/src/usr/i2c/test/tpmddtest.H @@ -59,41 +59,42 @@ class TPMDDTest: public CxxTest::TestSuite */ TARGETING::Target* getTestTarget( tpm_chip_types_t i_chip ) { - TARGETING::TargetService& tS = TARGETING::targetService(); - TARGETING::Target* testTarget = NULL; - tS.getMasterNodeTarget( testTarget ); + TARGETING::TargetService& tS = TARGETING::targetService(); + TARGETING::Target* testTarget = NULL; + tS.getMasterNodeTarget( testTarget ); - assert(testTarget != NULL); + assert(testTarget != NULL); - TRACFCOMP( g_trac_tpmdd, - "getTestTarget node tgt=0x%X chip=%d", - TARGETING::get_huid(testTarget), - i_chip); + TRACFCOMP( g_trac_tpmdd, + "getTestTarget node tgt=0x%X chip=%d", + TARGETING::get_huid(testTarget), + i_chip); - // Let's see if the requested chip is functional - tpm_info_t tpmInfo; - tpmInfo.chip = i_chip; - errlHndl_t err = tpmReadAttributes (testTarget, tpmInfo); - if (NULL != err) - { - testTarget = NULL; - delete err; - } - else if (!tpmInfo.tpmEnabled) - { - TRACFCOMP(g_trac_tpmdd, "getTestTarget - " - "Chip %d not enabled", - i_chip); - testTarget = NULL; - } - else - { - TRACFCOMP(g_trac_tpmdd, "getTestTarget - " - "Chip %d enabled", - i_chip); - } + // Let's see if the requested chip is functional + tpm_info_t tpmInfo; + tpmInfo.chip = i_chip; + errlHndl_t err = tpmReadAttributes (testTarget, tpmInfo); + + if (NULL != err) + { + testTarget = NULL; + delete err; + } + else if (!tpmInfo.tpmEnabled) + { + TRACFCOMP(g_trac_tpmdd, "getTestTarget - " + "Chip %d not enabled", + i_chip); + testTarget = NULL; + } + else + { + TRACFCOMP(g_trac_tpmdd, "getTestTarget - " + "Chip %d enabled", + i_chip); + } - return testTarget; + return testTarget; } /** @@ -136,7 +137,8 @@ class TPMDDTest: public CxxTest::TestSuite err = NULL; continue; } - else if (data != TPMDD::TPM_VENDORID) + else if ((data & TPMDD::TPM_VENDORID_MASK) + != TPMDD::TPM_VENDORID) { fails++; TS_FAIL( "testTPMReadVendorID - Failed to read " @@ -514,15 +516,18 @@ class TPMDDTest: public CxxTest::TestSuite */ void testTPMTransmit ( void ) { + errlHndl_t err = NULL; int64_t fails = 0, num_ops = 0; uint8_t data[256]; size_t dataSize = sizeof(data); +#ifdef CONFIG_TPMDD_1_2 uint32_t subCap = 0; +#endif + size_t cmdSize = 0; TRACFCOMP( g_trac_tpmdd, "testTPMTransmit - Start" ); - do { @@ -534,65 +539,6 @@ class TPMDDTest: public CxxTest::TestSuite } - // Build our command block for a startup - memset(data, 0xFE, sizeof(data)); - -#ifdef CONFIG_TPMDD_1_2 - TRUSTEDBOOT::TPM_2ByteIn* cmd = - reinterpret_cast<TRUSTEDBOOT::TPM_2ByteIn*>(data); - cmd->base.tag = TRUSTEDBOOT::TPM_TAG_RQU_COMMAND; - cmd->base.paramSize = sizeof (TRUSTEDBOOT::TPM_2ByteIn); - cmd->base.ordinal = TRUSTEDBOOT::TPM_ORD_Startup; - cmd->param = TRUSTEDBOOT::TPM_ST_CLEAR; -#endif - - num_ops++; - err = deviceRead(testTarget, - &data, - dataSize, - DEVICE_TPM_ADDRESS( TPM_PRIMARY, - TPM_OP_TRANSMIT, - cmd->base.paramSize) ); -#ifdef CONFIG_TPMDD_1_2 - TRUSTEDBOOT::TPM_BaseOut* resp = - reinterpret_cast<TRUSTEDBOOT::TPM_BaseOut*>(data); -#endif - - - if( NULL != err ) - { - fails++; - TS_FAIL( "testTPMTransmit - Error detected" ); - errlCommit( err, - TPMDD_COMP_ID ); - delete err; - err = NULL; - continue; - } - else if (sizeof(TRUSTEDBOOT::TPM_BaseOut) != dataSize) - { - fails++; - TS_FAIL( "testTPMTransmit - TPM didn't return correct " - "response size"); - continue; - } - else if (TRUSTEDBOOT::TPM_SUCCESS != - resp->returnCode) - { - fails++; - TS_FAIL( "testTPMTransmit - TPM return non-success : %d", - resp->returnCode); - continue; - } - else - { - TRACUCOMP(g_trac_tpmdd, "testTPMTransmit - " - "Transmit returned as expected. len=%d", - dataSize); - } - - - // Build our command block for a get capability dataSize = sizeof(data); memset(data, 0xFE, sizeof(data)); @@ -609,6 +555,21 @@ class TPMDDTest: public CxxTest::TestSuite capCmd->capArea = TRUSTEDBOOT::TPM_CAP_PROPERTY; capCmd->subCapSize = sizeof (subCap); memcpy(capCmd->subCap, &subCap, sizeof (subCap)); + cmdSize = capCmd->base.paramSize; +#elif defined (CONFIG_TPMDD_2_0) + TRUSTEDBOOT::TPM2_GetCapabilityIn* cmd = + (TRUSTEDBOOT::TPM2_GetCapabilityIn*)data; + + cmd->base.tag = TRUSTEDBOOT::TPM_ST_NO_SESSIONS; + cmd->base.commandSize = + sizeof (TRUSTEDBOOT::TPM2_GetCapabilityIn); + cmd->base.commandCode = TRUSTEDBOOT::TPM_CC_GetCapability; + cmd->capability = TRUSTEDBOOT::TPM_CAP_TPM_PROPERTIES; + cmd->property = TRUSTEDBOOT::TPM_PT_MANUFACTURER; + cmd->propertyCount = 1; + + cmdSize = cmd->base.commandSize; + #endif num_ops++; @@ -617,11 +578,10 @@ class TPMDDTest: public CxxTest::TestSuite dataSize, DEVICE_TPM_ADDRESS( TPM_PRIMARY, TPM_OP_TRANSMIT, - capCmd->base.paramSize) ); -#ifdef CONFIG_TPMDD_1_2 - TRUSTEDBOOT::TPM_GetCapabilityOut* capResp = - reinterpret_cast<TRUSTEDBOOT::TPM_GetCapabilityOut*>(data); -#endif + cmdSize) ); + + TRUSTEDBOOT::TPM_BaseOut* resp = + reinterpret_cast<TRUSTEDBOOT::TPM_BaseOut*>(data); if( NULL != err ) @@ -634,19 +594,17 @@ class TPMDDTest: public CxxTest::TestSuite err = NULL; continue; } - else if ((sizeof(TRUSTEDBOOT::TPM_GetCapabilityOut) + - capResp->respSize) != dataSize) + else if (resp->paramSize != dataSize) { fails++; TS_FAIL( "testTPMTransmit - GetCap : TPM didn't return " "correct response size E:%d A:%d", - sizeof(TRUSTEDBOOT::TPM_GetCapabilityOut) + - capResp->respSize, + resp->paramSize, dataSize); continue; } else if (TRUSTEDBOOT::TPM_SUCCESS != - capResp->base.returnCode) + resp->returnCode) { fails++; TS_FAIL( "testTPMTransmit - GetCap : " @@ -681,7 +639,10 @@ class TPMDDTest: public CxxTest::TestSuite int64_t fails = 0, num_ops = 0; uint8_t data[256]; size_t dataSize = sizeof(data); +#ifdef CONFIG_TPMDD_1_2 uint32_t subCap = 0; +#endif + size_t cmdSize = 0; TRACFCOMP( g_trac_tpmdd, "testTPMTransmitOverUnder - Start" ); @@ -696,7 +657,6 @@ class TPMDDTest: public CxxTest::TestSuite continue; } - // Build our command block for a startup memset(data, 0xFE, sizeof(data)); @@ -713,6 +673,20 @@ class TPMDDTest: public CxxTest::TestSuite capCmd->capArea = TRUSTEDBOOT::TPM_CAP_PROPERTY; capCmd->subCapSize = sizeof (subCap); memcpy(capCmd->subCap, &subCap, sizeof (subCap)); + cmdSize = capCmd->base.paramSize; +#elif defined (CONFIG_TPMDD_2_0) + TRUSTEDBOOT::TPM2_GetCapabilityIn* cmd = + (TRUSTEDBOOT::TPM2_GetCapabilityIn*)data; + + cmd->base.tag = TRUSTEDBOOT::TPM_ST_NO_SESSIONS; + cmd->base.commandSize = + sizeof (TRUSTEDBOOT::TPM2_GetCapabilityIn); + cmd->base.commandCode = TRUSTEDBOOT::TPM_CC_GetCapability; + cmd->capability = TRUSTEDBOOT::TPM_CAP_TPM_PROPERTIES; + cmd->property = TRUSTEDBOOT::TPM_PT_MANUFACTURER; + cmd->propertyCount = 1; + + cmdSize = cmd->base.commandSize; #endif num_ops++; @@ -721,7 +695,7 @@ class TPMDDTest: public CxxTest::TestSuite dataSize, DEVICE_TPM_ADDRESS( TPM_PRIMARY, TPM_OP_TRANSMIT, - capCmd->base.paramSize - 1) ); + cmdSize - 1) ); if( NULL == err || err->reasonCode() != TPM_UNDERFLOW_ERROR) @@ -757,6 +731,18 @@ class TPMDDTest: public CxxTest::TestSuite capCmd->capArea = TRUSTEDBOOT::TPM_CAP_PROPERTY; capCmd->subCapSize = sizeof (subCap); memcpy(capCmd->subCap, &subCap, sizeof (subCap)); + cmdSize = capCmd->base.paramSize; +#elif defined (CONFIG_TPMDD_2_0) + + cmd->base.tag = TRUSTEDBOOT::TPM_ST_NO_SESSIONS; + cmd->base.commandSize = + sizeof (TRUSTEDBOOT::TPM2_GetCapabilityIn); + cmd->base.commandCode = TRUSTEDBOOT::TPM_CC_GetCapability; + cmd->capability = TRUSTEDBOOT::TPM_CAP_TPM_PROPERTIES; + cmd->property = TRUSTEDBOOT::TPM_PT_MANUFACTURER; + cmd->propertyCount = 1; + + cmdSize = cmd->base.commandSize; #endif num_ops++; @@ -765,7 +751,7 @@ class TPMDDTest: public CxxTest::TestSuite dataSize, DEVICE_TPM_ADDRESS( TPM_PRIMARY, TPM_OP_TRANSMIT, - capCmd->base.paramSize + 1) ); + cmdSize + 1) ); if( NULL == err || err->reasonCode() != TPM_OVERFLOW_ERROR) @@ -800,17 +786,29 @@ class TPMDDTest: public CxxTest::TestSuite capCmd->capArea = TRUSTEDBOOT::TPM_CAP_PROPERTY; capCmd->subCapSize = sizeof (subCap); memcpy(capCmd->subCap, &subCap, sizeof (subCap)); + cmdSize = capCmd->base.paramSize; +#elif defined (CONFIG_TPMDD_2_0) + + cmd->base.tag = TRUSTEDBOOT::TPM_ST_NO_SESSIONS; + cmd->base.commandSize = + sizeof (TRUSTEDBOOT::TPM2_GetCapabilityIn); + cmd->base.commandCode = TRUSTEDBOOT::TPM_CC_GetCapability; + cmd->capability = TRUSTEDBOOT::TPM_CAP_TPM_PROPERTIES; + cmd->property = TRUSTEDBOOT::TPM_PT_MANUFACTURER; + cmd->propertyCount = 1; + + cmdSize = cmd->base.commandSize; #endif num_ops++; // Force datasize to be too small - dataSize = sizeof(TRUSTEDBOOT::TPM_GetCapabilityOut) - 1; + dataSize = sizeof(TRUSTEDBOOT::TPM_BaseOut); err = deviceRead(testTarget, &data, dataSize, DEVICE_TPM_ADDRESS( TPM_PRIMARY, TPM_OP_TRANSMIT, - capCmd->base.paramSize) ); + cmdSize) ); if( NULL == err || err->reasonCode() != TPM_OVERFLOW_ERROR) @@ -830,7 +828,6 @@ class TPMDDTest: public CxxTest::TestSuite dataSize); } - } while( 0 ); TRACFCOMP( g_trac_tpmdd, "testTPMTransmitOverUnder - End: %d/%d fails", diff --git a/src/usr/i2c/tpmdd.C b/src/usr/i2c/tpmdd.C index d493009d7..ec25c511c 100755 --- a/src/usr/i2c/tpmdd.C +++ b/src/usr/i2c/tpmdd.C @@ -307,9 +307,13 @@ bool tpmPresence ( TARGETING::Target * i_target, { TRACDCOMP(g_trac_tpmdd, ENTER_MRK"tpmPresence()"); + TRACUCOMP(g_trac_tpmdd, ENTER_MRK"tpmPresence() : " + "node tgt=0x%X chip=%d", + TARGETING::get_huid(i_target), + i_chip); errlHndl_t err = NULL; - bool l_present = false; + bool l_present = true; tpm_info_t tpmInfo; @@ -327,6 +331,7 @@ bool tpmPresence ( TARGETING::Target * i_target, TRACFCOMP(g_trac_tpmdd, ERR_MRK"Error in tpmPresence::tpmReadAttributes() " "RC 0x%X", err->reasonCode()); + l_present = false; delete err; err = NULL; break; @@ -341,6 +346,7 @@ bool tpmPresence ( TARGETING::Target * i_target, TRACFCOMP(g_trac_tpmdd, ERR_MRK"Error in tpmPresence::tpmGetI2Cmaster() " "RC 0x%X", err->reasonCode()); + l_present = false; delete err; err = NULL; break; @@ -351,27 +357,140 @@ bool tpmPresence ( TARGETING::Target * i_target, { TRACUCOMP(g_trac_tpmdd, INFO_MRK"tpmPresence : Device not enabled"); + l_present = false; break; } - //Check for the target at the I2C level - l_present = I2C::i2cPresence(tpmInfo.i2cTarget, - tpmInfo.port, - tpmInfo.engine, - static_cast<uint64_t>(tpmInfo.devAddr) - ); - if( !l_present ) + + + // Verify the TPM is supported by this driver by reading and + // comparing the vendorid + uint32_t vendorId = 0; + size_t vendorIdSize = 4; + + + // Set the offset for the vendor reg + tpmInfo.offset = TPMDD::I2C_REG_VENDOR; + + + err = tpmRead( &vendorId, + vendorIdSize, + tpmInfo ); + + if ( NULL != err ) + { + TRACUCOMP(g_trac_tpmdd, + ERR_MRK"tpmPresence : ReadVendorID failed!" + "node tgt=0x%X C-p/e/dA=%d-%d/%d/0x%X RC=0x%X", + TARGETING::get_huid(i_target), + tpmInfo.chip, + tpmInfo.port, + tpmInfo.engine, + static_cast<uint64_t>(tpmInfo.devAddr), + err->reasonCode() + ); + l_present = false; + delete err; + err = NULL; + break; + + } + else if ((TPMDD::TPM_VENDORID_MASK & vendorId) + != TPMDD::TPM_VENDORID) + { + TRACUCOMP(g_trac_tpmdd, + ERR_MRK"tpmPresence : ReadVendorID mismatch!" + "node tgt=0x%X C-p/e/dA=%d-%d/%d/0x%X" + " found ID=0x%X exp ID=0x%X", + TARGETING::get_huid(i_target), + tpmInfo.chip, + tpmInfo.port, + tpmInfo.engine, + static_cast<uint64_t>(tpmInfo.devAddr), + vendorId, TPMDD::TPM_VENDORID + ); + l_present = false; + break; + } + + + // Verify the TPM is supported by this driver by reading and + // comparing the familyid + uint8_t familyId = 0; + size_t familyIdSize = 1; + + + // Set the offset for the vendor reg + tpmInfo.offset = TPMDD::I2C_REG_FAMILYID; + + + err = tpmRead( &familyId, + familyIdSize, + tpmInfo ); + + if ( NULL != err ) + { + TRACUCOMP(g_trac_tpmdd, + ERR_MRK"tpmPresence : ReadFamilyID failed!" + "node tgt=0x%X C-p/e/dA=%d-%d/%d/0x%X RC=0x%X", + TARGETING::get_huid(i_target), + tpmInfo.chip, + tpmInfo.port, + tpmInfo.engine, + static_cast<uint64_t>(tpmInfo.devAddr), + err->reasonCode() + ); + l_present = false; + delete err; + err = NULL; + break; + + } + else if ((TPMDD::TPM_FAMILYID_MASK & familyId) + != TPMDD::TPM_FAMILYID) { TRACUCOMP(g_trac_tpmdd, - INFO_MRK"i2cPresence returned false! chip NOT present!"); + ERR_MRK"tpmPresence : FamilyID mismatch!" + "node tgt=0x%X C-p/e/dA=%d-%d/%d/0x%X" + " found ID=0x%X exp ID=0x%X", + TARGETING::get_huid(i_target), + tpmInfo.chip, + tpmInfo.port, + tpmInfo.engine, + static_cast<uint64_t>(tpmInfo.devAddr), + familyId, TPMDD::TPM_FAMILYID + ); + l_present = false; break; } + else + { + TRACFCOMP(g_trac_tpmdd, + INFO_MRK"tpmPresence : TPM Detected!" + " node tgt=0x%X C-p/e/dA=%d-%d/%d/0x%X" + " Vendor ID=0x%X, Family ID=0x%X", + TARGETING::get_huid(i_target), + tpmInfo.chip, + tpmInfo.port, + tpmInfo.engine, + static_cast<uint64_t>(tpmInfo.devAddr), + vendorId, familyId + ); + l_present = true; + } + + + } while( 0 ); TRACDCOMP(g_trac_tpmdd, EXIT_MRK"tpmPresence() : presence : %d", l_present); + TRACUCOMP(g_trac_tpmdd, EXIT_MRK"tpmPresence() : " + "node tgt=0x%X chip=%d presence=%d", + TARGETING::get_huid(i_target), + i_chip, l_present); return l_present; } @@ -392,7 +511,7 @@ errlHndl_t tpmRead ( void * o_buffer, do { - TRACSCOMP( g_trac_tpmdd, + TRACUCOMP( g_trac_tpmdd, "TPM READ START : Chip: %02d : Offset %.2X : Len %d", i_tpmInfo.chip, i_tpmInfo.offset, i_buflen ); @@ -859,7 +978,8 @@ errlHndl_t tpmTransmit ( void * io_buffer, TRACDCOMP( g_trac_tpmdd, ENTER_MRK"tpmTransmit()" ); - do { + do + { TRACUCOMP( g_trac_tpmdd, "TPM TRANSMIT START : Chip: %02d : " @@ -1161,7 +1281,7 @@ errlHndl_t tpmReadAttributes ( TARGETING::Target * i_target, } while( 0 ); TRACUCOMP(g_trac_tpmdd,"tpmReadAttributes() tgt=0x%X, %d/%d/0x%X " - "En=%d, aS=%d, aS=%d (%d)", + "En=%d, aS=%d, aO=%d", TARGETING::get_huid(i_target), io_tpmInfo.port, io_tpmInfo.engine, io_tpmInfo.devAddr, io_tpmInfo.tpmEnabled, @@ -1596,15 +1716,21 @@ errlHndl_t tpmPollForDataAvail( tpm_info_t i_tpmInfo) } // end tpmPollForDataAvail errlHndl_t tpmReadBurstCount( tpm_info_t i_tpmInfo, - uint8_t & o_burstCount) + uint16_t & o_burstCount) { errlHndl_t err = NULL; - o_burstCount = 0; + +#ifdef CONFIG_TPMDD_1_2 + // Nuvoton 1.2 used a one byte burst count + uint8_t burstLow = 0; + err = tpmReadReg(i_tpmInfo, TPMDD::I2C_REG_BURSTCOUNT, 1, - reinterpret_cast<void*>(&o_burstCount)); + reinterpret_cast<void*>(&burstLow)); + + o_burstCount = burstLow; if (NULL == err && o_burstCount > TPMDD::TPM_MAXBURSTSIZE) @@ -1612,6 +1738,29 @@ errlHndl_t tpmReadBurstCount( tpm_info_t i_tpmInfo, o_burstCount = TPMDD::TPM_MAXBURSTSIZE; } +#else + // Nuvoton 2.0 uses a two byte burst count + // Read the burst count + uint16_t burstCount = 0; + if (NULL == err) + { + err = tpmReadReg(i_tpmInfo, + TPMDD::I2C_REG_BURSTCOUNT, + 2, + reinterpret_cast<void*>(&burstCount)); + } + + if (NULL == err) + { + o_burstCount = (burstCount & 0x00FF) << 8; + o_burstCount |= (burstCount & 0xFF00) >> 8; + } +#endif + TRACUCOMP( g_trac_tpmdd, + "tpmReadBurstCount() - BurstCount %d", + o_burstCount); + + return err; } // end tpmReadBurstCount @@ -1666,7 +1815,7 @@ errlHndl_t tpmWriteFifo( tpm_info_t i_tpmInfo, size_t curByte = 0; uint8_t* bytePtr = (uint8_t*)i_buffer; uint8_t* curBytePtr = NULL; - uint8_t burstCount = 0; + uint16_t burstCount = 0; errlHndl_t err = NULL; bool expecting = false; // We will transfer the command except for the last byte @@ -1892,7 +2041,7 @@ errlHndl_t tpmReadFifo( tpm_info_t i_tpmInfo, size_t curByte = 0; uint8_t* bytePtr = (uint8_t*)o_buffer; uint8_t* curBytePtr = NULL; - uint8_t burstCount = 0; + uint16_t burstCount = 0; errlHndl_t err = NULL; bool dataAvail = false; @@ -1903,7 +2052,7 @@ errlHndl_t tpmReadFifo( tpm_info_t i_tpmInfo, do { err = tpmReadBurstCount(i_tpmInfo, - burstCount); + burstCount); if (err) { break; @@ -1927,7 +2076,7 @@ errlHndl_t tpmReadFifo( tpm_info_t i_tpmInfo, "clen=%d", i_tpmInfo.chip, i_tpmInfo.port, i_tpmInfo.engine, i_tpmInfo.devAddr, - io_buflen, curByte); + io_buflen, curByte + burstCount); /*@ * @errortype diff --git a/src/usr/i2c/tpmdd.H b/src/usr/i2c/tpmdd.H index b9f2aace1..4c702d093 100755 --- a/src/usr/i2c/tpmdd.H +++ b/src/usr/i2c/tpmdd.H @@ -97,13 +97,40 @@ enum nuvo_12_defs_t { I2C_REG_STS = 0x0, I2C_REG_BURSTCOUNT = 0x1, + I2C_REG_FAMILYID = 0x3, I2C_REG_WR_FIFO = 0x20, I2C_REG_RD_FIFO = 0x40, I2C_REG_VENDOR = 0x60, TPM_VENDORID = 0x5010FE00, + TPM_VENDORID_MASK = 0xFFFFFF00, TPM_MAXBURSTSIZE = 32, ///< Max size to transfer in one i2c op + TPM_FAMILYID = 0x00, + TPM_FAMILYID_MASK = 0x0C, }; + +#elif defined(CONFIG_TPMDD_2_0) +/** + * @brief Nuvoton 2.0 TPM definitions + */ +enum nuvo_20_defs_t +{ + I2C_REG_STS = 0x0, + I2C_REG_BURSTCOUNT = 0x1, + I2C_REG_BURSTCOUNT_HIGH = 0x2, + I2C_REG_FAMILYID = 0x3, + I2C_REG_WR_FIFO = 0x20, + I2C_REG_RD_FIFO = 0x40, + I2C_REG_VENDOR = 0x60, + + TPM_VENDORID = 0x5010FE00, + TPM_VENDORID_MASK = 0xFFFFFF00, + TPM_MAXBURSTSIZE = 0xFFFF, + TPM_FAMILYID = 0x04, + TPM_FAMILYID_MASK = 0x0C, +}; + + #endif #endif @@ -126,13 +153,35 @@ union tpm_sts_reg_t uint8_t rsvd2 : 1; // 07 // RO } PACKED; }; + +#elif defined(CONFIG_TPMDD_2_0) + +/** +* @brief TPM STS register definition (PTP 2.0 Spec) +*/ +union tpm_sts_reg_t +{ + uint8_t value; + struct + { + uint8_t stsValid : 1; // 00 // RO + uint8_t isCommandReady : 1; // 01 // RW + uint8_t tpmGo : 1; // 02 // WO + uint8_t dataAvail : 1; // 03 // RO + uint8_t expect : 1; // 04 // RO + uint8_t selfTestDone : 1; // 05 // RO + uint8_t responseRetry : 1; // 06 // WO + uint8_t rsvd2 : 1; // 07 // RO + } PACKED; +}; + #endif /** * -* @brief Perform an TPM access operation. +* @brief Perform a TPM access operation. * * @param[in] i_opType Operation Type - See DeviceFW::OperationType in * driververif.H @@ -431,7 +480,7 @@ errlHndl_t tpmPollForDataAvail( tpm_info_t i_tpmInfo); * error log. */ errlHndl_t tpmReadBurstCount( tpm_info_t i_tpmInfo, - uint8_t & o_burstCount); + uint16_t & o_burstCount); /** * @brief Write the command ready bit in the Tpm STS register diff --git a/src/usr/initservice/extinitsvc/extinitsvctasks.H b/src/usr/initservice/extinitsvc/extinitsvctasks.H index 34374c197..6e2cf324e 100644 --- a/src/usr/initservice/extinitsvc/extinitsvctasks.H +++ b/src/usr/initservice/extinitsvc/extinitsvctasks.H @@ -370,6 +370,21 @@ const TaskInfo g_exttaskinfolist[] = { }, #endif +#ifdef CONFIG_TPMDD + /** + * @brief Trusted boot library + */ + { + "libsecureboot_trusted.so" , // taskname + NULL, // no pointer to fn + { + INIT_TASK, // task type + EXT_IMAGE, // Extended Module + } + }, +#endif + + // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! // NOTE: libistepdisp.so needs to always be last in this list!! diff --git a/src/usr/secureboot/makefile b/src/usr/secureboot/makefile index 346f702ad..2195cabb2 100644 --- a/src/usr/secureboot/makefile +++ b/src/usr/secureboot/makefile @@ -26,5 +26,6 @@ ROOTPATH = ../../.. SUBDIRS += base.d SUBDIRS += ext.d +SUBDIRS += trusted.d include ${ROOTPATH}/config.mk diff --git a/src/usr/secureboot/trusted/makefile b/src/usr/secureboot/trusted/makefile new file mode 100644 index 000000000..00991ed0f --- /dev/null +++ b/src/usr/secureboot/trusted/makefile @@ -0,0 +1,31 @@ +# IBM_PROLOG_BEGIN_TAG +# This is an automatically generated prolog. +# +# $Source: src/usr/secureboot/trusted/makefile $ +# +# OpenPOWER HostBoot Project +# +# Contributors Listed Below - COPYRIGHT 2015 +# [+] International Business Machines Corp. +# +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. See the License for the specific language governing +# permissions and limitations under the License. +# +# IBM_PROLOG_END_TAG +ROOTPATH = ../../../.. +MODULE = secureboot_trusted + +OBJS += $(if $(CONFIG_TPMDD),trustedboot.o,) + +CFLAGS += -iquote ../ +include ${ROOTPATH}/config.mk diff --git a/src/usr/secureboot/trusted/trustedboot.C b/src/usr/secureboot/trusted/trustedboot.C new file mode 100644 index 000000000..507826c57 --- /dev/null +++ b/src/usr/secureboot/trusted/trustedboot.C @@ -0,0 +1,248 @@ +/* IBM_PROLOG_BEGIN_TAG */ +/* This is an automatically generated prolog. */ +/* */ +/* $Source: src/usr/secureboot/trustedboot.C $ */ +/* */ +/* OpenPOWER HostBoot Project */ +/* */ +/* Contributors Listed Below - COPYRIGHT 2015 */ +/* [+] International Business Machines Corp. */ +/* */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ +/* implied. See the License for the specific language governing */ +/* permissions and limitations under the License. */ +/* */ +/* IBM_PROLOG_END_TAG */ +/** + * @file trustedboot.C + * + * @brief Trusted boot interfaces + */ + +// ---------------------------------------------- +// Includes +// ---------------------------------------------- +#include <string.h> +#include <sys/time.h> +#include <trace/interface.H> +#include <errl/errlentry.H> +#include <errl/errlmanager.H> +#include <errl/errludtarget.H> +#include <errl/errludstring.H> +#include <targeting/common/targetservice.H> +#include <devicefw/driverif.H> +#include <i2c/tpmddif.H> +#include <secureboot/trustedbootif.H> +#include <i2c/tpmddreasoncodes.H> +#include "trustedboot.H" +#include <secureboot/trustedboot_reasoncodes.H> + +// ---------------------------------------------- +// Trace definitions +// ---------------------------------------------- +trace_desc_t* g_trac_trustedboot = NULL; +TRAC_INIT( & g_trac_trustedboot, "TRBOOT", KILOBYTE ); + +// Easy macro replace for unit testing +//#define TRACUCOMP(args...) TRACFCOMP(args) +#define TRACUCOMP(args...) + +namespace TRUSTEDBOOT +{ + +void* host_update_master_tpm( void *io_pArgs ) +{ + errlHndl_t err = NULL; + TRACDCOMP( g_trac_trustedboot, + ENTER_MRK"host_update_master_tpm()" ); + TRACUCOMP( g_trac_trustedboot, + ENTER_MRK"host_update_master_tpm()"); + + do + { + + // First time here so we need to clean out our data structure + memset(&tpmTargets, 0, + sizeof(TpmTarget) * TRUSTEDBOOT::MAX_SYSTEM_TPMS); + + + // Get a node Target + TARGETING::TargetService& tS = TARGETING::targetService(); + TARGETING::Target* nodeTarget = NULL; + tS.getMasterNodeTarget( nodeTarget ); + + if (nodeTarget == NULL) + break; + + // Skip this target if target is non-functional + if(!nodeTarget->getAttr<TARGETING::ATTR_HWAS_STATE>(). \ + functional) + { + continue; + } + + if (TPMDD::tpmPresence(nodeTarget, TPMDD::TPM_PRIMARY)) + { + tpmTargets[TPM_MASTER_INDEX].nodeTarget = nodeTarget; + tpmTargets[TPM_MASTER_INDEX].chip = TPMDD::TPM_PRIMARY; + tpmTargets[TPM_MASTER_INDEX].functional = true; + + // Initialize the TPM, this will mark it as non-functional on fail + tpmInitialize(tpmTargets[TPM_MASTER_INDEX]); + + } + + if (!tpmTargets[TPM_MASTER_INDEX].functional) + { + + /// @todo RTC:134913 Switch to redundant chip if redundant TPM avail + + // Master TPM not available + TRACFCOMP( g_trac_trustedboot, + "Master TPM Existence Fail"); + + /*@ + * @errortype + * @reasoncode RC_TPM_EXISTENCE_FAIL + * @severity ERRL_SEV_UNRECOVERABLE + * @moduleid MOD_HOST_UPDATE_MASTER_TPM + * @userdata1 node + * @userdata2 0 + * @devdesc No TPMs found in system. + */ + err = new ERRORLOG::ErrlEntry( ERRORLOG::ERRL_SEV_UNRECOVERABLE, + MOD_HOST_UPDATE_MASTER_TPM, + RC_TPM_EXISTENCE_FAIL, + TARGETING::get_huid(nodeTarget), + 0, + true /*Add HB SW Callout*/ ); + + err->collectTrace( SECURE_COMP_NAME ); + break; + } + + + } while ( 0 ); + + TRACDCOMP( g_trac_trustedboot, + EXIT_MRK"host_update_master_tpm() - %s", + ((NULL == err) ? "No Error" : "With Error") ); + return err; +} + + +void tpmInitialize(TRUSTEDBOOT::TpmTarget & io_target) +{ + errlHndl_t err = NULL; + uint8_t dataBuf[BUFSIZE]; + size_t dataSize = sizeof(dataBuf); + size_t cmdSize = 0; + + TRACDCOMP( g_trac_trustedboot, + ENTER_MRK"tpmInitialize()" ); + TRACUCOMP( g_trac_trustedboot, + ENTER_MRK"tpmInitialize() tgt=0x%X chip=%d", + TARGETING::get_huid(io_target.nodeTarget), + io_target.chip); + + do + { + // TPM Initialization sequence + + // Send the TPM startup command + // Build our command block for a startup + memset(dataBuf, 0, sizeof(dataBuf)); + + TRUSTEDBOOT::TPM_BaseOut* resp = + (TRUSTEDBOOT::TPM_BaseOut*)dataBuf; +#ifdef CONFIG_TPMDD_1_2 + TRUSTEDBOOT::TPM_2ByteIn* cmd = + (TRUSTEDBOOT::TPM_2ByteIn*)dataBuf; + + cmd->base.tag = TRUSTEDBOOT::TPM_TAG_RQU_COMMAND; + cmd->base.paramSize = sizeof (TRUSTEDBOOT::TPM_2ByteIn); + cmd->base.ordinal = TRUSTEDBOOT::TPM_ORD_Startup; + cmd->param = TRUSTEDBOOT::TPM_ST_CLEAR; + cmdSize = cmd->base.paramSize; +#elif defined(CONFIG_TPMDD_2_0) + TRUSTEDBOOT::TPM2_2ByteIn* cmd = + (TRUSTEDBOOT::TPM2_2ByteIn*)dataBuf; + + cmd->base.tag = TRUSTEDBOOT::TPM_ST_NO_SESSIONS; + cmd->base.commandSize = sizeof (TRUSTEDBOOT::TPM2_2ByteIn); + cmd->base.commandCode = TRUSTEDBOOT::TPM_CC_Startup; + cmd->param = TRUSTEDBOOT::TPM_SU_CLEAR; + cmdSize = cmd->base.commandSize; +#endif + + err = deviceRead(io_target.nodeTarget, + &dataBuf, + dataSize, + DEVICE_TPM_ADDRESS( io_target.chip, + TPMDD::TPM_OP_TRANSMIT, + cmdSize) ); + + if (NULL != err) + { + TRACFCOMP( g_trac_trustedboot, + "TPM STARTUP I2C Fail %X : ", + err->reasonCode() ); + break; + + } + else if (TRUSTEDBOOT::TPM_SUCCESS != resp->returnCode) + { + TRACFCOMP( g_trac_trustedboot, + "TPM STARTUP OP Fail %X : ", + resp->returnCode); + + /*@ + * @errortype + * @reasoncode RC_TPM_START_FAIL + * @severity ERRL_SEV_UNRECOVERABLE + * @moduleid MOD_TPM_INITIALIZE + * @userdata1 node + * @userdata2 returnCode + * @devdesc Invalid operation type. + */ + err = new ERRORLOG::ErrlEntry( ERRORLOG::ERRL_SEV_UNRECOVERABLE, + MOD_TPM_INITIALIZE, + RC_TPM_START_FAIL, + TARGETING::get_huid( + io_target.nodeTarget), + resp->returnCode, + true /*Add HB SW Callout*/ ); + + err->collectTrace( SECURE_COMP_NAME ); + break; + } + + + } while ( 0 ); + + + // If the TPM failed we will mark it not functional + if (NULL != err) + { + io_target.functional = false; + // Log this failure + errlCommit(err, SECURE_COMP_ID); + } + + + TRACDCOMP( g_trac_trustedboot, + EXIT_MRK"tpmInitialize() - %s", + ((NULL == err) ? "No Error" : "With Error") ); + +} + +} // end TRUSTEDBOOT diff --git a/src/usr/secureboot/trusted/trustedboot.H b/src/usr/secureboot/trusted/trustedboot.H index 93a48096d..0f7a323f8 100644 --- a/src/usr/secureboot/trusted/trustedboot.H +++ b/src/usr/secureboot/trusted/trustedboot.H @@ -40,10 +40,26 @@ namespace TRUSTEDBOOT enum { MAX_SYSTEM_TPMS = 2, + BUFSIZE = 256, + TPM_MASTER_INDEX = 0, ///< Index into tpmTargets array for master chip + TPM_REDUNDANT_INDEX = 1, ///< Index for redundant chip TPM }; +/// Track system TPM status +struct TpmTarget +{ + TARGETING::Target* nodeTarget; + TPMDD::tpm_chip_types_t chip; ///< Chip Pri vs Backup + uint8_t functional:1; ///< Is TPM currently functional +} tpmTargets[MAX_SYSTEM_TPMS]; + +/** + * @brief Initialize the targetted TPM + * @param[in/out] target Current TPM target structure +*/ +void tpmInitialize(TRUSTEDBOOT::TpmTarget & io_target); + -#ifdef CONFIG_TPMDD_1_2 // Command structures taken from TPM Main - Part3 commands v 1.2 rev116 /// Base of all incoming messages @@ -72,6 +88,8 @@ struct TPM_4ByteOut { uint32_t resp; } PACKED; +#ifdef CONFIG_TPMDD_1_2 + /// Incoming TPM_GetCapability structure struct TPM_GetCapabilityIn { TPM_BaseIn base; @@ -123,7 +141,79 @@ enum { }; -#endif // CONFIG_TPMDD_1_2 +#elif defined(CONFIG_TPMDD_2_0) + +struct TPM2_BaseIn { + uint16_t tag; ///< Type TPM_ST_xx + uint32_t commandSize; ///< Total # output bytes incl cmdSize and tag + uint32_t commandCode; ///< Type TPM_CC_xx +} PACKED; + +/// Base of all outgoing messages +struct TPM2_BaseOut { + uint16_t tag; ///< Type TPM_ST_xx + uint32_t responseSize; ///< Total # output bytes incl paramSize and tag + uint32_t responseCode;///< The return code of the operation +} PACKED; + +/// Generic TPM Input Command structure with a 2 byte param +struct TPM2_2ByteIn { + TPM2_BaseIn base; + uint16_t param; +} PACKED; + +/// Generic TPM Output Command structure with a 4 byte return data +struct TPM2_4ByteOut { + TPM2_BaseOut base; + uint32_t resp; +} PACKED; + +/// Incoming TPM_GetCapability structure +struct TPM2_GetCapabilityIn { + TPM2_BaseIn base; + uint32_t capability; ///< group selection + uint32_t property; ///< Further definition + uint32_t propertyCount; ///< Number of properties to return +} PACKED; + +/// Outgoing TPM_GetCapability structure +struct TPM2_GetCapabilityOut { + TPM2_BaseOut base; + uint8_t moreData; ///< Flag to indicate if more values available + uint8_t capData[]; ///< The capability response +} PACKED; + +/// Various static values +enum { + // Command structure tags + TPM_ST_NO_SESSIONS = 0x8001, ///< A command with no sess/auth + + + // Command Codes + TPM_CC_Startup = 0x00000144, + TPM_CC_GetCapability = 0x0000017A, + TPM_CC_PCR_Read = 0x0000017E, + TPM_CC_PCR_Extend = 0x00000182, + + + // TPM Startup types + TPM_SU_CLEAR = 0x0000, ///< TPM perform reset,restart + TPM_SU_STATE = 0x0001, ///< TPM perform restore saved state + + // Capability + TPM_CAP_TPM_PROPERTIES = 0x00000006, ///< Pull TPM Properties + + // TPM Properties + TPM_PT_MANUFACTURER = 0x00000105, + + // TPM Return Codes + TPM_SUCCESS = 0x000, + + TPM_RC_INITIALIZE = 0x100, + +}; + +#endif } // end TRUSTEDBOOT namespace |
