author | Ilya Smirnov <ismirno@us.ibm.com> | 2018-12-06 15:22:10 -0600 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2019-01-18 16:44:58 -0600 |
commit | 868b68df85eb7aeed7eba3392303fa3be854e2a6 (patch) | |
tree | ea6ef1afe17ebc0c39baa4ad0e926be77f36e501 /src/include/usr/secureboot | |
parent | 6a5388bbc8b066a9547e1e1268e8c3a7e9f33291 (diff) | |
Secureboot: Add New TPM Commands For Nodecomm
This commit adds four new TPM commands, and the APIs for them,
for the enhanced secure multinode communication protocol. The
TPM commands are the base for the new protocol and will be
used as part of it.
Change-Id: I080ff87cd6001b5d2e13ae350a379cbc2c92bfcf
RTC: 202364
Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/69725
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/include/usr/secureboot')
-rw-r--r-- | src/include/usr/secureboot/trustedboot_reasoncodes.H | 9 | ||||
-rw-r--r-- | src/include/usr/secureboot/trustedbootif.H | 77 |
2 files changed, 81 insertions, 5 deletions
diff --git a/src/include/usr/secureboot/trustedboot_reasoncodes.H b/src/include/usr/secureboot/trustedboot_reasoncodes.H index 8c03fd272..60727239e 100644 --- a/src/include/usr/secureboot/trustedboot_reasoncodes.H +++ b/src/include/usr/secureboot/trustedboot_reasoncodes.H @@ -69,6 +69,14 @@ namespace TRUSTEDBOOT MOD_TEST_CMP_PRIMARY_AND_BACKUP_TPM = 0x17, MOD_TPM_GETRANDOM = 0x18, MOD_VALIDATE_TPM_HANDLE = 0x19, + MOD_TPM_CMD_CREATE_ATTEST = 0x1A, + MOD_CREATE_ATT_KEYS = 0x1B, + MOD_READ_AK_CERT = 0x1C, + MOD_TPM_CMD_READ_AK_CERT = 0x1D, + MOD_TPM_CMD_GEN_QUOTE = 0x1E, + MOD_GEN_QUOTE = 0x1F, + MOD_TPM_CMD_FLUSH_CONTEXT = 0x20, + MOD_FLUSH_CONTEXT = 0x21, }; enum TRUSTEDReasonCode @@ -104,6 +112,7 @@ namespace TRUSTEDBOOT RC_NON_FUNCTIONAL_TPM_HANDLE = TRBOOT_COMP_ID | 0xB9, RC_UNREACHABLE_TPM = TRBOOT_COMP_ID | 0xBA, RC_RAND_NUM_TOO_BIG = TRBOOT_COMP_ID | 0xBB, + RC_TPM_BAD_RESP = TRBOOT_COMP_ID | 0xBC, }; #ifdef __cplusplus } diff --git a/src/include/usr/secureboot/trustedbootif.H b/src/include/usr/secureboot/trustedbootif.H index 6038ac486..8be8e6448 100644 --- a/src/include/usr/secureboot/trustedbootif.H +++ b/src/include/usr/secureboot/trustedbootif.H 
@@ -50,10 +50,34 @@ namespace TRUSTEDBOOT struct _TpmLogMgr; + // Structure that contains the TPM quote data and the size thereof + struct _QuoteDataOut + { + size_t size; // the size (bytes) of the data pointer + uint8_t* data; // the actual quote data + } PACKED; + typedef struct _QuoteDataOut QuoteDataOut; + // Hostboot code just maps the TpmTarget type, which shared APIs use, as a // targeting target typedef TARGETING::Target TpmTarget; + enum + { + // The size of AK certificate from the TPM, in bytes + TPM_NV_DATA_SIZE = 0x1F4, + // The size of the master nonce, in bytes + TPM_NONCE_SIZE_BYTES = 0x20, + }; + + // The structure that defines the size of the TPM AK certificate + // (in bytes) + typedef uint8_t AKCertificate_t[TPM_NV_DATA_SIZE]; + + // The structure that defines the size of the master node nonce + // (in bytes) + typedef uint8_t MasterTpmNonce_t[TPM_NONCE_SIZE_BYTES]; + /** * @brief Enum used for the getTPMs API to specify scope of TPMs to return */ @@ -250,17 +274,17 @@ namespace TRUSTEDBOOT * be functional. All of these conditions must be met or an error * log will result. * - * @param[out] o_randNum A pointer to the array to be filled with random - * bits - * * @param[in] i_randNumSize The desired size (bytes) of the random number * to be requested from the TPM * + * @param[out] o_randNum A pointer to the array to be filled with random + * bits + * * @return errlHndl_t nullptr on success or an error log pointer on failure */ errlHndl_t GetRandom(const TpmTarget* i_pTpm, - uint8_t* o_randNum, - size_t i_randNumSize); + size_t i_randNumSize, + uint8_t* o_randNum); #endif /** 
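Review bot: The new `_QuoteDataOut` struct leaves the ownership of `data` undocumented, so a caller of `generateQuote` (declared in the last hunk of this file) cannot tell whether the buffer is allocated by the callee and must be freed by the caller, or is caller-supplied with `size` as its capacity on input. Because the quote bytes are handed to the node-to-node protocol, whoever consumes this type needs that contract stated on the type itself; suggest replacing the two field comments with `size_t size; // number of valid bytes pointed to by data` and `uint8_t* data; // quote buffer; state here who allocates and who frees it`, filling in the owner from the implementation, which is outside this diff. The same note should appear on the `o_data` parameter of `generateQuote`. Separately, `AKCertificate_t` fixes the certificate at `TPM_NV_DATA_SIZE` (0x1F4) bytes, so the NV-read implementation must check the TPM's returned length against that constant before copying into the array rather than trust the response; a one-line comment on `TPM_NV_DATA_SIZE` saying the read is rejected on any other length would make that expectation visible (presumably that is what `RC_TPM_BAD_RESP` from the reason-code hunk is for, though this diff does not show it).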
@@ -355,6 +379,49 @@ namespace TRUSTEDBOOT */ errlHndl_t flushTpmQueue(); + /** + * @brief Send the command to the given TPM to create node attestation + * key pair + * + * @param[in] i_target the pointer to the TPM target to send the command to + * @return nullptr if success; non-nullptr on error + */ + errlHndl_t createAttestationKeys(TpmTarget* i_target); + + /** + * @brief Send the command to the given TPM to retrieve the AK certificate + * from its NVRAM + * + * @param[in] i_target the pointer to the TPM target to send the command to + * @param[out] o_data the buffer to store the contents of AK certificate + * @return nullptr if success; non-nullptr on error + */ + errlHndl_t readAKCertificate(TpmTarget* i_target, + AKCertificate_t* o_data); + + /** + * @brief Send the command to the given TPM to generate the quote + * + * @param[in] i_target the pointer to the TPM target to send the command to + * @param[in] i_masterNonce the 32-byte nonce from the master node + * @param[out] o_data a pointer to the data structure containing the size + * of the quote data from the TPM and the actual data + * @return nullptr if success; non-nullptr on error + */ + errlHndl_t generateQuote(TpmTarget* i_target, + MasterTpmNonce_t* i_masterNonce, + QuoteDataOut* o_data); + + /** + * @brief Send the command to the given TPM to remove all context associated + * with created objects + * + * @param[in] i_target the pointer to the TPM target to send the command to + * @return nullptr if success; non-nullptr on error + */ + errlHndl_t flushContext(TpmTarget* i_target); + + } // end TRUSTEDBOOT namespace |
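Review bot: The four new declarations are not const-correct for their inputs: `i_masterNonce` is documented as an input but passed as `MasterTpmNonce_t*`, and `i_target` is a non-const `TpmTarget*` in all four functions while `GetRandom` in the same header takes `const TpmTarget* i_pTpm`. Unless the implementation genuinely mutates the target, suggest `errlHndl_t generateQuote(const TpmTarget* i_target, const MasterTpmNonce_t* i_masterNonce, QuoteDataOut* o_data);` and the matching `const TpmTarget*` on `createAttestationKeys`, `readAKCertificate` and `flushContext`, so the header is self-consistent and the nonce cannot be modified on its way to the TPM. The `@brief` lines would also benefit from stating the ordering the protocol relies on, hedged as needed: that `readAKCertificate` and `generateQuote` expect the keys created by `createAttestationKeys` to still be loaded, and that `flushContext` releases them, since nothing in the signatures enforces this and a caller who reorders them gets only a runtime error log. Finally, `readAKCertificate` and `generateQuote` should document whether `o_data` is left untouched or partially written when a non-nullptr error log is returned, as that decides whether callers may use the buffer after checking the return.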