d8/dd3/security_2tpm_2tss_2vendor_2cr50_2cr50_8c_source.html

 /* SPDX-License-Identifier: BSD-3-Clause */


 #include <console/console.h>

 #include <endian.h>

 #include <halt.h>

 #include <vb2_api.h>

 #include <security/tpm/tis.h>

 #include <security/tpm/tss.h>


 #include "../../tcg-2.0/tss_marshaling.h"


 uint32_t tlcl_cr50_enable_nvcommits(void)

 {

         uint16_t sub_command = TPM2_CR50_SUB_CMD_NVMEM_ENABLE_COMMITS;

         struct tpm2_response *response;


         printk(BIOS_INFO, "Enabling cr50 nvmem commits\n");


         response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, &sub_command);


         if (response == NULL || (response && response->hdr.tpm_code)) {

                 if (response)

                         printk(BIOS_INFO, "%s: failed %x\n", __func__,

                                response->hdr.tpm_code);

                 else

                         printk(BIOS_INFO, "%s: failed\n", __func__);

                 return TPM_E_IOERROR;

         }

         return TPM_SUCCESS;

 }


 uint32_t tlcl_cr50_enable_update(uint16_t timeout_ms,

                                  uint8_t *num_restored_headers)

 {

         struct tpm2_response *response;

         uint16_t command_body[] = {

                 TPM2_CR50_SUB_CMD_TURN_UPDATE_ON, timeout_ms

         };


         printk(BIOS_INFO, "Checking cr50 for pending updates\n");


         response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, command_body);


         if (!response || response->hdr.tpm_code)

                 return TPM_E_IOERROR;


         *num_restored_headers = response->vcr.num_restored_headers;

         return TPM_SUCCESS;

 }


 uint32_t tlcl_cr50_get_recovery_button(uint8_t *recovery_button_state)

 {

         struct tpm2_response *response;

         uint16_t sub_command = TPM2_CR50_SUB_CMD_GET_REC_BTN;


         printk(BIOS_INFO, "Checking cr50 for recovery request\n");


         response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, &sub_command);


         if (!response || response->hdr.tpm_code)

                 return TPM_E_IOERROR;


         *recovery_button_state = response->vcr.recovery_button_state;

         return TPM_SUCCESS;

 }


 uint32_t tlcl_cr50_get_tpm_mode(uint8_t *tpm_mode)

 {

         struct tpm2_response *response;

         uint16_t mode_command = TPM2_CR50_SUB_CMD_TPM_MODE;

         *tpm_mode = TPM_MODE_INVALID;


         printk(BIOS_INFO, "Reading cr50 TPM mode\n");


         response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, &mode_command);


         if (!response)

                 return TPM_E_IOERROR;


         if (response->hdr.tpm_code == VENDOR_RC_INTERNAL_ERROR) {

                 /*

                  * The Cr50 returns VENDOR_RC_INTERNAL_ERROR iff the key ladder

                  * is disabled. The Cr50 requires a reboot to re-enable the key

                  * ladder.

                  */

                 return TPM_E_MUST_REBOOT;

         }


         if (response->hdr.tpm_code == VENDOR_RC_NO_SUCH_COMMAND ||

             response->hdr.tpm_code == VENDOR_RC_NO_SUCH_SUBCOMMAND) {

                 /*

                  * Explicitly inform caller when command is not supported

                  */

                 return TPM_E_NO_SUCH_COMMAND;

         }


         if (response->hdr.tpm_code) {

                 /* Unexpected return code from Cr50 */

                 return TPM_E_IOERROR;

         }


         /* TPM command completed without error */

         *tpm_mode = response->vcr.tpm_mode;


         return TPM_SUCCESS;

 }


 uint32_t tlcl_cr50_get_boot_mode(uint8_t *boot_mode)

 {

         struct tpm2_response *response;

         uint16_t mode_command = TPM2_CR50_SUB_CMD_GET_BOOT_MODE;


         printk(BIOS_DEBUG, "Reading cr50 boot mode\n");


         response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, &mode_command);


         if (!response)

                 return TPM_E_IOERROR;


         if (response->hdr.tpm_code == VENDOR_RC_NO_SUCH_COMMAND ||

             response->hdr.tpm_code == VENDOR_RC_NO_SUCH_SUBCOMMAND)

                 /* Explicitly inform caller when command is not supported */

                 return TPM_E_NO_SUCH_COMMAND;


         if (response->hdr.tpm_code)

                 /* Unexpected return code from Cr50 */

                 return TPM_E_IOERROR;


         *boot_mode = response->vcr.boot_mode;


         return TPM_SUCCESS;

 }


 uint32_t tlcl_cr50_immediate_reset(uint16_t timeout_ms)

 {

         struct tpm2_response *response;

         uint16_t reset_command_body[] = {

                 TPM2_CR50_SUB_CMD_IMMEDIATE_RESET, timeout_ms};


         /*

          * Issue an immediate reset to the Cr50.

          */

         printk(BIOS_INFO, "Issuing cr50 reset\n");

         response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND,

                                        &reset_command_body);


         if (!response)

                 return TPM_E_IOERROR;


         return TPM_SUCCESS;

 }


 uint32_t tlcl_cr50_reset_ec(void)

 {

         struct tpm2_response *response;

         uint16_t reset_cmd = TPM2_CR50_SUB_CMD_RESET_EC;


         printk(BIOS_DEBUG, "Issuing EC reset\n");


         response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, &reset_cmd);


         if (!response)

                 return TPM_E_IOERROR;


         if (response->hdr.tpm_code == VENDOR_RC_NO_SUCH_COMMAND ||

             response->hdr.tpm_code == VENDOR_RC_NO_SUCH_SUBCOMMAND)

                 /* Explicitly inform caller when command is not supported */

                 return TPM_E_NO_SUCH_COMMAND;


         if (response->hdr.tpm_code)

                 /* Unexpected return code from Cr50 */

                 return TPM_E_IOERROR;


         printk(BIOS_DEBUG, "EC reset coming up...\n");

         halt();


         return TPM_SUCCESS;

 }

printk
#define printk(level,...)
Definition: stdlib.h:16

console.h

halt.h

halt
void __noreturn halt(void)
halt the system reliably
Definition: halt.c:6

BIOS_INFO
#define BIOS_INFO
BIOS_INFO - Expected events.
Definition: loglevel.h:113

BIOS_DEBUG
#define BIOS_DEBUG
BIOS_DEBUG - Verbose output.
Definition: loglevel.h:128

tlcl_cr50_get_tpm_mode
uint32_t tlcl_cr50_get_tpm_mode(uint8_t *tpm_mode)
CR50 specific TPM command sequence to query the current TPM mode.
Definition: cr50.c:67

tlcl_cr50_immediate_reset
uint32_t tlcl_cr50_immediate_reset(uint16_t timeout_ms)
CR50 specific TPM command sequence to trigger an immediate reset to the Cr50 device after the specifi...
Definition: cr50.c:134

tlcl_cr50_enable_update
uint32_t tlcl_cr50_enable_update(uint16_t timeout_ms, uint8_t *num_restored_headers)
CR50 specific tpm command to restore header(s) of the dormant RO/RW image(s) and in case there indeed...
Definition: cr50.c:32

tlcl_cr50_reset_ec
uint32_t tlcl_cr50_reset_ec(void)
CR50 specific TPM command sequence to issue an EC reset.
Definition: cr50.c:153

tlcl_cr50_get_recovery_button
uint32_t tlcl_cr50_get_recovery_button(uint8_t *recovery_button_state)
CR50 specific tpm command to get the latched state of the recovery button.
Definition: cr50.c:51

tlcl_cr50_enable_nvcommits
uint32_t tlcl_cr50_enable_nvcommits(void)
CR50 specific tpm command to enable nvmem commits before internal timeout expires.
Definition: cr50.c:12

tlcl_cr50_get_boot_mode
uint32_t tlcl_cr50_get_boot_mode(uint8_t *boot_mode)
CR50 specific TPM command sequence to query the current boot mode.
Definition: cr50.c:108

TPM2_CR50_SUB_CMD_TPM_MODE
#define TPM2_CR50_SUB_CMD_TPM_MODE
Definition: cr50.h:16

TPM2_CR50_SUB_CMD_GET_BOOT_MODE
#define TPM2_CR50_SUB_CMD_GET_BOOT_MODE
Definition: cr50.h:17

TPM2_CR50_SUB_CMD_TURN_UPDATE_ON
#define TPM2_CR50_SUB_CMD_TURN_UPDATE_ON
Definition: cr50.h:14

TPM2_CR50_SUB_CMD_IMMEDIATE_RESET
#define TPM2_CR50_SUB_CMD_IMMEDIATE_RESET
Definition: cr50.h:12

TPM2_CR50_VENDOR_COMMAND
#define TPM2_CR50_VENDOR_COMMAND
Definition: cr50.h:11

TPM_MODE_INVALID
@ TPM_MODE_INVALID
Definition: cr50.h:41

TPM2_CR50_SUB_CMD_RESET_EC
#define TPM2_CR50_SUB_CMD_RESET_EC
Definition: cr50.h:18

TPM2_CR50_SUB_CMD_NVMEM_ENABLE_COMMITS
#define TPM2_CR50_SUB_CMD_NVMEM_ENABLE_COMMITS
Definition: cr50.h:13

TPM2_CR50_SUB_CMD_GET_REC_BTN
#define TPM2_CR50_SUB_CMD_GET_REC_BTN
Definition: cr50.h:15

VENDOR_RC_INTERNAL_ERROR
@ VENDOR_RC_INTERNAL_ERROR
Definition: cr50.h:23

VENDOR_RC_NO_SUCH_SUBCOMMAND
@ VENDOR_RC_NO_SUCH_SUBCOMMAND
Definition: cr50.h:24

VENDOR_RC_NO_SUCH_COMMAND
@ VENDOR_RC_NO_SUCH_COMMAND
Definition: cr50.h:25

NULL
#define NULL
Definition: stddef.h:19

uint16_t
unsigned short uint16_t
Definition: stdint.h:11

uint32_t
unsigned int uint32_t
Definition: stdint.h:14

uint8_t
unsigned char uint8_t
Definition: stdint.h:8

tpm2_response
Definition: tss_structures.h:379

tpm2_response::vcr
struct vendor_command_response vcr
Definition: tss_structures.h:385

tpm2_response::hdr
struct tpm_header hdr
Definition: tss_structures.h:380

tpm_header::tpm_code
TPM_CC tpm_code
Definition: tss_structures.h:76

vendor_command_response::num_restored_headers
uint8_t num_restored_headers
Definition: tss_structures.h:346

vendor_command_response::tpm_mode
uint8_t tpm_mode
Definition: tss_structures.h:348

vendor_command_response::boot_mode
uint8_t boot_mode
Definition: tss_structures.h:349

vendor_command_response::recovery_button_state
uint8_t recovery_button_state
Definition: tss_structures.h:347

tpm_process_command
void * tpm_process_command(TPM_CC command, void *command_body)
Definition: tss.c:19

tis.h

tss.h

TPM_SUCCESS
#define TPM_SUCCESS
Definition: tss_common.h:9

TPM_E_IOERROR
#define TPM_E_IOERROR
Definition: tss_errors.h:21

TPM_E_MUST_REBOOT
#define TPM_E_MUST_REBOOT
Definition: tss_errors.h:31

TPM_E_NO_SUCH_COMMAND
#define TPM_E_NO_SUCH_COMMAND
Definition: tss_errors.h:43