commit be6c1529c1ce9718cc955f23fdaa5891d15b6551
author Reinhard Pfau <pfau@gdsys.de> Wed Jun 26 15:55:13 2013 +0200
committer Andy Fleming <afleming@freescale.com> Tue Jul 16 17:44:29 2013 -0500
tree b73253817917f39b0583ec9da4cfbb7e054409dc
parent baa8841d6cc8a8cb79e0aee2fe1b360dacc05aaf

tpm: add AUTH1 cmds for LoadKey2 and GetPubKey

Extend the tpm library with support for single authorized (AUTH1) commands
as specified in the TCG Main Specification 1.2. (The internally used helper
functions are implemented in a way that they could also be used for double
authorized commands if someone needs it.)

Provide enums with the return codes from the TCG Main specification.

For now only a single OIAP session is supported.

OIAP authorized version of the commands TPM_LoadKey2 and TPM_GetPubKey are
provided. Both features are available using the 'tpm' command, too.

Authorized commands are enabled with CONFIG_TPM_AUTH_SESSIONS. (Note that
this also requires CONFIG_SHA1 to be enabled.)

Signed-off-by: Reinhard Pfau <reinhard.pfau@gdsys.cc>
Signed-off-by: Dirk Eibach <dirk.eibach@gdsys.cc>
Acked-by: Che-Liang Chiou <clchiou@chromium.org>
Signed-off-by: Andy Fleming <afleming@freescale.com>

common/cmd_tpm.c

diff --git a/common/cmd_tpm.c b/common/cmd_tpm.c
index 46fae18..c34000a 100644
--- a/common/cmd_tpm.c
+++ b/common/cmd_tpm.c
@@ -27,6 +27,13 @@
 #include <asm/unaligned.h>
 #include <linux/string.h>
 
+/* Useful constants */
+enum {
+	DIGEST_LENGTH		= 20,
+	/* max lengths, valid for RSA keys <= 2048 bits */
+	TPM_PUBKEY_MAX_LENGTH	= 288,
+};
+
 /**
  * Print a byte string in hexdecimal format, 16-bytes per line.
  *
@@ -546,6 +553,72 @@
 	return convert_return_code(err);
 }
 
+#ifdef CONFIG_TPM_AUTH_SESSIONS
+
+static int do_tpm_oiap(cmd_tbl_t *cmdtp, int flag,
+		int argc, char * const argv[])
+{
+	uint32_t auth_handle, err;
+
+	err = tpm_oiap(&auth_handle);
+
+	return convert_return_code(err);
+}
+
+static int do_tpm_load_key2_oiap(cmd_tbl_t *cmdtp, int flag,
+		int argc, char * const argv[])
+{
+	uint32_t parent_handle, key_len, key_handle, err;
+	uint8_t usage_auth[DIGEST_LENGTH];
+	void *key;
+
+	if (argc < 5)
+		return CMD_RET_USAGE;
+
+	parent_handle = simple_strtoul(argv[1], NULL, 0);
+	key = (void *)simple_strtoul(argv[2], NULL, 0);
+	key_len = simple_strtoul(argv[3], NULL, 0);
+	if (strlen(argv[4]) != 2 * DIGEST_LENGTH)
+		return CMD_RET_FAILURE;
+	parse_byte_string(argv[4], usage_auth, NULL);
+
+	err = tpm_load_key2_oiap(parent_handle, key, key_len, usage_auth,
+			&key_handle);
+	if (!err)
+		printf("Key handle is 0x%x\n", key_handle);
+
+	return convert_return_code(err);
+}
+
+static int do_tpm_get_pub_key_oiap(cmd_tbl_t *cmdtp, int flag,
+		int argc, char * const argv[])
+{
+	uint32_t key_handle, err;
+	uint8_t usage_auth[DIGEST_LENGTH];
+	uint8_t pub_key_buffer[TPM_PUBKEY_MAX_LENGTH];
+	size_t pub_key_len = sizeof(pub_key_buffer);
+
+	if (argc < 3)
+		return CMD_RET_USAGE;
+
+	key_handle = simple_strtoul(argv[1], NULL, 0);
+	if (strlen(argv[2]) != 2 * DIGEST_LENGTH)
+		return CMD_RET_FAILURE;
+	parse_byte_string(argv[2], usage_auth, NULL);
+
+	err = tpm_get_pub_key_oiap(key_handle, usage_auth,
+			pub_key_buffer, &pub_key_len);
+	if (!err) {
+		printf("dump of received pub key structure:\n");
+		print_byte_string(pub_key_buffer, pub_key_len);
+	}
+	return convert_return_code(err);
+}
+
+TPM_COMMAND_NO_ARG(tpm_end_oiap)
+
+#endif /* CONFIG_TPM_AUTH_SESSIONS */
+
 #define MAKE_TPM_CMD_ENTRY(cmd) \
 	U_BOOT_CMD_MKENT(cmd, 0, 1, do_tpm_ ## cmd, "", "")
 
@@ -590,6 +663,16 @@
 			do_tpm_nv_read, "", ""),
 	U_BOOT_CMD_MKENT(nv_write, 0, 1,
 			do_tpm_nv_write, "", ""),
+#ifdef CONFIG_TPM_AUTH_SESSIONS
+	U_BOOT_CMD_MKENT(oiap, 0, 1,
+			 do_tpm_oiap, "", ""),
+	U_BOOT_CMD_MKENT(end_oiap, 0, 1,
+			 do_tpm_end_oiap, "", ""),
+	U_BOOT_CMD_MKENT(load_key2_oiap, 0, 1,
+			 do_tpm_load_key2_oiap, "", ""),
+	U_BOOT_CMD_MKENT(get_pub_key_oiap, 0, 1,
+			 do_tpm_get_pub_key_oiap, "", ""),
+#endif /* CONFIG_TPM_AUTH_SESSIONS */
 };
 
 static int do_tpm(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
@@ -638,6 +721,16 @@
 "  get_capability cap_area sub_cap addr count\n"
 "    - Read <count> bytes of TPM capability indexed by <cap_area> and\n"
 "      <sub_cap> to memory address <addr>.\n"
+#ifdef CONFIG_TPM_AUTH_SESSIONS
+"Storage functions\n"
+"  loadkey2_oiap parent_handle key_addr key_len usage_auth\n"
+"    - loads a key data from memory address <key_addr>, <key_len> bytes\n"
+"      into TPM using the parent key <parent_handle> with authorization\n"
+"      <usage_auth> (20 bytes hex string).\n"
+"  get_pub_key_oiap key_handle usage_auth\n"
+"    - get the public key portion of a loaded key <key_handle> using\n"
+"      authorization <usage auth> (20 bytes hex string)\n"
+#endif /* CONFIG_TPM_AUTH_SESSIONS */
 "Endorsement Key Handling Commands:\n"
 "  read_pubek addr count\n"
 "    - Read <count> bytes of the public endorsement key to memory\n"
@@ -648,6 +741,13 @@
 "      <digest_hex_string>\n"
 "  pcr_read index addr count\n"
 "    - Read <count> bytes from PCR <index> to memory address <addr>.\n"
+#ifdef CONFIG_TPM_AUTH_SESSIONS
+"Authorization Sessions\n"
+"  oiap\n"
+"    - setup an OIAP session\n"
+"  end_oiap\n"
+"    - terminates an active OIAP session\n"
+#endif /* CONFIG_TPM_AUTH_SESSIONS */
 "Non-volatile Storage Commands:\n"
 "  nv_define_space index permission size\n"
 "    - Establish a space at index <index> with <permission> of <size> bytes.\n"