From patchwork Thu Mar 29 07:43:42 2018
From: Miquel Raynal
To: Tom Rini, Simon Glass
Cc: u-boot@lists.denx.de
Date: Thu, 29 Mar 2018 09:43:42 +0200
Message-Id: <20180329074401.8691-1-miquel.raynal@bootlin.com>
Subject: [U-Boot] [PATCH v2 00/19] Introduce SPI TPM v2.0 support

Current U-Boot supports the TPM v1.2 specification. The new specification
(v2.0) is not backward compatible and renames/introduces several functions.

This series introduces a new SPI driver following the TPM v2.0
specification. It has been tested on an ST TPM but should be usable with
other v2.0-compliant chips.

Then, basic functionalities are introduced one by one for the v2.0
specification. The INIT command now can receive a parameter to distinguish
further TPMv1/TPMv2 commands. After that, the library itself will know
which one is pertinent and will return a special error if the desired
command is not supported for the selected specification.

Available commands for v2.0 TPMs are:
* STARTUP
* SELF TEST
* CLEAR
* PCR EXTEND
* PCR READ
* GET CAPABILITY
* DICTIONARY ATTACK LOCK RESET
* DICTIONARY ATTACK CHANGE PARAMETERS
* HIERARCHY CHANGE AUTH

Two commands have been written but could not be tested (unsupported by the
TPM chosen):
* PCR CHANGE AUTH POLICY
* PCR CHANGE AUTH VALUE

With this set of functions, minimal TPMv2.0 handling is possible with the
following sequence.

* First, initialize the TPM stack in U-Boot: "TPM2" is a new parameter to
  discern the format of the commands:
  > tpm init TPM2

* Then send the STARTUP command to the TPM. The flag is slightly different
  between the revisions.
  > tpm startup TPM2_SU_CLEAR

* To enable full TPM capabilities, continue the tests (or do them all
  again). It seems like self_test_full always waits for the operation to
  finish, while continue_self_test returns a busy state if called too
  early.
  > tpm continue_self_test
  > tpm self_test_full

* Manage passwords (force_clear also resets a lot of internal stuff).
  Formerly, TAKE OWNERSHIP == CLEAR + CHANGE AUTH.
  LOCKOUT is an example; ENDORSEMENT and PLATFORM hierarchies are
  available too:
  > tpm force_clear TPM2_RH_LOCKOUT []
  > tpm change_auth TPM2_RH_LOCKOUT []

* Dictionary Attack Mitigation (DAM) parameters can be changed. It is
  possible to reset the failure counter and disable the lockout (values
  erased after a CLEAR). It is then possible to check that the parameters
  have been correctly applied.
  > tpm dam_reset_counter []
  > tpm dam_set_parameters 0xffff 1 0 []
  > tpm get_capability 0x0006 0x020e 0x4000000 4

* PCR policy may be changed (untested). PCRs can be extended (no
  protection against packet replay yet). PCRs can be read (the counter
  with the number of "extensions" is also given).
  > tpm pcr_setauthpolicy 0 12345678901234567890123456789012 []
  > tpm pcr_read 0 0x4000000
  > tpm pcr_extend 0 0x4000000

Regular testing may be done through the test/py/ framework when using real
hardware; there is no sandbox support for now.

Thanks,
Miquèl

Miquel Raynal (19):
  tpm: add Revision ID field in the chip structure
  tpm: rename tpm_tis_infineon in tpm_tis_infineon_i2c
  tpm: add support for TPMv2 SPI modules
  tpm: fix indentation in command list before adding more
  tpm: prepare support for TPMv2 commands
  tpm: add macros for TPMv2 commands
  tpm: add possible traces to analyze buffers returned by the TPM
  tpm: handle different buffer sizes
  tpm: add TPM2_Startup command support
  tpm: add TPM2_SelfTest command support
  tpm: add TPM2_Clear command support
  tpm: rename the _extend() function to be _pcr_event()
  tpm: add TPM2_PCR_Extend command support
  tpm: add TPM2_PCR_Read command support
  tpm: add TPM2_GetCapability command support
  tpm: add dictionary attack mitigation commands support
  tpm: add TPM2_HierarchyChangeAuth command support
  tpm: add PCR authentication commands support
  test/py: add TPMv2.0 test suite

 cmd/tpm.c                                          | 360 +++++++++--
 cmd/tpm_test.c                                     |  10 +-
 drivers/tpm/Kconfig                                |  13 +-
 drivers/tpm/Makefile                               |   3 +-
 drivers/tpm/tpm_tis.h                              |   4 +
 .../{tpm_tis_infineon.c => tpm_tis_infineon_i2c.c} |   2 +-
 drivers/tpm/tpm_tis_spi.c                          | 656 +++++++++++++++++++++
 include/tpm.h                                      | 183 +++++-
 lib/tpm.c                                          | 654 ++++++++++++++++++--
 test/py/tests/test_tpm2.py                         | 254 ++++++++
 10 files changed, 1993 insertions(+), 146 deletions(-)
 rename drivers/tpm/{tpm_tis_infineon.c => tpm_tis_infineon_i2c.c} (99%)
 create mode 100644 drivers/tpm/tpm_tis_spi.c
 create mode 100644 test/py/tests/test_tpm2.py
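The PCR extend/read step of the sequence above, as an added example that is not code from this series or from U-Boot: it encodes the TPM2_PCR_Extend and TPM2_PCR_Read command packets in the wire layout of the TCG TPM 2.0 Library specification (tag, size, command code, handle, password-session authorization area, TPML_DIGEST_VALUES / TPML_PCR_SELECTION), and a local model of the SHA-256 PCR bank answers them, so the digest and the pcrUpdateCounter that `tpm pcr_read` reports can be predicted before a run on real hardware. The extend packet uses the empty password session with no nonce, which is the unauthenticated form the cover letter refers to when it notes the lack of replay protection. The constant names are the spec's rather than U-Boot's, and the bank model assumes PCRs that reset to all zeros (PCR 0-16 and 23); both are assumptions of this example.

```python
"""Added example (not part of the series): TPM2_PCR_Extend / TPM2_PCR_Read
packets per the TCG TPM 2.0 Library spec, plus a local SHA-256 PCR bank
that answers them, to predict what `tpm pcr_read` should return."""
import hashlib
import struct

# TPM 2.0 constants (TCG Library spec, Part 2 "Structures")
TPM2_ST_NO_SESSIONS = 0x8001
TPM2_ST_SESSIONS = 0x8002
TPM2_CC_PCR_READ = 0x0000017E
TPM2_CC_PCR_EXTEND = 0x00000182
TPM2_ALG_SHA256 = 0x000B
TPM2_RS_PW = 0x40000009          # password-session handle
TPM2_RC_SUCCESS = 0
SHA256_LEN = 32
PCR_SELECT_BYTES = 3             # 24 PCRs -> 3-byte selection bitmap
HDR = struct.Struct(">HII")      # tag, size, commandCode / responseCode


def build_pcr_extend(pcr: int, digest: bytes) -> bytes:
    """TPM2_PCR_Extend with one SHA-256 digest and an empty password session
    (unauthenticated form: no nonce, so nothing binds the packet to one use)."""
    if not 0 <= pcr < 8 * PCR_SELECT_BYTES or len(digest) != SHA256_LEN:
        raise ValueError("bad pcr index or digest length")
    auth = struct.pack(">IHBH", TPM2_RS_PW, 0, 0, 0)      # handle, nonce=0, attrs, hmac=0
    body = (struct.pack(">II", pcr, len(auth)) + auth    # pcrHandle, authorizationSize
            + struct.pack(">IH", 1, TPM2_ALG_SHA256) + digest)  # TPML_DIGEST_VALUES
    return HDR.pack(TPM2_ST_SESSIONS, HDR.size + len(body), TPM2_CC_PCR_EXTEND) + body


def build_pcr_read(pcr: int) -> bytes:
    """TPM2_PCR_Read selecting a single SHA-256 PCR (20 bytes, no sessions)."""
    select = bytearray(PCR_SELECT_BYTES)
    select[pcr // 8] |= 1 << (pcr % 8)
    body = struct.pack(">IHB", 1, TPM2_ALG_SHA256, PCR_SELECT_BYTES) + bytes(select)
    return HDR.pack(TPM2_ST_NO_SESSIONS, HDR.size + len(body), TPM2_CC_PCR_READ) + body


def parse_pcr_read_response(resp: bytes):
    """Decode a TPM2_PCR_Read response into (rc, pcrUpdateCounter, [digest, ...])."""
    _tag, size, rc = HDR.unpack_from(resp, 0)
    if size != len(resp):
        raise ValueError("responseSize does not match buffer length")
    if rc != TPM2_RC_SUCCESS:
        return rc, None, []
    off = HDR.size
    counter, nsel = struct.unpack_from(">II", resp, off)
    off += 8
    for _ in range(nsel):                       # skip pcrSelectionOut entries
        _alg, sz = struct.unpack_from(">HB", resp, off)
        off += 3 + sz
    (ndig,) = struct.unpack_from(">I", resp, off)
    off += 4
    digests = []
    for _ in range(ndig):                       # TPM2B_DIGEST: size + buffer
        (dlen,) = struct.unpack_from(">H", resp, off)
        digests.append(resp[off + 2:off + 2 + dlen])
        off += 2 + dlen
    return rc, counter, digests


class PcrBank:
    """Local model of a SHA-256 PCR bank (assumption: every PCR resets to
    zeros, true for PCR 0-16 and 23; the DRTM PCRs 17-22 reset to ones).
    Each extend sets PCR = SHA256(PCR || digest) and bumps pcrUpdateCounter."""

    def __init__(self, count: int = 8 * PCR_SELECT_BYTES):
        self.pcrs = [bytes(SHA256_LEN) for _ in range(count)]
        self.update_counter = 0

    def respond(self, cmd: bytes) -> bytes:
        """Answer a command built by the functions above."""
        _tag, size, cc = HDR.unpack_from(cmd, 0)
        if size != len(cmd):
            raise ValueError("commandSize does not match buffer length")
        if cc == TPM2_CC_PCR_EXTEND:
            pcr, auth_len = struct.unpack_from(">II", cmd, HDR.size)
            off = HDR.size + 8 + auth_len + 6      # past auth area, count, hashAlg
            self.pcrs[pcr] = hashlib.sha256(self.pcrs[pcr] + cmd[off:off + SHA256_LEN]).digest()
            self.update_counter += 1
            # response: header, parameterSize=0, empty TPMS_AUTH_RESPONSE
            body = struct.pack(">IHBH", 0, 0, 0, 0)
            return HDR.pack(TPM2_ST_SESSIONS, HDR.size + len(body), TPM2_RC_SUCCESS) + body
        if cc == TPM2_CC_PCR_READ:
            sel = cmd[HDR.size + 7:HDR.size + 7 + PCR_SELECT_BYTES]
            chosen = [i for i in range(len(self.pcrs)) if sel[i // 8] >> (i % 8) & 1]
            body = struct.pack(">II", self.update_counter, 1)
            body += struct.pack(">HB", TPM2_ALG_SHA256, PCR_SELECT_BYTES) + sel
            body += struct.pack(">I", len(chosen))
            for i in chosen:
                body += struct.pack(">H", SHA256_LEN) + self.pcrs[i]
            return HDR.pack(TPM2_ST_NO_SESSIONS, HDR.size + len(body), TPM2_RC_SUCCESS) + body
        raise ValueError("unsupported command code 0x%x" % cc)


if __name__ == "__main__":
    bank = PcrBank()
    zero32 = bytes(SHA256_LEN)                 # constructed sample digest
    bank.respond(build_pcr_extend(0, zero32))
    rc, counter, vals = parse_pcr_read_response(bank.respond(build_pcr_read(0)))
    print(rc, counter, vals[0].hex())
```

Feeding the same digests to `PcrBank` that were passed to `tpm pcr_extend` gives the value a correct `tpm pcr_read` must print; a mismatch points at byte-order or digest-length bugs in the driver or command layer rather than at the TPM.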