• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /** @file
2   Implement TPM2 Hierarchy related command.
3 
4 Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>
5 This program and the accompanying materials
6 are licensed and made available under the terms and conditions of the BSD License
7 which accompanies this distribution.  The full text of the license may be found at
8 http://opensource.org/licenses/bsd-license.php
9 
10 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
11 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
12 
13 **/
14 
15 #include <IndustryStandard/UefiTcgPlatform.h>
16 #include <Library/Tpm2CommandLib.h>
17 #include <Library/Tpm2DeviceLib.h>
18 #include <Library/BaseMemoryLib.h>
19 #include <Library/BaseLib.h>
20 #include <Library/DebugLib.h>
21 
22 #pragma pack(1)
23 
24 typedef struct {
25   TPM2_COMMAND_HEADER       Header;
26   TPMI_RH_HIERARCHY_AUTH    AuthHandle;
27   UINT32                    AuthSessionSize;
28   TPMS_AUTH_COMMAND         AuthSession;
29   TPM2B_DIGEST              AuthPolicy;
30   TPMI_ALG_HASH             HashAlg;
31 } TPM2_SET_PRIMARY_POLICY_COMMAND;
32 
33 typedef struct {
34   TPM2_RESPONSE_HEADER       Header;
35   UINT32                     AuthSessionSize;
36   TPMS_AUTH_RESPONSE         AuthSession;
37 } TPM2_SET_PRIMARY_POLICY_RESPONSE;
38 
39 typedef struct {
40   TPM2_COMMAND_HEADER       Header;
41   TPMI_RH_CLEAR             AuthHandle;
42   UINT32                    AuthorizationSize;
43   TPMS_AUTH_COMMAND         AuthSession;
44 } TPM2_CLEAR_COMMAND;
45 
46 typedef struct {
47   TPM2_RESPONSE_HEADER       Header;
48   UINT32                     ParameterSize;
49   TPMS_AUTH_RESPONSE         AuthSession;
50 } TPM2_CLEAR_RESPONSE;
51 
52 typedef struct {
53   TPM2_COMMAND_HEADER       Header;
54   TPMI_RH_CLEAR             AuthHandle;
55   UINT32                    AuthorizationSize;
56   TPMS_AUTH_COMMAND         AuthSession;
57   TPMI_YES_NO               Disable;
58 } TPM2_CLEAR_CONTROL_COMMAND;
59 
60 typedef struct {
61   TPM2_RESPONSE_HEADER       Header;
62   UINT32                     ParameterSize;
63   TPMS_AUTH_RESPONSE         AuthSession;
64 } TPM2_CLEAR_CONTROL_RESPONSE;
65 
66 typedef struct {
67   TPM2_COMMAND_HEADER       Header;
68   TPMI_RH_HIERARCHY_AUTH    AuthHandle;
69   UINT32                    AuthorizationSize;
70   TPMS_AUTH_COMMAND         AuthSession;
71   TPM2B_AUTH                NewAuth;
72 } TPM2_HIERARCHY_CHANGE_AUTH_COMMAND;
73 
74 typedef struct {
75   TPM2_RESPONSE_HEADER       Header;
76   UINT32                     ParameterSize;
77   TPMS_AUTH_RESPONSE         AuthSession;
78 } TPM2_HIERARCHY_CHANGE_AUTH_RESPONSE;
79 
80 typedef struct {
81   TPM2_COMMAND_HEADER       Header;
82   TPMI_RH_PLATFORM          AuthHandle;
83   UINT32                    AuthorizationSize;
84   TPMS_AUTH_COMMAND         AuthSession;
85 } TPM2_CHANGE_EPS_COMMAND;
86 
87 typedef struct {
88   TPM2_RESPONSE_HEADER       Header;
89   UINT32                     ParameterSize;
90   TPMS_AUTH_RESPONSE         AuthSession;
91 } TPM2_CHANGE_EPS_RESPONSE;
92 
93 typedef struct {
94   TPM2_COMMAND_HEADER       Header;
95   TPMI_RH_PLATFORM          AuthHandle;
96   UINT32                    AuthorizationSize;
97   TPMS_AUTH_COMMAND         AuthSession;
98 } TPM2_CHANGE_PPS_COMMAND;
99 
100 typedef struct {
101   TPM2_RESPONSE_HEADER       Header;
102   UINT32                     ParameterSize;
103   TPMS_AUTH_RESPONSE         AuthSession;
104 } TPM2_CHANGE_PPS_RESPONSE;
105 
106 typedef struct {
107   TPM2_COMMAND_HEADER       Header;
108   TPMI_RH_HIERARCHY         AuthHandle;
109   UINT32                    AuthorizationSize;
110   TPMS_AUTH_COMMAND         AuthSession;
111   TPMI_RH_HIERARCHY         Hierarchy;
112   TPMI_YES_NO               State;
113 } TPM2_HIERARCHY_CONTROL_COMMAND;
114 
115 typedef struct {
116   TPM2_RESPONSE_HEADER       Header;
117   UINT32                     ParameterSize;
118   TPMS_AUTH_RESPONSE         AuthSession;
119 } TPM2_HIERARCHY_CONTROL_RESPONSE;
120 
121 #pragma pack()
122 
123 /**
124   This command allows setting of the authorization policy for the platform hierarchy (platformPolicy), the
125   storage hierarchy (ownerPolicy), and and the endorsement hierarchy (endorsementPolicy).
126 
127   @param[in]  AuthHandle            TPM_RH_ENDORSEMENT, TPM_RH_OWNER or TPM_RH_PLATFORM+{PP} parameters to be validated
128   @param[in]  AuthSession           Auth Session context
129   @param[in]  AuthPolicy            An authorization policy hash
130   @param[in]  HashAlg               The hash algorithm to use for the policy
131 
132   @retval EFI_SUCCESS      Operation completed successfully.
133   @retval EFI_DEVICE_ERROR Unexpected device behavior.
134 **/
135 EFI_STATUS
136 EFIAPI
Tpm2SetPrimaryPolicy(IN TPMI_RH_HIERARCHY_AUTH AuthHandle,IN TPMS_AUTH_COMMAND * AuthSession,IN TPM2B_DIGEST * AuthPolicy,IN TPMI_ALG_HASH HashAlg)137 Tpm2SetPrimaryPolicy (
138   IN  TPMI_RH_HIERARCHY_AUTH    AuthHandle,
139   IN  TPMS_AUTH_COMMAND         *AuthSession,
140   IN  TPM2B_DIGEST              *AuthPolicy,
141   IN  TPMI_ALG_HASH             HashAlg
142   )
143 {
144   EFI_STATUS                                 Status;
145   TPM2_SET_PRIMARY_POLICY_COMMAND            SendBuffer;
146   TPM2_SET_PRIMARY_POLICY_RESPONSE           RecvBuffer;
147   UINT32                                     SendBufferSize;
148   UINT32                                     RecvBufferSize;
149   UINT8                                      *Buffer;
150   UINT32                                     SessionInfoSize;
151 
152   //
153   // Construct command
154   //
155   SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);
156   SendBuffer.Header.commandCode = SwapBytes32(TPM_CC_SetPrimaryPolicy);
157 
158   SendBuffer.AuthHandle = SwapBytes32 (AuthHandle);
159 
160   //
161   // Add in Auth session
162   //
163   Buffer = (UINT8 *)&SendBuffer.AuthSession;
164 
165   // sessionInfoSize
166   SessionInfoSize = CopyAuthSessionCommand (AuthSession, Buffer);
167   Buffer += SessionInfoSize;
168   SendBuffer.AuthSessionSize = SwapBytes32(SessionInfoSize);
169 
170   //
171   // Real data
172   //
173   WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16(AuthPolicy->size));
174   Buffer += sizeof(UINT16);
175   CopyMem (Buffer, AuthPolicy->buffer, AuthPolicy->size);
176   Buffer += AuthPolicy->size;
177   WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16(HashAlg));
178   Buffer += sizeof(UINT16);
179 
180   SendBufferSize = (UINT32)((UINTN)Buffer - (UINTN)&SendBuffer);
181   SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);
182 
183   //
184   // send Tpm command
185   //
186   RecvBufferSize = sizeof (RecvBuffer);
187   Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &RecvBufferSize, (UINT8 *)&RecvBuffer);
188   if (EFI_ERROR (Status)) {
189     goto Done;
190   }
191 
192   if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {
193     DEBUG ((EFI_D_ERROR, "Tpm2SetPrimaryPolicy - RecvBufferSize Error - %x\n", RecvBufferSize));
194     Status = EFI_DEVICE_ERROR;
195     goto Done;
196   }
197   if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {
198     DEBUG ((EFI_D_ERROR, "Tpm2SetPrimaryPolicy - responseCode - %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));
199     Status = EFI_DEVICE_ERROR;
200     goto Done;
201   }
202 
203 Done:
204   //
205   // Clear AuthSession Content
206   //
207   ZeroMem (&SendBuffer, sizeof(SendBuffer));
208   ZeroMem (&RecvBuffer, sizeof(RecvBuffer));
209   return Status;
210 }
211 
212 /**
213   This command removes all TPM context associated with a specific Owner.
214 
215   @param[in] AuthHandle        TPM_RH_LOCKOUT or TPM_RH_PLATFORM+{PP}
216   @param[in] AuthSession       Auth Session context
217 
218   @retval EFI_SUCCESS      Operation completed successfully.
219   @retval EFI_DEVICE_ERROR Unexpected device behavior.
220 **/
221 EFI_STATUS
222 EFIAPI
Tpm2Clear(IN TPMI_RH_CLEAR AuthHandle,IN TPMS_AUTH_COMMAND * AuthSession OPTIONAL)223 Tpm2Clear (
224   IN TPMI_RH_CLEAR             AuthHandle,
225   IN TPMS_AUTH_COMMAND         *AuthSession OPTIONAL
226   )
227 {
228   EFI_STATUS                        Status;
229   TPM2_CLEAR_COMMAND                Cmd;
230   TPM2_CLEAR_RESPONSE               Res;
231   UINT32                            ResultBufSize;
232   UINT32                            CmdSize;
233   UINT32                            RespSize;
234   UINT8                             *Buffer;
235   UINT32                            SessionInfoSize;
236 
237   Cmd.Header.tag         = SwapBytes16(TPM_ST_SESSIONS);
238   Cmd.Header.commandCode = SwapBytes32(TPM_CC_Clear);
239   Cmd.AuthHandle         = SwapBytes32(AuthHandle);
240 
241   //
242   // Add in Auth session
243   //
244   Buffer = (UINT8 *)&Cmd.AuthSession;
245 
246   // sessionInfoSize
247   SessionInfoSize = CopyAuthSessionCommand (AuthSession, Buffer);
248   Buffer += SessionInfoSize;
249   Cmd.AuthorizationSize = SwapBytes32(SessionInfoSize);
250 
251   CmdSize = (UINT32)(Buffer - (UINT8 *)&Cmd);
252   Cmd.Header.paramSize   = SwapBytes32(CmdSize);
253 
254   ResultBufSize = sizeof(Res);
255   Status = Tpm2SubmitCommand (CmdSize, (UINT8 *)&Cmd, &ResultBufSize, (UINT8 *)&Res);
256   if (EFI_ERROR(Status)) {
257     goto Done;
258   }
259 
260   if (ResultBufSize > sizeof(Res)) {
261     DEBUG ((EFI_D_ERROR, "Clear: Failed ExecuteCommand: Buffer Too Small\r\n"));
262     Status = EFI_BUFFER_TOO_SMALL;
263     goto Done;
264   }
265 
266   //
267   // Validate response headers
268   //
269   RespSize = SwapBytes32(Res.Header.paramSize);
270   if (RespSize > sizeof(Res)) {
271     DEBUG ((EFI_D_ERROR, "Clear: Response size too large! %d\r\n", RespSize));
272     Status = EFI_BUFFER_TOO_SMALL;
273     goto Done;
274   }
275 
276   //
277   // Fail if command failed
278   //
279   if (SwapBytes32(Res.Header.responseCode) != TPM_RC_SUCCESS) {
280     DEBUG ((EFI_D_ERROR, "Clear: Response Code error! 0x%08x\r\n", SwapBytes32(Res.Header.responseCode)));
281     Status = EFI_DEVICE_ERROR;
282     goto Done;
283   }
284 
285   //
286   // Unmarshal the response
287   //
288 
289   // None
290 Done:
291   //
292   // Clear AuthSession Content
293   //
294   ZeroMem (&Cmd, sizeof(Cmd));
295   ZeroMem (&Res, sizeof(Res));
296   return Status;
297 }
298 
299 /**
300   Disables and enables the execution of TPM2_Clear().
301 
302   @param[in] AuthHandle        TPM_RH_LOCKOUT or TPM_RH_PLATFORM+{PP}
303   @param[in] AuthSession       Auth Session context
304   @param[in] Disable           YES if the disableOwnerClear flag is to be SET,
305                                NO if the flag is to be CLEAR.
306 
307   @retval EFI_SUCCESS      Operation completed successfully.
308   @retval EFI_DEVICE_ERROR Unexpected device behavior.
309 **/
310 EFI_STATUS
311 EFIAPI
Tpm2ClearControl(IN TPMI_RH_CLEAR AuthHandle,IN TPMS_AUTH_COMMAND * AuthSession,OPTIONAL IN TPMI_YES_NO Disable)312 Tpm2ClearControl (
313   IN TPMI_RH_CLEAR             AuthHandle,
314   IN TPMS_AUTH_COMMAND         *AuthSession, OPTIONAL
315   IN TPMI_YES_NO               Disable
316   )
317 {
318   EFI_STATUS                        Status;
319   TPM2_CLEAR_CONTROL_COMMAND        Cmd;
320   TPM2_CLEAR_CONTROL_RESPONSE       Res;
321   UINT32                            ResultBufSize;
322   UINT32                            CmdSize;
323   UINT32                            RespSize;
324   UINT8                             *Buffer;
325   UINT32                            SessionInfoSize;
326 
327   Cmd.Header.tag         = SwapBytes16(TPM_ST_SESSIONS);
328   Cmd.Header.commandCode = SwapBytes32(TPM_CC_ClearControl);
329   Cmd.AuthHandle         = SwapBytes32(AuthHandle);
330 
331   //
332   // Add in Auth session
333   //
334   Buffer = (UINT8 *)&Cmd.AuthSession;
335 
336   // sessionInfoSize
337   SessionInfoSize = CopyAuthSessionCommand (AuthSession, Buffer);
338   Buffer += SessionInfoSize;
339   Cmd.AuthorizationSize = SwapBytes32(SessionInfoSize);
340 
341   // disable
342   *(UINT8 *)Buffer = Disable;
343   Buffer++;
344 
345   CmdSize = (UINT32)(Buffer - (UINT8 *)&Cmd);
346   Cmd.Header.paramSize   = SwapBytes32(CmdSize);
347 
348   ResultBufSize = sizeof(Res);
349   Status = Tpm2SubmitCommand (CmdSize, (UINT8 *)&Cmd, &ResultBufSize, (UINT8 *)&Res);
350   if (EFI_ERROR(Status)) {
351     goto Done;
352   }
353 
354   if (ResultBufSize > sizeof(Res)) {
355     DEBUG ((EFI_D_ERROR, "ClearControl: Failed ExecuteCommand: Buffer Too Small\r\n"));
356     Status = EFI_BUFFER_TOO_SMALL;
357     goto Done;
358   }
359 
360   //
361   // Validate response headers
362   //
363   RespSize = SwapBytes32(Res.Header.paramSize);
364   if (RespSize > sizeof(Res)) {
365     DEBUG ((EFI_D_ERROR, "ClearControl: Response size too large! %d\r\n", RespSize));
366     Status = EFI_BUFFER_TOO_SMALL;
367     goto Done;
368   }
369 
370   //
371   // Fail if command failed
372   //
373   if (SwapBytes32(Res.Header.responseCode) != TPM_RC_SUCCESS) {
374     DEBUG ((EFI_D_ERROR, "ClearControl: Response Code error! 0x%08x\r\n", SwapBytes32(Res.Header.responseCode)));
375     Status = EFI_DEVICE_ERROR;
376     goto Done;
377   }
378 
379   //
380   // Unmarshal the response
381   //
382 
383   // None
384 Done:
385   //
386   // Clear AuthSession Content
387   //
388   ZeroMem (&Cmd, sizeof(Cmd));
389   ZeroMem (&Res, sizeof(Res));
390   return Status;
391 }
392 
393 /**
394   This command allows the authorization secret for a hierarchy or lockout to be changed using the current
395   authorization value as the command authorization.
396 
397   @param[in] AuthHandle        TPM_RH_LOCKOUT, TPM_RH_ENDORSEMENT, TPM_RH_OWNER or TPM_RH_PLATFORM+{PP}
398   @param[in] AuthSession       Auth Session context
399   @param[in] NewAuth           New authorization secret
400 
401   @retval EFI_SUCCESS      Operation completed successfully.
402   @retval EFI_DEVICE_ERROR Unexpected device behavior.
403 **/
404 EFI_STATUS
405 EFIAPI
Tpm2HierarchyChangeAuth(IN TPMI_RH_HIERARCHY_AUTH AuthHandle,IN TPMS_AUTH_COMMAND * AuthSession,IN TPM2B_AUTH * NewAuth)406 Tpm2HierarchyChangeAuth (
407   IN TPMI_RH_HIERARCHY_AUTH    AuthHandle,
408   IN TPMS_AUTH_COMMAND         *AuthSession,
409   IN TPM2B_AUTH                *NewAuth
410   )
411 {
412   EFI_STATUS                           Status;
413   TPM2_HIERARCHY_CHANGE_AUTH_COMMAND   Cmd;
414   TPM2_HIERARCHY_CHANGE_AUTH_RESPONSE  Res;
415   UINT32                               CmdSize;
416   UINT32                               RespSize;
417   UINT8                                *Buffer;
418   UINT32                               SessionInfoSize;
419   UINT8                                *ResultBuf;
420   UINT32                               ResultBufSize;
421 
422   //
423   // Construct command
424   //
425   Cmd.Header.tag          = SwapBytes16(TPM_ST_SESSIONS);
426   Cmd.Header.paramSize    = SwapBytes32(sizeof(Cmd));
427   Cmd.Header.commandCode  = SwapBytes32(TPM_CC_HierarchyChangeAuth);
428   Cmd.AuthHandle          = SwapBytes32(AuthHandle);
429 
430   //
431   // Add in Auth session
432   //
433   Buffer = (UINT8 *)&Cmd.AuthSession;
434 
435   // sessionInfoSize
436   SessionInfoSize = CopyAuthSessionCommand (AuthSession, Buffer);
437   Buffer += SessionInfoSize;
438   Cmd.AuthorizationSize = SwapBytes32(SessionInfoSize);
439 
440   // New Authorization size
441   WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16(NewAuth->size));
442   Buffer += sizeof(UINT16);
443 
444   // New Authorizeation
445   CopyMem(Buffer, NewAuth->buffer, NewAuth->size);
446   Buffer += NewAuth->size;
447 
448   CmdSize = (UINT32)(Buffer - (UINT8 *)&Cmd);
449   Cmd.Header.paramSize = SwapBytes32(CmdSize);
450 
451   ResultBuf     = (UINT8 *) &Res;
452   ResultBufSize = sizeof(Res);
453 
454   //
455   // Call the TPM
456   //
457   Status = Tpm2SubmitCommand (
458              CmdSize,
459              (UINT8 *)&Cmd,
460              &ResultBufSize,
461              ResultBuf
462              );
463   if (EFI_ERROR(Status)) {
464     goto Done;
465   }
466 
467   if (ResultBufSize > sizeof(Res)) {
468     DEBUG ((EFI_D_ERROR, "HierarchyChangeAuth: Failed ExecuteCommand: Buffer Too Small\r\n"));
469     Status = EFI_BUFFER_TOO_SMALL;
470     goto Done;
471   }
472 
473   //
474   // Validate response headers
475   //
476   RespSize = SwapBytes32(Res.Header.paramSize);
477   if (RespSize > sizeof(Res)) {
478     DEBUG ((EFI_D_ERROR, "HierarchyChangeAuth: Response size too large! %d\r\n", RespSize));
479     Status = EFI_BUFFER_TOO_SMALL;
480     goto Done;
481   }
482 
483   //
484   // Fail if command failed
485   //
486   if (SwapBytes32(Res.Header.responseCode) != TPM_RC_SUCCESS) {
487     DEBUG((EFI_D_ERROR,"HierarchyChangeAuth: Response Code error! 0x%08x\r\n", SwapBytes32(Res.Header.responseCode)));
488     Status = EFI_DEVICE_ERROR;
489     goto Done;
490   }
491 
492 Done:
493   //
494   // Clear AuthSession Content
495   //
496   ZeroMem (&Cmd, sizeof(Cmd));
497   ZeroMem (&Res, sizeof(Res));
498   return Status;
499 }
500 
501 /**
502   This replaces the current EPS with a value from the RNG and sets the Endorsement hierarchy controls to
503   their default initialization values.
504 
505   @param[in] AuthHandle        TPM_RH_PLATFORM+{PP}
506   @param[in] AuthSession       Auth Session context
507 
508   @retval EFI_SUCCESS      Operation completed successfully.
509   @retval EFI_DEVICE_ERROR Unexpected device behavior.
510 **/
511 EFI_STATUS
512 EFIAPI
Tpm2ChangeEPS(IN TPMI_RH_PLATFORM AuthHandle,IN TPMS_AUTH_COMMAND * AuthSession)513 Tpm2ChangeEPS (
514   IN TPMI_RH_PLATFORM          AuthHandle,
515   IN TPMS_AUTH_COMMAND         *AuthSession
516   )
517 {
518   EFI_STATUS                Status;
519   TPM2_CHANGE_EPS_COMMAND   Cmd;
520   TPM2_CHANGE_EPS_RESPONSE  Res;
521   UINT32                    CmdSize;
522   UINT32                    RespSize;
523   UINT8                     *Buffer;
524   UINT32                    SessionInfoSize;
525   UINT8                     *ResultBuf;
526   UINT32                    ResultBufSize;
527 
528   //
529   // Construct command
530   //
531   Cmd.Header.tag          = SwapBytes16(TPM_ST_SESSIONS);
532   Cmd.Header.paramSize    = SwapBytes32(sizeof(Cmd));
533   Cmd.Header.commandCode  = SwapBytes32(TPM_CC_ChangeEPS);
534   Cmd.AuthHandle          = SwapBytes32(AuthHandle);
535 
536   //
537   // Add in Auth session
538   //
539   Buffer = (UINT8 *)&Cmd.AuthSession;
540 
541   // sessionInfoSize
542   SessionInfoSize = CopyAuthSessionCommand (AuthSession, Buffer);
543   Buffer += SessionInfoSize;
544   Cmd.AuthorizationSize = SwapBytes32(SessionInfoSize);
545 
546   CmdSize = (UINT32)(Buffer - (UINT8 *)&Cmd);
547   Cmd.Header.paramSize = SwapBytes32(CmdSize);
548 
549   ResultBuf     = (UINT8 *) &Res;
550   ResultBufSize = sizeof(Res);
551 
552   //
553   // Call the TPM
554   //
555   Status = Tpm2SubmitCommand (
556              CmdSize,
557              (UINT8 *)&Cmd,
558              &ResultBufSize,
559              ResultBuf
560              );
561   if (EFI_ERROR(Status)) {
562     goto Done;
563   }
564 
565   if (ResultBufSize > sizeof(Res)) {
566     DEBUG ((EFI_D_ERROR, "ChangeEPS: Failed ExecuteCommand: Buffer Too Small\r\n"));
567     Status = EFI_BUFFER_TOO_SMALL;
568     goto Done;
569   }
570 
571   //
572   // Validate response headers
573   //
574   RespSize = SwapBytes32(Res.Header.paramSize);
575   if (RespSize > sizeof(Res)) {
576     DEBUG ((EFI_D_ERROR, "ChangeEPS: Response size too large! %d\r\n", RespSize));
577     Status = EFI_BUFFER_TOO_SMALL;
578     goto Done;
579   }
580 
581   //
582   // Fail if command failed
583   //
584   if (SwapBytes32(Res.Header.responseCode) != TPM_RC_SUCCESS) {
585     DEBUG((EFI_D_ERROR,"ChangeEPS: Response Code error! 0x%08x\r\n", SwapBytes32(Res.Header.responseCode)));
586     Status = EFI_DEVICE_ERROR;
587     goto Done;
588   }
589 
590 Done:
591   //
592   // Clear AuthSession Content
593   //
594   ZeroMem (&Cmd, sizeof(Cmd));
595   ZeroMem (&Res, sizeof(Res));
596   return Status;
597 }
598 
599 /**
600   This replaces the current PPS with a value from the RNG and sets platformPolicy to the default
601   initialization value (the Empty Buffer).
602 
603   @param[in] AuthHandle        TPM_RH_PLATFORM+{PP}
604   @param[in] AuthSession       Auth Session context
605 
606   @retval EFI_SUCCESS      Operation completed successfully.
607   @retval EFI_DEVICE_ERROR Unexpected device behavior.
608 **/
609 EFI_STATUS
610 EFIAPI
Tpm2ChangePPS(IN TPMI_RH_PLATFORM AuthHandle,IN TPMS_AUTH_COMMAND * AuthSession)611 Tpm2ChangePPS (
612   IN TPMI_RH_PLATFORM          AuthHandle,
613   IN TPMS_AUTH_COMMAND         *AuthSession
614   )
615 {
616   EFI_STATUS                Status;
617   TPM2_CHANGE_PPS_COMMAND   Cmd;
618   TPM2_CHANGE_PPS_RESPONSE  Res;
619   UINT32                    CmdSize;
620   UINT32                    RespSize;
621   UINT8                     *Buffer;
622   UINT32                    SessionInfoSize;
623   UINT8                     *ResultBuf;
624   UINT32                    ResultBufSize;
625 
626   //
627   // Construct command
628   //
629   Cmd.Header.tag          = SwapBytes16(TPM_ST_SESSIONS);
630   Cmd.Header.paramSize    = SwapBytes32(sizeof(Cmd));
631   Cmd.Header.commandCode  = SwapBytes32(TPM_CC_ChangePPS);
632   Cmd.AuthHandle          = SwapBytes32(AuthHandle);
633 
634   //
635   // Add in Auth session
636   //
637   Buffer = (UINT8 *)&Cmd.AuthSession;
638 
639   // sessionInfoSize
640   SessionInfoSize = CopyAuthSessionCommand (AuthSession, Buffer);
641   Buffer += SessionInfoSize;
642   Cmd.AuthorizationSize = SwapBytes32(SessionInfoSize);
643 
644   CmdSize = (UINT32)(Buffer - (UINT8 *)&Cmd);
645   Cmd.Header.paramSize = SwapBytes32(CmdSize);
646 
647   ResultBuf     = (UINT8 *) &Res;
648   ResultBufSize = sizeof(Res);
649 
650   //
651   // Call the TPM
652   //
653   Status = Tpm2SubmitCommand (
654              CmdSize,
655              (UINT8 *)&Cmd,
656              &ResultBufSize,
657              ResultBuf
658              );
659   if (EFI_ERROR(Status)) {
660     goto Done;
661   }
662 
663   if (ResultBufSize > sizeof(Res)) {
664     DEBUG ((EFI_D_ERROR, "ChangePPS: Failed ExecuteCommand: Buffer Too Small\r\n"));
665     Status = EFI_BUFFER_TOO_SMALL;
666     goto Done;
667   }
668 
669   //
670   // Validate response headers
671   //
672   RespSize = SwapBytes32(Res.Header.paramSize);
673   if (RespSize > sizeof(Res)) {
674     DEBUG ((EFI_D_ERROR, "ChangePPS: Response size too large! %d\r\n", RespSize));
675     Status = EFI_BUFFER_TOO_SMALL;
676     goto Done;
677   }
678 
679   //
680   // Fail if command failed
681   //
682   if (SwapBytes32(Res.Header.responseCode) != TPM_RC_SUCCESS) {
683     DEBUG((EFI_D_ERROR,"ChangePPS: Response Code error! 0x%08x\r\n", SwapBytes32(Res.Header.responseCode)));
684     Status = EFI_DEVICE_ERROR;
685     goto Done;
686   }
687 
688 Done:
689   //
690   // Clear AuthSession Content
691   //
692   ZeroMem (&Cmd, sizeof(Cmd));
693   ZeroMem (&Res, sizeof(Res));
694   return Status;
695 }
696 
697 /**
698   This command enables and disables use of a hierarchy.
699 
700   @param[in] AuthHandle        TPM_RH_ENDORSEMENT, TPM_RH_OWNER or TPM_RH_PLATFORM+{PP}
701   @param[in] AuthSession       Auth Session context
702   @param[in] Hierarchy         Hierarchy of the enable being modified
703   @param[in] State             YES if the enable should be SET,
704                                NO if the enable should be CLEAR
705 
706   @retval EFI_SUCCESS      Operation completed successfully.
707   @retval EFI_DEVICE_ERROR Unexpected device behavior.
708 **/
709 EFI_STATUS
710 EFIAPI
Tpm2HierarchyControl(IN TPMI_RH_HIERARCHY AuthHandle,IN TPMS_AUTH_COMMAND * AuthSession,IN TPMI_RH_HIERARCHY Hierarchy,IN TPMI_YES_NO State)711 Tpm2HierarchyControl (
712   IN TPMI_RH_HIERARCHY         AuthHandle,
713   IN TPMS_AUTH_COMMAND         *AuthSession,
714   IN TPMI_RH_HIERARCHY         Hierarchy,
715   IN TPMI_YES_NO               State
716   )
717 {
718   EFI_STATUS                       Status;
719   TPM2_HIERARCHY_CONTROL_COMMAND   Cmd;
720   TPM2_HIERARCHY_CONTROL_RESPONSE  Res;
721   UINT32                           CmdSize;
722   UINT32                           RespSize;
723   UINT8                            *Buffer;
724   UINT32                           SessionInfoSize;
725   UINT8                            *ResultBuf;
726   UINT32                           ResultBufSize;
727 
728   //
729   // Construct command
730   //
731   Cmd.Header.tag          = SwapBytes16(TPM_ST_SESSIONS);
732   Cmd.Header.paramSize    = SwapBytes32(sizeof(Cmd));
733   Cmd.Header.commandCode  = SwapBytes32(TPM_CC_HierarchyControl);
734   Cmd.AuthHandle          = SwapBytes32(AuthHandle);
735 
736   //
737   // Add in Auth session
738   //
739   Buffer = (UINT8 *)&Cmd.AuthSession;
740 
741   // sessionInfoSize
742   SessionInfoSize = CopyAuthSessionCommand (AuthSession, Buffer);
743   Buffer += SessionInfoSize;
744   Cmd.AuthorizationSize = SwapBytes32(SessionInfoSize);
745 
746   WriteUnaligned32 ((UINT32 *)Buffer, SwapBytes32(Hierarchy));
747   Buffer += sizeof(UINT32);
748 
749   *(UINT8 *)Buffer = State;
750   Buffer++;
751 
752   CmdSize = (UINT32)(Buffer - (UINT8 *)&Cmd);
753   Cmd.Header.paramSize = SwapBytes32(CmdSize);
754 
755   ResultBuf     = (UINT8 *) &Res;
756   ResultBufSize = sizeof(Res);
757 
758   //
759   // Call the TPM
760   //
761   Status = Tpm2SubmitCommand (
762              CmdSize,
763              (UINT8 *)&Cmd,
764              &ResultBufSize,
765              ResultBuf
766              );
767   if (EFI_ERROR(Status)) {
768     goto Done;
769   }
770 
771   if (ResultBufSize > sizeof(Res)) {
772     DEBUG ((EFI_D_ERROR, "HierarchyControl: Failed ExecuteCommand: Buffer Too Small\r\n"));
773     Status = EFI_BUFFER_TOO_SMALL;
774     goto Done;
775   }
776 
777   //
778   // Validate response headers
779   //
780   RespSize = SwapBytes32(Res.Header.paramSize);
781   if (RespSize > sizeof(Res)) {
782     DEBUG ((EFI_D_ERROR, "HierarchyControl: Response size too large! %d\r\n", RespSize));
783     Status = EFI_BUFFER_TOO_SMALL;
784     goto Done;
785   }
786 
787   //
788   // Fail if command failed
789   //
790   if (SwapBytes32(Res.Header.responseCode) != TPM_RC_SUCCESS) {
791     DEBUG((EFI_D_ERROR,"HierarchyControl: Response Code error! 0x%08x\r\n", SwapBytes32(Res.Header.responseCode)));
792     Status = EFI_DEVICE_ERROR;
793     goto Done;
794   }
795 
796 Done:
797   //
798   // Clear AuthSession Content
799   //
800   ZeroMem (&Cmd, sizeof(Cmd));
801   ZeroMem (&Res, sizeof(Res));
802   return Status;
803 }
804