1 /** @file 2 This library is used by other modules to send TPM2 command. 3 4 Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR> 5 This program and the accompanying materials 6 are licensed and made available under the terms and conditions of the BSD License 7 which accompanies this distribution. The full text of the license may be found at 8 http://opensource.org/licenses/bsd-license.php 9 10 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 11 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. 12 13 **/ 14 15 #ifndef _TPM2_COMMAND_LIB_H_ 16 #define _TPM2_COMMAND_LIB_H_ 17 18 #include <IndustryStandard/Tpm20.h> 19 20 /** 21 This command starts a hash or an Event sequence. 22 If hashAlg is an implemented hash, then a hash sequence is started. 23 If hashAlg is TPM_ALG_NULL, then an Event sequence is started. 24 25 @param[in] HashAlg The hash algorithm to use for the hash sequence 26 An Event sequence starts if this is TPM_ALG_NULL. 27 @param[out] SequenceHandle A handle to reference the sequence 28 29 @retval EFI_SUCCESS Operation completed successfully. 30 @retval EFI_DEVICE_ERROR Unexpected device behavior. 31 **/ 32 EFI_STATUS 33 EFIAPI 34 Tpm2HashSequenceStart ( 35 IN TPMI_ALG_HASH HashAlg, 36 OUT TPMI_DH_OBJECT *SequenceHandle 37 ); 38 39 /** 40 This command is used to add data to a hash or HMAC sequence. 41 The amount of data in buffer may be any size up to the limits of the TPM. 42 NOTE: In all TPM, a buffer size of 1,024 octets is allowed. 43 44 @param[in] SequenceHandle Handle for the sequence object 45 @param[in] Buffer Data to be added to hash 46 47 @retval EFI_SUCCESS Operation completed successfully. 48 @retval EFI_DEVICE_ERROR Unexpected device behavior. 49 **/ 50 EFI_STATUS 51 EFIAPI 52 Tpm2SequenceUpdate ( 53 IN TPMI_DH_OBJECT SequenceHandle, 54 IN TPM2B_MAX_BUFFER *Buffer 55 ); 56 57 /** 58 This command adds the last part of data, if any, to an Event sequence and returns the result in a digest list. 59 If pcrHandle references a PCR and not TPM_RH_NULL, then the returned digest list is processed in 60 the same manner as the digest list input parameter to TPM2_PCR_Extend() with the pcrHandle in each 61 bank extended with the associated digest value. 62 63 @param[in] PcrHandle PCR to be extended with the Event data 64 @param[in] SequenceHandle Authorization for the sequence 65 @param[in] Buffer Data to be added to the Event 66 @param[out] Results List of digests computed for the PCR 67 68 @retval EFI_SUCCESS Operation completed successfully. 69 @retval EFI_DEVICE_ERROR Unexpected device behavior. 70 **/ 71 EFI_STATUS 72 EFIAPI 73 Tpm2EventSequenceComplete ( 74 IN TPMI_DH_PCR PcrHandle, 75 IN TPMI_DH_OBJECT SequenceHandle, 76 IN TPM2B_MAX_BUFFER *Buffer, 77 OUT TPML_DIGEST_VALUES *Results 78 ); 79 80 /** 81 This command adds the last part of data, if any, to a hash/HMAC sequence and returns the result. 82 83 @param[in] SequenceHandle Authorization for the sequence 84 @param[in] Buffer Data to be added to the hash/HMAC 85 @param[out] Result The returned HMAC or digest in a sized buffer 86 87 @retval EFI_SUCCESS Operation completed successfully. 88 @retval EFI_DEVICE_ERROR Unexpected device behavior. 89 **/ 90 EFI_STATUS 91 EFIAPI 92 Tpm2SequenceComplete ( 93 IN TPMI_DH_OBJECT SequenceHandle, 94 IN TPM2B_MAX_BUFFER *Buffer, 95 OUT TPM2B_DIGEST *Result 96 ); 97 98 /** 99 Send Startup command to TPM2. 100 101 @param[in] StartupType TPM_SU_CLEAR or TPM_SU_STATE 102 103 @retval EFI_SUCCESS Operation completed successfully. 104 @retval EFI_DEVICE_ERROR Unexpected device behavior. 105 **/ 106 EFI_STATUS 107 EFIAPI 108 Tpm2Startup ( 109 IN TPM_SU StartupType 110 ); 111 112 /** 113 Send Shutdown command to TPM2. 114 115 @param[in] ShutdownType TPM_SU_CLEAR or TPM_SU_STATE. 116 117 @retval EFI_SUCCESS Operation completed successfully. 118 @retval EFI_DEVICE_ERROR Unexpected device behavior. 119 **/ 120 EFI_STATUS 121 EFIAPI 122 Tpm2Shutdown ( 123 IN TPM_SU ShutdownType 124 ); 125 126 /** 127 This command causes the TPM to perform a test of its capabilities. 128 If the fullTest is YES, the TPM will test all functions. 129 If fullTest = NO, the TPM will only test those functions that have not previously been tested. 130 131 @param[in] FullTest YES if full test to be performed 132 NO if only test of untested functions required 133 134 @retval EFI_SUCCESS Operation completed successfully. 135 @retval EFI_DEVICE_ERROR Unexpected device behavior. 136 **/ 137 EFI_STATUS 138 EFIAPI 139 Tpm2SelfTest ( 140 IN TPMI_YES_NO FullTest 141 ); 142 143 /** 144 This command allows setting of the authorization policy for the platform hierarchy (platformPolicy), the 145 storage hierarchy (ownerPolicy), and and the endorsement hierarchy (endorsementPolicy). 146 147 @param[in] AuthHandle TPM_RH_ENDORSEMENT, TPM_RH_OWNER or TPM_RH_PLATFORM+{PP} parameters to be validated 148 @param[in] AuthSession Auth Session context 149 @param[in] AuthPolicy An authorization policy hash 150 @param[in] HashAlg The hash algorithm to use for the policy 151 152 @retval EFI_SUCCESS Operation completed successfully. 153 @retval EFI_DEVICE_ERROR Unexpected device behavior. 154 **/ 155 EFI_STATUS 156 EFIAPI 157 Tpm2SetPrimaryPolicy ( 158 IN TPMI_RH_HIERARCHY_AUTH AuthHandle, 159 IN TPMS_AUTH_COMMAND *AuthSession, 160 IN TPM2B_DIGEST *AuthPolicy, 161 IN TPMI_ALG_HASH HashAlg 162 ); 163 164 /** 165 This command removes all TPM context associated with a specific Owner. 166 167 @param[in] AuthHandle TPM_RH_LOCKOUT or TPM_RH_PLATFORM+{PP} 168 @param[in] AuthSession Auth Session context 169 170 @retval EFI_SUCCESS Operation completed successfully. 171 @retval EFI_DEVICE_ERROR Unexpected device behavior. 172 **/ 173 EFI_STATUS 174 EFIAPI 175 Tpm2Clear ( 176 IN TPMI_RH_CLEAR AuthHandle, 177 IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL 178 ); 179 180 /** 181 Disables and enables the execution of TPM2_Clear(). 182 183 @param[in] AuthHandle TPM_RH_LOCKOUT or TPM_RH_PLATFORM+{PP} 184 @param[in] AuthSession Auth Session context 185 @param[in] Disable YES if the disableOwnerClear flag is to be SET, 186 NO if the flag is to be CLEAR. 187 188 @retval EFI_SUCCESS Operation completed successfully. 189 @retval EFI_DEVICE_ERROR Unexpected device behavior. 190 **/ 191 EFI_STATUS 192 EFIAPI 193 Tpm2ClearControl ( 194 IN TPMI_RH_CLEAR AuthHandle, 195 IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL 196 IN TPMI_YES_NO Disable 197 ); 198 199 /** 200 This command allows the authorization secret for a hierarchy or lockout to be changed using the current 201 authorization value as the command authorization. 202 203 @param[in] AuthHandle TPM_RH_LOCKOUT, TPM_RH_ENDORSEMENT, TPM_RH_OWNER or TPM_RH_PLATFORM+{PP} 204 @param[in] AuthSession Auth Session context 205 @param[in] NewAuth New authorization secret 206 207 @retval EFI_SUCCESS Operation completed successfully. 208 @retval EFI_DEVICE_ERROR Unexpected device behavior. 209 **/ 210 EFI_STATUS 211 EFIAPI 212 Tpm2HierarchyChangeAuth ( 213 IN TPMI_RH_HIERARCHY_AUTH AuthHandle, 214 IN TPMS_AUTH_COMMAND *AuthSession, 215 IN TPM2B_AUTH *NewAuth 216 ); 217 218 /** 219 This replaces the current EPS with a value from the RNG and sets the Endorsement hierarchy controls to 220 their default initialization values. 221 222 @param[in] AuthHandle TPM_RH_PLATFORM+{PP} 223 @param[in] AuthSession Auth Session context 224 225 @retval EFI_SUCCESS Operation completed successfully. 226 @retval EFI_DEVICE_ERROR Unexpected device behavior. 227 **/ 228 EFI_STATUS 229 EFIAPI 230 Tpm2ChangeEPS ( 231 IN TPMI_RH_PLATFORM AuthHandle, 232 IN TPMS_AUTH_COMMAND *AuthSession 233 ); 234 235 /** 236 This replaces the current PPS with a value from the RNG and sets platformPolicy to the default 237 initialization value (the Empty Buffer). 238 239 @param[in] AuthHandle TPM_RH_PLATFORM+{PP} 240 @param[in] AuthSession Auth Session context 241 242 @retval EFI_SUCCESS Operation completed successfully. 243 @retval EFI_DEVICE_ERROR Unexpected device behavior. 244 **/ 245 EFI_STATUS 246 EFIAPI 247 Tpm2ChangePPS ( 248 IN TPMI_RH_PLATFORM AuthHandle, 249 IN TPMS_AUTH_COMMAND *AuthSession 250 ); 251 252 /** 253 This command enables and disables use of a hierarchy. 254 255 @param[in] AuthHandle TPM_RH_ENDORSEMENT, TPM_RH_OWNER or TPM_RH_PLATFORM+{PP} 256 @param[in] AuthSession Auth Session context 257 @param[in] Hierarchy Hierarchy of the enable being modified 258 @param[in] State YES if the enable should be SET, 259 NO if the enable should be CLEAR 260 261 @retval EFI_SUCCESS Operation completed successfully. 262 @retval EFI_DEVICE_ERROR Unexpected device behavior. 263 **/ 264 EFI_STATUS 265 EFIAPI 266 Tpm2HierarchyControl ( 267 IN TPMI_RH_HIERARCHY AuthHandle, 268 IN TPMS_AUTH_COMMAND *AuthSession, 269 IN TPMI_RH_HIERARCHY Hierarchy, 270 IN TPMI_YES_NO State 271 ); 272 273 /** 274 This command cancels the effect of a TPM lockout due to a number of successive authorization failures. 275 If this command is properly authorized, the lockout counter is set to zero. 276 277 @param[in] LockHandle LockHandle 278 @param[in] AuthSession Auth Session context 279 280 @retval EFI_SUCCESS Operation completed successfully. 281 @retval EFI_DEVICE_ERROR Unexpected device behavior. 282 **/ 283 EFI_STATUS 284 EFIAPI 285 Tpm2DictionaryAttackLockReset ( 286 IN TPMI_RH_LOCKOUT LockHandle, 287 IN TPMS_AUTH_COMMAND *AuthSession 288 ); 289 290 /** 291 This command cancels the effect of a TPM lockout due to a number of successive authorization failures. 292 If this command is properly authorized, the lockout counter is set to zero. 293 294 @param[in] LockHandle LockHandle 295 @param[in] AuthSession Auth Session context 296 @param[in] NewMaxTries Count of authorization failures before the lockout is imposed 297 @param[in] NewRecoveryTime Time in seconds before the authorization failure count is automatically decremented 298 @param[in] LockoutRecovery Time in seconds after a lockoutAuth failure before use of lockoutAuth is allowed 299 300 @retval EFI_SUCCESS Operation completed successfully. 301 @retval EFI_DEVICE_ERROR Unexpected device behavior. 302 **/ 303 EFI_STATUS 304 EFIAPI 305 Tpm2DictionaryAttackParameters ( 306 IN TPMI_RH_LOCKOUT LockHandle, 307 IN TPMS_AUTH_COMMAND *AuthSession, 308 IN UINT32 NewMaxTries, 309 IN UINT32 NewRecoveryTime, 310 IN UINT32 LockoutRecovery 311 ); 312 313 /** 314 This command is used to read the public area and Name of an NV Index. 315 316 @param[in] NvIndex The NV Index. 317 @param[out] NvPublic The public area of the index. 318 @param[out] NvName The Name of the nvIndex. 319 320 @retval EFI_SUCCESS Operation completed successfully. 321 @retval EFI_DEVICE_ERROR The command was unsuccessful. 322 **/ 323 EFI_STATUS 324 EFIAPI 325 Tpm2NvReadPublic ( 326 IN TPMI_RH_NV_INDEX NvIndex, 327 OUT TPM2B_NV_PUBLIC *NvPublic, 328 OUT TPM2B_NAME *NvName 329 ); 330 331 /** 332 This command defines the attributes of an NV Index and causes the TPM to 333 reserve space to hold the data associated with the index. 334 If a definition already exists at the index, the TPM will return TPM_RC_NV_DEFINED. 335 336 @param[in] AuthHandle TPM_RH_OWNER or TPM_RH_PLATFORM+{PP}. 337 @param[in] AuthSession Auth Session context 338 @param[in] Auth The authorization data. 339 @param[in] NvPublic The public area of the index. 340 341 @retval EFI_SUCCESS Operation completed successfully. 342 @retval EFI_DEVICE_ERROR The command was unsuccessful. 343 @retval EFI_ALREADY_STARTED The command was returned successfully, but NvIndex is already defined. 344 **/ 345 EFI_STATUS 346 EFIAPI 347 Tpm2NvDefineSpace ( 348 IN TPMI_RH_PROVISION AuthHandle, 349 IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL 350 IN TPM2B_AUTH *Auth, 351 IN TPM2B_NV_PUBLIC *NvPublic 352 ); 353 354 /** 355 This command removes an index from the TPM. 356 357 @param[in] AuthHandle TPM_RH_OWNER or TPM_RH_PLATFORM+{PP}. 358 @param[in] NvIndex The NV Index. 359 @param[in] AuthSession Auth Session context 360 361 @retval EFI_SUCCESS Operation completed successfully. 362 @retval EFI_DEVICE_ERROR The command was unsuccessful. 363 @retval EFI_NOT_FOUND The command was returned successfully, but NvIndex is not found. 364 **/ 365 EFI_STATUS 366 EFIAPI 367 Tpm2NvUndefineSpace ( 368 IN TPMI_RH_PROVISION AuthHandle, 369 IN TPMI_RH_NV_INDEX NvIndex, 370 IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL 371 ); 372 373 /** 374 This command reads a value from an area in NV memory previously defined by TPM2_NV_DefineSpace(). 375 376 @param[in] AuthHandle the handle indicating the source of the authorization value. 377 @param[in] NvIndex The index to be read. 378 @param[in] AuthSession Auth Session context 379 @param[in] Size Number of bytes to read. 380 @param[in] Offset Byte offset into the area. 381 @param[in,out] OutData The data read. 382 383 @retval EFI_SUCCESS Operation completed successfully. 384 @retval EFI_DEVICE_ERROR The command was unsuccessful. 385 @retval EFI_NOT_FOUND The command was returned successfully, but NvIndex is not found. 386 **/ 387 EFI_STATUS 388 EFIAPI 389 Tpm2NvRead ( 390 IN TPMI_RH_NV_AUTH AuthHandle, 391 IN TPMI_RH_NV_INDEX NvIndex, 392 IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL 393 IN UINT16 Size, 394 IN UINT16 Offset, 395 IN OUT TPM2B_MAX_BUFFER *OutData 396 ); 397 398 /** 399 This command writes a value to an area in NV memory that was previously defined by TPM2_NV_DefineSpace(). 400 401 @param[in] AuthHandle the handle indicating the source of the authorization value. 402 @param[in] NvIndex The NV Index of the area to write. 403 @param[in] AuthSession Auth Session context 404 @param[in] InData The data to write. 405 @param[in] Offset The offset into the NV Area. 406 407 @retval EFI_SUCCESS Operation completed successfully. 408 @retval EFI_DEVICE_ERROR The command was unsuccessful. 409 @retval EFI_NOT_FOUND The command was returned successfully, but NvIndex is not found. 410 **/ 411 EFI_STATUS 412 EFIAPI 413 Tpm2NvWrite ( 414 IN TPMI_RH_NV_AUTH AuthHandle, 415 IN TPMI_RH_NV_INDEX NvIndex, 416 IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL 417 IN TPM2B_MAX_BUFFER *InData, 418 IN UINT16 Offset 419 ); 420 421 /** 422 This command may be used to prevent further reads of the Index until the next TPM2_Startup (TPM_SU_CLEAR). 423 424 @param[in] AuthHandle the handle indicating the source of the authorization value. 425 @param[in] NvIndex The NV Index of the area to lock. 426 @param[in] AuthSession Auth Session context 427 428 @retval EFI_SUCCESS Operation completed successfully. 429 @retval EFI_DEVICE_ERROR The command was unsuccessful. 430 @retval EFI_NOT_FOUND The command was returned successfully, but NvIndex is not found. 431 **/ 432 EFI_STATUS 433 EFIAPI 434 Tpm2NvReadLock ( 435 IN TPMI_RH_NV_AUTH AuthHandle, 436 IN TPMI_RH_NV_INDEX NvIndex, 437 IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL 438 ); 439 440 /** 441 This command may be used to inhibit further writes of the Index. 442 443 @param[in] AuthHandle the handle indicating the source of the authorization value. 444 @param[in] NvIndex The NV Index of the area to lock. 445 @param[in] AuthSession Auth Session context 446 447 @retval EFI_SUCCESS Operation completed successfully. 448 @retval EFI_DEVICE_ERROR The command was unsuccessful. 449 @retval EFI_NOT_FOUND The command was returned successfully, but NvIndex is not found. 450 **/ 451 EFI_STATUS 452 EFIAPI 453 Tpm2NvWriteLock ( 454 IN TPMI_RH_NV_AUTH AuthHandle, 455 IN TPMI_RH_NV_INDEX NvIndex, 456 IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL 457 ); 458 459 /** 460 The command will SET TPMA_NV_WRITELOCKED for all indexes that have their TPMA_NV_GLOBALLOCK attribute SET. 461 462 @param[in] AuthHandle TPM_RH_OWNER or TPM_RH_PLATFORM+{PP}. 463 @param[in] AuthSession Auth Session context 464 465 @retval EFI_SUCCESS Operation completed successfully. 466 @retval EFI_DEVICE_ERROR The command was unsuccessful. 467 @retval EFI_NOT_FOUND The command was returned successfully, but NvIndex is not found. 468 **/ 469 EFI_STATUS 470 EFIAPI 471 Tpm2NvGlobalWriteLock ( 472 IN TPMI_RH_PROVISION AuthHandle, 473 IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL 474 ); 475 476 /** 477 This command is used to cause an update to the indicated PCR. 478 The digests parameter contains one or more tagged digest value identified by an algorithm ID. 479 For each digest, the PCR associated with pcrHandle is Extended into the bank identified by the tag (hashAlg). 480 481 @param[in] PcrHandle Handle of the PCR 482 @param[in] Digests List of tagged digest values to be extended 483 484 @retval EFI_SUCCESS Operation completed successfully. 485 @retval EFI_DEVICE_ERROR Unexpected device behavior. 486 **/ 487 EFI_STATUS 488 EFIAPI 489 Tpm2PcrExtend ( 490 IN TPMI_DH_PCR PcrHandle, 491 IN TPML_DIGEST_VALUES *Digests 492 ); 493 494 /** 495 This command is used to cause an update to the indicated PCR. 496 The data in eventData is hashed using the hash algorithm associated with each bank in which the 497 indicated PCR has been allocated. After the data is hashed, the digests list is returned. If the pcrHandle 498 references an implemented PCR and not TPM_ALG_NULL, digests list is processed as in 499 TPM2_PCR_Extend(). 500 A TPM shall support an Event.size of zero through 1,024 inclusive. 501 502 @param[in] PcrHandle Handle of the PCR 503 @param[in] EventData Event data in sized buffer 504 @param[out] Digests List of digest 505 506 @retval EFI_SUCCESS Operation completed successfully. 507 @retval EFI_DEVICE_ERROR Unexpected device behavior. 508 **/ 509 EFI_STATUS 510 EFIAPI 511 Tpm2PcrEvent ( 512 IN TPMI_DH_PCR PcrHandle, 513 IN TPM2B_EVENT *EventData, 514 OUT TPML_DIGEST_VALUES *Digests 515 ); 516 517 /** 518 This command returns the values of all PCR specified in pcrSelect. 519 520 @param[in] PcrSelectionIn The selection of PCR to read. 521 @param[out] PcrUpdateCounter The current value of the PCR update counter. 522 @param[out] PcrSelectionOut The PCR in the returned list. 523 @param[out] PcrValues The contents of the PCR indicated in pcrSelect. 524 525 @retval EFI_SUCCESS Operation completed successfully. 526 @retval EFI_DEVICE_ERROR The command was unsuccessful. 527 **/ 528 EFI_STATUS 529 EFIAPI 530 Tpm2PcrRead ( 531 IN TPML_PCR_SELECTION *PcrSelectionIn, 532 OUT UINT32 *PcrUpdateCounter, 533 OUT TPML_PCR_SELECTION *PcrSelectionOut, 534 OUT TPML_DIGEST *PcrValues 535 ); 536 537 /** 538 This command is used to set the desired PCR allocation of PCR and algorithms. 539 540 @param[in] AuthHandle TPM_RH_PLATFORM+{PP} 541 @param[in] AuthSession Auth Session context 542 @param[in] PcrAllocation The requested allocation 543 @param[out] AllocationSuccess YES if the allocation succeeded 544 @param[out] MaxPCR maximum number of PCR that may be in a bank 545 @param[out] SizeNeeded number of octets required to satisfy the request 546 @param[out] SizeAvailable Number of octets available. Computed before the allocation 547 548 @retval EFI_SUCCESS Operation completed successfully. 549 @retval EFI_DEVICE_ERROR The command was unsuccessful. 550 **/ 551 EFI_STATUS 552 EFIAPI 553 Tpm2PcrAllocate ( 554 IN TPMI_RH_PLATFORM AuthHandle, 555 IN TPMS_AUTH_COMMAND *AuthSession, 556 IN TPML_PCR_SELECTION *PcrAllocation, 557 OUT TPMI_YES_NO *AllocationSuccess, 558 OUT UINT32 *MaxPCR, 559 OUT UINT32 *SizeNeeded, 560 OUT UINT32 *SizeAvailable 561 ); 562 563 /** 564 Alloc PCR data. 565 566 @param[in] PlatformAuth platform auth value. NULL means no platform auth change. 567 @param[in] SupportedPCRBanks Supported PCR banks 568 @param[in] PCRBanks PCR banks 569 570 @retval EFI_SUCCESS Operation completed successfully. 571 **/ 572 EFI_STATUS 573 EFIAPI 574 Tpm2PcrAllocateBanks ( 575 IN TPM2B_AUTH *PlatformAuth, OPTIONAL 576 IN UINT32 SupportedPCRBanks, 577 IN UINT32 PCRBanks 578 ); 579 580 /** 581 This command returns various information regarding the TPM and its current state. 582 583 The capability parameter determines the category of data returned. The property parameter 584 selects the first value of the selected category to be returned. If there is no property 585 that corresponds to the value of property, the next higher value is returned, if it exists. 586 The moreData parameter will have a value of YES if there are more values of the requested 587 type that were not returned. 588 If no next capability exists, the TPM will return a zero-length list and moreData will have 589 a value of NO. 590 591 NOTE: 592 To simplify this function, leave returned CapabilityData for caller to unpack since there are 593 many capability categories and only few categories will be used in firmware. It means the caller 594 need swap the byte order for the feilds in CapabilityData. 595 596 @param[in] Capability Group selection; determines the format of the response. 597 @param[in] Property Further definition of information. 598 @param[in] PropertyCount Number of properties of the indicated type to return. 599 @param[out] MoreData Flag to indicate if there are more values of this type. 600 @param[out] CapabilityData The capability data. 601 602 @retval EFI_SUCCESS Operation completed successfully. 603 @retval EFI_DEVICE_ERROR The command was unsuccessful. 604 **/ 605 EFI_STATUS 606 EFIAPI 607 Tpm2GetCapability ( 608 IN TPM_CAP Capability, 609 IN UINT32 Property, 610 IN UINT32 PropertyCount, 611 OUT TPMI_YES_NO *MoreData, 612 OUT TPMS_CAPABILITY_DATA *CapabilityData 613 ); 614 615 /** 616 This command returns the information of TPM Family. 617 618 This function parse the value got from TPM2_GetCapability and return the Family. 619 620 @param[out] Family The Family of TPM. (a 4-octet character string) 621 622 @retval EFI_SUCCESS Operation completed successfully. 623 @retval EFI_DEVICE_ERROR The command was unsuccessful. 624 **/ 625 EFI_STATUS 626 EFIAPI 627 Tpm2GetCapabilityFamily ( 628 OUT CHAR8 *Family 629 ); 630 631 /** 632 This command returns the information of TPM manufacture ID. 633 634 This function parse the value got from TPM2_GetCapability and return the TPM manufacture ID. 635 636 @param[out] ManufactureId The manufacture ID of TPM. 637 638 @retval EFI_SUCCESS Operation completed successfully. 639 @retval EFI_DEVICE_ERROR The command was unsuccessful. 640 **/ 641 EFI_STATUS 642 EFIAPI 643 Tpm2GetCapabilityManufactureID ( 644 OUT UINT32 *ManufactureId 645 ); 646 647 /** 648 This command returns the information of TPM FirmwareVersion. 649 650 This function parse the value got from TPM2_GetCapability and return the TPM FirmwareVersion. 651 652 @param[out] FirmwareVersion1 The FirmwareVersion1. 653 @param[out] FirmwareVersion2 The FirmwareVersion2. 654 655 @retval EFI_SUCCESS Operation completed successfully. 656 @retval EFI_DEVICE_ERROR The command was unsuccessful. 657 **/ 658 EFI_STATUS 659 EFIAPI 660 Tpm2GetCapabilityFirmwareVersion ( 661 OUT UINT32 *FirmwareVersion1, 662 OUT UINT32 *FirmwareVersion2 663 ); 664 665 /** 666 This command returns the information of the maximum value for commandSize and responseSize in a command. 667 668 This function parse the value got from TPM2_GetCapability and return the max command size and response size 669 670 @param[out] MaxCommandSize The maximum value for commandSize in a command. 671 @param[out] MaxResponseSize The maximum value for responseSize in a command. 672 673 @retval EFI_SUCCESS Operation completed successfully. 674 @retval EFI_DEVICE_ERROR The command was unsuccessful. 675 **/ 676 EFI_STATUS 677 EFIAPI 678 Tpm2GetCapabilityMaxCommandResponseSize ( 679 OUT UINT32 *MaxCommandSize, 680 OUT UINT32 *MaxResponseSize 681 ); 682 683 /** 684 This command returns Returns a list of TPMS_ALG_PROPERTIES. Each entry is an 685 algorithm ID and a set of properties of the algorithm. 686 687 This function parse the value got from TPM2_GetCapability and return the list. 688 689 @param[out] AlgList List of algorithm. 690 691 @retval EFI_SUCCESS Operation completed successfully. 692 @retval EFI_DEVICE_ERROR The command was unsuccessful. 693 **/ 694 EFI_STATUS 695 EFIAPI 696 Tpm2GetCapabilitySupportedAlg ( 697 OUT TPML_ALG_PROPERTY *AlgList 698 ); 699 700 /** 701 This command returns the information of TPM LockoutCounter. 702 703 This function parse the value got from TPM2_GetCapability and return the LockoutCounter. 704 705 @param[out] LockoutCounter The LockoutCounter of TPM. 706 707 @retval EFI_SUCCESS Operation completed successfully. 708 @retval EFI_DEVICE_ERROR The command was unsuccessful. 709 **/ 710 EFI_STATUS 711 EFIAPI 712 Tpm2GetCapabilityLockoutCounter ( 713 OUT UINT32 *LockoutCounter 714 ); 715 716 /** 717 This command returns the information of TPM LockoutInterval. 718 719 This function parse the value got from TPM2_GetCapability and return the LockoutInterval. 720 721 @param[out] LockoutInterval The LockoutInterval of TPM. 722 723 @retval EFI_SUCCESS Operation completed successfully. 724 @retval EFI_DEVICE_ERROR The command was unsuccessful. 725 **/ 726 EFI_STATUS 727 EFIAPI 728 Tpm2GetCapabilityLockoutInterval ( 729 OUT UINT32 *LockoutInterval 730 ); 731 732 /** 733 This command returns the information of TPM InputBufferSize. 734 735 This function parse the value got from TPM2_GetCapability and return the InputBufferSize. 736 737 @param[out] InputBufferSize The InputBufferSize of TPM. 738 the maximum size of a parameter (typically, a TPM2B_MAX_BUFFER) 739 740 @retval EFI_SUCCESS Operation completed successfully. 741 @retval EFI_DEVICE_ERROR The command was unsuccessful. 742 **/ 743 EFI_STATUS 744 EFIAPI 745 Tpm2GetCapabilityInputBufferSize ( 746 OUT UINT32 *InputBufferSize 747 ); 748 749 /** 750 This command returns the information of TPM PCRs. 751 752 This function parse the value got from TPM2_GetCapability and return the PcrSelection. 753 754 @param[out] Pcrs The Pcr Selection 755 756 @retval EFI_SUCCESS Operation completed successfully. 757 @retval EFI_DEVICE_ERROR The command was unsuccessful. 758 **/ 759 EFI_STATUS 760 EFIAPI 761 Tpm2GetCapabilityPcrs ( 762 OUT TPML_PCR_SELECTION *Pcrs 763 ); 764 765 /** 766 This function will query the TPM to determine which hashing algorithms 767 are supported and which PCR banks are currently active. 768 769 @param[out] TpmHashAlgorithmBitmap A bitmask containing the algorithms supported by the TPM. 770 @param[out] ActivePcrBanks A bitmask containing the PCRs currently allocated. 771 772 @retval EFI_SUCCESS TPM was successfully queried and return values can be trusted. 773 @retval Others An error occurred, likely in communication with the TPM. 774 775 **/ 776 EFI_STATUS 777 EFIAPI 778 Tpm2GetCapabilitySupportedAndActivePcrs( 779 OUT UINT32 *TpmHashAlgorithmBitmap, 780 OUT UINT32 *ActivePcrBanks 781 ); 782 783 /** 784 This command returns the information of TPM AlgorithmSet. 785 786 This function parse the value got from TPM2_GetCapability and return the AlgorithmSet. 787 788 @param[out] AlgorithmSet The AlgorithmSet of TPM. 789 790 @retval EFI_SUCCESS Operation completed successfully. 791 @retval EFI_DEVICE_ERROR The command was unsuccessful. 792 **/ 793 EFI_STATUS 794 EFIAPI 795 Tpm2GetCapabilityAlgorithmSet ( 796 OUT UINT32 *AlgorithmSet 797 ); 798 799 /** 800 This command is used to check to see if specific combinations of algorithm parameters are supported. 801 802 @param[in] Parameters Algorithm parameters to be validated 803 804 @retval EFI_SUCCESS Operation completed successfully. 805 @retval EFI_DEVICE_ERROR Unexpected device behavior. 806 **/ 807 EFI_STATUS 808 EFIAPI 809 Tpm2TestParms ( 810 IN TPMT_PUBLIC_PARMS *Parameters 811 ); 812 813 /** 814 This command allows the platform to change the set of algorithms that are used by the TPM. 815 The algorithmSet setting is a vendor-dependent value. 816 817 @param[in] AuthHandle TPM_RH_PLATFORM 818 @param[in] AuthSession Auth Session context 819 @param[in] AlgorithmSet A TPM vendor-dependent value indicating the 820 algorithm set selection 821 822 @retval EFI_SUCCESS Operation completed successfully. 823 @retval EFI_DEVICE_ERROR Unexpected device behavior. 824 **/ 825 EFI_STATUS 826 EFIAPI 827 Tpm2SetAlgorithmSet ( 828 IN TPMI_RH_PLATFORM AuthHandle, 829 IN TPMS_AUTH_COMMAND *AuthSession, 830 IN UINT32 AlgorithmSet 831 ); 832 833 /** 834 This command is used to start an authorization session using alternative methods of 835 establishing the session key (sessionKey) that is used for authorization and encrypting value. 836 837 @param[in] TpmKey Handle of a loaded decrypt key used to encrypt salt. 838 @param[in] Bind Entity providing the authValue. 839 @param[in] NonceCaller Initial nonceCaller, sets nonce size for the session. 840 @param[in] Salt Value encrypted according to the type of tpmKey. 841 @param[in] SessionType Indicates the type of the session. 842 @param[in] Symmetric The algorithm and key size for parameter encryption. 843 @param[in] AuthHash Hash algorithm to use for the session. 844 @param[out] SessionHandle Handle for the newly created session. 845 @param[out] NonceTPM The initial nonce from the TPM, used in the computation of the sessionKey. 846 847 @retval EFI_SUCCESS Operation completed successfully. 848 @retval EFI_DEVICE_ERROR The command was unsuccessful. 849 **/ 850 EFI_STATUS 851 EFIAPI 852 Tpm2StartAuthSession ( 853 IN TPMI_DH_OBJECT TpmKey, 854 IN TPMI_DH_ENTITY Bind, 855 IN TPM2B_NONCE *NonceCaller, 856 IN TPM2B_ENCRYPTED_SECRET *Salt, 857 IN TPM_SE SessionType, 858 IN TPMT_SYM_DEF *Symmetric, 859 IN TPMI_ALG_HASH AuthHash, 860 OUT TPMI_SH_AUTH_SESSION *SessionHandle, 861 OUT TPM2B_NONCE *NonceTPM 862 ); 863 864 /** 865 This command causes all context associated with a loaded object or session to be removed from TPM memory. 866 867 @param[in] FlushHandle The handle of the item to flush. 868 869 @retval EFI_SUCCESS Operation completed successfully. 870 @retval EFI_DEVICE_ERROR The command was unsuccessful. 871 **/ 872 EFI_STATUS 873 EFIAPI 874 Tpm2FlushContext ( 875 IN TPMI_DH_CONTEXT FlushHandle 876 ); 877 878 /** 879 This command includes a secret-based authorization to a policy. 880 The caller proves knowledge of the secret value using an authorization 881 session using the authValue associated with authHandle. 882 883 @param[in] AuthHandle Handle for an entity providing the authorization 884 @param[in] PolicySession Handle for the policy session being extended. 885 @param[in] AuthSession Auth Session context 886 @param[in] NonceTPM The policy nonce for the session. 887 @param[in] CpHashA Digest of the command parameters to which this authorization is limited. 888 @param[in] PolicyRef A reference to a policy relating to the authorization. 889 @param[in] Expiration Time when authorization will expire, measured in seconds from the time that nonceTPM was generated. 890 @param[out] Timeout Time value used to indicate to the TPM when the ticket expires. 891 @param[out] PolicyTicket A ticket that includes a value indicating when the authorization expires. 892 893 @retval EFI_SUCCESS Operation completed successfully. 894 @retval EFI_DEVICE_ERROR The command was unsuccessful. 895 **/ 896 EFI_STATUS 897 EFIAPI 898 Tpm2PolicySecret ( 899 IN TPMI_DH_ENTITY AuthHandle, 900 IN TPMI_SH_POLICY PolicySession, 901 IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL 902 IN TPM2B_NONCE *NonceTPM, 903 IN TPM2B_DIGEST *CpHashA, 904 IN TPM2B_NONCE *PolicyRef, 905 IN INT32 Expiration, 906 OUT TPM2B_TIMEOUT *Timeout, 907 OUT TPMT_TK_AUTH *PolicyTicket 908 ); 909 910 /** 911 This command allows options in authorizations without requiring that the TPM evaluate all of the options. 912 If a policy may be satisfied by different sets of conditions, the TPM need only evaluate one set that 913 satisfies the policy. This command will indicate that one of the required sets of conditions has been 914 satisfied. 915 916 @param[in] PolicySession Handle for the policy session being extended. 917 @param[in] HashList the list of hashes to check for a match. 918 919 @retval EFI_SUCCESS Operation completed successfully. 920 @retval EFI_DEVICE_ERROR The command was unsuccessful. 921 **/ 922 EFI_STATUS 923 EFIAPI 924 Tpm2PolicyOR ( 925 IN TPMI_SH_POLICY PolicySession, 926 IN TPML_DIGEST *HashList 927 ); 928 929 /** 930 This command indicates that the authorization will be limited to a specific command code. 931 932 @param[in] PolicySession Handle for the policy session being extended. 933 @param[in] Code The allowed commandCode. 934 935 @retval EFI_SUCCESS Operation completed successfully. 936 @retval EFI_DEVICE_ERROR The command was unsuccessful. 937 **/ 938 EFI_STATUS 939 EFIAPI 940 Tpm2PolicyCommandCode ( 941 IN TPMI_SH_POLICY PolicySession, 942 IN TPM_CC Code 943 ); 944 945 /** 946 This command returns the current policyDigest of the session. This command allows the TPM 947 to be used to perform the actions required to precompute the authPolicy for an object. 948 949 @param[in] PolicySession Handle for the policy session. 950 @param[out] PolicyHash the current value of the policyHash of policySession. 951 952 @retval EFI_SUCCESS Operation completed successfully. 953 @retval EFI_DEVICE_ERROR The command was unsuccessful. 954 **/ 955 EFI_STATUS 956 EFIAPI 957 Tpm2PolicyGetDigest ( 958 IN TPMI_SH_POLICY PolicySession, 959 OUT TPM2B_DIGEST *PolicyHash 960 ); 961 962 // 963 // Help function 964 // 965 966 /** 967 Copy AuthSessionIn to TPM2 command buffer. 968 969 @param [in] AuthSessionIn Input AuthSession data 970 @param [out] AuthSessionOut Output AuthSession data in TPM2 command buffer 971 972 @return AuthSession size 973 **/ 974 UINT32 975 EFIAPI 976 CopyAuthSessionCommand ( 977 IN TPMS_AUTH_COMMAND *AuthSessionIn, OPTIONAL 978 OUT UINT8 *AuthSessionOut 979 ); 980 981 /** 982 Copy AuthSessionIn from TPM2 response buffer. 983 984 @param [in] AuthSessionIn Input AuthSession data in TPM2 response buffer 985 @param [out] AuthSessionOut Output AuthSession data 986 987 @return AuthSession size 988 **/ 989 UINT32 990 EFIAPI 991 CopyAuthSessionResponse ( 992 IN UINT8 *AuthSessionIn, 993 OUT TPMS_AUTH_RESPONSE *AuthSessionOut OPTIONAL 994 ); 995 996 /** 997 Return size of digest. 998 999 @param[in] HashAlgo Hash algorithm 1000 1001 @return size of digest 1002 **/ 1003 UINT16 1004 EFIAPI 1005 GetHashSizeFromAlgo ( 1006 IN TPMI_ALG_HASH HashAlgo 1007 ); 1008 1009 /** 1010 Get hash mask from algorithm. 1011 1012 @param[in] HashAlgo Hash algorithm 1013 1014 @return Hash mask 1015 **/ 1016 UINT32 1017 EFIAPI 1018 GetHashMaskFromAlgo ( 1019 IN TPMI_ALG_HASH HashAlgo 1020 ); 1021 1022 /** 1023 Return if hash alg is supported in HashAlgorithmMask. 1024 1025 @param HashAlg Hash algorithm to be checked. 1026 @param HashAlgorithmMask Bitfield of allowed hash algorithms. 1027 1028 @retval TRUE Hash algorithm is supported. 1029 @retval FALSE Hash algorithm is not supported. 1030 **/ 1031 BOOLEAN 1032 EFIAPI 1033 IsHashAlgSupportedInHashAlgorithmMask( 1034 IN TPMI_ALG_HASH HashAlg, 1035 IN UINT32 HashAlgorithmMask 1036 ); 1037 1038 /** 1039 Copy TPML_DIGEST_VALUES into a buffer 1040 1041 @param[in,out] Buffer Buffer to hold copied TPML_DIGEST_VALUES compact binary. 1042 @param[in] DigestList TPML_DIGEST_VALUES to be copied. 1043 @param[in] HashAlgorithmMask HASH bits corresponding to the desired digests to copy. 1044 1045 @return The end of buffer to hold TPML_DIGEST_VALUES. 1046 **/ 1047 VOID * 1048 EFIAPI 1049 CopyDigestListToBuffer( 1050 IN OUT VOID *Buffer, 1051 IN TPML_DIGEST_VALUES *DigestList, 1052 IN UINT32 HashAlgorithmMask 1053 ); 1054 1055 /** 1056 Get TPML_DIGEST_VALUES data size. 1057 1058 @param[in] DigestList TPML_DIGEST_VALUES data. 1059 1060 @return TPML_DIGEST_VALUES data size. 1061 **/ 1062 UINT32 1063 EFIAPI 1064 GetDigestListSize( 1065 IN TPML_DIGEST_VALUES *DigestList 1066 ); 1067 1068 /** 1069 This function get digest from digest list. 1070 1071 @param[in] HashAlg Digest algorithm 1072 @param[in] DigestList Digest list 1073 @param[out] Digest Digest 1074 1075 @retval EFI_SUCCESS Digest is found and returned. 1076 @retval EFI_NOT_FOUND Digest is not found. 1077 **/ 1078 EFI_STATUS 1079 EFIAPI 1080 GetDigestFromDigestList( 1081 IN TPMI_ALG_HASH HashAlg, 1082 IN TPML_DIGEST_VALUES *DigestList, 1083 OUT VOID *Digest 1084 ); 1085 1086 #endif 1087