author | Mattias Nissler <mnissler@chromium.org> | 2017-11-21 12:17:03 +0100 |
---|---|---|
committer | Mattias Nissler <mnissler@chromium.org> | 2018-04-13 10:03:28 +0000 |
commit | 163b41233cbbfdd67da10017aab7c1ce9a6e0873 (patch) | |
tree | 6bd14c5a3eddc3e35f6a5657e51659011dde3dcf /firmware/include | |
parent | d6f52a05a3b54e3d80f4bded77f33daccbe04e23 (diff) | |
download | vboot-163b41233cbbfdd67da10017aab7c1ce9a6e0873.tar.gz |
tpm_lite: Implement ReadPubek command.
Add a TlclReadPubek library function to read the public endorsement
key.
BRANCH=None
BUG=chromium:788719
TEST=New unit tests.
Change-Id: I5f23b76b88198d656f4ba5782d2b4f25aaa082b1
Reviewed-on: https://chromium-review.googlesource.com/790413
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Trybot-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Trybot-Ready: Mattias Nissler <mnissler@chromium.org>
Diffstat (limited to 'firmware/include')
-rw-r--r-- | firmware/include/tlcl.h | 13 | ||||
-rw-r--r-- | firmware/include/tpm1_tss_constants.h | 10 | ||||
-rw-r--r-- | firmware/include/tss_constants.h | 5 | ||||
-rw-r--r-- | firmware/include/vboot_api.h | 15 |
4 files changed, 43 insertions, 0 deletions
diff --git a/firmware/include/tlcl.h b/firmware/include/tlcl.h
index b38c3d69..685925f4 100644
--- a/firmware/include/tlcl.h
+++ b/firmware/include/tlcl.h
@@ -230,6 +230,19 @@ uint32_t TlclGetVersion(uint32_t* vendor, uint64_t* firmware_version,
  */
 uint32_t TlclIFXFieldUpgradeInfo(TPM_IFX_FIELDUPGRADEINFO *info);
 
+#ifdef CHROMEOS_ENVIRONMENT
+#ifndef TPM2_MODE
+
+/**
+ * Read the public half of the EK.
+ */
+uint32_t TlclReadPubek(uint32_t* public_exponent,
+                       uint8_t* modulus,
+                       uint32_t* modulus_size);
+
+#endif /* TPM2_MODE */
+#endif /* CHROMEOS_ENVIRONMENT */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/firmware/include/tpm1_tss_constants.h b/firmware/include/tpm1_tss_constants.h
index 97d7358f..f915fb53 100644
--- a/firmware/include/tpm1_tss_constants.h
+++ b/firmware/include/tpm1_tss_constants.h
@@ -55,6 +55,12 @@ typedef uint32_t TPM_CAPABILITY_AREA;
 #define TPM_CAP_NV_INDEX ((uint32_t) 0x00000011)
 #define TPM_CAP_GET_VERSION_VAL ((uint32_t) 0x0000001a)
 
+#define TPM_ALG_RSA ((uint16_t)0x0001)
+
+#define TPM_ES_RSAESOAEP_SHA1_MGF1 ((uint16_t)0x0003)
+
+#define TPM_SS_NONE ((uint16_t)0x0001)
+
 #define TPM_ST_CLEAR ((uint16_t) 0x0001)
 #define TPM_ST_STATE ((uint16_t) 0x0002)
 #define TPM_ST_DEACTIVATED ((uint16_t) 0x0003)
@@ -77,6 +83,10 @@ typedef uint32_t TPM_CAPABILITY_AREA;
 #define TPM_SHA1_160_HASH_LEN 0x14
 #define TPM_SHA1BASED_NONCE_LEN TPM_SHA1_160_HASH_LEN
 
+#define TPM_AUTH_DATA_LEN 0x14
+
+#define TPM_RSA_2048_LEN 0x100
+
 typedef struct tdTPM_DIGEST
 {
 	uint8_t digest[TPM_SHA1_160_HASH_LEN];
diff --git a/firmware/include/tss_constants.h b/firmware/include/tss_constants.h
index 1fe92b92..d579933e 100644
--- a/firmware/include/tss_constants.h
+++ b/firmware/include/tss_constants.h
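Review bot: The doc comment on the new TlclReadPubek declaration only says "Read the public half of the EK" and leaves the parameter contract undocumented, which matters because modulus_size is passed by pointer and the TPM_E_BUFFER_SIZE code added elsewhere in this commit suggests it is an in/out capacity. I would expand the comment to spell out that `public_exponent` receives the RSA public exponent, that `modulus` is a caller-supplied buffer for the modulus bytes, that `modulus_size` carries the buffer capacity in and the number of bytes written out, and which error code is returned when the buffer is too small — confirm each of these against the implementation, which is not in this hunk. Since a TPM 1.2 ReadPubek response normally carries a checksum over the returned key and an anti-replay value, the comment should also state whether the caller may rely on that having been verified or whether the returned EK public must be matched against a trusted reference before use. As a point of style, the `uint32_t* public_exponent` declarator spacing differs from the `TPM_IFX_FIELDUPGRADEINFO *info` form on the context line just above.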
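Review bot: The three new algorithm/scheme constants are written as `((uint16_t)0x0001)` while every neighbouring definition in the hunk (TPM_CAP_*, TPM_ST_*) uses `((uint16_t) 0x0001)` with a space after the cast, so the block should follow the file's existing form, e.g. `#define TPM_ALG_RSA ((uint16_t) 0x0001)`. A one-line comment naming the tables these come from would also help a reader, since the prefixes TPM_ALG_, TPM_ES_ and TPM_SS_ are only meaningful with the TPM 1.2 structures spec at hand; something like `/* TPM_ALGORITHM_ID, TPM_ENC_SCHEME and TPM_SIG_SCHEME values (TPM 1.2 Part 2) */` above the group, verified against the spec section the implementer used.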
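Review bot: TPM_AUTH_DATA_LEN is defined as a bare `0x14`, duplicating the value of TPM_SHA1_160_HASH_LEN two context lines above, whereas the neighbouring TPM_SHA1BASED_NONCE_LEN already expresses the same relationship by name; since TPM 1.2 authorization data is SHA-1-sized, `#define TPM_AUTH_DATA_LEN TPM_SHA1_160_HASH_LEN` would keep the dependency explicit and consistent with the existing line. TPM_RSA_2048_LEN would also benefit from a trailing comment such as `/* 2048-bit modulus, in bytes */`, because the name could be read as a bit count while the value is the byte length.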
@@ -23,6 +23,10 @@
 #define TPM_E_READ_FAILURE ((uint32_t) 0x0000500a) /* vboot local */
 #define TPM_E_STRUCT_SIZE ((uint32_t) 0x0000500b) /* vboot local */
 #define TPM_E_STRUCT_VERSION ((uint32_t) 0x0000500c) /* vboot local */
 
+#define TPM_E_INTERNAL_ERROR ((uint32_t) 0x0000500d) /* vboot local */
+#define TPM_E_INVALID_RESPONSE ((uint32_t) 0x0000500e) /* vboot local */
+#define TPM_E_BUFFER_SIZE ((uint32_t) 0x0000500f) /* vboot local */
+
 /*
  * AP firmware relies on Tlcl returning these exact TPM1.2 error codes
@@ -31,6 +35,7 @@
  * either 0x100 or 0x80 bit set, so there is no confusion with actual error
  * codes returned from a TPM2.0 chip.
  */
+#define TPM_E_AUTHFAIL ((uint32_t) 0x00000001)
 #define TPM_E_BADINDEX ((uint32_t) 0x00000002)
 #define TPM_E_BAD_ORDINAL ((uint32_t) 0x0000000a)
 #define TPM_E_OWNER_SET ((uint32_t) 0x00000014)
diff --git a/firmware/include/vboot_api.h b/firmware/include/vboot_api.h
index d05fef86..04836ff8 100644
--- a/firmware/include/vboot_api.h
+++ b/firmware/include/vboot_api.h
@@ -419,6 +419,21 @@ VbError_t VbExTpmOpen(void);
 VbError_t VbExTpmSendReceive(const uint8_t *request, uint32_t request_length,
 			     uint8_t *response, uint32_t *response_length);
 
+#ifdef CHROMEOS_ENVIRONMENT
+
+/**
+ * Obtain cryptographically secure random bytes. This function is used to
+ * generate random nonces for TPM auth sessions for example. As an implication,
+ * the generated random bytes should not be predictable for a TPM communication
+ * interception attack. This implies a local source of randomness should be
+ * used, i.e. this should not be wired to the TPM RNG directly. Otherwise, an
+ * attacker with communication interception abilities could launch replay
+ * attacks by reusing previous nonces.
+ */
+VbError_t VbExTpmGetRandom(uint8_t *buf, uint32_t length);
+
+#endif /* CHROMEOS_ENVIRONMENT */
+
 /*****************************************************************************/
 /* Non-volatile storage */
 
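Review bot: TPM_E_AUTHFAIL is added to the list the comment above describes as "exact TPM1.2 error codes" that AP firmware depends on, yet unlike the vboot-local codes it carries no note of when Tlcl will now surface it; a trailing comment such as `/* TPM_AUTHFAIL: authorization (e.g. owner auth) rejected by the TPM */` would tell callers what they are handling. It is also worth a caveat for whoever consumes this from the new owner-authorized path: on TPM 1.2 parts, repeated authorization failures generally count toward the TPM's dictionary-attack defense, so a caller that sees this code should not retry in a loop — I would state that in the comment, hedged on the specific TPM's behaviour.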
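Review bot: The VbExTpmGetRandom comment explains well why the randomness must be local, but it does not state the failure contract, which is the part an implementer is most likely to get wrong: whether a non-success return may leave `buf` partially filled, and whether the caller must abandon the auth session rather than use whatever is in the buffer. I would add after the rationale: `buf must have room for length bytes. Returns the success code only if all length bytes were written; on any other return the contents of buf are unspecified and must not be used as a nonce.` The exact success value is not visible in this hunk, so name it as the file's VbError_t convention does. Stating that `length` is a byte count would also remove the one remaining ambiguity in the signature.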