-rw-r--r--firmware/include/tpm1_tss_constants.h1
-rw-r--r--utility/tpmc.c23
2 files changed, 23 insertions, 1 deletions
diff --git a/firmware/include/tpm1_tss_constants.h b/firmware/include/tpm1_tss_constants.h
index d839791d..3deef34e 100644
--- a/firmware/include/tpm1_tss_constants.h
+++ b/firmware/include/tpm1_tss_constants.h
@@ -18,6 +18,7 @@
#define TPM_NV_INDEX0 ((uint32_t) 0x00000000)
#define TPM_NV_INDEX_LOCK ((uint32_t) 0xffffffff)
+#define TPM_NV_INDEX_TRIAL ((uint32_t) 0x0000f004)
#define TPM_NV_PER_READ_STCLEAR (((uint32_t)1) << 31)
#define TPM_NV_PER_AUTHREAD (((uint32_t)1) << 18)
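Review bot: The new TPM_NV_INDEX_TRIAL definition carries no comment, while the only explanation of what makes this index special lives in the tpmc.c hunk that uses it; a reader of the constants header alone cannot tell it apart from an ordinary NV index. A short comment on the define would fix that, e.g. `/* Trial index: TPM_NV_DefineSpace runs its authorization checks but allocates no space. */`. The value itself matches the TPM 1.2 index reserved for this purpose, so only the documentation is missing.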
diff --git a/utility/tpmc.c b/utility/tpmc.c
index 0584e32e..68e374ba 100644
--- a/utility/tpmc.c
+++ b/utility/tpmc.c
@@ -499,7 +499,25 @@ static uint32_t HandlerIFXFieldUpgradeInfo(void) {
}
return result;
}
-#endif
+
+static uint32_t HandlerCheckOwnerAuth(void) {
+ /* Attempt to define an NVRAM space using owner auth. We're using
+ * TPM_NV_INDEX_TRIAL, which doesn't actually allocate a space but still
+ * performs the owner authorization checks. Thus the return status indicates
+ * whether owner authorization was successful or not.
+ *
+ * The owner_auth value below is the commonly used well-known secret, i.e. the
+ * SHA1 hash of 20 zero bytes. This is the owner secret that is effective
+ * immediately after taking TPM ownership when we haven't configured a random
+ * owner password yet.
+ */
+ uint8_t owner_auth[TPM_AUTH_DATA_LEN] = {
+ 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0,
+ 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f};
+ return TlclDefineSpaceEx(owner_auth, sizeof(owner_auth), TPM_NV_INDEX_TRIAL,
+ TPM_NV_PER_OWNERWRITE, 1, NULL, 0);
+}
+#endif /* !TPM2_MODE */
#ifdef TPM2_MODE
static uint32_t HandlerDoNothingForTPM2(void) {
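Review bot: The block comment in HandlerCheckOwnerAuth says the return status "indicates whether owner authorization was successful or not", but the raw TlclDefineSpaceEx status is only conclusive on success: the trial define presumably also fails with a non-zero code on a TPM that is disabled, deactivated, or has no owner installed, so a non-success result does not by itself prove the well-known secret is not in effect. I would tighten the comment and make the asymmetry explicit to callers, e.g. `/* Only TPM_SUCCESS is conclusive (well-known secret is the owner secret); other codes, e.g. a disabled TPM, are not an auth failure, so report the code rather than a boolean. */` — distinguishing TPM_AUTHFAIL from other codes would be the natural follow-up if the project's constants header defines it. Separately, owner_auth is a fixed public constant and could be `static const` if TlclDefineSpaceEx accepts a const pointer, which is not visible in this hunk. The enclosing `#ifndef TPM2_MODE` region begins outside the hunk.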
@@ -584,6 +602,9 @@ command_record command_table[] = {
{ "ifxfieldupgradeinfo", "ifxfui",
TPM20_NOT_IMPLEMENTED("read and print IFX field upgrade info",
HandlerIFXFieldUpgradeInfo) },
+ { "checkownerauth", "chko",
+ TPM20_NOT_IMPLEMENTED("Check owner authorization with well-known secret",
+ HandlerCheckOwnerAuth) },
};
static int n_commands = sizeof(command_table) / sizeof(command_table[0]);
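Review bot: The new command's help text starts with a capital letter ("Check owner authorization ...") while the neighbouring entries in command_table use lowercase ("read and print IFX field upgrade info"), so the generated usage listing will be inconsistent; change it to `TPM20_NOT_IMPLEMENTED("check owner authorization with well-known secret",`. It would also help operators to state in the help text that a success status means the TPM owner secret is still the well-known value, since that is the finding the command exists to surface. The "chko" short alias follows the existing naming pattern and needs no change.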