tpm: disociate TPMv1.x specific and generic code

There are no changes in this commit but a new organization of the code
as follow.

* cmd/ directory:
        > move existing code from cmd/tpm.c in cmd/tpm-common.c
	> move specific code in cmd/tpm-v1.c
	> create a specific header file with generic definitions for
	  commands only called cmd/tpm-user-utils.h

* lib/ directory:
        > move existing code from lib/tpm.c in lib/tpm-common.c
	> move specific code in lib/tpm-v1.c
	> create a specific header file with generic definitions for
	  the library itself called lib/tpm-utils.h

* include/ directory:
        > move existing code from include/tpm.h in include/tpm-common.h
	> move specific code in include/tpm-v1.h

Code designated as 'common' is compiled if TPM are used. Code designated
as 'specific' is compiled only if the right specification has been
selected.

All files include tpm-common.h.
Files in cmd/ include tpm-user-utils.h.
Files in lib/ include tpm-utils.h.
Depending on the specification, files may include either (not both)
tpm-v1.h or tpm-v2.h.

Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
[trini: Fix a few more cases of tpm.h -> tpm-v1.h, some Kconfig logic]
Signed-off-by: Tom Rini <trini@konsulko.com>

1 files changed, 852 insertions, 0 deletions

diff --git a/lib/tpm-v1.c b/lib/tpm-v1.c
new file mode 100644
index 0000000000..7aecb24f92
--- /dev/null
+++ b/lib/tpm-v1.c
@@ -0,0 +1,852 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2013 The Chromium OS Authors.
+ * Coypright (c) 2013 Guntermann & Drunck GmbH
+ */
+
+#include <common.h>
+#include <dm.h>
+#include <asm/unaligned.h>
+#include <u-boot/sha1.h>
+#include <tpm-common.h>
+#include <tpm-v1.h>
+#include "tpm-utils.h"
+
+#ifdef CONFIG_TPM_AUTH_SESSIONS
+
+#ifndef CONFIG_SHA1
+#error "TPM_AUTH_SESSIONS require SHA1 to be configured, too"
+#endif /* !CONFIG_SHA1 */
+
+struct session_data {
+	int		valid;
+	u32	handle;
+	u8		nonce_even[DIGEST_LENGTH];
+	u8		nonce_odd[DIGEST_LENGTH];
+};
+
+static struct session_data oiap_session = {0, };
+
+#endif /* CONFIG_TPM_AUTH_SESSIONS */
+
+u32 tpm_startup(enum tpm_startup_type mode)
+{
+	const u8 command[12] = {
+		0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x0,
+	};
+	const size_t mode_offset = 10;
+	u8 buf[COMMAND_BUFFER_SIZE];
+
+	if (pack_byte_string(buf, sizeof(buf), "sw",
+			     0, command, sizeof(command),
+			     mode_offset, mode))
+		return TPM_LIB_ERROR;
+
+	return tpm_sendrecv_command(buf, NULL, NULL);
+}
+
+u32 tpm_self_test_full(void)
+{
+	const u8 command[10] = {
+		0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x50,
+	};
+	return tpm_sendrecv_command(command, NULL, NULL);
+}
+
+u32 tpm_continue_self_test(void)
+{
+	const u8 command[10] = {
+		0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x53,
+	};
+	return tpm_sendrecv_command(command, NULL, NULL);
+}
+
+u32 tpm_nv_define_space(u32 index, u32 perm, u32 size)
+{
+	const u8 command[101] = {
+		0x0, 0xc1,		/* TPM_TAG */
+		0x0, 0x0, 0x0, 0x65,	/* parameter size */
+		0x0, 0x0, 0x0, 0xcc,	/* TPM_COMMAND_CODE */
+		/* TPM_NV_DATA_PUBLIC->... */
+		0x0, 0x18,		/* ...->TPM_STRUCTURE_TAG */
+		0, 0, 0, 0,		/* ...->TPM_NV_INDEX */
+		/* TPM_NV_DATA_PUBLIC->TPM_PCR_INFO_SHORT */
+		0x0, 0x3,
+		0, 0, 0,
+		0x1f,
+		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+		/* TPM_NV_DATA_PUBLIC->TPM_PCR_INFO_SHORT */
+		0x0, 0x3,
+		0, 0, 0,
+		0x1f,
+		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+		/* TPM_NV_ATTRIBUTES->... */
+		0x0, 0x17,		/* ...->TPM_STRUCTURE_TAG */
+		0, 0, 0, 0,		/* ...->attributes */
+		/* End of TPM_NV_ATTRIBUTES */
+		0,			/* bReadSTClear */
+		0,			/* bWriteSTClear */
+		0,			/* bWriteDefine */
+		0, 0, 0, 0,		/* size */
+	};
+	const size_t index_offset = 12;
+	const size_t perm_offset = 70;
+	const size_t size_offset = 77;
+	u8 buf[COMMAND_BUFFER_SIZE];
+
+	if (pack_byte_string(buf, sizeof(buf), "sddd",
+			     0, command, sizeof(command),
+			     index_offset, index,
+			     perm_offset, perm,
+			     size_offset, size))
+		return TPM_LIB_ERROR;
+
+	return tpm_sendrecv_command(buf, NULL, NULL);
+}
+
+u32 tpm_nv_read_value(u32 index, void *data, u32 count)
+{
+	const u8 command[22] = {
+		0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0xcf,
+	};
+	const size_t index_offset = 10;
+	const size_t length_offset = 18;
+	const size_t data_size_offset = 10;
+	const size_t data_offset = 14;
+	u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
+	size_t response_length = sizeof(response);
+	u32 data_size;
+	u32 err;
+
+	if (pack_byte_string(buf, sizeof(buf), "sdd",
+			     0, command, sizeof(command),
+			     index_offset, index,
+			     length_offset, count))
+		return TPM_LIB_ERROR;
+	err = tpm_sendrecv_command(buf, response, &response_length);
+	if (err)
+		return err;
+	if (unpack_byte_string(response, response_length, "d",
+			       data_size_offset, &data_size))
+		return TPM_LIB_ERROR;
+	if (data_size > count)
+		return TPM_LIB_ERROR;
+	if (unpack_byte_string(response, response_length, "s",
+			       data_offset, data, data_size))
+		return TPM_LIB_ERROR;
+
+	return 0;
+}
+
+u32 tpm_nv_write_value(u32 index, const void *data, u32 length)
+{
+	const u8 command[256] = {
+		0x0, 0xc1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xcd,
+	};
+	const size_t command_size_offset = 2;
+	const size_t index_offset = 10;
+	const size_t length_offset = 18;
+	const size_t data_offset = 22;
+	const size_t write_info_size = 12;
+	const u32 total_length =
+		TPM_REQUEST_HEADER_LENGTH + write_info_size + length;
+	u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
+	size_t response_length = sizeof(response);
+	u32 err;
+
+	if (pack_byte_string(buf, sizeof(buf), "sddds",
+			     0, command, sizeof(command),
+			     command_size_offset, total_length,
+			     index_offset, index,
+			     length_offset, length,
+			     data_offset, data, length))
+		return TPM_LIB_ERROR;
+	err = tpm_sendrecv_command(buf, response, &response_length);
+	if (err)
+		return err;
+
+	return 0;
+}
+
+u32 tpm_extend(u32 index, const void *in_digest, void *out_digest)
+{
+	const u8 command[34] = {
+		0x0, 0xc1, 0x0, 0x0, 0x0, 0x22, 0x0, 0x0, 0x0, 0x14,
+	};
+	const size_t index_offset = 10;
+	const size_t in_digest_offset = 14;
+	const size_t out_digest_offset = 10;
+	u8 buf[COMMAND_BUFFER_SIZE];
+	u8 response[TPM_RESPONSE_HEADER_LENGTH + PCR_DIGEST_LENGTH];
+	size_t response_length = sizeof(response);
+	u32 err;
+
+	if (pack_byte_string(buf, sizeof(buf), "sds",
+			     0, command, sizeof(command),
+			     index_offset, index,
+			     in_digest_offset, in_digest,
+			     PCR_DIGEST_LENGTH))
+		return TPM_LIB_ERROR;
+	err = tpm_sendrecv_command(buf, response, &response_length);
+	if (err)
+		return err;
+
+	if (unpack_byte_string(response, response_length, "s",
+			       out_digest_offset, out_digest,
+			       PCR_DIGEST_LENGTH))
+		return TPM_LIB_ERROR;
+
+	return 0;
+}
+
+u32 tpm_pcr_read(u32 index, void *data, size_t count)
+{
+	const u8 command[14] = {
+		0x0, 0xc1, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x15,
+	};
+	const size_t index_offset = 10;
+	const size_t out_digest_offset = 10;
+	u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
+	size_t response_length = sizeof(response);
+	u32 err;
+
+	if (count < PCR_DIGEST_LENGTH)
+		return TPM_LIB_ERROR;
+
+	if (pack_byte_string(buf, sizeof(buf), "sd",
+			     0, command, sizeof(command),
+			     index_offset, index))
+		return TPM_LIB_ERROR;
+	err = tpm_sendrecv_command(buf, response, &response_length);
+	if (err)
+		return err;
+	if (unpack_byte_string(response, response_length, "s",
+			       out_digest_offset, data, PCR_DIGEST_LENGTH))
+		return TPM_LIB_ERROR;
+
+	return 0;
+}
+
+u32 tpm_tsc_physical_presence(u16 presence)
+{
+	const u8 command[12] = {
+		0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x0,
+	};
+	const size_t presence_offset = 10;
+	u8 buf[COMMAND_BUFFER_SIZE];
+
+	if (pack_byte_string(buf, sizeof(buf), "sw",
+			     0, command, sizeof(command),
+			     presence_offset, presence))
+		return TPM_LIB_ERROR;
+
+	return tpm_sendrecv_command(buf, NULL, NULL);
+}
+
+u32 tpm_read_pubek(void *data, size_t count)
+{
+	const u8 command[30] = {
+		0x0, 0xc1, 0x0, 0x0, 0x0, 0x1e, 0x0, 0x0, 0x0, 0x7c,
+	};
+	const size_t response_size_offset = 2;
+	const size_t data_offset = 10;
+	const size_t header_and_checksum_size = TPM_RESPONSE_HEADER_LENGTH + 20;
+	u8 response[COMMAND_BUFFER_SIZE + TPM_PUBEK_SIZE];
+	size_t response_length = sizeof(response);
+	u32 data_size;
+	u32 err;
+
+	err = tpm_sendrecv_command(command, response, &response_length);
+	if (err)
+		return err;
+	if (unpack_byte_string(response, response_length, "d",
+			       response_size_offset, &data_size))
+		return TPM_LIB_ERROR;
+	if (data_size < header_and_checksum_size)
+		return TPM_LIB_ERROR;
+	data_size -= header_and_checksum_size;
+	if (data_size > count)
+		return TPM_LIB_ERROR;
+	if (unpack_byte_string(response, response_length, "s",
+			       data_offset, data, data_size))
+		return TPM_LIB_ERROR;
+
+	return 0;
+}
+
+u32 tpm_force_clear(void)
+{
+	const u8 command[10] = {
+		0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x5d,
+	};
+
+	return tpm_sendrecv_command(command, NULL, NULL);
+}
+
+u32 tpm_physical_enable(void)
+{
+	const u8 command[10] = {
+		0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x6f,
+	};
+
+	return tpm_sendrecv_command(command, NULL, NULL);
+}
+
+u32 tpm_physical_disable(void)
+{
+	const u8 command[10] = {
+		0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x70,
+	};
+
+	return tpm_sendrecv_command(command, NULL, NULL);
+}
+
+u32 tpm_physical_set_deactivated(u8 state)
+{
+	const u8 command[11] = {
+		0x0, 0xc1, 0x0, 0x0, 0x0, 0xb, 0x0, 0x0, 0x0, 0x72,
+	};
+	const size_t state_offset = 10;
+	u8 buf[COMMAND_BUFFER_SIZE];
+
+	if (pack_byte_string(buf, sizeof(buf), "sb",
+			     0, command, sizeof(command),
+			     state_offset, state))
+		return TPM_LIB_ERROR;
+
+	return tpm_sendrecv_command(buf, NULL, NULL);
+}
+
+u32 tpm_get_capability(u32 cap_area, u32 sub_cap, void *cap, size_t count)
+{
+	const u8 command[22] = {
+		0x0, 0xc1,		/* TPM_TAG */
+		0x0, 0x0, 0x0, 0x16,	/* parameter size */
+		0x0, 0x0, 0x0, 0x65,	/* TPM_COMMAND_CODE */
+		0x0, 0x0, 0x0, 0x0,	/* TPM_CAPABILITY_AREA */
+		0x0, 0x0, 0x0, 0x4,	/* subcap size */
+		0x0, 0x0, 0x0, 0x0,	/* subcap value */
+	};
+	const size_t cap_area_offset = 10;
+	const size_t sub_cap_offset = 18;
+	const size_t cap_offset = 14;
+	const size_t cap_size_offset = 10;
+	u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
+	size_t response_length = sizeof(response);
+	u32 cap_size;
+	u32 err;
+
+	if (pack_byte_string(buf, sizeof(buf), "sdd",
+			     0, command, sizeof(command),
+			     cap_area_offset, cap_area,
+			     sub_cap_offset, sub_cap))
+		return TPM_LIB_ERROR;
+	err = tpm_sendrecv_command(buf, response, &response_length);
+	if (err)
+		return err;
+	if (unpack_byte_string(response, response_length, "d",
+			       cap_size_offset, &cap_size))
+		return TPM_LIB_ERROR;
+	if (cap_size > response_length || cap_size > count)
+		return TPM_LIB_ERROR;
+	if (unpack_byte_string(response, response_length, "s",
+			       cap_offset, cap, cap_size))
+		return TPM_LIB_ERROR;
+
+	return 0;
+}
+
+u32 tpm_get_permanent_flags(struct tpm_permanent_flags *pflags)
+{
+	const u8 command[22] = {
+		0x0, 0xc1,		/* TPM_TAG */
+		0x0, 0x0, 0x0, 0x16,	/* parameter size */
+		0x0, 0x0, 0x0, 0x65,	/* TPM_COMMAND_CODE */
+		0x0, 0x0, 0x0, 0x4,	/* TPM_CAP_FLAG_PERM */
+		0x0, 0x0, 0x0, 0x4,	/* subcap size */
+		0x0, 0x0, 0x1, 0x8,	/* subcap value */
+	};
+	const size_t data_size_offset = TPM_HEADER_SIZE;
+	const size_t data_offset = TPM_HEADER_SIZE + sizeof(u32);
+	u8 response[COMMAND_BUFFER_SIZE];
+	size_t response_length = sizeof(response);
+	u32 err;
+	u32 data_size;
+
+	err = tpm_sendrecv_command(command, response, &response_length);
+	if (err)
+		return err;
+	if (unpack_byte_string(response, response_length, "d",
+			       data_size_offset, &data_size))
+		return TPM_LIB_ERROR;
+	if (data_size < sizeof(*pflags))
+		return TPM_LIB_ERROR;
+	if (unpack_byte_string(response, response_length, "s",
+			       data_offset, pflags, sizeof(*pflags)))
+		return TPM_LIB_ERROR;
+
+	return 0;
+}
+
+u32 tpm_get_permissions(u32 index, u32 *perm)
+{
+	const u8 command[22] = {
+		0x0, 0xc1,		/* TPM_TAG */
+		0x0, 0x0, 0x0, 0x16,	/* parameter size */
+		0x0, 0x0, 0x0, 0x65,	/* TPM_COMMAND_CODE */
+		0x0, 0x0, 0x0, 0x11,
+		0x0, 0x0, 0x0, 0x4,
+	};
+	const size_t index_offset = 18;
+	const size_t perm_offset = 60;
+	u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
+	size_t response_length = sizeof(response);
+	u32 err;
+
+	if (pack_byte_string(buf, sizeof(buf), "d", 0, command, sizeof(command),
+			     index_offset, index))
+		return TPM_LIB_ERROR;
+	err = tpm_sendrecv_command(buf, response, &response_length);
+	if (err)
+		return err;
+	if (unpack_byte_string(response, response_length, "d",
+			       perm_offset, perm))
+		return TPM_LIB_ERROR;
+
+	return 0;
+}
+
+#ifdef CONFIG_TPM_FLUSH_RESOURCES
+u32 tpm_flush_specific(u32 key_handle, u32 resource_type)
+{
+	const u8 command[18] = {
+		0x00, 0xc1,             /* TPM_TAG */
+		0x00, 0x00, 0x00, 0x12, /* parameter size */
+		0x00, 0x00, 0x00, 0xba, /* TPM_COMMAND_CODE */
+		0x00, 0x00, 0x00, 0x00, /* key handle */
+		0x00, 0x00, 0x00, 0x00, /* resource type */
+	};
+	const size_t key_handle_offset = 10;
+	const size_t resource_type_offset = 14;
+	u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
+	size_t response_length = sizeof(response);
+	u32 err;
+
+	if (pack_byte_string(buf, sizeof(buf), "sdd",
+			     0, command, sizeof(command),
+			     key_handle_offset, key_handle,
+			     resource_type_offset, resource_type))
+		return TPM_LIB_ERROR;
+
+	err = tpm_sendrecv_command(buf, response, &response_length);
+	if (err)
+		return err;
+	return 0;
+}
+#endif /* CONFIG_TPM_FLUSH_RESOURCES */
+
+#ifdef CONFIG_TPM_AUTH_SESSIONS
+
+/**
+ * Fill an authentication block in a request.
+ * This func can create the first as well as the second auth block (for
+ * double authorized commands).
+ *
+ * @param request	pointer to the request (w/ uninitialised auth data)
+ * @param request_len0	length of the request without auth data
+ * @param handles_len	length of the handles area in request
+ * @param auth_session	pointer to the (valid) auth session to be used
+ * @param request_auth	pointer to the auth block of the request to be filled
+ * @param auth		authentication data (HMAC key)
+ */
+static u32 create_request_auth(const void *request, size_t request_len0,
+			       size_t handles_len,
+			       struct session_data *auth_session,
+			       void *request_auth, const void *auth)
+{
+	u8 hmac_data[DIGEST_LENGTH * 3 + 1];
+	sha1_context hash_ctx;
+	const size_t command_code_offset = 6;
+	const size_t auth_nonce_odd_offset = 4;
+	const size_t auth_continue_offset = 24;
+	const size_t auth_auth_offset = 25;
+
+	if (!auth_session || !auth_session->valid)
+		return TPM_LIB_ERROR;
+
+	sha1_starts(&hash_ctx);
+	sha1_update(&hash_ctx, request + command_code_offset, 4);
+	if (request_len0 > TPM_REQUEST_HEADER_LENGTH + handles_len)
+		sha1_update(&hash_ctx,
+			    request + TPM_REQUEST_HEADER_LENGTH + handles_len,
+			    request_len0 - TPM_REQUEST_HEADER_LENGTH
+			    - handles_len);
+	sha1_finish(&hash_ctx, hmac_data);
+
+	sha1_starts(&hash_ctx);
+	sha1_update(&hash_ctx, auth_session->nonce_odd, DIGEST_LENGTH);
+	sha1_update(&hash_ctx, hmac_data, sizeof(hmac_data));
+	sha1_finish(&hash_ctx, auth_session->nonce_odd);
+
+	if (pack_byte_string(request_auth, TPM_REQUEST_AUTH_LENGTH, "dsb",
+			     0, auth_session->handle,
+			     auth_nonce_odd_offset, auth_session->nonce_odd,
+			     DIGEST_LENGTH,
+			     auth_continue_offset, 1))
+		return TPM_LIB_ERROR;
+	if (pack_byte_string(hmac_data, sizeof(hmac_data), "ss",
+			     DIGEST_LENGTH,
+			     auth_session->nonce_even,
+			     DIGEST_LENGTH,
+			     2 * DIGEST_LENGTH,
+			     request_auth + auth_nonce_odd_offset,
+			     DIGEST_LENGTH + 1))
+		return TPM_LIB_ERROR;
+	sha1_hmac(auth, DIGEST_LENGTH, hmac_data, sizeof(hmac_data),
+		  request_auth + auth_auth_offset);
+
+	return TPM_SUCCESS;
+}
+
+/**
+ * Verify an authentication block in a response.
+ * Since this func updates the nonce_even in the session data it has to be
+ * called when receiving a succesfull AUTH response.
+ * This func can verify the first as well as the second auth block (for
+ * double authorized commands).
+ *
+ * @param command_code	command code of the request
+ * @param response	pointer to the request (w/ uninitialised auth data)
+ * @param handles_len	length of the handles area in response
+ * @param auth_session	pointer to the (valid) auth session to be used
+ * @param response_auth	pointer to the auth block of the response to be verified
+ * @param auth		authentication data (HMAC key)
+ */
+static u32 verify_response_auth(u32 command_code, const void *response,
+				size_t response_len0, size_t handles_len,
+				struct session_data *auth_session,
+				const void *response_auth, const void *auth)
+{
+	u8 hmac_data[DIGEST_LENGTH * 3 + 1];
+	u8 computed_auth[DIGEST_LENGTH];
+	sha1_context hash_ctx;
+	const size_t return_code_offset = 6;
+	const size_t auth_continue_offset = 20;
+	const size_t auth_auth_offset = 21;
+	u8 auth_continue;
+
+	if (!auth_session || !auth_session->valid)
+		return TPM_AUTHFAIL;
+	if (pack_byte_string(hmac_data, sizeof(hmac_data), "d",
+			     0, command_code))
+		return TPM_LIB_ERROR;
+	if (response_len0 < TPM_RESPONSE_HEADER_LENGTH)
+		return TPM_LIB_ERROR;
+
+	sha1_starts(&hash_ctx);
+	sha1_update(&hash_ctx, response + return_code_offset, 4);
+	sha1_update(&hash_ctx, hmac_data, 4);
+	if (response_len0 > TPM_RESPONSE_HEADER_LENGTH + handles_len)
+		sha1_update(&hash_ctx,
+			    response + TPM_RESPONSE_HEADER_LENGTH + handles_len,
+			    response_len0 - TPM_RESPONSE_HEADER_LENGTH
+			    - handles_len);
+	sha1_finish(&hash_ctx, hmac_data);
+
+	memcpy(auth_session->nonce_even, response_auth, DIGEST_LENGTH);
+	auth_continue = ((u8 *)response_auth)[auth_continue_offset];
+	if (pack_byte_string(hmac_data, sizeof(hmac_data), "ssb",
+			     DIGEST_LENGTH,
+			     response_auth,
+			     DIGEST_LENGTH,
+			     2 * DIGEST_LENGTH,
+			     auth_session->nonce_odd,
+			     DIGEST_LENGTH,
+			     3 * DIGEST_LENGTH,
+			     auth_continue))
+		return TPM_LIB_ERROR;
+
+	sha1_hmac(auth, DIGEST_LENGTH, hmac_data, sizeof(hmac_data),
+		  computed_auth);
+
+	if (memcmp(computed_auth, response_auth + auth_auth_offset,
+		   DIGEST_LENGTH))
+		return TPM_AUTHFAIL;
+
+	return TPM_SUCCESS;
+}
+
+u32 tpm_terminate_auth_session(u32 auth_handle)
+{
+	const u8 command[18] = {
+		0x00, 0xc1,		/* TPM_TAG */
+		0x00, 0x00, 0x00, 0x00,	/* parameter size */
+		0x00, 0x00, 0x00, 0xba,	/* TPM_COMMAND_CODE */
+		0x00, 0x00, 0x00, 0x00,	/* TPM_HANDLE */
+		0x00, 0x00, 0x00, 0x02,	/* TPM_RESOURCE_TYPE */
+	};
+	const size_t req_handle_offset = TPM_REQUEST_HEADER_LENGTH;
+	u8 request[COMMAND_BUFFER_SIZE];
+
+	if (pack_byte_string(request, sizeof(request), "sd",
+			     0, command, sizeof(command),
+			     req_handle_offset, auth_handle))
+		return TPM_LIB_ERROR;
+	if (oiap_session.valid && oiap_session.handle == auth_handle)
+		oiap_session.valid = 0;
+
+	return tpm_sendrecv_command(request, NULL, NULL);
+}
+
+u32 tpm_end_oiap(void)
+{
+	u32 err = TPM_SUCCESS;
+
+	if (oiap_session.valid)
+		err = tpm_terminate_auth_session(oiap_session.handle);
+	return err;
+}
+
+u32 tpm_oiap(u32 *auth_handle)
+{
+	const u8 command[10] = {
+		0x00, 0xc1,		/* TPM_TAG */
+		0x00, 0x00, 0x00, 0x0a,	/* parameter size */
+		0x00, 0x00, 0x00, 0x0a,	/* TPM_COMMAND_CODE */
+	};
+	const size_t res_auth_handle_offset = TPM_RESPONSE_HEADER_LENGTH;
+	const size_t res_nonce_even_offset = TPM_RESPONSE_HEADER_LENGTH + 4;
+	u8 response[COMMAND_BUFFER_SIZE];
+	size_t response_length = sizeof(response);
+	u32 err;
+
+	if (oiap_session.valid)
+		tpm_terminate_auth_session(oiap_session.handle);
+
+	err = tpm_sendrecv_command(command, response, &response_length);
+	if (err)
+		return err;
+	if (unpack_byte_string(response, response_length, "ds",
+			       res_auth_handle_offset, &oiap_session.handle,
+			       res_nonce_even_offset, &oiap_session.nonce_even,
+			       (u32)DIGEST_LENGTH))
+		return TPM_LIB_ERROR;
+	oiap_session.valid = 1;
+	if (auth_handle)
+		*auth_handle = oiap_session.handle;
+	return 0;
+}
+
+u32 tpm_load_key2_oiap(u32 parent_handle, const void *key, size_t key_length,
+		       const void *parent_key_usage_auth, u32 *key_handle)
+{
+	const u8 command[14] = {
+		0x00, 0xc2,		/* TPM_TAG */
+		0x00, 0x00, 0x00, 0x00,	/* parameter size */
+		0x00, 0x00, 0x00, 0x41,	/* TPM_COMMAND_CODE */
+		0x00, 0x00, 0x00, 0x00,	/* parent handle */
+	};
+	const size_t req_size_offset = 2;
+	const size_t req_parent_handle_offset = TPM_REQUEST_HEADER_LENGTH;
+	const size_t req_key_offset = TPM_REQUEST_HEADER_LENGTH + 4;
+	const size_t res_handle_offset = TPM_RESPONSE_HEADER_LENGTH;
+	u8 request[sizeof(command) + TPM_KEY12_MAX_LENGTH +
+		   TPM_REQUEST_AUTH_LENGTH];
+	u8 response[COMMAND_BUFFER_SIZE];
+	size_t response_length = sizeof(response);
+	u32 err;
+
+	if (!oiap_session.valid) {
+		err = tpm_oiap(NULL);
+		if (err)
+			return err;
+	}
+	if (pack_byte_string(request, sizeof(request), "sdds",
+			     0, command, sizeof(command),
+			     req_size_offset,
+			     sizeof(command) + key_length
+			     + TPM_REQUEST_AUTH_LENGTH,
+			     req_parent_handle_offset, parent_handle,
+			     req_key_offset, key, key_length
+		))
+		return TPM_LIB_ERROR;
+
+	err = create_request_auth(request, sizeof(command) + key_length, 4,
+				  &oiap_session,
+				  request + sizeof(command) + key_length,
+				  parent_key_usage_auth);
+	if (err)
+		return err;
+	err = tpm_sendrecv_command(request, response, &response_length);
+	if (err) {
+		if (err == TPM_AUTHFAIL)
+			oiap_session.valid = 0;
+		return err;
+	}
+
+	err = verify_response_auth(0x00000041, response,
+				   response_length - TPM_RESPONSE_AUTH_LENGTH,
+				   4, &oiap_session,
+				   response + response_length -
+				   TPM_RESPONSE_AUTH_LENGTH,
+				   parent_key_usage_auth);
+	if (err)
+		return err;
+
+	if (key_handle) {
+		if (unpack_byte_string(response, response_length, "d",
+				       res_handle_offset, key_handle))
+			return TPM_LIB_ERROR;
+	}
+
+	return 0;
+}
+
+u32 tpm_get_pub_key_oiap(u32 key_handle, const void *usage_auth, void *pubkey,
+			 size_t *pubkey_len)
+{
+	const u8 command[14] = {
+		0x00, 0xc2,		/* TPM_TAG */
+		0x00, 0x00, 0x00, 0x00,	/* parameter size */
+		0x00, 0x00, 0x00, 0x21,	/* TPM_COMMAND_CODE */
+		0x00, 0x00, 0x00, 0x00,	/* key handle */
+	};
+	const size_t req_size_offset = 2;
+	const size_t req_key_handle_offset = TPM_REQUEST_HEADER_LENGTH;
+	const size_t res_pubkey_offset = TPM_RESPONSE_HEADER_LENGTH;
+	u8 request[sizeof(command) + TPM_REQUEST_AUTH_LENGTH];
+	u8 response[TPM_RESPONSE_HEADER_LENGTH + TPM_PUBKEY_MAX_LENGTH +
+		    TPM_RESPONSE_AUTH_LENGTH];
+	size_t response_length = sizeof(response);
+	u32 err;
+
+	if (!oiap_session.valid) {
+		err = tpm_oiap(NULL);
+		if (err)
+			return err;
+	}
+	if (pack_byte_string(request, sizeof(request), "sdd",
+			     0, command, sizeof(command),
+			     req_size_offset,
+			     (u32)(sizeof(command)
+			     + TPM_REQUEST_AUTH_LENGTH),
+			     req_key_handle_offset, key_handle
+		))
+		return TPM_LIB_ERROR;
+	err = create_request_auth(request, sizeof(command), 4, &oiap_session,
+				  request + sizeof(command), usage_auth);
+	if (err)
+		return err;
+	err = tpm_sendrecv_command(request, response, &response_length);
+	if (err) {
+		if (err == TPM_AUTHFAIL)
+			oiap_session.valid = 0;
+		return err;
+	}
+	err = verify_response_auth(0x00000021, response,
+				   response_length - TPM_RESPONSE_AUTH_LENGTH,
+				   0, &oiap_session,
+				   response + response_length -
+				   TPM_RESPONSE_AUTH_LENGTH,
+				   usage_auth);
+	if (err)
+		return err;
+
+	if (pubkey) {
+		if ((response_length - TPM_RESPONSE_HEADER_LENGTH
+		     - TPM_RESPONSE_AUTH_LENGTH) > *pubkey_len)
+			return TPM_LIB_ERROR;
+		*pubkey_len = response_length - TPM_RESPONSE_HEADER_LENGTH
+			- TPM_RESPONSE_AUTH_LENGTH;
+		memcpy(pubkey, response + res_pubkey_offset,
+		       response_length - TPM_RESPONSE_HEADER_LENGTH
+		       - TPM_RESPONSE_AUTH_LENGTH);
+	}
+
+	return 0;
+}
+
+#ifdef CONFIG_TPM_LOAD_KEY_BY_SHA1
+u32 tpm_find_key_sha1(const u8 auth[20], const u8 pubkey_digest[20],
+		      u32 *handle)
+{
+	u16 key_count;
+	u32 key_handles[10];
+	u8 buf[288];
+	u8 *ptr;
+	u32 err;
+	u8 digest[20];
+	size_t buf_len;
+	unsigned int i;
+
+	/* fetch list of already loaded keys in the TPM */
+	err = tpm_get_capability(TPM_CAP_HANDLE, TPM_RT_KEY, buf, sizeof(buf));
+	if (err)
+		return -1;
+	key_count = get_unaligned_be16(buf);
+	ptr = buf + 2;
+	for (i = 0; i < key_count; ++i, ptr += 4)
+		key_handles[i] = get_unaligned_be32(ptr);
+
+	/* now search a(/ the) key which we can access with the given auth */
+	for (i = 0; i < key_count; ++i) {
+		buf_len = sizeof(buf);
+		err = tpm_get_pub_key_oiap(key_handles[i], auth, buf, &buf_len);
+		if (err && err != TPM_AUTHFAIL)
+			return -1;
+		if (err)
+			continue;
+		sha1_csum(buf, buf_len, digest);
+		if (!memcmp(digest, pubkey_digest, 20)) {
+			*handle = key_handles[i];
+			return 0;
+		}
+	}
+	return 1;
+}
+#endif /* CONFIG_TPM_LOAD_KEY_BY_SHA1 */
+
+#endif /* CONFIG_TPM_AUTH_SESSIONS */
+
+u32 tpm_get_random(void *data, u32 count)
+{
+	const u8 command[14] = {
+		0x0, 0xc1,		/* TPM_TAG */
+		0x0, 0x0, 0x0, 0xe,	/* parameter size */
+		0x0, 0x0, 0x0, 0x46,	/* TPM_COMMAND_CODE */
+	};
+	const size_t length_offset = 10;
+	const size_t data_size_offset = 10;
+	const size_t data_offset = 14;
+	u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
+	size_t response_length = sizeof(response);
+	u32 data_size;
+	u8 *out = data;
+
+	while (count > 0) {
+		u32 this_bytes = min((size_t)count,
+				     sizeof(response) - data_offset);
+		u32 err;
+
+		if (pack_byte_string(buf, sizeof(buf), "sd",
+				     0, command, sizeof(command),
+				     length_offset, this_bytes))
+			return TPM_LIB_ERROR;
+		err = tpm_sendrecv_command(buf, response, &response_length);
+		if (err)
+			return err;
+		if (unpack_byte_string(response, response_length, "d",
+				       data_size_offset, &data_size))
+			return TPM_LIB_ERROR;
+		if (data_size > count)
+			return TPM_LIB_ERROR;
+		if (unpack_byte_string(response, response_length, "s",
+				       data_offset, out, data_size))
+			return TPM_LIB_ERROR;
+
+		count -= data_size;
+		out += data_size;
+	}
+
+	return 0;
+}