From 6307896c177e3afb54a42439062dce0776d31891 Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Mon, 1 Oct 2018 12:22:19 -0600 Subject: tpm: Add support for SPL and TPL At present the tpm can only be used in U-Boot proper. Updated it to work in SPL and TPL also. Signed-off-by: Simon Glass --- lib/Kconfig | 22 ++++++++++++++++++++++ lib/Makefile | 10 +++++++--- 2 files changed, 29 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/Kconfig b/lib/Kconfig index 622f3c26c33..b711d62d32f 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -185,6 +185,28 @@ config TPM for the low-level TPM interface, but only one TPM is supported at a time by the TPM library. +config SPL_TPM + bool "Trusted Platform Module (TPM) Support in SPL" + depends on SPL_DM + help + This enables support for TPMs which can be used to provide security + features for your board. The TPM can be connected via LPC or I2C + and a sandbox TPM is provided for testing purposes. Use the 'tpm' + command to interactive the TPM. Driver model support is provided + for the low-level TPM interface, but only one TPM is supported at + a time by the TPM library. + +config TPL_TPM + bool "Trusted Platform Module (TPM) Support in TPL" + depends on TPL_DM + help + This enables support for TPMs which can be used to provide security + features for your board. The TPM can be connected via LPC or I2C + and a sandbox TPM is provided for testing purposes. Use the 'tpm' + command to interactive the TPM. Driver model support is provided + for the low-level TPM interface, but only one TPM is supported at + a time by the TPM library. + endmenu menu "Android Verified Boot" diff --git a/lib/Makefile b/lib/Makefile index f1696448506..fb6944128aa 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -45,14 +45,18 @@ obj-$(CONFIG_PHYSMEM) += physmem.o obj-y += qsort.o obj-y += rc4.o obj-$(CONFIG_SUPPORT_EMMC_RPMB) += sha256.o -obj-$(CONFIG_TPM) += tpm-common.o -obj-$(CONFIG_TPM_V1) += tpm-v1.o -obj-$(CONFIG_TPM_V2) += tpm-v2.o obj-$(CONFIG_RBTREE) += rbtree.o obj-$(CONFIG_BITREVERSE) += bitrev.o obj-y += list_sort.o endif +obj-$(CONFIG_$(SPL_TPL_)TPM) += tpm-common.o +ifeq ($(CONFIG_$(SPL_TPL_)TPM),y) +obj-y += crc8.o +obj-$(CONFIG_TPM_V1) += tpm-v1.o +obj-$(CONFIG_TPM_V2) += tpm-v2.o +endif + obj-$(CONFIG_RSA) += rsa/ obj-$(CONFIG_SHA1) += sha1.o obj-$(CONFIG_SHA256) += sha256.o -- cgit v1.2.3 From aa0ffe8eb919c85997884d4d3d44a81f92a8ab66 Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Mon, 1 Oct 2018 12:22:20 -0600 Subject: serial: Allow serial to be absent in TPL At present this option applies to SPL, but it should be available in TPL also, and separately. Change to using CONFIG_IS_ENABLED(), add a new Kconfig option and fix up hang(). Signed-off-by: Simon Glass --- lib/hang.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/hang.c b/lib/hang.c index bf56f4c662a..c5a78694be6 100644 --- a/lib/hang.c +++ b/lib/hang.c @@ -20,8 +20,9 @@ */ void hang(void) { -#if !defined(CONFIG_SPL_BUILD) || (defined(CONFIG_SPL_LIBCOMMON_SUPPORT) && \ - defined(CONFIG_SPL_SERIAL_SUPPORT)) +#if !defined(CONFIG_SPL_BUILD) || \ + (CONFIG_IS_ENABLED(LIBCOMMON_SUPPORT) && \ + CONFIG_IS_ENABLED(SERIAL_SUPPORT)) puts("### ERROR ### Please RESET the board ###\n"); #endif bootstage_error(BOOTSTAGE_ID_NEED_RESET); -- cgit v1.2.3 From 5592a633a09019d7c34b76a2cd3babff63e138ea Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Mon, 1 Oct 2018 12:22:21 -0600 Subject: fdt: Allow libfdt in TPL In some cases (e.g. sandbox with verified boot) it is useful to support libfdt in TPL. Update the Kconfig to handle this. Signed-off-by: Simon Glass --- lib/Kconfig | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'lib') diff --git a/lib/Kconfig b/lib/Kconfig index b711d62d32f..ccab426e121 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -353,6 +353,16 @@ config SPL_OF_LIBFDT particular compatible nodes. The library operates on a flattened version of the device tree. +config TPL_OF_LIBFDT + bool "Enable the FDT library for TPL" + default y if TPL_OF_CONTROL + help + This enables the FDT library (libfdt). It provides functions for + accessing binary device tree images in memory, such as adding and + removing nodes and properties, scanning through the tree and finding + particular compatible nodes. The library operates on a flattened + version of the device tree. + config FDT_FIXUP_PARTITIONS bool "overwrite MTD partitions in DTS through defined in 'mtdparts'" depends on OF_LIBFDT -- cgit v1.2.3 From 25a3845d2b0f4808b5fb75f5e059f94b732b7ada Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Mon, 1 Oct 2018 12:22:25 -0600 Subject: fdt: Remove fdtdec_decode_region() function This function is not used in U-Boot now. Remove it along with its 'memory' version. Signed-off-by: Simon Glass --- lib/fdtdec.c | 83 ------------------------------------------------------------ 1 file changed, 83 deletions(-) (limited to 'lib') diff --git a/lib/fdtdec.c b/lib/fdtdec.c index 74196ce7f9f..b1b39254bfd 100644 --- a/lib/fdtdec.c +++ b/lib/fdtdec.c @@ -922,28 +922,6 @@ char *fdtdec_get_config_string(const void *blob, const char *prop_name) return (char *)nodep; } -int fdtdec_decode_region(const void *blob, int node, const char *prop_name, - fdt_addr_t *basep, fdt_size_t *sizep) -{ - const fdt_addr_t *cell; - int len; - - debug("%s: %s: %s\n", __func__, fdt_get_name(blob, node, NULL), - prop_name); - cell = fdt_getprop(blob, node, prop_name, &len); - if (!cell || (len < sizeof(fdt_addr_t) * 2)) { - debug("cell=%p, len=%d\n", cell, len); - return -1; - } - - *basep = fdt_addr_to_cpu(*cell); - *sizep = fdt_size_to_cpu(cell[1]); - debug("%s: base=%08lx, size=%lx\n", __func__, (ulong)*basep, - (ulong)*sizep); - - return 0; -} - u64 fdtdec_get_number(const fdt32_t *ptr, unsigned int cells) { u64 number = 0; @@ -1002,67 +980,6 @@ int fdt_get_named_resource(const void *fdt, int node, const char *property, return fdt_get_resource(fdt, node, property, index, res); } -int fdtdec_decode_memory_region(const void *blob, int config_node, - const char *mem_type, const char *suffix, - fdt_addr_t *basep, fdt_size_t *sizep) -{ - char prop_name[50]; - const char *mem; - fdt_size_t size, offset_size; - fdt_addr_t base, offset; - int node; - - if (config_node == -1) { - config_node = fdt_path_offset(blob, "/config"); - if (config_node < 0) { - debug("%s: Cannot find /config node\n", __func__); - return -ENOENT; - } - } - if (!suffix) - suffix = ""; - - snprintf(prop_name, sizeof(prop_name), "%s-memory%s", mem_type, - suffix); - mem = fdt_getprop(blob, config_node, prop_name, NULL); - if (!mem) { - debug("%s: No memory type for '%s', using /memory\n", __func__, - prop_name); - mem = "/memory"; - } - - node = fdt_path_offset(blob, mem); - if (node < 0) { - debug("%s: Failed to find node '%s': %s\n", __func__, mem, - fdt_strerror(node)); - return -ENOENT; - } - - /* - * Not strictly correct - the memory may have multiple banks. We just - * use the first - */ - if (fdtdec_decode_region(blob, node, "reg", &base, &size)) { - debug("%s: Failed to decode memory region %s\n", __func__, - mem); - return -EINVAL; - } - - snprintf(prop_name, sizeof(prop_name), "%s-offset%s", mem_type, - suffix); - if (fdtdec_decode_region(blob, config_node, prop_name, &offset, - &offset_size)) { - debug("%s: Failed to decode memory region '%s'\n", __func__, - prop_name); - return -EINVAL; - } - - *basep = base + offset; - *sizep = offset_size; - - return 0; -} - static int decode_timing_property(const void *blob, int node, const char *name, struct timing_entry *result) { -- cgit v1.2.3 From 34a5e8a2f155589e6274fbeef4be0aacf5244a27 Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Mon, 1 Oct 2018 12:22:28 -0600 Subject: tpm: Tidy up logging in tpm-common.c At present this file uses logging but it should use the new macros. Update it and add a log message for an error. Signed-off-by: Simon Glass --- lib/tpm-common.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/tpm-common.c b/lib/tpm-common.c index 43b530865a0..a440639cec3 100644 --- a/lib/tpm-common.c +++ b/lib/tpm-common.c @@ -4,6 +4,8 @@ * Coypright (c) 2013 Guntermann & Drunck GmbH */ +#define LOG_CATEGORY UCLASS_TPM + #include #include #include @@ -110,6 +112,8 @@ int unpack_byte_string(const u8 *str, size_t size, const char *format, ...) if (offset + length > size) { va_end(args); + log_err("Failed to read: size=%d, offset=%x, len=%x\n", + size, offset, length); return -1; } @@ -176,10 +180,10 @@ u32 tpm_sendrecv_command(const void *command, void *response, size_t *size_ptr) ret = tpm_return_code(response); - log(LOGC_NONE, LOGL_DEBUG, "TPM response [ret:%d]: ", ret); + log_debug("TPM response [ret:%d]: ", ret); for (i = 0; i < response_length; i++) - log(LOGC_NONE, LOGL_DEBUG, "%02x ", ((u8 *)response)[i]); - log(LOGC_NONE, LOGL_DEBUG, "\n"); + log_debug("%02x ", ((u8 *)response)[i]); + log_debug("\n"); return ret; } -- cgit v1.2.3 From 6e64ec1256875f6fafa853a74108fb57fd769e98 Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Mon, 1 Oct 2018 12:22:29 -0600 Subject: tpm: Add a few new commands for v1 These are needed for the 2018 version of Chromium OS vboot. Add an implementation for TPM v1, with v2 to come later. Signed-off-by: Simon Glass --- lib/tpm-v1.c | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 65 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/tpm-v1.c b/lib/tpm-v1.c index 7aecb24f921..9d45c3d3bf6 100644 --- a/lib/tpm-v1.c +++ b/lib/tpm-v1.c @@ -4,6 +4,8 @@ * Coypright (c) 2013 Guntermann & Drunck GmbH */ +#define LOG_CATEGORY UCLASS_TPM + #include #include #include @@ -45,6 +47,11 @@ u32 tpm_startup(enum tpm_startup_type mode) return tpm_sendrecv_command(buf, NULL, NULL); } +u32 tpm_resume(void) +{ + return tpm_startup(TPM_ST_STATE); +} + u32 tpm_self_test_full(void) { const u8 command[10] = { @@ -61,6 +68,34 @@ u32 tpm_continue_self_test(void) return tpm_sendrecv_command(command, NULL, NULL); } +u32 tpm_clear_and_reenable(void) +{ + u32 ret; + + log_info("TPM: Clear and re-enable\n"); + ret = tpm_force_clear(); + if (ret != TPM_SUCCESS) { + log_err("Can't initiate a force clear\n"); + return ret; + } + +#if IS_ENABLED(CONFIG_TPM_V1) + ret = tpm_physical_enable(); + if (ret != TPM_SUCCESS) { + log_err("TPM: Can't set enabled state\n"); + return ret; + } + + ret = tpm_physical_set_deactivated(0); + if (ret != TPM_SUCCESS) { + log_err("TPM: Can't set deactivated state\n"); + return ret; + } +#endif + + return TPM_SUCCESS; +} + u32 tpm_nv_define_space(u32 index, u32 perm, u32 size) { const u8 command[101] = { @@ -104,6 +139,11 @@ u32 tpm_nv_define_space(u32 index, u32 perm, u32 size) return tpm_sendrecv_command(buf, NULL, NULL); } +u32 tpm_nv_set_locked(void) +{ + return tpm_nv_define_space(TPM_NV_INDEX_LOCK, 0, 0); +} + u32 tpm_nv_read_value(u32 index, void *data, u32 count) { const u8 command[22] = { @@ -168,6 +208,13 @@ u32 tpm_nv_write_value(u32 index, const void *data, u32 length) return 0; } +uint32_t tpm_set_global_lock(void) +{ + u32 x; + + return tpm_nv_write_value(TPM_NV_INDEX_0, (uint8_t *)&x, 0); +} + u32 tpm_extend(u32 index, const void *in_digest, void *out_digest) { const u8 command[34] = { @@ -243,6 +290,15 @@ u32 tpm_tsc_physical_presence(u16 presence) return tpm_sendrecv_command(buf, NULL, NULL); } +u32 tpm_finalise_physical_presence(void) +{ + const u8 command[12] = { + 0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x2, 0xa0, + }; + + return tpm_sendrecv_command(command, NULL, NULL); +} + u32 tpm_read_pubek(void *data, size_t count) { const u8 command[30] = { @@ -377,13 +433,19 @@ u32 tpm_get_permanent_flags(struct tpm_permanent_flags *pflags) if (err) return err; if (unpack_byte_string(response, response_length, "d", - data_size_offset, &data_size)) + data_size_offset, &data_size)) { + log_err("Cannot unpack data size\n"); return TPM_LIB_ERROR; - if (data_size < sizeof(*pflags)) + } + if (data_size < sizeof(*pflags)) { + log_err("Data size too small\n"); return TPM_LIB_ERROR; + } if (unpack_byte_string(response, response_length, "s", - data_offset, pflags, sizeof(*pflags))) + data_offset, pflags, sizeof(*pflags))) { + log_err("Cannot unpack pflags\n"); return TPM_LIB_ERROR; + } return 0; } -- cgit v1.2.3