1 /* SPDX-License-Identifier: GPL-2.0+ */
2 /*
3  * Defines APIs and structures that allow software to interact with a
4  * TPM2 device
5  *
6  * Copyright (c) 2020 Linaro
7  * Copyright (c) 2018 Bootlin
8  *
9  * https://trustedcomputinggroup.org/resource/tss-overview-common-structures-specification/
10  *
11  * Author: Miquel Raynal <miquel.raynal@bootlin.com>
12  */
13 
14 #ifndef __TPM_V2_H
15 #define __TPM_V2_H
16 
17 #include <tpm-common.h>
18 
19 struct udevice;
20 
21 #define TPM2_DIGEST_LEN		32
22 
23 #define TPM2_SHA1_DIGEST_SIZE 20
24 #define TPM2_SHA256_DIGEST_SIZE	32
25 #define TPM2_SHA384_DIGEST_SIZE	48
26 #define TPM2_SHA512_DIGEST_SIZE	64
27 #define TPM2_SM3_256_DIGEST_SIZE 32
28 
29 #define TPM2_MAX_PCRS 32
30 #define TPM2_PCR_SELECT_MAX ((TPM2_MAX_PCRS + 7) / 8)
31 #define TPM2_MAX_CAP_BUFFER 1024
32 #define TPM2_MAX_TPM_PROPERTIES ((TPM2_MAX_CAP_BUFFER - sizeof(u32) /* TPM2_CAP */ - \
33 				 sizeof(u32)) / sizeof(struct tpms_tagged_property))
34 
35 /*
36  *  We deviate from this draft of the specification by increasing the value of
37  *  TPM2_NUM_PCR_BANKS from 3 to 16 to ensure compatibility with TPM2
38  *  implementations that have enabled a larger than typical number of PCR
39  *  banks. This larger value for TPM2_NUM_PCR_BANKS is expected to be included
40  *  in a future revision of the specification.
41  */
42 #define TPM2_NUM_PCR_BANKS 16
43 
44 /* Definition of (UINT32) TPM2_CAP Constants */
45 #define TPM2_CAP_PCRS 0x00000005U
46 #define TPM2_CAP_TPM_PROPERTIES 0x00000006U
47 
48 /* Definition of (UINT32) TPM2_PT Constants */
49 #define TPM2_PT_GROUP			(u32)(0x00000100)
50 #define TPM2_PT_FIXED			(u32)(TPM2_PT_GROUP * 1)
51 #define TPM2_PT_MANUFACTURER		(u32)(TPM2_PT_FIXED + 5)
52 #define TPM2_PT_PCR_COUNT		(u32)(TPM2_PT_FIXED + 18)
53 #define TPM2_PT_MAX_COMMAND_SIZE	(u32)(TPM2_PT_FIXED + 30)
54 #define TPM2_PT_MAX_RESPONSE_SIZE	(u32)(TPM2_PT_FIXED + 31)
55 
56 /*
57  * event types, cf.
58  * "TCG Server Management Domain Firmware Profile Specification",
59  * rev 1.00, 2020-05-01
60  */
61 #define EV_POST_CODE			((u32)0x00000001)
62 #define EV_NO_ACTION			((u32)0x00000003)
63 #define EV_SEPARATOR			((u32)0x00000004)
64 #define EV_ACTION			((u32)0x00000005)
65 #define EV_TAG				((u32)0x00000006)
66 #define EV_S_CRTM_CONTENTS		((u32)0x00000007)
67 #define EV_S_CRTM_VERSION		((u32)0x00000008)
68 #define EV_CPU_MICROCODE		((u32)0x00000009)
69 #define EV_PLATFORM_CONFIG_FLAGS	((u32)0x0000000A)
70 #define EV_TABLE_OF_DEVICES		((u32)0x0000000B)
71 #define EV_COMPACT_HASH			((u32)0x0000000C)
72 
73 /*
74  * event types, cf.
75  * "TCG PC Client Platform Firmware Profile Specification", Family "2.0"
76  * rev 1.04, June 3, 2019
77  */
78 #define EV_EFI_EVENT_BASE			((u32)0x80000000)
79 #define EV_EFI_VARIABLE_DRIVER_CONFIG		((u32)0x80000001)
80 #define EV_EFI_VARIABLE_BOOT			((u32)0x80000002)
81 #define EV_EFI_BOOT_SERVICES_APPLICATION	((u32)0x80000003)
82 #define EV_EFI_BOOT_SERVICES_DRIVER		((u32)0x80000004)
83 #define EV_EFI_RUNTIME_SERVICES_DRIVER		((u32)0x80000005)
84 #define EV_EFI_GPT_EVENT			((u32)0x80000006)
85 #define EV_EFI_ACTION				((u32)0x80000007)
86 #define EV_EFI_PLATFORM_FIRMWARE_BLOB		((u32)0x80000008)
87 #define EV_EFI_HANDOFF_TABLES			((u32)0x80000009)
88 #define EV_EFI_HCRTM_EVENT			((u32)0x80000010)
89 #define EV_EFI_VARIABLE_AUTHORITY		((u32)0x800000E0)
90 
91 /* TPMS_TAGGED_PROPERTY Structure */
92 struct tpms_tagged_property {
93 	u32 property;
94 	u32 value;
95 } __packed;
96 
97 /* TPMS_PCR_SELECTION Structure */
98 struct tpms_pcr_selection {
99 	u16 hash;
100 	u8 size_of_select;
101 	u8 pcr_select[TPM2_PCR_SELECT_MAX];
102 } __packed;
103 
104 /* TPML_PCR_SELECTION Structure */
105 struct tpml_pcr_selection {
106 	u32 count;
107 	struct tpms_pcr_selection selection[TPM2_NUM_PCR_BANKS];
108 } __packed;
109 
110 /* TPML_TAGGED_TPM_PROPERTY Structure */
111 struct tpml_tagged_tpm_property {
112 	u32 count;
113 	struct tpms_tagged_property tpm_property[TPM2_MAX_TPM_PROPERTIES];
114 } __packed;
115 
116 /* TPMU_CAPABILITIES Union */
117 union tpmu_capabilities {
118 	/*
119 	 * Non exhaustive. Only added the structs needed for our
120 	 * current code
121 	 */
122 	struct tpml_pcr_selection assigned_pcr;
123 	struct tpml_tagged_tpm_property tpm_properties;
124 } __packed;
125 
126 /* TPMS_CAPABILITY_DATA Structure */
127 struct tpms_capability_data {
128 	u32 capability;
129 	union tpmu_capabilities data;
130 } __packed;
131 
132 /**
133  * SHA1 Event Log Entry Format
134  *
135  * @pcr_index:	PCRIndex event extended to
136  * @event_type:	Type of event (see EFI specs)
137  * @digest:	Value extended into PCR index
138  * @event_size:	Size of event
139  * @event:	Event data
140  */
141 struct tcg_pcr_event {
142 	u32 pcr_index;
143 	u32 event_type;
144 	u8 digest[TPM2_SHA1_DIGEST_SIZE];
145 	u32 event_size;
146 	u8 event[];
147 } __packed;
148 
149 /**
150  * Definition of TPMU_HA Union
151  */
152 union tmpu_ha {
153 	u8 sha1[TPM2_SHA1_DIGEST_SIZE];
154 	u8 sha256[TPM2_SHA256_DIGEST_SIZE];
155 	u8 sm3_256[TPM2_SM3_256_DIGEST_SIZE];
156 	u8 sha384[TPM2_SHA384_DIGEST_SIZE];
157 	u8 sha512[TPM2_SHA512_DIGEST_SIZE];
158 } __packed;
159 
160 /**
161  * Definition of TPMT_HA Structure
162  *
163  * @hash_alg:	Hash algorithm defined in enum tpm2_algorithms
164  * @digest:	Digest value for a given algorithm
165  */
166 struct tpmt_ha {
167 	u16 hash_alg;
168 	union tmpu_ha digest;
169 } __packed;
170 
171 /**
172  * Definition of TPML_DIGEST_VALUES Structure
173  *
174  * @count:	Number of algorithms supported by hardware
175  * @digests:	struct for algorithm id and hash value
176  */
177 struct tpml_digest_values {
178 	u32 count;
179 	struct tpmt_ha digests[TPM2_NUM_PCR_BANKS];
180 } __packed;
181 
182 /**
183  * Crypto Agile Log Entry Format
184  *
185  * @pcr_index:	PCRIndex event extended to
186  * @event_type:	Type of event
187  * @digests:	List of digestsextended to PCR index
188  * @event_size: Size of the event data
189  * @event:	Event data
190  */
191 struct tcg_pcr_event2 {
192 	u32 pcr_index;
193 	u32 event_type;
194 	struct tpml_digest_values digests;
195 	u32 event_size;
196 	u8 event[];
197 } __packed;
198 
199 /**
200  * TPM2 Structure Tags for command/response buffers.
201  *
202  * @TPM2_ST_NO_SESSIONS: the command does not need an authentication.
203  * @TPM2_ST_SESSIONS: the command needs an authentication.
204  */
205 enum tpm2_structures {
206 	TPM2_ST_NO_SESSIONS	= 0x8001,
207 	TPM2_ST_SESSIONS	= 0x8002,
208 };
209 
210 /**
211  * TPM2 type of boolean.
212  */
213 enum tpm2_yes_no {
214 	TPMI_YES		= 1,
215 	TPMI_NO			= 0,
216 };
217 
218 /**
219  * TPM2 startup values.
220  *
221  * @TPM2_SU_CLEAR: reset the internal state.
222  * @TPM2_SU_STATE: restore saved state (if any).
223  */
224 enum tpm2_startup_types {
225 	TPM2_SU_CLEAR		= 0x0000,
226 	TPM2_SU_STATE		= 0x0001,
227 };
228 
229 /**
230  * TPM2 permanent handles.
231  *
232  * @TPM2_RH_OWNER: refers to the 'owner' hierarchy.
233  * @TPM2_RS_PW: indicates a password.
234  * @TPM2_RH_LOCKOUT: refers to the 'lockout' hierarchy.
235  * @TPM2_RH_ENDORSEMENT: refers to the 'endorsement' hierarchy.
236  * @TPM2_RH_PLATFORM: refers to the 'platform' hierarchy.
237  */
238 enum tpm2_handles {
239 	TPM2_RH_OWNER		= 0x40000001,
240 	TPM2_RS_PW		= 0x40000009,
241 	TPM2_RH_LOCKOUT		= 0x4000000A,
242 	TPM2_RH_ENDORSEMENT	= 0x4000000B,
243 	TPM2_RH_PLATFORM	= 0x4000000C,
244 };
245 
246 /**
247  * TPM2 command codes used at the beginning of a buffer, gives the command.
248  *
249  * @TPM2_CC_STARTUP: TPM2_Startup().
250  * @TPM2_CC_SELF_TEST: TPM2_SelfTest().
251  * @TPM2_CC_CLEAR: TPM2_Clear().
252  * @TPM2_CC_CLEARCONTROL: TPM2_ClearControl().
253  * @TPM2_CC_HIERCHANGEAUTH: TPM2_HierarchyChangeAuth().
254  * @TPM2_CC_PCR_SETAUTHPOL: TPM2_PCR_SetAuthPolicy().
255  * @TPM2_CC_DAM_RESET: TPM2_DictionaryAttackLockReset().
256  * @TPM2_CC_DAM_PARAMETERS: TPM2_DictionaryAttackParameters().
257  * @TPM2_CC_GET_CAPABILITY: TPM2_GetCapibility().
258  * @TPM2_CC_GET_RANDOM: TPM2_GetRandom().
259  * @TPM2_CC_PCR_READ: TPM2_PCR_Read().
260  * @TPM2_CC_PCR_EXTEND: TPM2_PCR_Extend().
261  * @TPM2_CC_PCR_SETAUTHVAL: TPM2_PCR_SetAuthValue().
262  */
263 enum tpm2_command_codes {
264 	TPM2_CC_STARTUP		= 0x0144,
265 	TPM2_CC_SELF_TEST	= 0x0143,
266 	TPM2_CC_HIER_CONTROL	= 0x0121,
267 	TPM2_CC_CLEAR		= 0x0126,
268 	TPM2_CC_CLEARCONTROL	= 0x0127,
269 	TPM2_CC_HIERCHANGEAUTH	= 0x0129,
270 	TPM2_CC_NV_DEFINE_SPACE	= 0x012a,
271 	TPM2_CC_PCR_SETAUTHPOL	= 0x012C,
272 	TPM2_CC_NV_WRITE	= 0x0137,
273 	TPM2_CC_NV_WRITELOCK	= 0x0138,
274 	TPM2_CC_DAM_RESET	= 0x0139,
275 	TPM2_CC_DAM_PARAMETERS	= 0x013A,
276 	TPM2_CC_NV_READ         = 0x014E,
277 	TPM2_CC_GET_CAPABILITY	= 0x017A,
278 	TPM2_CC_GET_RANDOM      = 0x017B,
279 	TPM2_CC_PCR_READ	= 0x017E,
280 	TPM2_CC_PCR_EXTEND	= 0x0182,
281 	TPM2_CC_PCR_SETAUTHVAL	= 0x0183,
282 };
283 
284 /**
285  * TPM2 return codes.
286  */
287 enum tpm2_return_codes {
288 	TPM2_RC_SUCCESS		= 0x0000,
289 	TPM2_RC_BAD_TAG		= 0x001E,
290 	TPM2_RC_FMT1		= 0x0080,
291 	TPM2_RC_HASH		= TPM2_RC_FMT1 + 0x0003,
292 	TPM2_RC_VALUE		= TPM2_RC_FMT1 + 0x0004,
293 	TPM2_RC_SIZE		= TPM2_RC_FMT1 + 0x0015,
294 	TPM2_RC_BAD_AUTH	= TPM2_RC_FMT1 + 0x0022,
295 	TPM2_RC_HANDLE		= TPM2_RC_FMT1 + 0x000B,
296 	TPM2_RC_VER1		= 0x0100,
297 	TPM2_RC_INITIALIZE	= TPM2_RC_VER1 + 0x0000,
298 	TPM2_RC_FAILURE		= TPM2_RC_VER1 + 0x0001,
299 	TPM2_RC_DISABLED	= TPM2_RC_VER1 + 0x0020,
300 	TPM2_RC_AUTH_MISSING	= TPM2_RC_VER1 + 0x0025,
301 	TPM2_RC_COMMAND_CODE	= TPM2_RC_VER1 + 0x0043,
302 	TPM2_RC_AUTHSIZE	= TPM2_RC_VER1 + 0x0044,
303 	TPM2_RC_AUTH_CONTEXT	= TPM2_RC_VER1 + 0x0045,
304 	TPM2_RC_NV_DEFINED	= TPM2_RC_VER1 + 0x004c,
305 	TPM2_RC_NEEDS_TEST	= TPM2_RC_VER1 + 0x0053,
306 	TPM2_RC_WARN		= 0x0900,
307 	TPM2_RC_TESTING		= TPM2_RC_WARN + 0x000A,
308 	TPM2_RC_REFERENCE_H0	= TPM2_RC_WARN + 0x0010,
309 	TPM2_RC_LOCKOUT		= TPM2_RC_WARN + 0x0021,
310 };
311 
312 /**
313  * TPM2 algorithms.
314  */
315 enum tpm2_algorithms {
316 	TPM2_ALG_SHA1		= 0x04,
317 	TPM2_ALG_XOR		= 0x0A,
318 	TPM2_ALG_SHA256		= 0x0B,
319 	TPM2_ALG_SHA384		= 0x0C,
320 	TPM2_ALG_SHA512		= 0x0D,
321 	TPM2_ALG_NULL		= 0x10,
322 	TPM2_ALG_SM3_256	= 0x12,
323 };
324 
325 /* NV index attributes */
326 enum tpm_index_attrs {
327 	TPMA_NV_PPWRITE		= 1UL << 0,
328 	TPMA_NV_OWNERWRITE	= 1UL << 1,
329 	TPMA_NV_AUTHWRITE	= 1UL << 2,
330 	TPMA_NV_POLICYWRITE	= 1UL << 3,
331 	TPMA_NV_COUNTER		= 1UL << 4,
332 	TPMA_NV_BITS		= 1UL << 5,
333 	TPMA_NV_EXTEND		= 1UL << 6,
334 	TPMA_NV_POLICY_DELETE	= 1UL << 10,
335 	TPMA_NV_WRITELOCKED	= 1UL << 11,
336 	TPMA_NV_WRITEALL	= 1UL << 12,
337 	TPMA_NV_WRITEDEFINE	= 1UL << 13,
338 	TPMA_NV_WRITE_STCLEAR	= 1UL << 14,
339 	TPMA_NV_GLOBALLOCK	= 1UL << 15,
340 	TPMA_NV_PPREAD		= 1UL << 16,
341 	TPMA_NV_OWNERREAD	= 1UL << 17,
342 	TPMA_NV_AUTHREAD	= 1UL << 18,
343 	TPMA_NV_POLICYREAD	= 1UL << 19,
344 	TPMA_NV_NO_DA		= 1UL << 25,
345 	TPMA_NV_ORDERLY		= 1UL << 26,
346 	TPMA_NV_CLEAR_STCLEAR	= 1UL << 27,
347 	TPMA_NV_READLOCKED	= 1UL << 28,
348 	TPMA_NV_WRITTEN		= 1UL << 29,
349 	TPMA_NV_PLATFORMCREATE	= 1UL << 30,
350 	TPMA_NV_READ_STCLEAR	= 1UL << 31,
351 
352 	TPMA_NV_MASK_READ	= TPMA_NV_PPREAD | TPMA_NV_OWNERREAD |
353 				TPMA_NV_AUTHREAD | TPMA_NV_POLICYREAD,
354 	TPMA_NV_MASK_WRITE	= TPMA_NV_PPWRITE | TPMA_NV_OWNERWRITE |
355 					TPMA_NV_AUTHWRITE | TPMA_NV_POLICYWRITE,
356 };
357 
358 enum {
359 	TPM_ACCESS_VALID		= 1 << 7,
360 	TPM_ACCESS_ACTIVE_LOCALITY	= 1 << 5,
361 	TPM_ACCESS_REQUEST_PENDING	= 1 << 2,
362 	TPM_ACCESS_REQUEST_USE		= 1 << 1,
363 	TPM_ACCESS_ESTABLISHMENT	= 1 << 0,
364 };
365 
366 enum {
367 	TPM_STS_FAMILY_SHIFT		= 26,
368 	TPM_STS_FAMILY_MASK		= 0x3 << TPM_STS_FAMILY_SHIFT,
369 	TPM_STS_FAMILY_TPM2		= 1 << TPM_STS_FAMILY_SHIFT,
370 	TPM_STS_RESE_TESTABLISMENT_BIT	= 1 << 25,
371 	TPM_STS_COMMAND_CANCEL		= 1 << 24,
372 	TPM_STS_BURST_COUNT_SHIFT	= 8,
373 	TPM_STS_BURST_COUNT_MASK	= 0xffff << TPM_STS_BURST_COUNT_SHIFT,
374 	TPM_STS_VALID			= 1 << 7,
375 	TPM_STS_COMMAND_READY		= 1 << 6,
376 	TPM_STS_GO			= 1 << 5,
377 	TPM_STS_DATA_AVAIL		= 1 << 4,
378 	TPM_STS_DATA_EXPECT		= 1 << 3,
379 	TPM_STS_SELF_TEST_DONE		= 1 << 2,
380 	TPM_STS_RESPONSE_RETRY		= 1 << 1,
381 };
382 
383 enum {
384 	TPM_CMD_COUNT_OFFSET	= 2,
385 	TPM_CMD_ORDINAL_OFFSET	= 6,
386 	TPM_MAX_BUF_SIZE	= 1260,
387 };
388 
389 enum {
390 	/* Secure storage for firmware settings */
391 	TPM_HT_PCR = 0,
392 	TPM_HT_NV_INDEX,
393 	TPM_HT_HMAC_SESSION,
394 	TPM_HT_POLICY_SESSION,
395 
396 	HR_SHIFT		= 24,
397 	HR_PCR			= TPM_HT_PCR << HR_SHIFT,
398 	HR_HMAC_SESSION		= TPM_HT_HMAC_SESSION << HR_SHIFT,
399 	HR_POLICY_SESSION	= TPM_HT_POLICY_SESSION << HR_SHIFT,
400 	HR_NV_INDEX		= TPM_HT_NV_INDEX << HR_SHIFT,
401 };
402 
403 /**
404  * Issue a TPM2_Startup command.
405  *
406  * @dev		TPM device
407  * @mode	TPM startup mode
408  *
409  * @return code of the operation
410  */
411 u32 tpm2_startup(struct udevice *dev, enum tpm2_startup_types mode);
412 
413 /**
414  * Issue a TPM2_SelfTest command.
415  *
416  * @dev		TPM device
417  * @full_test	Asking to perform all tests or only the untested ones
418  *
419  * @return code of the operation
420  */
421 u32 tpm2_self_test(struct udevice *dev, enum tpm2_yes_no full_test);
422 
423 /**
424  * Issue a TPM2_Clear command.
425  *
426  * @dev		TPM device
427  * @handle	Handle
428  * @pw		Password
429  * @pw_sz	Length of the password
430  *
431  * @return code of the operation
432  */
433 u32 tpm2_clear(struct udevice *dev, u32 handle, const char *pw,
434 	       const ssize_t pw_sz);
435 
436 /**
437  * Issue a TPM_NV_DefineSpace command
438  *
439  * This allows a space to be defined with given attributes and policy
440  *
441  * @dev			TPM device
442  * @space_index		index of the area
443  * @space_size		size of area in bytes
444  * @nv_attributes	TPM_NV_ATTRIBUTES of the area
445  * @nv_policy		policy to use
446  * @nv_policy_size	size of the policy
447  * @return return code of the operation
448  */
449 u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index,
450 			 size_t space_size, u32 nv_attributes,
451 			 const u8 *nv_policy, size_t nv_policy_size);
452 
453 /**
454  * Issue a TPM2_PCR_Extend command.
455  *
456  * @dev		TPM device
457  * @index	Index of the PCR
458  * @algorithm	Algorithm used, defined in 'enum tpm2_algorithms'
459  * @digest	Value representing the event to be recorded
460  * @digest_len  len of the hash
461  *
462  * @return code of the operation
463  */
464 u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
465 		    const u8 *digest, u32 digest_len);
466 
467 /**
468  * Read data from the secure storage
469  *
470  * @dev		TPM device
471  * @index	Index of data to read
472  * @data	Place to put data
473  * @count	Number of bytes of data
474  * @return code of the operation
475  */
476 u32 tpm2_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count);
477 
478 /**
479  * Write data to the secure storage
480  *
481  * @dev		TPM device
482  * @index	Index of data to write
483  * @data	Data to write
484  * @count	Number of bytes of data
485  * @return code of the operation
486  */
487 u32 tpm2_nv_write_value(struct udevice *dev, u32 index, const void *data,
488 			u32 count);
489 
490 /**
491  * Issue a TPM2_PCR_Read command.
492  *
493  * @dev		TPM device
494  * @idx		Index of the PCR
495  * @idx_min_sz	Minimum size in bytes of the pcrSelect array
496  * @data	Output buffer for contents of the named PCR
497  * @updates	Optional out parameter: number of updates for this PCR
498  *
499  * @return code of the operation
500  */
501 u32 tpm2_pcr_read(struct udevice *dev, u32 idx, unsigned int idx_min_sz,
502 		  void *data, unsigned int *updates);
503 
504 /**
505  * Issue a TPM2_GetCapability command.  This implementation is limited
506  * to query property index that is 4-byte wide.
507  *
508  * @dev		TPM device
509  * @capability	Partition of capabilities
510  * @property	Further definition of capability, limited to be 4 bytes wide
511  * @buf		Output buffer for capability information
512  * @prop_count	Size of output buffer
513  *
514  * @return code of the operation
515  */
516 u32 tpm2_get_capability(struct udevice *dev, u32 capability, u32 property,
517 			void *buf, size_t prop_count);
518 
519 /**
520  * Issue a TPM2_DictionaryAttackLockReset command.
521  *
522  * @dev		TPM device
523  * @pw		Password
524  * @pw_sz	Length of the password
525  *
526  * @return code of the operation
527  */
528 u32 tpm2_dam_reset(struct udevice *dev, const char *pw, const ssize_t pw_sz);
529 
530 /**
531  * Issue a TPM2_DictionaryAttackParameters command.
532  *
533  * @dev		TPM device
534  * @pw		Password
535  * @pw_sz	Length of the password
536  * @max_tries	Count of authorizations before lockout
537  * @recovery_time Time before decrementation of the failure count
538  * @lockout_recovery Time to wait after a lockout
539  *
540  * @return code of the operation
541  */
542 u32 tpm2_dam_parameters(struct udevice *dev, const char *pw,
543 			const ssize_t pw_sz, unsigned int max_tries,
544 			unsigned int recovery_time,
545 			unsigned int lockout_recovery);
546 
547 /**
548  * Issue a TPM2_HierarchyChangeAuth command.
549  *
550  * @dev		TPM device
551  * @handle	Handle
552  * @newpw	New password
553  * @newpw_sz	Length of the new password
554  * @oldpw	Old password
555  * @oldpw_sz	Length of the old password
556  *
557  * @return code of the operation
558  */
559 int tpm2_change_auth(struct udevice *dev, u32 handle, const char *newpw,
560 		     const ssize_t newpw_sz, const char *oldpw,
561 		     const ssize_t oldpw_sz);
562 
563 /**
564  * Issue a TPM_PCR_SetAuthPolicy command.
565  *
566  * @dev		TPM device
567  * @pw		Platform password
568  * @pw_sz	Length of the password
569  * @index	Index of the PCR
570  * @digest	New key to access the PCR
571  *
572  * @return code of the operation
573  */
574 u32 tpm2_pcr_setauthpolicy(struct udevice *dev, const char *pw,
575 			   const ssize_t pw_sz, u32 index, const char *key);
576 
577 /**
578  * Issue a TPM_PCR_SetAuthValue command.
579  *
580  * @dev		TPM device
581  * @pw		Platform password
582  * @pw_sz	Length of the password
583  * @index	Index of the PCR
584  * @digest	New key to access the PCR
585  * @key_sz	Length of the new key
586  *
587  * @return code of the operation
588  */
589 u32 tpm2_pcr_setauthvalue(struct udevice *dev, const char *pw,
590 			  const ssize_t pw_sz, u32 index, const char *key,
591 			  const ssize_t key_sz);
592 
593 /**
594  * Issue a TPM2_GetRandom command.
595  *
596  * @dev		TPM device
597  * @param data		output buffer for the random bytes
598  * @param count		size of output buffer
599  *
600  * @return return code of the operation
601  */
602 u32 tpm2_get_random(struct udevice *dev, void *data, u32 count);
603 
604 /**
605  * Lock data in the TPM
606  *
607  * Once locked the data cannot be written until after a reboot
608  *
609  * @dev		TPM device
610  * @index	Index of data to lock
611  * @return code of the operation
612  */
613 u32 tpm2_write_lock(struct udevice *dev, u32 index);
614 
615 /**
616  * Disable access to any platform data
617  *
618  * This can be called to close off access to the firmware data in the data,
619  * before calling the kernel.
620  *
621  * @dev		TPM device
622  * @return code of the operation
623  */
624 u32 tpm2_disable_platform_hierarchy(struct udevice *dev);
625 
626 #endif /* __TPM_V2_H */
627