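/*
 * The Initial Developer of the Original Code is International
 * Business Machines Corporation. Portions created by IBM
 * Corporation are Copyright (C) 2005 International Business
 * Machines Corporation. All Rights Reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the Common Public License as published by
 * IBM Corporation; either version 1 of the License, or (at your option)
 * any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * Common Public License for more details.
 *
 * You should have received a copy of the Common Public License
 * along with this program; if not, a copy can be viewed at
 * http://www.opensource.org/licenses/cpl1.0.php.
 */

#include "tpm_tspi.h"
#include "tpm_utils.h"

// Operation selected by the command-line options (default: show status)
enum {
	STATUS_CHECK = 0,
	ENABLE = 1,
	DISABLE = 2
};

static int request = STATUS_CHECK;
// Flag handed to tpmSetStatus(): owner-authorized by default, physical
// presence when -f is given (owner auth is then skipped, see main()).
static TSS_FLAG fForce = TSS_TPMSTATUS_OWNERSETDISABLE;
static BOOL isWellKnown = FALSE;
// Owner secret used in place of a prompted password when -z is given.
static BYTE well_known[] = TSS_WELL_KNOWN_SECRET;
TSS_HCONTEXT hContext = 0;

/*
 * Affect: Change TPM state between enabled and disabled
 * Default: Display current status
 * Requires: Owner auth unless force( physical presence ) is specified
 */

/*
 * Print the usage text for this command.
 * cmd: the program name as invoked (argv[0]).
 */
static void help(const char *cmd)
{
	logCmdHelp(cmd);
	logUnicodeCmdOption();
	logCmdOption("-s, --status", _("Display current state"));
	logCmdOption("-e, --enable", _("Enable TPM"));
	logCmdOption("-d, --disable", _("Disable TPM"));
	logCmdOption("-f, --force",
		     _("Use physical presence authorization."));
	logCmdOption("-z, --well-known",
		     _("Use 20 bytes of zeros (TSS_WELL_KNOWN_SECRET) as the TPM secret authorization data"));
}

/*
 * Option callback for genericOptHandler(): records each recognized
 * short option in the file-scope state above.
 * aOpt: the short option character; aArg: its argument (unused, none
 *       of the options take one).
 * Returns 0 when the option is known, -1 otherwise.
 */
static int parse(const int aOpt, const char *aArg)
{
	switch (aOpt) {
	case 's':
		logDebug(_("Changing mode to check status.\n"));
		request = STATUS_CHECK;
		break;
	case 'e':
		logDebug(_("Changing mode to enable the TPM\n"));
		request = ENABLE;
		break;
	case 'd':
		logDebug(_("Changing mode to disable the TPM\n"));
		request = DISABLE;
		break;
	case 'f':
		logDebug(_("Changing mode to use force authorization\n"));
		fForce = TSS_TPMSTATUS_PHYSICALDISABLE;
		break;
	case 'z':
		logDebug(_("Using TSS_WELL_KNOWN_SECRET to authorize the TPM command\n"));
		isWellKnown = TRUE;
		break;
	default:
		return -1;
	}
	return 0;
}

/*
 * Obtain the owner secret and install it on the TPM's policy object.
 *
 * With -z the bytes of well_known are used directly; otherwise the user
 * is prompted. On return *pszPasswd points at the secret in use: a
 * prompted password (the caller must release it with shredPasswd()) or
 * the static well_known array (nothing to release). It is left NULL when
 * prompting fails.
 *
 * hTpm:       TPM object whose policy receives the secret.
 * pszPasswd:  receives the secret pointer as described above.
 * Returns 0 on success, -1 on any failure.
 */
static int setOwnerAuth(TSS_HTPM hTpm, char **pszPasswd)
{
	TSS_HPOLICY hTpmPolicy;
	int pswd_len = 0;

	if (isWellKnown) {
		*pszPasswd = (char *)well_known;
		pswd_len = sizeof(well_known);
	} else {
		*pszPasswd = GETPASSWD(_("Enter owner password: "), &pswd_len, FALSE);
		if (!*pszPasswd) {
			logMsg(_("Failed to get password\n"));
			return -1;
		}
	}

	if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS)
		return -1;

	if (policySetSecret(hTpmPolicy, pswd_len, (BYTE *)*pszPasswd) != TSS_SUCCESS)
		return -1;

	return 0;
}

/*
 * Entry point: parse options, connect to the TSS, then either report the
 * TPM's disabled flag or set it according to the requested operation.
 * Returns 0 on success, -1 on any failure.
 */
int main(int argc, char **argv)
{
	// Secret obtained by setOwnerAuth(); shredded at exit unless it is
	// the static well_known array.
	char *szTpmPasswd = NULL;
	TSS_HTPM hTpm;
	TSS_BOOL bValue;
	int iRc = -1;
	struct option hOpts[] = { {"enable", no_argument, NULL, 'e'},
				  {"disable", no_argument, NULL, 'd'},
				  {"force", no_argument, NULL, 'f'},
				  {"status", no_argument, NULL, 's'},
				  {"well-known", no_argument, NULL, 'z'},
	};

	initIntlSys();

	if (genericOptHandler(argc, argv, "edfsz", hOpts,
			      sizeof(hOpts) / sizeof(hOpts[0]), parse, help) != 0)
		goto out;

	//Connect to TSS and TPM
	if (contextCreate(&hContext) != TSS_SUCCESS)
		goto out;

	if (contextConnect(hContext) != TSS_SUCCESS)
		goto out_close;

	if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
		goto out_close;

	if (request == STATUS_CHECK) {
		// Reading the flag always goes through owner auth; -f has
		// no effect on this path.
		logInfo(_("Checking current status:\n"));
		if (setOwnerAuth(hTpm, &szTpmPasswd) != 0)
			goto out_close;

		if (tpmGetStatus(hTpm, TSS_TPMSTATUS_DISABLED, &bValue) != TSS_SUCCESS)
			goto out_close;
		logMsg(_("Disabled status: %s\n"), logBool(mapTssBool(bValue)));
	} else {
		// Owner auth is only set up for the owner-set variant; with
		// -f the physical-presence variant is used without it.
		if (fForce == TSS_TPMSTATUS_OWNERSETDISABLE
		    && setOwnerAuth(hTpm, &szTpmPasswd) != 0)
			goto out_close;

		//Setup complete. Attempt the command: the status being set
		//is "disabled", so ENABLE clears it and DISABLE sets it.
		if (tpmSetStatus(hTpm, fForce, (request == ENABLE) ? FALSE : TRUE) != TSS_SUCCESS)
			goto out_close;
	}

	//Command successful
	iRc = 0;
	logSuccess(argv[0]);

	//Cleanup
out_close:
	// well_known is static data, not a prompted buffer: leave it alone.
	if (szTpmPasswd && !isWellKnown)
		shredPasswd(szTpmPasswd);

	contextClose(hContext);

out:
	return iRc;
}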