xref: /netbsd-src/crypto/external/cpl/trousers/dist/src/tcs/tcsi_admin.c (revision 325dc460fcb903ba21d515d6422d8abf39bc692e) 
1 
2 /*
3  * Licensed Materials - Property of IBM
4  *
5  * trousers - An open source TCG Software Stack
6  *
7  * (C) Copyright International Business Machines Corp. 2004, 2007
8  *
9  */
10 
11 
12 #include <stdlib.h>
13 #include <stdio.h>
14 #include <string.h>
15 #include <inttypes.h>
16 
17 #include "trousers/tss.h"
18 #include "trousers_types.h"
19 #include "tcs_tsp.h"
20 #include "tcsps.h"
21 #include "tcs_utils.h"
22 #include "tcs_int_literals.h"
23 #include "capabilities.h"
24 #include "tcslog.h"
25 #include "req_mgr.h"
26 #include "tcsd_wrap.h"
27 #include "tcsd.h"
28 
29 TSS_RESULT
30 TCSP_SetOwnerInstall_Internal(TCS_CONTEXT_HANDLE hContext,	/* in */
31 			      TSS_BOOL state)	/* in  */
32 {
33 	UINT64 offset = 0;
34 	UINT32 paramSize;
35 	TSS_RESULT result;
36 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
37 
38 	LogDebug("Entering SetOwnerInstall");
39 	if ((result = ctx_verify_context(hContext)))
40 		return result;
41 
42 	if ((result = tpm_rqu_build(TPM_ORD_SetOwnerInstall, &offset, txBlob, state, NULL)))
43 		return result;
44 
45 	if ((result = req_mgr_submit_req(txBlob)))
46 		return result;
47 
48 	result = UnloadBlob_Header(txBlob, &paramSize);
49 	LogResult("SetOwnerInstall", result);
50 	return result;
51 }
52 
53 TSS_RESULT
54 TCSP_OwnerSetDisable_Internal(TCS_CONTEXT_HANDLE hContext,	/* in */
55 			      TSS_BOOL disableState,	/* in */
56 			      TPM_AUTH * ownerAuth)	/* in, out */
57 {
58 	UINT64 offset = 0;
59 	UINT32 paramSize;
60 	TSS_RESULT result;
61 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
62 
63 	if ((result = ctx_verify_context(hContext)))
64 		goto done;
65 
66 	if ((result = auth_mgr_check(hContext, &ownerAuth->AuthHandle)))
67 		goto done;
68 
69 	if ((result = tpm_rqu_build(TPM_ORD_OwnerSetDisable, &offset, txBlob, disableState,
70 				    ownerAuth)))
71 		goto done;
72 
73 	if ((result = req_mgr_submit_req(txBlob)))
74 		goto done;
75 
76 	result = UnloadBlob_Header(txBlob, &paramSize);
77 	if (!result) {
78 		result = tpm_rsp_parse(TPM_ORD_OwnerSetDisable, txBlob, paramSize, ownerAuth);
79 	}
80 done:
81 	auth_mgr_release_auth(ownerAuth, NULL, hContext);
82 	return result;
83 }
84 
85 TSS_RESULT
86 TCSP_DisableOwnerClear_Internal(TCS_CONTEXT_HANDLE hContext,	/* in */
87 				TPM_AUTH * ownerAuth)	/* in, out */
88 {
89 	UINT64 offset = 0;
90 	UINT32 paramSize;
91 	TSS_RESULT result;
92 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
93 
94 	LogDebug("Entering DisableownerClear");
95 
96 	if ((result = ctx_verify_context(hContext)))
97 		goto done;
98 
99 	if ((result = auth_mgr_check(hContext, &ownerAuth->AuthHandle)))
100 		goto done;
101 
102 	if ((result = tpm_rqu_build(TPM_ORD_DisableOwnerClear, &offset, txBlob, ownerAuth)))
103 		goto done;
104 
105 	if ((result = req_mgr_submit_req(txBlob)))
106 		goto done;
107 
108 	result = UnloadBlob_Header(txBlob, &paramSize);
109 	if (!result) {
110 		result = tpm_rsp_parse(TPM_ORD_DisableOwnerClear, txBlob, paramSize, ownerAuth);
111 	}
112 	LogResult("DisableOwnerClear", result);
113 done:
114 	auth_mgr_release_auth(ownerAuth, NULL, hContext);
115 	return result;
116 }
117 
118 TSS_RESULT
119 TCSP_ForceClear_Internal(TCS_CONTEXT_HANDLE hContext)	/* in */
120 {
121 	UINT64 offset = 0;
122 	UINT32 paramSize;
123 	TSS_RESULT result;
124 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
125 
126 	LogDebug("Entering Force Clear");
127 	if ((result = ctx_verify_context(hContext)))
128 		return result;
129 
130 	if ((result = tpm_rqu_build(TPM_ORD_ForceClear, &offset, txBlob, NULL)))
131 		return result;
132 
133 	if ((result = req_mgr_submit_req(txBlob)))
134 		return result;
135 
136 	result = UnloadBlob_Header(txBlob, &paramSize);
137 	LogResult("Force Clear", result);
138 	return result;
139 }
140 
141 TSS_RESULT
142 TCSP_DisableForceClear_Internal(TCS_CONTEXT_HANDLE hContext)	/* in */
143 {
144 	UINT64 offset = 0;
145 	UINT32 paramSize;
146 	TSS_RESULT result;
147 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
148 
149 	LogDebug("Entering Disable Force Clear");
150 	if ((result = ctx_verify_context(hContext)))
151 		return result;
152 
153 	if ((result = tpm_rqu_build(TPM_ORD_DisableForceClear, &offset, txBlob, NULL)))
154 		return result;
155 
156 	if ((result = req_mgr_submit_req(txBlob)))
157 		return result;
158 
159 	result = UnloadBlob_Header(txBlob, &paramSize);
160 	LogResult("Disable Force Clear", result);
161 	return result;
162 }
163 
164 TSS_RESULT
165 TCSP_PhysicalPresence_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
166 			TCPA_PHYSICAL_PRESENCE fPhysicalPresence) /* in */
167 {
168 	UINT64 offset = 0;
169 	UINT32 paramSize;
170 	TSS_RESULT result = TCSERR(TSS_E_NOTIMPL);
171 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
172 	char runlevel;
173 
174 	runlevel = platform_get_runlevel();
175 
176 	if (runlevel != 's' && runlevel != 'S' && runlevel != '1') {
177 		LogInfo("Physical Presence command denied: Must be in single"
178 				" user mode.");
179 		return TCSERR(TSS_E_NOTIMPL);
180 	}
181 
182 	if ((result = ctx_verify_context(hContext)))
183 		return result;
184 
185 	if ((result = tpm_rqu_build(TSC_ORD_PhysicalPresence, &offset, txBlob, fPhysicalPresence)))
186 		return result;
187 
188 	if ((result = req_mgr_submit_req(txBlob)))
189 		return result;
190 
191 	return UnloadBlob_Header(txBlob, &paramSize);
192 }
193 
194 TSS_RESULT
195 TCSP_PhysicalDisable_Internal(TCS_CONTEXT_HANDLE hContext)	/* in */
196 {
197 	UINT64 offset = 0;
198 	UINT32 paramSize;
199 	TSS_RESULT result;
200 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
201 
202 	LogDebug("Entering Physical Disable");
203 	if ((result = ctx_verify_context(hContext)))
204 		return result;
205 
206 	if ((result = tpm_rqu_build(TPM_ORD_PhysicalDisable, &offset, txBlob, NULL)))
207 		return result;
208 
209 	if ((result = req_mgr_submit_req(txBlob)))
210 		return result;
211 
212 	result = UnloadBlob_Header(txBlob, &paramSize);
213 	LogResult("Physical Disable", result);
214 
215 	return result;
216 }
217 
218 TSS_RESULT
219 TCSP_PhysicalEnable_Internal(TCS_CONTEXT_HANDLE hContext)	/* in */
220 {
221 	UINT64 offset = 0;
222 	TSS_RESULT result;
223 	UINT32 paramSize;
224 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
225 
226 	LogDebug("Entering Physical Enable");
227 	if ((result = ctx_verify_context(hContext)))
228 		return result;
229 
230 	if ((result = tpm_rqu_build(TPM_ORD_PhysicalEnable, &offset, txBlob, NULL)))
231 		return result;
232 
233 	if ((result = req_mgr_submit_req(txBlob)))
234 		return result;
235 
236 	result = UnloadBlob_Header(txBlob, &paramSize);
237 	LogResult("Physical Enable", result);
238 
239 	return result;
240 }
241 
242 TSS_RESULT
243 TCSP_PhysicalSetDeactivated_Internal(TCS_CONTEXT_HANDLE hContext,	/* in */
244 				     TSS_BOOL state)	/* in */
245 {
246 	UINT64 offset = 0;
247 	UINT32 paramSize;
248 	TSS_RESULT result;
249 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
250 
251 	LogDebug("Entering Physical Set Deactivated");
252 	if ((result = ctx_verify_context(hContext)))
253 		return result;
254 
255 	if ((result = tpm_rqu_build(TPM_ORD_PhysicalSetDeactivated, &offset, txBlob, state, NULL)))
256 		return result;
257 
258 	if ((result = req_mgr_submit_req(txBlob)))
259 		return result;
260 
261 	result = UnloadBlob_Header(txBlob, &paramSize);
262 	LogResult("PhysicalSetDeactivated", result);
263 	return result;
264 }
265 
266 TSS_RESULT
267 TCSP_SetTempDeactivated_Internal(TCS_CONTEXT_HANDLE hContext)	/* in */
268 {
269 	UINT64 offset = 0;
270 	UINT32 paramSize;
271 	TSS_RESULT result;
272 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
273 
274 	LogDebug("Entering Set Temp Deactivated");
275 	if ((result = ctx_verify_context(hContext)))
276 		return result;
277 
278 	if ((result = tpm_rqu_build(TPM_ORD_SetTempDeactivated, &offset, txBlob, NULL)))
279 		return result;
280 
281 	if ((result = req_mgr_submit_req(txBlob)))
282 		return result;
283 
284 	result = UnloadBlob_Header(txBlob, &paramSize);
285 	LogResult("SetTempDeactivated", result);
286 
287 	return result;
288 }
289 
290 #ifdef TSS_BUILD_TSS12
291 TSS_RESULT
292 TCSP_SetTempDeactivated2_Internal(TCS_CONTEXT_HANDLE hContext,	/* in */
293 				  TPM_AUTH * operatorAuth)	/* in, out */
294 {
295 	UINT64 offset = 0;
296 	UINT32 paramSize;
297 	TSS_RESULT result;
298 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
299 
300 	LogDebug("Entering Set Temp Deactivated2");
301 	if ((result = ctx_verify_context(hContext)))
302 		return result;
303 
304 	if (operatorAuth) {
305 		if ((result = auth_mgr_check(hContext, &operatorAuth->AuthHandle)))
306 			return result;
307 	}
308 
309 	if ((result = tpm_rqu_build(TPM_ORD_SetTempDeactivated, &offset, txBlob, operatorAuth)))
310 		goto done;
311 
312 	if ((result = req_mgr_submit_req(txBlob)))
313 		goto done;
314 
315 	result = UnloadBlob_Header(txBlob, &paramSize);
316 
317 	if (!result) {
318 			result = tpm_rsp_parse(TPM_ORD_SetTempDeactivated, txBlob, paramSize,
319 					       operatorAuth);
320 	}
321 
322 	LogResult("SetTempDeactivated2", result);
323 
324 done:
325 	auth_mgr_release_auth(operatorAuth, NULL, hContext);
326 
327 	return result;
328 }
329 #endif
330 
331 TSS_RESULT
332 TCSP_FieldUpgrade_Internal(TCS_CONTEXT_HANDLE hContext,	/* in */
333 			   UINT32 dataInSize,	/* in */
334 			   BYTE * dataIn,	/* in */
335 			   UINT32 * dataOutSize,	/* out */
336 			   BYTE ** dataOut,	/* out */
337 			   TPM_AUTH * ownerAuth)	/* in, out */
338 {
339 	TSS_RESULT result;
340 	UINT32 paramSize;
341 	UINT64 offset = 0;
342 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
343 
344 	LogDebug("Field Upgrade");
345 
346 	if ((result = ctx_verify_context(hContext)))
347 		goto done;
348 
349 	if ((result = auth_mgr_check(hContext, &ownerAuth->AuthHandle)))
350 		goto done;
351 
352 	if ((result = tpm_rqu_build(TPM_ORD_FieldUpgrade, &offset, txBlob, dataInSize, dataInSize,
353 				    dataIn, ownerAuth, NULL)))
354 		return result;
355 
356 	if ((result = req_mgr_submit_req(txBlob)))
357 		goto done;
358 
359 	result = UnloadBlob_Header(txBlob, &paramSize);
360 
361 	if (!result) {
362 		result = tpm_rsp_parse(TPM_ORD_FieldUpgrade, txBlob, paramSize, dataOutSize,
363 				       dataOut, ownerAuth);
364 	}
365 	LogResult("Field Upgrade", result);
366 done:
367 	auth_mgr_release_auth(ownerAuth, NULL, hContext);
368 	return result;
369 }
370 
371 TSS_RESULT
372 TCSP_SetRedirection_Internal(TCS_CONTEXT_HANDLE hContext,	/* in */
373 			     TCS_KEY_HANDLE keyHandle,	/* in */
374 			     UINT32 c1,	/* in */
375 			     UINT32 c2,	/* in */
376 			     TPM_AUTH * privAuth)	/* in, out */
377 {
378 	TSS_RESULT result;
379 	UINT32 paramSize;
380 	UINT64 offset = 0;
381 	TCPA_KEY_HANDLE keySlot;
382 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
383 
384 	LogDebug("Set Redirection");
385 
386 	if ((result = ctx_verify_context(hContext)))
387 		goto done;
388 
389 	if (privAuth != NULL) {
390 		if ((result = auth_mgr_check(hContext, &privAuth->AuthHandle)))
391 			goto done;
392 	}
393 
394 	if ((result = ensureKeyIsLoaded(hContext, keyHandle, &keySlot))) {
395 		result = TCSERR(TSS_E_FAIL);
396 		goto done;
397 	}
398 
399 	if ((result = tpm_rqu_build(TPM_ORD_SetRedirection, &offset, txBlob, keySlot, c1, c2,
400 				    privAuth)))
401 		goto done;
402 
403 	if ((result = req_mgr_submit_req(txBlob)))
404 		goto done;
405 
406 	result = UnloadBlob_Header(txBlob, &paramSize);
407 
408 	if (!result) {
409 		result = tpm_rsp_parse(TPM_ORD_SetRedirection, txBlob, paramSize, privAuth);
410 	}
411 	LogResult("Set Redirection", result);
412 done:
413 	auth_mgr_release_auth(privAuth, NULL, hContext);
414 	return result;
415 }
416 
417 #ifdef TSS_BUILD_TSS12
418 TSS_RESULT
419 TCSP_ResetLockValue_Internal(TCS_CONTEXT_HANDLE hContext,	/* in */
420 			     TPM_AUTH * ownerAuth)	/* in, out */
421 {
422 	UINT64 offset = 0;
423 	UINT32 paramSize;
424 	TSS_RESULT result;
425 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
426 
427 	if ((result = ctx_verify_context(hContext)))
428 		goto done;
429 
430 	if ((result = auth_mgr_check(hContext, &ownerAuth->AuthHandle)))
431 		goto done;
432 
433 	if ((result = tpm_rqu_build(TPM_ORD_ResetLockValue, &offset, txBlob, ownerAuth)))
434 		return result;
435 
436 	if ((result = req_mgr_submit_req(txBlob)))
437 		goto done;
438 
439 	result = UnloadBlob_Header(txBlob, &paramSize);
440 	if (!result) {
441 		result = tpm_rsp_parse(TPM_ORD_ResetLockValue, txBlob, paramSize, ownerAuth);
442 	}
443 
444 done:
445 	auth_mgr_release_auth(ownerAuth, NULL, hContext);
446 	return result;
447 }
448 
449 TSS_RESULT
450 TCSP_FlushSpecific_Common(UINT32 tpmResHandle, TPM_RESOURCE_TYPE resourceType)
451 {
452 	UINT64 offset = 0;
453 	UINT32 paramSize;
454 	TSS_RESULT result;
455 	BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
456 
457 	if ((result = tpm_rqu_build(TPM_ORD_FlushSpecific, &offset, txBlob, tpmResHandle,
458 				    resourceType)))
459 		return result;
460 
461 	if ((result = req_mgr_submit_req(txBlob)))
462 		return result;
463 
464 	result = UnloadBlob_Header(txBlob, &paramSize);
465 	if (!result) {
466 		result = tpm_rsp_parse(TPM_ORD_FlushSpecific, txBlob, paramSize, NULL);
467 	}
468 
469 	return result;
470 }
471 
472 TSS_RESULT
473 TCSP_FlushSpecific_Internal(TCS_CONTEXT_HANDLE hContext,	/* in */
474 			    TCS_HANDLE hResHandle,	/* in */
475 			    TPM_RESOURCE_TYPE resourceType) /* in */
476 {
477 	UINT32 tpmResHandle;
478 	TSS_RESULT result;
479 
480 	if ((result = ctx_verify_context(hContext)))
481 		return result;
482 
483 	switch (resourceType) {
484 		case TPM_RT_KEY:
485 			if ((result = get_slot_lite(hContext, hResHandle, &tpmResHandle)))
486 				return result;
487 
488 			if ((result = ctx_remove_key_loaded(hContext, hResHandle)))
489 				return result;
490 
491 			if ((result = key_mgr_dec_ref_count(hResHandle)))
492 				return result;
493 			break;
494 		case TPM_RT_AUTH:
495 			if ((result = auth_mgr_check(hContext, &hResHandle)))
496 				return result;
497 
498 			auth_mgr_release_auth_handle(hResHandle, hContext, FALSE);
499 			/* fall through */
500 		case TPM_RT_TRANS:
501 		case TPM_RT_DAA_TPM:
502 			tpmResHandle = hResHandle;
503 			break;
504 		case TPM_RT_CONTEXT:
505 			result = TCSERR(TSS_E_NOTIMPL);
506 			goto done;
507 		default:
508 			LogDebugFn("Unknown resource type: 0x%x", resourceType);
509 			goto done;
510 	}
511 
512 	result = TCSP_FlushSpecific_Common(tpmResHandle, resourceType);
513 
514 done:
515 	return result;
516 }
517 #endif
518 
519