All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH v4 00/11] tpm: Support using TPM1 and TPM2 from a single API
@ 2021-02-06 21:23 Simon Glass
  2021-02-06 21:23 ` [PATCH v4 01/11] tpm: Don't include cr50 in TPL/SPL Simon Glass
                   ` (10 more replies)
  0 siblings, 11 replies; 25+ messages in thread
From: Simon Glass @ 2021-02-06 21:23 UTC (permalink / raw)
  To: u-boot

At present if an application wants to be written so it can work with
both TPMv1.2 and TPM2 it must use two different APIs. This is inconvenient
since it requires adding code to deal with the mismatch between the two.
It would be better to have a common API that all boards could share.

This series provides a simple API the covers some basic features and
implements them for both TPM standards.

Changes in v4:
- Use uint type for size and explain it in the commit message
- Drop unnecessary update of offset

Changes in v3:
- Add a comment to the offset and fix up the value

Changes in v2:
- Add comments for the offset value
- Add definition of TPM2_RC_NV_DEFINED return code

Simon Glass (11):
  tpm: Don't include cr50 in TPL/SPL
  tpm: Use logging in the uclass
  tpm: Add debugging of request in tpm_sendrecv_command()
  tpm: Add an API that can support v1.2 and v2
  tpm: Switch TPMv1 over to use the new API
  tpm: Add a basic API implementation for TPMv2
  tpm: Reduce duplication in a few functions
  tpm: Add an implementation of define_space
  tpm: Add TPM2 support for read/write values
  tpm: Add TPM2 support for write_lock
  tpm: Allow disabling platform hierarchy with TPM2

 board/gdsys/a38x/controlcenterdc.c    |   4 +-
 board/gdsys/a38x/hre.c                |  28 +--
 board/gdsys/a38x/keyprogram.c         |   8 +-
 board/gdsys/mpc8308/gazerbeam.c       |   4 +-
 board/gdsys/p1022/controlcenterd-id.c |  36 +--
 cmd/tpm-v1.c                          |  25 +-
 cmd/tpm_test.c                        |  40 ++--
 drivers/tpm/Makefile                  |   2 +-
 drivers/tpm/cr50_i2c.c                |   4 +-
 drivers/tpm/tpm-uclass.c              |   8 +-
 include/tpm-common.h                  |   3 +
 include/tpm-v1.h                      |  76 +++---
 include/tpm-v2.h                      |  81 +++++++
 include/tpm_api.h                     | 322 ++++++++++++++++++++++++++
 lib/Makefile                          |   1 +
 lib/tpm-common.c                      |  10 +-
 lib/tpm-v1.c                          | 115 +++++----
 lib/tpm-v2.c                          | 202 +++++++++++++++-
 lib/tpm_api.c                         | 285 +++++++++++++++++++++++
 19 files changed, 1072 insertions(+), 182 deletions(-)
 create mode 100644 include/tpm_api.h
 create mode 100644 lib/tpm_api.c

-- 
2.30.0.478.g8a0d178c01-goog

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [PATCH v4 01/11] tpm: Don't include cr50 in TPL/SPL
  2021-02-06 21:23 [PATCH v4 00/11] tpm: Support using TPM1 and TPM2 from a single API Simon Glass
@ 2021-02-06 21:23 ` Simon Glass
  2021-03-03 19:10   ` Tom Rini
  2021-02-06 21:23 ` [PATCH v4 02/11] tpm: Use logging in the uclass Simon Glass
                   ` (9 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Simon Glass @ 2021-02-06 21:23 UTC (permalink / raw)
  To: u-boot

At present the security chip is not used in these U-Boot phases. Update
the Makefile to exclude it.

Fix a few logging statements while we are here.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---

(no changes since v1)

 drivers/tpm/Makefile   | 2 +-
 drivers/tpm/cr50_i2c.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/tpm/Makefile b/drivers/tpm/Makefile
index 8f075b9f45f..f64d20067f8 100644
--- a/drivers/tpm/Makefile
+++ b/drivers/tpm/Makefile
@@ -10,7 +10,7 @@ obj-$(CONFIG_TPM_TIS_SANDBOX) += tpm_tis_sandbox.o
 obj-$(CONFIG_TPM_ST33ZP24_I2C) += tpm_tis_st33zp24_i2c.o
 obj-$(CONFIG_TPM_ST33ZP24_SPI) += tpm_tis_st33zp24_spi.o
 
-obj-$(CONFIG_TPM2_CR50_I2C) += cr50_i2c.o
+obj-$(CONFIG_$(SPL_TPL_)TPM2_CR50_I2C) += cr50_i2c.o
 obj-$(CONFIG_TPM2_TIS_SANDBOX) += tpm2_tis_sandbox.o
 obj-$(CONFIG_TPM2_TIS_SPI) += tpm2_tis_spi.o
 obj-$(CONFIG_TPM2_FTPM_TEE) += tpm2_ftpm_tee.o
diff --git a/drivers/tpm/cr50_i2c.c b/drivers/tpm/cr50_i2c.c
index b103a6fdc39..76432bdec1f 100644
--- a/drivers/tpm/cr50_i2c.c
+++ b/drivers/tpm/cr50_i2c.c
@@ -309,7 +309,7 @@ static int cr50_i2c_recv(struct udevice *dev, u8 *buf, size_t buf_len)
 	int status;
 	int ret;
 
-	log_debug("%s: len=%x\n", __func__, buf_len);
+	log_debug("%s: buf_len=%x\n", __func__, buf_len);
 	if (buf_len < TPM_HEADER_SIZE)
 		return -E2BIG;
 
@@ -386,7 +386,7 @@ static int cr50_i2c_send(struct udevice *dev, const u8 *buf, size_t len)
 	ulong timeout;
 	int ret;
 
-	log_debug("%s: len=%x\n", __func__, len);
+	log_debug("len=%x\n", len);
 	timeout = timer_get_us() + TIMEOUT_LONG_US;
 	do {
 		ret = cr50_i2c_status(dev);
-- 
2.30.0.478.g8a0d178c01-goog

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [PATCH v4 02/11] tpm: Use logging in the uclass
  2021-02-06 21:23 [PATCH v4 00/11] tpm: Support using TPM1 and TPM2 from a single API Simon Glass
  2021-02-06 21:23 ` [PATCH v4 01/11] tpm: Don't include cr50 in TPL/SPL Simon Glass
@ 2021-02-06 21:23 ` Simon Glass
  2021-03-03 19:10   ` Tom Rini
  2021-02-06 21:23 ` [PATCH v4 03/11] tpm: Add debugging of request in tpm_sendrecv_command() Simon Glass
                   ` (8 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Simon Glass @ 2021-02-06 21:23 UTC (permalink / raw)
  To: u-boot

Update this to use log_debug() instead of the old debug().

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---

(no changes since v1)

 drivers/tpm/tpm-uclass.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/tpm/tpm-uclass.c b/drivers/tpm/tpm-uclass.c
index beb0fa3f93c..35774a6289e 100644
--- a/drivers/tpm/tpm-uclass.c
+++ b/drivers/tpm/tpm-uclass.c
@@ -4,6 +4,8 @@
  * Written by Simon Glass <sjg@chromium.org>
  */
 
+#define LOG_CATEGORY UCLASS_TPM
+
 #include <common.h>
 #include <dm.h>
 #include <log.h>
@@ -87,15 +89,15 @@ int tpm_xfer(struct udevice *dev, const uint8_t *sendbuf, size_t send_size,
 	ordinal = get_unaligned_be32(sendbuf + TPM_CMD_ORDINAL_BYTE);
 
 	if (count == 0) {
-		debug("no data\n");
+		log_debug("no data\n");
 		return -ENODATA;
 	}
 	if (count > send_size) {
-		debug("invalid count value %x %zx\n", count, send_size);
+		log_debug("invalid count value %x %zx\n", count, send_size);
 		return -E2BIG;
 	}
 
-	debug("%s: Calling send\n", __func__);
+	log_debug("%s: Calling send\n", __func__);
 	ret = ops->send(dev, sendbuf, send_size);
 	if (ret < 0)
 		return ret;
-- 
2.30.0.478.g8a0d178c01-goog

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [PATCH v4 03/11] tpm: Add debugging of request in tpm_sendrecv_command()
  2021-02-06 21:23 [PATCH v4 00/11] tpm: Support using TPM1 and TPM2 from a single API Simon Glass
  2021-02-06 21:23 ` [PATCH v4 01/11] tpm: Don't include cr50 in TPL/SPL Simon Glass
  2021-02-06 21:23 ` [PATCH v4 02/11] tpm: Use logging in the uclass Simon Glass
@ 2021-02-06 21:23 ` Simon Glass
  2021-03-03 19:10   ` Tom Rini
  2021-02-06 21:23 ` [PATCH v4 04/11] tpm: Add an API that can support v1.2 and v2 Simon Glass
                   ` (7 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Simon Glass @ 2021-02-06 21:23 UTC (permalink / raw)
  To: u-boot

The response is shown but not the request. Update the code to show both
if debugging is enabled.

Use a 'uint' type for size so it matches the register-word size on both
32- and 64-bit machines.

Signed-off-by: Simon Glass <sjg@chromium.org>
---

Changes in v4:
- Use uint type for size and explain it in the commit message

 lib/tpm-common.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/tpm-common.c b/lib/tpm-common.c
index e4af87f76aa..4277846fdd0 100644
--- a/lib/tpm-common.c
+++ b/lib/tpm-common.c
@@ -166,6 +166,7 @@ u32 tpm_sendrecv_command(struct udevice *dev, const void *command,
 	u8 response_buffer[COMMAND_BUFFER_SIZE];
 	size_t response_length;
 	int i;
+	uint size;
 
 	if (response) {
 		response_length = *size_ptr;
@@ -174,8 +175,13 @@ u32 tpm_sendrecv_command(struct udevice *dev, const void *command,
 		response_length = sizeof(response_buffer);
 	}
 
-	err = tpm_xfer(dev, command, tpm_command_size(command),
-		       response, &response_length);
+	size = tpm_command_size(command);
+	log_debug("TPM request [size:%d]: ", size);
+	for (i = 0; i < size; i++)
+		log_debug("%02x ", ((u8 *)command)[i]);
+	log_debug("\n");
+
+	err = tpm_xfer(dev, command, size, response, &response_length);
 
 	if (err < 0)
 		return err;
-- 
2.30.0.478.g8a0d178c01-goog

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [PATCH v4 04/11] tpm: Add an API that can support v1.2 and v2
  2021-02-06 21:23 [PATCH v4 00/11] tpm: Support using TPM1 and TPM2 from a single API Simon Glass
                   ` (2 preceding siblings ...)
  2021-02-06 21:23 ` [PATCH v4 03/11] tpm: Add debugging of request in tpm_sendrecv_command() Simon Glass
@ 2021-02-06 21:23 ` Simon Glass
  2021-03-03 19:10   ` Tom Rini
  2021-02-06 21:23 ` [PATCH v4 05/11] tpm: Switch TPMv1 over to use the new API Simon Glass
                   ` (6 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Simon Glass @ 2021-02-06 21:23 UTC (permalink / raw)
  To: u-boot

There are two different TPM standards. U-Boot supports both but each has
its own set of functions. We really need a single TPM API that can call
one or the other. This is not always possible as there are some
differences between the two standards, but it is mostly possible.

Add an API to handle this. So far it is not plumbed into the build and
only supports TPMv1.

Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---

(no changes since v1)

 include/tpm_api.h | 322 ++++++++++++++++++++++++++++++++++++++++++++++
 lib/tpm_api.c     | 215 +++++++++++++++++++++++++++++++
 2 files changed, 537 insertions(+)
 create mode 100644 include/tpm_api.h
 create mode 100644 lib/tpm_api.c

diff --git a/include/tpm_api.h b/include/tpm_api.h
new file mode 100644
index 00000000000..f13d98cae47
--- /dev/null
+++ b/include/tpm_api.h
@@ -0,0 +1,322 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Copyright (c) 2013 The Chromium OS Authors.
+ * Coypright (c) 2013 Guntermann & Drunck GmbH
+ */
+
+#ifndef __TPM_API_H
+#define __TPM_API_H
+
+#include <tpm-common.h>
+#include <tpm-v1.h>
+#include <tpm-v2.h>
+
+/**
+ * Issue a TPM_Startup command.
+ *
+ * @param dev		TPM device
+ * @param mode		TPM startup mode
+ * @return return code of the operation
+ */
+u32 tpm_startup(struct udevice *dev, enum tpm_startup_type mode);
+
+/**
+ * Issue a TPM_SelfTestFull command.
+ *
+ * @param dev		TPM device
+ * @return return code of the operation
+ */
+u32 tpm_self_test_full(struct udevice *dev);
+
+/**
+ * Issue a TPM_ContinueSelfTest command.
+ *
+ * @param dev		TPM device
+ * @return return code of the operation
+ */
+u32 tpm_continue_self_test(struct udevice *dev);
+
+/**
+ * Issue a TPM_NV_DefineSpace command.  The implementation is limited
+ * to specify TPM_NV_ATTRIBUTES and size of the area.  The area index
+ * could be one of the special value listed in enum tpm_nv_index.
+ *
+ * @param dev		TPM device
+ * @param index		index of the area
+ * @param perm		TPM_NV_ATTRIBUTES of the area
+ * @param size		size of the area
+ * @return return code of the operation
+ */
+u32 tpm_nv_define_space(struct udevice *dev, u32 index, u32 perm, u32 size);
+
+/**
+ * Issue a TPM_NV_ReadValue command.  This implementation is limited
+ * to read the area from offset 0.  The area index could be one of
+ * the special value listed in enum tpm_nv_index.
+ *
+ * @param dev		TPM device
+ * @param index		index of the area
+ * @param data		output buffer of the area contents
+ * @param count		size of output buffer
+ * @return return code of the operation
+ */
+u32 tpm_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count);
+
+/**
+ * Issue a TPM_NV_WriteValue command.  This implementation is limited
+ * to write the area from offset 0.  The area index could be one of
+ * the special value listed in enum tpm_nv_index.
+ *
+ * @param dev		TPM device
+ * @param index		index of the area
+ * @param data		input buffer to be wrote to the area
+ * @param length	length of data bytes of input buffer
+ * @return return code of the operation
+ */
+u32 tpm_nv_write_value(struct udevice *dev, u32 index, const void *data,
+		       u32 length);
+
+/**
+ * Issue a TPM_Extend command.
+ *
+ * @param dev		TPM device
+ * @param index		index of the PCR
+ * @param in_digest	160-bit value representing the event to be
+ *			recorded
+ * @param out_digest	160-bit PCR value after execution of the
+ *			command
+ * @return return code of the operation
+ */
+u32 tpm_pcr_extend(struct udevice *dev, u32 index, const void *in_digest,
+		   void *out_digest);
+
+/**
+ * Issue a TPM_PCRRead command.
+ *
+ * @param dev		TPM device
+ * @param index		index of the PCR
+ * @param data		output buffer for contents of the named PCR
+ * @param count		size of output buffer
+ * @return return code of the operation
+ */
+u32 tpm_pcr_read(struct udevice *dev, u32 index, void *data, size_t count);
+
+/**
+ * Issue a TSC_PhysicalPresence command.  TPM physical presence flag
+ * is bit-wise OR'ed of flags listed in enum tpm_physical_presence.
+ *
+ * @param dev		TPM device
+ * @param presence	TPM physical presence flag
+ * @return return code of the operation
+ */
+u32 tpm_tsc_physical_presence(struct udevice *dev, u16 presence);
+
+/**
+ * Issue a TPM_ReadPubek command.
+ *
+ * @param dev		TPM device
+ * @param data		output buffer for the public endorsement key
+ * @param count		size of output buffer
+ * @return return code of the operation
+ */
+u32 tpm_read_pubek(struct udevice *dev, void *data, size_t count);
+
+/**
+ * Issue a TPM_ForceClear command.
+ *
+ * @param dev		TPM device
+ * @return return code of the operation
+ */
+u32 tpm_force_clear(struct udevice *dev);
+
+/**
+ * Issue a TPM_PhysicalEnable command.
+ *
+ * @param dev		TPM device
+ * @return return code of the operation
+ */
+u32 tpm_physical_enable(struct udevice *dev);
+
+/**
+ * Issue a TPM_PhysicalDisable command.
+ *
+ * @param dev		TPM device
+ * @return return code of the operation
+ */
+u32 tpm_physical_disable(struct udevice *dev);
+
+/**
+ * Issue a TPM_PhysicalSetDeactivated command.
+ *
+ * @param dev		TPM device
+ * @param state		boolean state of the deactivated flag
+ * @return return code of the operation
+ */
+u32 tpm_physical_set_deactivated(struct udevice *dev, u8 state);
+
+/**
+ * Issue a TPM_GetCapability command.  This implementation is limited
+ * to query sub_cap index that is 4-byte wide.
+ *
+ * @param dev		TPM device
+ * @param cap_area	partition of capabilities
+ * @param sub_cap	further definition of capability, which is
+ *			limited to be 4-byte wide
+ * @param cap		output buffer for capability information
+ * @param count		size of output buffer
+ * @return return code of the operation
+ */
+u32 tpm_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
+		       void *cap, size_t count);
+
+/**
+ * Issue a TPM_FlushSpecific command for a AUTH resource.
+ *
+ * @param dev		TPM device
+ * @param auth_handle	handle of the auth session
+ * @return return code of the operation
+ */
+u32 tpm_terminate_auth_session(struct udevice *dev, u32 auth_handle);
+
+/**
+ * Issue a TPM_OIAP command to setup an object independent authorization
+ * session.
+ * Information about the session is stored internally.
+ * If there was already an OIAP session active it is terminated and a new
+ * session is set up.
+ *
+ * @param dev		TPM device
+ * @param auth_handle	pointer to the (new) auth handle or NULL.
+ * @return return code of the operation
+ */
+u32 tpm_oiap(struct udevice *dev, u32 *auth_handle);
+
+/**
+ * Ends an active OIAP session.
+ *
+ * @param dev		TPM device
+ * @return return code of the operation
+ */
+u32 tpm_end_oiap(struct udevice *dev);
+
+/**
+ * Issue a TPM_LoadKey2 (Auth1) command using an OIAP session for authenticating
+ * the usage of the parent key.
+ *
+ * @param dev		TPM device
+ * @param parent_handle	handle of the parent key.
+ * @param key		pointer to the key structure (TPM_KEY or TPM_KEY12).
+ * @param key_length	size of the key structure
+ * @param parent_key_usage_auth	usage auth for the parent key
+ * @param key_handle	pointer to the key handle
+ * @return return code of the operation
+ */
+u32 tpm_load_key2_oiap(struct udevice *dev, u32 parent_handle, const void *key,
+		       size_t key_length, const void *parent_key_usage_auth,
+		       u32 *key_handle);
+
+/**
+ * Issue a TPM_GetPubKey (Auth1) command using an OIAP session for
+ * authenticating the usage of the key.
+ *
+ * @param dev		TPM device
+ * @param key_handle	handle of the key
+ * @param usage_auth	usage auth for the key
+ * @param pubkey	pointer to the pub key buffer; may be NULL if the pubkey
+ *			should not be stored.
+ * @param pubkey_len	pointer to the pub key buffer len. On entry: the size of
+ *			the provided pubkey buffer. On successful exit: the size
+ *			of the stored TPM_PUBKEY structure (iff pubkey != NULL).
+ * @return return code of the operation
+ */
+u32 tpm_get_pub_key_oiap(struct udevice *dev, u32 key_handle,
+			 const void *usage_auth, void *pubkey,
+			 size_t *pubkey_len);
+
+/**
+ * Get the TPM permissions
+ *
+ * @param dev		TPM device
+ * @param perm		Returns permissions value
+ * @return return code of the operation
+ */
+u32 tpm_get_permissions(struct udevice *dev, u32 index, u32 *perm);
+
+/**
+ * Flush a resource with a given handle and type from the TPM
+ *
+ * @param dev		TPM device
+ * @param key_handle           handle of the resource
+ * @param resource_type                type of the resource
+ * @return return code of the operation
+ */
+u32 tpm_flush_specific(struct udevice *dev, u32 key_handle, u32 resource_type);
+
+#ifdef CONFIG_TPM_LOAD_KEY_BY_SHA1
+/**
+ * Search for a key by usage AuthData and the hash of the parent's pub key.
+ *
+ * @param dev		TPM device
+ * @param auth	        Usage auth of the key to search for
+ * @param pubkey_digest	SHA1 hash of the pub key structure of the key
+ * @param[out] handle	The handle of the key (Non-null iff found)
+ * @return 0 if key was found in TPM; != 0 if not.
+ */
+u32 tpm_find_key_sha1(struct udevice *dev, const u8 auth[20],
+		      const u8 pubkey_digest[20], u32 *handle);
+#endif /* CONFIG_TPM_LOAD_KEY_BY_SHA1 */
+
+/**
+ * Read random bytes from the TPM RNG. The implementation deals with the fact
+ * that the TPM may legally return fewer bytes than requested by retrying
+ * until @p count bytes have been received.
+ *
+ * @param dev		TPM device
+ * @param data		output buffer for the random bytes
+ * @param count		size of output buffer
+ * @return return code of the operation
+ */
+u32 tpm_get_random(struct udevice *dev, void *data, u32 count);
+
+/**
+ * tpm_finalise_physical_presence() - Finalise physical presence
+ *
+ * @param dev		TPM device
+ * @return return code of the operation (0 = success)
+ */
+u32 tpm_finalise_physical_presence(struct udevice *dev);
+
+/**
+ * tpm_nv_enable_locking() - lock the non-volatile space
+ *
+ * @param dev		TPM device
+ * @return return code of the operation (0 = success)
+ */
+u32 tpm_nv_enable_locking(struct udevice *dev);
+
+/**
+ * tpm_set_global_lock() - set the global lock
+ *
+ * @param dev		TPM device
+ * @return return code of the operation (0 = success)
+ */
+u32 tpm_set_global_lock(struct udevice *dev);
+
+/**
+ * tpm_write_lock() - lock the non-volatile space
+ *
+ * @param dev		TPM device
+ * @param index		Index of space to lock
+ * @return return code of the operation (0 = success)
+ */
+u32 tpm_write_lock(struct udevice *dev, u32 index);
+
+/**
+ * tpm_resume() - start up the TPM from resume (after suspend)
+ *
+ * @param dev		TPM device
+ * @return return code of the operation (0 = success)
+ */
+u32 tpm_resume(struct udevice *dev);
+
+#endif /* __TPM_API_H */
diff --git a/lib/tpm_api.c b/lib/tpm_api.c
new file mode 100644
index 00000000000..758350bd18d
--- /dev/null
+++ b/lib/tpm_api.c
@@ -0,0 +1,215 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright 2019 Google LLC
+ */
+
+#include <common.h>
+#include <dm.h>
+#include <log.h>
+#include <tpm_api.h>
+#include <tpm-v1.h>
+#include <tpm-v2.h>
+#include <tpm_api.h>
+
+static bool is_tpm1(struct udevice *dev)
+{
+	return IS_ENABLED(CONFIG_TPM_V1) && tpm_get_version(dev) == TPM_V1;
+}
+
+u32 tpm_startup(struct udevice *dev, enum tpm_startup_type mode)
+{
+	if (is_tpm1(dev))
+		return tpm1_startup(dev, mode);
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_resume(struct udevice *dev)
+{
+	if (is_tpm1(dev))
+		return tpm1_startup(dev, TPM_ST_STATE);
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_self_test_full(struct udevice *dev)
+{
+	if (is_tpm1(dev))
+		return tpm1_self_test_full(dev);
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_continue_self_test(struct udevice *dev)
+{
+	if (is_tpm1(dev))
+		return tpm1_continue_self_test(dev);
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_clear_and_reenable(struct udevice *dev)
+{
+	u32 ret;
+
+	log_info("TPM: Clear and re-enable\n");
+	ret = tpm_force_clear(dev);
+	if (ret != TPM_SUCCESS) {
+		log_err("Can't initiate a force clear\n");
+		return ret;
+	}
+
+	if (is_tpm1(dev)) {
+		ret = tpm1_physical_enable(dev);
+		if (ret != TPM_SUCCESS) {
+			log_err("TPM: Can't set enabled state\n");
+			return ret;
+		}
+
+		ret = tpm1_physical_set_deactivated(dev, 0);
+		if (ret != TPM_SUCCESS) {
+			log_err("TPM: Can't set deactivated state\n");
+			return ret;
+		}
+	} else {
+		return -ENOSYS;
+	}
+
+	return TPM_SUCCESS;
+}
+
+u32 tpm_nv_enable_locking(struct udevice *dev)
+{
+	if (is_tpm1(dev))
+		return tpm1_nv_define_space(dev, TPM_NV_INDEX_LOCK, 0, 0);
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count)
+{
+	if (is_tpm1(dev))
+		return tpm1_nv_read_value(dev, index, data, count);
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_nv_write_value(struct udevice *dev, u32 index, const void *data,
+		       u32 count)
+{
+	if (is_tpm1(dev))
+		return tpm1_nv_write_value(dev, index, data, count);
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_set_global_lock(struct udevice *dev)
+{
+	return tpm_nv_write_value(dev, TPM_NV_INDEX_0, NULL, 0);
+}
+
+u32 tpm_write_lock(struct udevice *dev, u32 index)
+{
+	if (is_tpm1(dev))
+		return -ENOSYS;
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_pcr_extend(struct udevice *dev, u32 index, const void *in_digest,
+		   void *out_digest)
+{
+	if (is_tpm1(dev))
+		return tpm1_extend(dev, index, in_digest, out_digest);
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_pcr_read(struct udevice *dev, u32 index, void *data, size_t count)
+{
+	if (is_tpm1(dev))
+		return tpm1_pcr_read(dev, index, data, count);
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_tsc_physical_presence(struct udevice *dev, u16 presence)
+{
+	if (is_tpm1(dev))
+		return tpm1_tsc_physical_presence(dev, presence);
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_finalise_physical_presence(struct udevice *dev)
+{
+	if (is_tpm1(dev))
+		return tpm1_finalise_physical_presence(dev);
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_read_pubek(struct udevice *dev, void *data, size_t count)
+{
+	if (is_tpm1(dev))
+		return tpm1_read_pubek(dev, data, count);
+	else
+		return -ENOSYS; /* not implemented yet */
+}
+
+u32 tpm_force_clear(struct udevice *dev)
+{
+	if (is_tpm1(dev))
+		return tpm1_force_clear(dev);
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_physical_enable(struct udevice *dev)
+{
+	if (is_tpm1(dev))
+		return tpm1_physical_enable(dev);
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_physical_disable(struct udevice *dev)
+{
+	if (is_tpm1(dev))
+		return tpm1_physical_disable(dev);
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_physical_set_deactivated(struct udevice *dev, u8 state)
+{
+	if (is_tpm1(dev))
+		return tpm1_physical_set_deactivated(dev, state);
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
+		       void *cap, size_t count)
+{
+	if (is_tpm1(dev))
+		return tpm1_get_capability(dev, cap_area, sub_cap, cap, count);
+	else
+		return -ENOSYS;
+}
+
+u32 tpm_get_permissions(struct udevice *dev, u32 index, u32 *perm)
+{
+	if (is_tpm1(dev))
+		return tpm1_get_permissions(dev, index, perm);
+	else
+		return -ENOSYS; /* not implemented yet */
+}
+
+u32 tpm_get_random(struct udevice *dev, void *data, u32 count)
+{
+	if (is_tpm1(dev))
+		return tpm1_get_random(dev, data, count);
+	else
+		return -ENOSYS; /* not implemented yet */
+}
-- 
2.30.0.478.g8a0d178c01-goog

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [PATCH v4 05/11] tpm: Switch TPMv1 over to use the new API
  2021-02-06 21:23 [PATCH v4 00/11] tpm: Support using TPM1 and TPM2 from a single API Simon Glass
                   ` (3 preceding siblings ...)
  2021-02-06 21:23 ` [PATCH v4 04/11] tpm: Add an API that can support v1.2 and v2 Simon Glass
@ 2021-02-06 21:23 ` Simon Glass
  2021-02-07 11:44   ` Ilias Apalodimas
  2021-03-03 19:11   ` Tom Rini
  2021-02-06 21:23 ` [PATCH v4 06/11] tpm: Add a basic API implementation for TPMv2 Simon Glass
                   ` (5 subsequent siblings)
  10 siblings, 2 replies; 25+ messages in thread
From: Simon Glass @ 2021-02-06 21:23 UTC (permalink / raw)
  To: u-boot

Take over the plain 'tpm_...' functions for use by the new TPM API. Rename
all the TPMv1 functions so they are called from the API.

Update the TPMv1 functions so that they are called from the API. Change
existing users to use the tpm1_ prefix so they don't need to go through
the API, which might introduce uncertainty.

Signed-off-by: Simon Glass <sjg@chromium.org>
---

(no changes since v1)

 board/gdsys/a38x/controlcenterdc.c    |   4 +-
 board/gdsys/a38x/hre.c                |  28 +++----
 board/gdsys/a38x/keyprogram.c         |   8 +-
 board/gdsys/mpc8308/gazerbeam.c       |   4 +-
 board/gdsys/p1022/controlcenterd-id.c |  36 ++++----
 cmd/tpm-v1.c                          |  25 +++---
 cmd/tpm_test.c                        |  40 +++++----
 include/tpm-v1.h                      |  76 ++++++++---------
 lib/Makefile                          |   1 +
 lib/tpm-v1.c                          | 115 ++++++++++++--------------
 10 files changed, 168 insertions(+), 169 deletions(-)

diff --git a/board/gdsys/a38x/controlcenterdc.c b/board/gdsys/a38x/controlcenterdc.c
index a2287f9deb1..187ac8c4f9f 100644
--- a/board/gdsys/a38x/controlcenterdc.c
+++ b/board/gdsys/a38x/controlcenterdc.c
@@ -286,8 +286,8 @@ int last_stage_init(void)
 	ccdc_eth_init();
 #endif
 	ret = get_tpm(&tpm);
-	if (ret || tpm_init(tpm) || tpm_startup(tpm, TPM_ST_CLEAR) ||
-	    tpm_continue_self_test(tpm)) {
+	if (ret || tpm_init(tpm) || tpm1_startup(tpm, TPM_ST_CLEAR) ||
+	    tpm1_continue_self_test(tpm)) {
 		return 1;
 	}
 
diff --git a/board/gdsys/a38x/hre.c b/board/gdsys/a38x/hre.c
index 699241b3e62..de5411a6b93 100644
--- a/board/gdsys/a38x/hre.c
+++ b/board/gdsys/a38x/hre.c
@@ -107,8 +107,8 @@ static int get_tpm_nv_size(struct udevice *tpm, uint32_t index, uint32_t *size)
 	uint8_t *ptr;
 	uint16_t v16;
 
-	err = tpm_get_capability(tpm, TPM_CAP_NV_INDEX, index,
-				 info, sizeof(info));
+	err = tpm1_get_capability(tpm, TPM_CAP_NV_INDEX, index, info,
+				  sizeof(info));
 	if (err) {
 		printf("tpm_get_capability(CAP_NV_INDEX, %08x) failed: %u\n",
 		       index, err);
@@ -150,8 +150,8 @@ static int find_key(struct udevice *tpm, const uint8_t auth[20],
 	unsigned int i;
 
 	/* fetch list of already loaded keys in the TPM */
-	err = tpm_get_capability(tpm, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
-				 sizeof(buf));
+	err = tpm1_get_capability(tpm, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
+				  sizeof(buf));
 	if (err)
 		return -1;
 	key_count = get_unaligned_be16(buf);
@@ -162,8 +162,8 @@ static int find_key(struct udevice *tpm, const uint8_t auth[20],
 	/* now search a(/ the) key which we can access with the given auth */
 	for (i = 0; i < key_count; ++i) {
 		buf_len = sizeof(buf);
-		err = tpm_get_pub_key_oiap(tpm, key_handles[i], auth, buf,
-					   &buf_len);
+		err = tpm1_get_pub_key_oiap(tpm, key_handles[i], auth, buf,
+					    &buf_len);
 		if (err && err != TPM_AUTHFAIL)
 			return -1;
 		if (err)
@@ -192,8 +192,8 @@ static int read_common_data(struct udevice *tpm)
 	if (get_tpm_nv_size(tpm, NV_COMMON_DATA_INDEX, &size) ||
 	    size < NV_COMMON_DATA_MIN_SIZE)
 		return 1;
-	err = tpm_nv_read_value(tpm, NV_COMMON_DATA_INDEX,
-				buf, min(sizeof(buf), size));
+	err = tpm1_nv_read_value(tpm, NV_COMMON_DATA_INDEX, buf,
+				 min(sizeof(buf), size));
 	if (err) {
 		printf("tpm_nv_read_value() failed: %u\n", err);
 		return 1;
@@ -270,8 +270,8 @@ static struct h_reg *access_hreg(struct udevice *tpm, uint8_t spec,
 	if (mode & HREG_RD) {
 		if (!result->valid) {
 			if (IS_PCR_HREG(spec)) {
-				hre_tpm_err = tpm_pcr_read(tpm, HREG_IDX(spec),
-					result->digest, 20);
+				hre_tpm_err = tpm1_pcr_read(tpm, HREG_IDX(spec),
+							    result->digest, 20);
 				result->valid = (hre_tpm_err == TPM_SUCCESS);
 			} else if (IS_FIX_HREG(spec)) {
 				switch (HREG_IDX(spec)) {
@@ -357,8 +357,8 @@ static int hre_op_loadkey(struct udevice *tpm, struct h_reg *src_reg,
 		return -1;
 	if (find_key(tpm, src_reg->digest, dst_reg->digest, &parent_handle))
 		return -1;
-	hre_tpm_err = tpm_load_key2_oiap(tpm, parent_handle, key, key_size,
-					 src_reg->digest, &key_handle);
+	hre_tpm_err = tpm1_load_key2_oiap(tpm, parent_handle, key, key_size,
+					  src_reg->digest, &key_handle);
 	if (hre_tpm_err) {
 		hre_err = HRE_E_TPM_FAILURE;
 		return -1;
@@ -474,8 +474,8 @@ do_bin_func:
 	}
 
 	if (dst_reg && dst_modified && IS_PCR_HREG(dst_spec)) {
-		hre_tpm_err = tpm_extend(tpm, HREG_IDX(dst_spec),
-					 dst_reg->digest, dst_reg->digest);
+		hre_tpm_err = tpm1_extend(tpm, HREG_IDX(dst_spec),
+					  dst_reg->digest, dst_reg->digest);
 		if (hre_tpm_err) {
 			hre_err = HRE_E_TPM_FAILURE;
 			return NULL;
diff --git a/board/gdsys/a38x/keyprogram.c b/board/gdsys/a38x/keyprogram.c
index 853981aadbb..7020fae1894 100644
--- a/board/gdsys/a38x/keyprogram.c
+++ b/board/gdsys/a38x/keyprogram.c
@@ -23,15 +23,15 @@ int flush_keys(struct udevice *tpm)
 	uint i;
 
 	/* fetch list of already loaded keys in the TPM */
-	err = tpm_get_capability(tpm, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
-				 sizeof(buf));
+	err = tpm1_get_capability(tpm, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
+				  sizeof(buf));
 	if (err)
 		return -1;
 	key_count = get_unaligned_be16(buf);
 	ptr = buf + 2;
 	for (i = 0; i < key_count; ++i, ptr += 4) {
-		err = tpm_flush_specific(tpm, get_unaligned_be32(ptr),
-					 TPM_RT_KEY);
+		err = tpm1_flush_specific(tpm, get_unaligned_be32(ptr),
+					  TPM_RT_KEY);
 		if (err && err != TPM_KEY_OWNER_CONTROL)
 			return err;
 	}
diff --git a/board/gdsys/mpc8308/gazerbeam.c b/board/gdsys/mpc8308/gazerbeam.c
index 0e7fa1e333e..6afb87a5008 100644
--- a/board/gdsys/mpc8308/gazerbeam.c
+++ b/board/gdsys/mpc8308/gazerbeam.c
@@ -144,8 +144,8 @@ int last_stage_init(void)
 	env_set_ulong("fpga_hw_rev", fpga_hw_rev);
 
 	ret = get_tpm(&tpm);
-	if (ret || tpm_init(tpm) || tpm_startup(tpm, TPM_ST_CLEAR) ||
-	    tpm_continue_self_test(tpm)) {
+	if (ret || tpm_init(tpm) || tpm1_startup(tpm, TPM_ST_CLEAR) ||
+	    tpm1_continue_self_test(tpm)) {
 		printf("TPM init failed\n");
 	}
 
diff --git a/board/gdsys/p1022/controlcenterd-id.c b/board/gdsys/p1022/controlcenterd-id.c
index 1b5aa9042f5..87b346aa9cf 100644
--- a/board/gdsys/p1022/controlcenterd-id.c
+++ b/board/gdsys/p1022/controlcenterd-id.c
@@ -273,8 +273,8 @@ static int get_tpm_nv_size(struct udevice *tpm, uint32_t index, uint32_t *size)
 	uint8_t *ptr;
 	uint16_t v16;
 
-	err = tpm_get_capability(tpm, TPM_CAP_NV_INDEX, index,
-				 info, sizeof(info));
+	err = tpm1_get_capability(tpm, TPM_CAP_NV_INDEX, index, info,
+				  sizeof(info));
 	if (err) {
 		printf("tpm_get_capability(CAP_NV_INDEX, %08x) failed: %u\n",
 		       index, err);
@@ -315,8 +315,8 @@ static int find_key(struct udevice *tpm, const uint8_t auth[20],
 	unsigned int i;
 
 	/* fetch list of already loaded keys in the TPM */
-	err = tpm_get_capability(tpm, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
-				 sizeof(buf));
+	err = tpm1_get_capability(tpm, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
+				  sizeof(buf));
 	if (err)
 		return -1;
 	key_count = get_unaligned_be16(buf);
@@ -327,8 +327,8 @@ static int find_key(struct udevice *tpm, const uint8_t auth[20],
 	/* now search a(/ the) key which we can access with the given auth */
 	for (i = 0; i < key_count; ++i) {
 		buf_len = sizeof(buf);
-		err = tpm_get_pub_key_oiap(tpm, key_handles[i], auth, buf,
-					   &buf_len);
+		err = tpm1_get_pub_key_oiap(tpm, key_handles[i], auth, buf,
+					    &buf_len);
 		if (err && err != TPM_AUTHFAIL)
 			return -1;
 		if (err)
@@ -356,8 +356,8 @@ static int read_common_data(struct udevice *tpm)
 	if (get_tpm_nv_size(tpm, NV_COMMON_DATA_INDEX, &size) ||
 	    size < NV_COMMON_DATA_MIN_SIZE)
 		return 1;
-	err = tpm_nv_read_value(tpm, NV_COMMON_DATA_INDEX,
-				buf, min(sizeof(buf), size));
+	err = tpm1_nv_read_value(tpm, NV_COMMON_DATA_INDEX, buf,
+				 min(sizeof(buf), size));
 	if (err) {
 		printf("tpm_nv_read_value() failed: %u\n", err);
 		return 1;
@@ -508,8 +508,8 @@ static struct h_reg *access_hreg(struct udevice *tpm, uint8_t spec,
 	if (mode & HREG_RD) {
 		if (!result->valid) {
 			if (IS_PCR_HREG(spec)) {
-				hre_tpm_err = tpm_pcr_read(tpm, HREG_IDX(spec),
-					result->digest, 20);
+				hre_tpm_err = tpm1_pcr_read(tpm, HREG_IDX(spec),
+							    result->digest, 20);
 				result->valid = (hre_tpm_err == TPM_SUCCESS);
 			} else if (IS_FIX_HREG(spec)) {
 				switch (HREG_IDX(spec)) {
@@ -601,8 +601,8 @@ static int hre_op_loadkey(struct udevice *tpm, struct h_reg *src_reg,
 		return -1;
 	if (find_key(tpm, src_reg->digest, dst_reg->digest, &parent_handle))
 		return -1;
-	hre_tpm_err = tpm_load_key2_oiap(tpm, parent_handle, key, key_size,
-					 src_reg->digest, &key_handle);
+	hre_tpm_err = tpm1_load_key2_oiap(tpm, parent_handle, key, key_size,
+					  src_reg->digest, &key_handle);
 	if (hre_tpm_err) {
 		hre_err = HRE_E_TPM_FAILURE;
 		return -1;
@@ -718,8 +718,8 @@ do_bin_func:
 	}
 
 	if (dst_reg && dst_modified && IS_PCR_HREG(dst_spec)) {
-		hre_tpm_err = tpm_extend(tpm, HREG_IDX(dst_spec),
-					 dst_reg->digest, dst_reg->digest);
+		hre_tpm_err = tpm1_extend(tpm, HREG_IDX(dst_spec),
+					  dst_reg->digest, dst_reg->digest);
 		if (hre_tpm_err) {
 			hre_err = HRE_E_TPM_FAILURE;
 			return NULL;
@@ -964,10 +964,10 @@ static int first_stage_actions(struct udevice *tpm)
 
 	puts("CCDM S1: start actions\n");
 #ifndef CCDM_SECOND_STAGE
-	if (tpm_continue_self_test(tpm))
+	if (tpm1_continue_self_test(tpm))
 		goto failure;
 #else
-	tpm_continue_self_test(tpm);
+	tpm1_continue_self_test(tpm);
 #endif
 	mdelay(37);
 
@@ -1003,7 +1003,7 @@ static int first_stage_init(void)
 
 	puts("CCDM S1\n");
 	ret = get_tpm(&tpm);
-	if (ret || tpm_init(tpm) || tpm_startup(tpm, TPM_ST_CLEAR))
+	if (ret || tpm_init(tpm) || tpm1_startup(tpm, TPM_ST_CLEAR))
 		return 1;
 	ret = first_stage_actions(tpm);
 #ifndef CCDM_SECOND_STAGE
@@ -1061,7 +1061,7 @@ static int second_stage_init(void)
 	ret = get_tpm(&tpm);
 	if (ret || tpm_init(tpm))
 		return 1;
-	err = tpm_startup(tpm, TPM_ST_CLEAR);
+	err = tpm1_startup(tpm, TPM_ST_CLEAR);
 	if (err != TPM_INVALID_POSTINIT)
 		did_first_stage_run = false;
 
diff --git a/cmd/tpm-v1.c b/cmd/tpm-v1.c
index 0e2168aea67..3a7e35d5255 100644
--- a/cmd/tpm-v1.c
+++ b/cmd/tpm-v1.c
@@ -11,6 +11,7 @@
 #include <tpm-common.h>
 #include <tpm-v1.h>
 #include "tpm-user-utils.h"
+#include <tpm_api.h>
 
 static int do_tpm_startup(struct cmd_tbl *cmdtp, int flag, int argc,
 			  char *const argv[])
@@ -55,7 +56,7 @@ static int do_tpm_nv_define_space(struct cmd_tbl *cmdtp, int flag, int argc,
 	perm = simple_strtoul(argv[2], NULL, 0);
 	size = simple_strtoul(argv[3], NULL, 0);
 
-	return report_return_code(tpm_nv_define_space(dev, index, perm, size));
+	return report_return_code(tpm1_nv_define_space(dev, index, perm, size));
 }
 
 static int do_tpm_nv_read_value(struct cmd_tbl *cmdtp, int flag, int argc,
@@ -130,7 +131,7 @@ static int do_tpm_extend(struct cmd_tbl *cmdtp, int flag, int argc,
 		return CMD_RET_FAILURE;
 	}
 
-	rc = tpm_extend(dev, index, in_digest, out_digest);
+	rc = tpm_pcr_extend(dev, index, in_digest, out_digest);
 	if (!rc) {
 		puts("PCR value after execution of the command:\n");
 		print_byte_string(out_digest, sizeof(out_digest));
@@ -304,7 +305,7 @@ static int do_tpm_nv_define(struct cmd_tbl *cmdtp, int flag, int argc,
 	index = simple_strtoul(argv[2], NULL, 0);
 	perm = simple_strtoul(argv[3], NULL, 0);
 
-	return report_return_code(tpm_nv_define_space(dev, index, perm, size));
+	return report_return_code(tpm1_nv_define_space(dev, index, perm, size));
 }
 
 static int do_tpm_nv_read(struct cmd_tbl *cmdtp, int flag, int argc,
@@ -389,7 +390,7 @@ static int do_tpm_oiap(struct cmd_tbl *cmdtp, int flag, int argc,
 	if (rc)
 		return rc;
 
-	err = tpm_oiap(dev, &auth_handle);
+	err = tpm1_oiap(dev, &auth_handle);
 
 	return report_return_code(err);
 }
@@ -461,8 +462,8 @@ static int do_tpm_load_key2_oiap(struct cmd_tbl *cmdtp, int flag, int argc,
 		return CMD_RET_FAILURE;
 	parse_byte_string(argv[4], usage_auth, NULL);
 
-	err = tpm_load_key2_oiap(dev, parent_handle, key, key_len, usage_auth,
-				 &key_handle);
+	err = tpm1_load_key2_oiap(dev, parent_handle, key, key_len, usage_auth,
+				  &key_handle);
 	if (!err)
 		printf("Key handle is 0x%x\n", key_handle);
 
@@ -491,8 +492,8 @@ static int do_tpm_get_pub_key_oiap(struct cmd_tbl *cmdtp, int flag, int argc,
 		return CMD_RET_FAILURE;
 	parse_byte_string(argv[2], usage_auth, NULL);
 
-	err = tpm_get_pub_key_oiap(dev, key_handle, usage_auth, pub_key_buffer,
-				   &pub_key_len);
+	err = tpm1_get_pub_key_oiap(dev, key_handle, usage_auth, pub_key_buffer,
+				    &pub_key_len);
 	if (!err) {
 		printf("dump of received pub key structure:\n");
 		print_byte_string(pub_key_buffer, pub_key_len);
@@ -500,7 +501,7 @@ static int do_tpm_get_pub_key_oiap(struct cmd_tbl *cmdtp, int flag, int argc,
 	return report_return_code(err);
 }
 
-TPM_COMMAND_NO_ARG(tpm_end_oiap)
+TPM_COMMAND_NO_ARG(tpm1_end_oiap)
 
 #endif /* CONFIG_TPM_AUTH_SESSIONS */
 
@@ -562,7 +563,7 @@ static int do_tpm_flush(struct cmd_tbl *cmdtp, int flag, int argc,
 		res_count = get_unaligned_be16(buf);
 		ptr = buf + 2;
 		for (i = 0; i < res_count; ++i, ptr += 4)
-			tpm_flush_specific(dev, get_unaligned_be32(ptr), type);
+			tpm1_flush_specific(dev, get_unaligned_be32(ptr), type);
 	} else {
 		u32 handle = simple_strtoul(argv[2], NULL, 0);
 
@@ -570,7 +571,7 @@ static int do_tpm_flush(struct cmd_tbl *cmdtp, int flag, int argc,
 			printf("Illegal resource handle %s\n", argv[2]);
 			return -1;
 		}
-		tpm_flush_specific(dev, cpu_to_be32(handle), type);
+		tpm1_flush_specific(dev, cpu_to_be32(handle), type);
 	}
 
 	return 0;
@@ -691,7 +692,7 @@ static struct cmd_tbl tpm1_commands[] = {
 	U_BOOT_CMD_MKENT(oiap, 0, 1,
 			 do_tpm_oiap, "", ""),
 	U_BOOT_CMD_MKENT(end_oiap, 0, 1,
-			 do_tpm_end_oiap, "", ""),
+			 do_tpm1_end_oiap, "", ""),
 	U_BOOT_CMD_MKENT(load_key2_oiap, 0, 1,
 			 do_tpm_load_key2_oiap, "", ""),
 #ifdef CONFIG_TPM_LOAD_KEY_BY_SHA1
diff --git a/cmd/tpm_test.c b/cmd/tpm_test.c
index ebfb25cab0a..68d2107f54e 100644
--- a/cmd/tpm_test.c
+++ b/cmd/tpm_test.c
@@ -9,6 +9,7 @@
 #include <log.h>
 #include <tpm-v1.h>
 #include "tpm-user-utils.h"
+#include <tpm_api.h>
 
 /* Prints error and returns on failure */
 #define TPM_CHECK(tpm_command) do { \
@@ -49,7 +50,7 @@ static uint32_t tpm_get_flags(struct udevice *dev, uint8_t *disable,
 	struct tpm_permanent_flags pflags;
 	uint32_t result;
 
-	result = tpm_get_permanent_flags(dev, &pflags);
+	result = tpm1_get_permanent_flags(dev, &pflags);
 	if (result)
 		return result;
 	if (disable)
@@ -90,7 +91,7 @@ static int test_early_extend(struct udevice *dev)
 	tpm_init(dev);
 	TPM_CHECK(tpm_startup(dev, TPM_ST_CLEAR));
 	TPM_CHECK(tpm_continue_self_test(dev));
-	TPM_CHECK(tpm_extend(dev, 1, value_in, value_out));
+	TPM_CHECK(tpm_pcr_extend(dev, 1, value_in, value_out));
 	printf("done\n");
 	return 0;
 }
@@ -238,18 +239,18 @@ static void initialise_spaces(struct udevice *dev)
 	uint32_t perm = TPM_NV_PER_WRITE_STCLEAR | TPM_NV_PER_PPWRITE;
 
 	printf("\tInitialising spaces\n");
-	tpm_nv_set_locked(dev);  /* useful only the first time */
-	tpm_nv_define_space(dev, INDEX0, perm, 4);
+	tpm1_nv_set_locked(dev);  /* useful only the first time */
+	tpm1_nv_define_space(dev, INDEX0, perm, 4);
 	tpm_nv_write_value(dev, INDEX0, (uint8_t *)&zero, 4);
-	tpm_nv_define_space(dev, INDEX1, perm, 4);
+	tpm1_nv_define_space(dev, INDEX1, perm, 4);
 	tpm_nv_write_value(dev, INDEX1, (uint8_t *)&zero, 4);
-	tpm_nv_define_space(dev, INDEX2, perm, 4);
+	tpm1_nv_define_space(dev, INDEX2, perm, 4);
 	tpm_nv_write_value(dev, INDEX2, (uint8_t *)&zero, 4);
-	tpm_nv_define_space(dev, INDEX3, perm, 4);
+	tpm1_nv_define_space(dev, INDEX3, perm, 4);
 	tpm_nv_write_value(dev, INDEX3, (uint8_t *)&zero, 4);
 	perm = TPM_NV_PER_READ_STCLEAR | TPM_NV_PER_WRITE_STCLEAR |
 		TPM_NV_PER_PPWRITE;
-	tpm_nv_define_space(dev, INDEX_INITIALISED, perm, 1);
+	tpm1_nv_define_space(dev, INDEX_INITIALISED, perm, 1);
 }
 
 static int test_readonly(struct udevice *dev)
@@ -325,30 +326,33 @@ static int test_redefine_unowned(struct udevice *dev)
 
 	/* Redefines spaces a couple of times. */
 	perm = TPM_NV_PER_PPWRITE | TPM_NV_PER_GLOBALLOCK;
-	TPM_CHECK(tpm_nv_define_space(dev, INDEX0, perm, 2 * sizeof(uint32_t)));
-	TPM_CHECK(tpm_nv_define_space(dev, INDEX0, perm, sizeof(uint32_t)));
+	TPM_CHECK(tpm1_nv_define_space(dev, INDEX0, perm,
+				       2 * sizeof(uint32_t)));
+	TPM_CHECK(tpm1_nv_define_space(dev, INDEX0, perm, sizeof(uint32_t)));
 	perm = TPM_NV_PER_PPWRITE;
-	TPM_CHECK(tpm_nv_define_space(dev, INDEX1, perm, 2 * sizeof(uint32_t)));
-	TPM_CHECK(tpm_nv_define_space(dev, INDEX1, perm, sizeof(uint32_t)));
+	TPM_CHECK(tpm1_nv_define_space(dev, INDEX1, perm,
+				       2 * sizeof(uint32_t)));
+	TPM_CHECK(tpm1_nv_define_space(dev, INDEX1, perm, sizeof(uint32_t)));
 
 	/* Sets the global lock */
 	tpm_set_global_lock(dev);
 
 	/* Verifies that index0 cannot be redefined */
-	result = tpm_nv_define_space(dev, INDEX0, perm, sizeof(uint32_t));
+	result = tpm1_nv_define_space(dev, INDEX0, perm, sizeof(uint32_t));
 	assert(result == TPM_AREA_LOCKED);
 
 	/* Checks that index1 can */
-	TPM_CHECK(tpm_nv_define_space(dev, INDEX1, perm, 2 * sizeof(uint32_t)));
-	TPM_CHECK(tpm_nv_define_space(dev, INDEX1, perm, sizeof(uint32_t)));
+	TPM_CHECK(tpm1_nv_define_space(dev, INDEX1, perm,
+				       2 * sizeof(uint32_t)));
+	TPM_CHECK(tpm1_nv_define_space(dev, INDEX1, perm, sizeof(uint32_t)));
 
 	/* Turns off PP */
 	tpm_tsc_physical_presence(dev, PHYS_PRESENCE);
 
 	/* Verifies that neither index0 nor index1 can be redefined */
-	result = tpm_nv_define_space(dev, INDEX0, perm, sizeof(uint32_t));
+	result = tpm1_nv_define_space(dev, INDEX0, perm, sizeof(uint32_t));
 	assert(result == TPM_BAD_PRESENCE);
-	result = tpm_nv_define_space(dev, INDEX1, perm, sizeof(uint32_t));
+	result = tpm1_nv_define_space(dev, INDEX1, perm, sizeof(uint32_t));
 	assert(result == TPM_BAD_PRESENCE);
 
 	printf("done\n");
@@ -434,7 +438,7 @@ static int test_timing(struct udevice *dev)
 		   100);
 	TTPM_CHECK(tpm_nv_read_value(dev, INDEX0, (uint8_t *)&x, sizeof(x)),
 		   100);
-	TTPM_CHECK(tpm_extend(dev, 0, in, out), 200);
+	TTPM_CHECK(tpm_pcr_extend(dev, 0, in, out), 200);
 	TTPM_CHECK(tpm_set_global_lock(dev), 50);
 	TTPM_CHECK(tpm_tsc_physical_presence(dev, PHYS_PRESENCE), 100);
 	printf("done\n");
diff --git a/include/tpm-v1.h b/include/tpm-v1.h
index 59ad4aecf42..2e33ed4b949 100644
--- a/include/tpm-v1.h
+++ b/include/tpm-v1.h
@@ -287,7 +287,7 @@ struct __packed tpm_nv_data_public {
  * @param mode		TPM startup mode
  * @return return code of the operation
  */
-u32 tpm_startup(struct udevice *dev, enum tpm_startup_type mode);
+u32 tpm1_startup(struct udevice *dev, enum tpm_startup_type mode);
 
 /**
  * Issue a TPM_SelfTestFull command.
@@ -295,7 +295,7 @@ u32 tpm_startup(struct udevice *dev, enum tpm_startup_type mode);
  * @param dev		TPM device
  * @return return code of the operation
  */
-u32 tpm_self_test_full(struct udevice *dev);
+u32 tpm1_self_test_full(struct udevice *dev);
 
 /**
  * Issue a TPM_ContinueSelfTest command.
@@ -303,7 +303,7 @@ u32 tpm_self_test_full(struct udevice *dev);
  * @param dev		TPM device
  * @return return code of the operation
  */
-u32 tpm_continue_self_test(struct udevice *dev);
+u32 tpm1_continue_self_test(struct udevice *dev);
 
 /**
  * Issue a TPM_NV_DefineSpace command.  The implementation is limited
@@ -316,7 +316,7 @@ u32 tpm_continue_self_test(struct udevice *dev);
  * @param size		size of the area
  * @return return code of the operation
  */
-u32 tpm_nv_define_space(struct udevice *dev, u32 index, u32 perm, u32 size);
+u32 tpm1_nv_define_space(struct udevice *dev, u32 index, u32 perm, u32 size);
 
 /**
  * Issue a TPM_NV_ReadValue command.  This implementation is limited
@@ -329,7 +329,7 @@ u32 tpm_nv_define_space(struct udevice *dev, u32 index, u32 perm, u32 size);
  * @param count		size of output buffer
  * @return return code of the operation
  */
-u32 tpm_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count);
+u32 tpm1_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count);
 
 /**
  * Issue a TPM_NV_WriteValue command.  This implementation is limited
@@ -342,8 +342,8 @@ u32 tpm_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count);
  * @param length	length of data bytes of input buffer
  * @return return code of the operation
  */
-u32 tpm_nv_write_value(struct udevice *dev, u32 index, const void *data,
-		       u32 length);
+u32 tpm1_nv_write_value(struct udevice *dev, u32 index, const void *data,
+			u32 length);
 
 /**
  * Issue a TPM_Extend command.
@@ -356,8 +356,8 @@ u32 tpm_nv_write_value(struct udevice *dev, u32 index, const void *data,
  *			command
  * @return return code of the operation
  */
-u32 tpm_extend(struct udevice *dev, u32 index, const void *in_digest,
-	       void *out_digest);
+u32 tpm1_extend(struct udevice *dev, u32 index, const void *in_digest,
+		void *out_digest);
 
 /**
  * Issue a TPM_PCRRead command.
@@ -368,7 +368,7 @@ u32 tpm_extend(struct udevice *dev, u32 index, const void *in_digest,
  * @param count		size of output buffer
  * @return return code of the operation
  */
-u32 tpm_pcr_read(struct udevice *dev, u32 index, void *data, size_t count);
+u32 tpm1_pcr_read(struct udevice *dev, u32 index, void *data, size_t count);
 
 /**
  * Issue a TSC_PhysicalPresence command.  TPM physical presence flag
@@ -378,7 +378,7 @@ u32 tpm_pcr_read(struct udevice *dev, u32 index, void *data, size_t count);
  * @param presence	TPM physical presence flag
  * @return return code of the operation
  */
-u32 tpm_tsc_physical_presence(struct udevice *dev, u16 presence);
+u32 tpm1_tsc_physical_presence(struct udevice *dev, u16 presence);
 
 /**
  * Issue a TPM_ReadPubek command.
@@ -388,7 +388,7 @@ u32 tpm_tsc_physical_presence(struct udevice *dev, u16 presence);
  * @param count		size of output buffer
  * @return return code of the operation
  */
-u32 tpm_read_pubek(struct udevice *dev, void *data, size_t count);
+u32 tpm1_read_pubek(struct udevice *dev, void *data, size_t count);
 
 /**
  * Issue a TPM_ForceClear command.
@@ -396,7 +396,7 @@ u32 tpm_read_pubek(struct udevice *dev, void *data, size_t count);
  * @param dev		TPM device
  * @return return code of the operation
  */
-u32 tpm_force_clear(struct udevice *dev);
+u32 tpm1_force_clear(struct udevice *dev);
 
 /**
  * Issue a TPM_PhysicalEnable command.
@@ -404,7 +404,7 @@ u32 tpm_force_clear(struct udevice *dev);
  * @param dev		TPM device
  * @return return code of the operation
  */
-u32 tpm_physical_enable(struct udevice *dev);
+u32 tpm1_physical_enable(struct udevice *dev);
 
 /**
  * Issue a TPM_PhysicalDisable command.
@@ -412,7 +412,7 @@ u32 tpm_physical_enable(struct udevice *dev);
  * @param dev		TPM device
  * @return return code of the operation
  */
-u32 tpm_physical_disable(struct udevice *dev);
+u32 tpm1_physical_disable(struct udevice *dev);
 
 /**
  * Issue a TPM_PhysicalSetDeactivated command.
@@ -421,7 +421,7 @@ u32 tpm_physical_disable(struct udevice *dev);
  * @param state		boolean state of the deactivated flag
  * @return return code of the operation
  */
-u32 tpm_physical_set_deactivated(struct udevice *dev, u8 state);
+u32 tpm1_physical_set_deactivated(struct udevice *dev, u8 state);
 
 /**
  * Issue a TPM_GetCapability command.  This implementation is limited
@@ -435,8 +435,8 @@ u32 tpm_physical_set_deactivated(struct udevice *dev, u8 state);
  * @param count		size of output buffer
  * @return return code of the operation
  */
-u32 tpm_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
-		       void *cap, size_t count);
+u32 tpm1_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
+			void *cap, size_t count);
 
 /**
  * Issue a TPM_FlushSpecific command for a AUTH resource.
@@ -445,7 +445,7 @@ u32 tpm_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
  * @param auth_handle	handle of the auth session
  * @return return code of the operation
  */
-u32 tpm_terminate_auth_session(struct udevice *dev, u32 auth_handle);
+u32 tpm1_terminate_auth_session(struct udevice *dev, u32 auth_handle);
 
 /**
  * Issue a TPM_OIAP command to setup an object independent authorization
@@ -458,7 +458,7 @@ u32 tpm_terminate_auth_session(struct udevice *dev, u32 auth_handle);
  * @param auth_handle	pointer to the (new) auth handle or NULL.
  * @return return code of the operation
  */
-u32 tpm_oiap(struct udevice *dev, u32 *auth_handle);
+u32 tpm1_oiap(struct udevice *dev, u32 *auth_handle);
 
 /**
  * Ends an active OIAP session.
@@ -466,7 +466,7 @@ u32 tpm_oiap(struct udevice *dev, u32 *auth_handle);
  * @param dev		TPM device
  * @return return code of the operation
  */
-u32 tpm_end_oiap(struct udevice *dev);
+u32 tpm1_end_oiap(struct udevice *dev);
 
 /**
  * Issue a TPM_LoadKey2 (Auth1) command using an OIAP session for authenticating
@@ -480,9 +480,9 @@ u32 tpm_end_oiap(struct udevice *dev);
  * @param key_handle	pointer to the key handle
  * @return return code of the operation
  */
-u32 tpm_load_key2_oiap(struct udevice *dev, u32 parent_handle, const void *key,
-		       size_t key_length, const void *parent_key_usage_auth,
-		       u32 *key_handle);
+u32 tpm1_load_key2_oiap(struct udevice *dev, u32 parent_handle, const void *key,
+			size_t key_length, const void *parent_key_usage_auth,
+			u32 *key_handle);
 
 /**
  * Issue a TPM_GetPubKey (Auth1) command using an OIAP session for
@@ -498,9 +498,9 @@ u32 tpm_load_key2_oiap(struct udevice *dev, u32 parent_handle, const void *key,
  *			of the stored TPM_PUBKEY structure (iff pubkey != NULL).
  * @return return code of the operation
  */
-u32 tpm_get_pub_key_oiap(struct udevice *dev, u32 key_handle,
-			 const void *usage_auth, void *pubkey,
-			 size_t *pubkey_len);
+u32 tpm1_get_pub_key_oiap(struct udevice *dev, u32 key_handle,
+			  const void *usage_auth, void *pubkey,
+			  size_t *pubkey_len);
 
 /**
  * Get the TPM permanent flags value
@@ -509,8 +509,8 @@ u32 tpm_get_pub_key_oiap(struct udevice *dev, u32 key_handle,
  * @param pflags	Place to put permanent flags
  * @return return code of the operation
  */
-u32 tpm_get_permanent_flags(struct udevice *dev,
-			    struct tpm_permanent_flags *pflags);
+u32 tpm1_get_permanent_flags(struct udevice *dev,
+			     struct tpm_permanent_flags *pflags);
 
 /**
  * Get the TPM permissions
@@ -519,7 +519,7 @@ u32 tpm_get_permanent_flags(struct udevice *dev,
  * @param perm		Returns permissions value
  * @return return code of the operation
  */
-u32 tpm_get_permissions(struct udevice *dev, u32 index, u32 *perm);
+u32 tpm1_get_permissions(struct udevice *dev, u32 index, u32 *perm);
 
 /**
  * Flush a resource with a given handle and type from the TPM
@@ -529,7 +529,7 @@ u32 tpm_get_permissions(struct udevice *dev, u32 index, u32 *perm);
  * @param resource_type                type of the resource
  * @return return code of the operation
  */
-u32 tpm_flush_specific(struct udevice *dev, u32 key_handle, u32 resource_type);
+u32 tpm1_flush_specific(struct udevice *dev, u32 key_handle, u32 resource_type);
 
 #ifdef CONFIG_TPM_LOAD_KEY_BY_SHA1
 /**
@@ -541,8 +541,8 @@ u32 tpm_flush_specific(struct udevice *dev, u32 key_handle, u32 resource_type);
  * @param[out] handle	The handle of the key (Non-null iff found)
  * @return 0 if key was found in TPM; != 0 if not.
  */
-u32 tpm_find_key_sha1(struct udevice *dev, const u8 auth[20],
-		      const u8 pubkey_digest[20], u32 *handle);
+u32 tpm1_find_key_sha1(struct udevice *dev, const u8 auth[20],
+		       const u8 pubkey_digest[20], u32 *handle);
 #endif /* CONFIG_TPM_LOAD_KEY_BY_SHA1 */
 
 /**
@@ -555,7 +555,7 @@ u32 tpm_find_key_sha1(struct udevice *dev, const u8 auth[20],
  * @param count		size of output buffer
  * @return return code of the operation
  */
-u32 tpm_get_random(struct udevice *dev, void *data, u32 count);
+u32 tpm1_get_random(struct udevice *dev, void *data, u32 count);
 
 /**
  * tpm_finalise_physical_presence() - Finalise physical presence
@@ -563,15 +563,15 @@ u32 tpm_get_random(struct udevice *dev, void *data, u32 count);
  * @param dev		TPM device
  * @return return code of the operation (0 = success)
  */
-u32 tpm_finalise_physical_presence(struct udevice *dev);
+u32 tpm1_finalise_physical_presence(struct udevice *dev);
 
 /**
- * tpm_nv_set_locked() - lock the non-volatile space
+ * tpm_nv_enable_locking() - lock the non-volatile space
  *
  * @param dev		TPM device
  * @return return code of the operation (0 = success)
  */
-u32 tpm_nv_set_locked(struct udevice *dev);
+u32 tpm1_nv_set_locked(struct udevice *dev);
 
 /**
  * tpm_set_global_lock() - set the global lock
@@ -587,6 +587,6 @@ u32 tpm_set_global_lock(struct udevice *dev);
  * @param dev		TPM device
  * @return return code of the operation (0 = success)
  */
-u32 tpm_resume(struct udevice *dev);
+u32 tpm1_resume(struct udevice *dev);
 
 #endif /* __TPM_V1_H */
diff --git a/lib/Makefile b/lib/Makefile
index edc1c3dd4f9..c42d4e12335 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -53,6 +53,7 @@ endif
 obj-$(CONFIG_$(SPL_TPL_)TPM) += tpm-common.o
 ifeq ($(CONFIG_$(SPL_TPL_)TPM),y)
 obj-y += crc8.o
+obj-$(CONFIG_TPM) += tpm_api.o
 obj-$(CONFIG_TPM_V1) += tpm-v1.o
 obj-$(CONFIG_TPM_V2) += tpm-v2.o
 endif
diff --git a/lib/tpm-v1.c b/lib/tpm-v1.c
index a846fe00dd3..8dc144080ca 100644
--- a/lib/tpm-v1.c
+++ b/lib/tpm-v1.c
@@ -32,7 +32,7 @@ static struct session_data oiap_session = {0, };
 
 #endif /* CONFIG_TPM_AUTH_SESSIONS */
 
-u32 tpm_startup(struct udevice *dev, enum tpm_startup_type mode)
+u32 tpm1_startup(struct udevice *dev, enum tpm_startup_type mode)
 {
 	const u8 command[12] = {
 		0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x0,
@@ -48,12 +48,12 @@ u32 tpm_startup(struct udevice *dev, enum tpm_startup_type mode)
 	return tpm_sendrecv_command(dev, buf, NULL, NULL);
 }
 
-u32 tpm_resume(struct udevice *dev)
+u32 tpm1_resume(struct udevice *dev)
 {
-	return tpm_startup(dev, TPM_ST_STATE);
+	return tpm1_startup(dev, TPM_ST_STATE);
 }
 
-u32 tpm_self_test_full(struct udevice *dev)
+u32 tpm1_self_test_full(struct udevice *dev)
 {
 	const u8 command[10] = {
 		0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x50,
@@ -61,7 +61,7 @@ u32 tpm_self_test_full(struct udevice *dev)
 	return tpm_sendrecv_command(dev, command, NULL, NULL);
 }
 
-u32 tpm_continue_self_test(struct udevice *dev)
+u32 tpm1_continue_self_test(struct udevice *dev)
 {
 	const u8 command[10] = {
 		0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x53,
@@ -69,35 +69,33 @@ u32 tpm_continue_self_test(struct udevice *dev)
 	return tpm_sendrecv_command(dev, command, NULL, NULL);
 }
 
-u32 tpm_clear_and_reenable(struct udevice *dev)
+u32 tpm1_clear_and_reenable(struct udevice *dev)
 {
 	u32 ret;
 
 	log_info("TPM: Clear and re-enable\n");
-	ret = tpm_force_clear(dev);
+	ret = tpm1_force_clear(dev);
 	if (ret != TPM_SUCCESS) {
 		log_err("Can't initiate a force clear\n");
 		return ret;
 	}
 
-	if (tpm_get_version(dev) == TPM_V1) {
-		ret = tpm_physical_enable(dev);
-		if (ret != TPM_SUCCESS) {
-			log_err("TPM: Can't set enabled state\n");
-			return ret;
-		}
+	ret = tpm1_physical_enable(dev);
+	if (ret != TPM_SUCCESS) {
+		log_err("TPM: Can't set enabled state\n");
+		return ret;
+	}
 
-		ret = tpm_physical_set_deactivated(dev, 0);
-		if (ret != TPM_SUCCESS) {
-			log_err("TPM: Can't set deactivated state\n");
-			return ret;
-		}
+	ret = tpm1_physical_set_deactivated(dev, 0);
+	if (ret != TPM_SUCCESS) {
+		log_err("TPM: Can't set deactivated state\n");
+		return ret;
 	}
 
 	return TPM_SUCCESS;
 }
 
-u32 tpm_nv_define_space(struct udevice *dev, u32 index, u32 perm, u32 size)
+u32 tpm1_nv_define_space(struct udevice *dev, u32 index, u32 perm, u32 size)
 {
 	const u8 command[101] = {
 		0x0, 0xc1,		/* TPM_TAG */
@@ -140,12 +138,12 @@ u32 tpm_nv_define_space(struct udevice *dev, u32 index, u32 perm, u32 size)
 	return tpm_sendrecv_command(dev, buf, NULL, NULL);
 }
 
-u32 tpm_nv_set_locked(struct udevice *dev)
+u32 tpm1_nv_set_locked(struct udevice *dev)
 {
-	return tpm_nv_define_space(dev, TPM_NV_INDEX_LOCK, 0, 0);
+	return tpm1_nv_define_space(dev, TPM_NV_INDEX_LOCK, 0, 0);
 }
 
-u32 tpm_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count)
+u32 tpm1_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count)
 {
 	const u8 command[22] = {
 		0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0xcf,
@@ -179,8 +177,8 @@ u32 tpm_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count)
 	return 0;
 }
 
-u32 tpm_nv_write_value(struct udevice *dev, u32 index, const void *data,
-		       u32 length)
+u32 tpm1_nv_write_value(struct udevice *dev, u32 index, const void *data,
+			u32 length)
 {
 	const u8 command[256] = {
 		0x0, 0xc1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xcd,
@@ -210,13 +208,8 @@ u32 tpm_nv_write_value(struct udevice *dev, u32 index, const void *data,
 	return 0;
 }
 
-uint32_t tpm_set_global_lock(struct udevice *dev)
-{
-	return tpm_nv_write_value(dev, TPM_NV_INDEX_0, NULL, 0);
-}
-
-u32 tpm_extend(struct udevice *dev, u32 index, const void *in_digest,
-	       void *out_digest)
+u32 tpm1_extend(struct udevice *dev, u32 index, const void *in_digest,
+		void *out_digest)
 {
 	const u8 command[34] = {
 		0x0, 0xc1, 0x0, 0x0, 0x0, 0x22, 0x0, 0x0, 0x0, 0x14,
@@ -247,7 +240,7 @@ u32 tpm_extend(struct udevice *dev, u32 index, const void *in_digest,
 	return 0;
 }
 
-u32 tpm_pcr_read(struct udevice *dev, u32 index, void *data, size_t count)
+u32 tpm1_pcr_read(struct udevice *dev, u32 index, void *data, size_t count)
 {
 	const u8 command[14] = {
 		0x0, 0xc1, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x15,
@@ -275,7 +268,7 @@ u32 tpm_pcr_read(struct udevice *dev, u32 index, void *data, size_t count)
 	return 0;
 }
 
-u32 tpm_tsc_physical_presence(struct udevice *dev, u16 presence)
+u32 tpm1_tsc_physical_presence(struct udevice *dev, u16 presence)
 {
 	const u8 command[12] = {
 		0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x0,
@@ -291,7 +284,7 @@ u32 tpm_tsc_physical_presence(struct udevice *dev, u16 presence)
 	return tpm_sendrecv_command(dev, buf, NULL, NULL);
 }
 
-u32 tpm_finalise_physical_presence(struct udevice *dev)
+u32 tpm1_finalise_physical_presence(struct udevice *dev)
 {
 	const u8 command[12] = {
 		0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x2, 0xa0,
@@ -300,7 +293,7 @@ u32 tpm_finalise_physical_presence(struct udevice *dev)
 	return tpm_sendrecv_command(dev, command, NULL, NULL);
 }
 
-u32 tpm_read_pubek(struct udevice *dev, void *data, size_t count)
+u32 tpm1_read_pubek(struct udevice *dev, void *data, size_t count)
 {
 	const u8 command[30] = {
 		0x0, 0xc1, 0x0, 0x0, 0x0, 0x1e, 0x0, 0x0, 0x0, 0x7c,
@@ -331,7 +324,7 @@ u32 tpm_read_pubek(struct udevice *dev, void *data, size_t count)
 	return 0;
 }
 
-u32 tpm_force_clear(struct udevice *dev)
+u32 tpm1_force_clear(struct udevice *dev)
 {
 	const u8 command[10] = {
 		0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x5d,
@@ -340,7 +333,7 @@ u32 tpm_force_clear(struct udevice *dev)
 	return tpm_sendrecv_command(dev, command, NULL, NULL);
 }
 
-u32 tpm_physical_enable(struct udevice *dev)
+u32 tpm1_physical_enable(struct udevice *dev)
 {
 	const u8 command[10] = {
 		0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x6f,
@@ -349,7 +342,7 @@ u32 tpm_physical_enable(struct udevice *dev)
 	return tpm_sendrecv_command(dev, command, NULL, NULL);
 }
 
-u32 tpm_physical_disable(struct udevice *dev)
+u32 tpm1_physical_disable(struct udevice *dev)
 {
 	const u8 command[10] = {
 		0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x70,
@@ -358,7 +351,7 @@ u32 tpm_physical_disable(struct udevice *dev)
 	return tpm_sendrecv_command(dev, command, NULL, NULL);
 }
 
-u32 tpm_physical_set_deactivated(struct udevice *dev, u8 state)
+u32 tpm1_physical_set_deactivated(struct udevice *dev, u8 state)
 {
 	const u8 command[11] = {
 		0x0, 0xc1, 0x0, 0x0, 0x0, 0xb, 0x0, 0x0, 0x0, 0x72,
@@ -374,8 +367,8 @@ u32 tpm_physical_set_deactivated(struct udevice *dev, u8 state)
 	return tpm_sendrecv_command(dev, buf, NULL, NULL);
 }
 
-u32 tpm_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
-		       void *cap, size_t count)
+u32 tpm1_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
+			void *cap, size_t count)
 {
 	const u8 command[22] = {
 		0x0, 0xc1,		/* TPM_TAG */
@@ -414,8 +407,8 @@ u32 tpm_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
 	return 0;
 }
 
-u32 tpm_get_permanent_flags(struct udevice *dev,
-			    struct tpm_permanent_flags *pflags)
+u32 tpm1_get_permanent_flags(struct udevice *dev,
+			     struct tpm_permanent_flags *pflags)
 {
 	const u8 command[22] = {
 		0x0, 0xc1,		/* TPM_TAG */
@@ -453,7 +446,7 @@ u32 tpm_get_permanent_flags(struct udevice *dev,
 	return 0;
 }
 
-u32 tpm_get_permissions(struct udevice *dev, u32 index, u32 *perm)
+u32 tpm1_get_permissions(struct udevice *dev, u32 index, u32 *perm)
 {
 	const u8 command[22] = {
 		0x0, 0xc1,		/* TPM_TAG */
@@ -482,7 +475,7 @@ u32 tpm_get_permissions(struct udevice *dev, u32 index, u32 *perm)
 }
 
 #ifdef CONFIG_TPM_FLUSH_RESOURCES
-u32 tpm_flush_specific(struct udevice *dev, u32 key_handle, u32 resource_type)
+u32 tpm1_flush_specific(struct udevice *dev, u32 key_handle, u32 resource_type)
 {
 	const u8 command[18] = {
 		0x00, 0xc1,             /* TPM_TAG */
@@ -641,7 +634,7 @@ static u32 verify_response_auth(u32 command_code, const void *response,
 	return TPM_SUCCESS;
 }
 
-u32 tpm_terminate_auth_session(struct udevice *dev, u32 auth_handle)
+u32 tpm1_terminate_auth_session(struct udevice *dev, u32 auth_handle)
 {
 	const u8 command[18] = {
 		0x00, 0xc1,		/* TPM_TAG */
@@ -663,16 +656,16 @@ u32 tpm_terminate_auth_session(struct udevice *dev, u32 auth_handle)
 	return tpm_sendrecv_command(dev, request, NULL, NULL);
 }
 
-u32 tpm_end_oiap(struct udevice *dev)
+u32 tpm1_end_oiap(struct udevice *dev)
 {
 	u32 err = TPM_SUCCESS;
 
 	if (oiap_session.valid)
-		err = tpm_terminate_auth_session(dev, oiap_session.handle);
+		err = tpm1_terminate_auth_session(dev, oiap_session.handle);
 	return err;
 }
 
-u32 tpm_oiap(struct udevice *dev, u32 *auth_handle)
+u32 tpm1_oiap(struct udevice *dev, u32 *auth_handle)
 {
 	const u8 command[10] = {
 		0x00, 0xc1,		/* TPM_TAG */
@@ -686,7 +679,7 @@ u32 tpm_oiap(struct udevice *dev, u32 *auth_handle)
 	u32 err;
 
 	if (oiap_session.valid)
-		tpm_terminate_auth_session(dev, oiap_session.handle);
+		tpm1_terminate_auth_session(dev, oiap_session.handle);
 
 	err = tpm_sendrecv_command(dev, command, response, &response_length);
 	if (err)
@@ -702,9 +695,9 @@ u32 tpm_oiap(struct udevice *dev, u32 *auth_handle)
 	return 0;
 }
 
-u32 tpm_load_key2_oiap(struct udevice *dev, u32 parent_handle, const void *key,
-		       size_t key_length, const void *parent_key_usage_auth,
-		       u32 *key_handle)
+u32 tpm1_load_key2_oiap(struct udevice *dev, u32 parent_handle, const void *key,
+			size_t key_length, const void *parent_key_usage_auth,
+			u32 *key_handle)
 {
 	const u8 command[14] = {
 		0x00, 0xc2,		/* TPM_TAG */
@@ -723,7 +716,7 @@ u32 tpm_load_key2_oiap(struct udevice *dev, u32 parent_handle, const void *key,
 	u32 err;
 
 	if (!oiap_session.valid) {
-		err = tpm_oiap(dev, NULL);
+		err = tpm1_oiap(dev, NULL);
 		if (err)
 			return err;
 	}
@@ -768,9 +761,9 @@ u32 tpm_load_key2_oiap(struct udevice *dev, u32 parent_handle, const void *key,
 	return 0;
 }
 
-u32 tpm_get_pub_key_oiap(struct udevice *dev, u32 key_handle,
-			 const void *usage_auth, void *pubkey,
-			 size_t *pubkey_len)
+u32 tpm1_get_pub_key_oiap(struct udevice *dev, u32 key_handle,
+			  const void *usage_auth, void *pubkey,
+			  size_t *pubkey_len)
 {
 	const u8 command[14] = {
 		0x00, 0xc2,		/* TPM_TAG */
@@ -788,7 +781,7 @@ u32 tpm_get_pub_key_oiap(struct udevice *dev, u32 key_handle,
 	u32 err;
 
 	if (!oiap_session.valid) {
-		err = tpm_oiap(dev, NULL);
+		err = tpm1_oiap(dev, NULL);
 		if (err)
 			return err;
 	}
@@ -834,8 +827,8 @@ u32 tpm_get_pub_key_oiap(struct udevice *dev, u32 key_handle,
 }
 
 #ifdef CONFIG_TPM_LOAD_KEY_BY_SHA1
-u32 tpm_find_key_sha1(struct udevice *dev, const u8 auth[20],
-		      const u8 pubkey_digest[20], u32 *handle)
+u32 tpm1_find_key_sha1(struct udevice *dev, const u8 auth[20],
+		       const u8 pubkey_digest[20], u32 *handle)
 {
 	u16 key_count;
 	u32 key_handles[10];
@@ -876,7 +869,7 @@ u32 tpm_find_key_sha1(struct udevice *dev, const u8 auth[20],
 
 #endif /* CONFIG_TPM_AUTH_SESSIONS */
 
-u32 tpm_get_random(struct udevice *dev, void *data, u32 count)
+u32 tpm1_get_random(struct udevice *dev, void *data, u32 count)
 {
 	const u8 command[14] = {
 		0x0, 0xc1,		/* TPM_TAG */
-- 
2.30.0.478.g8a0d178c01-goog

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [PATCH v4 06/11] tpm: Add a basic API implementation for TPMv2
  2021-02-06 21:23 [PATCH v4 00/11] tpm: Support using TPM1 and TPM2 from a single API Simon Glass
                   ` (4 preceding siblings ...)
  2021-02-06 21:23 ` [PATCH v4 05/11] tpm: Switch TPMv1 over to use the new API Simon Glass
@ 2021-02-06 21:23 ` Simon Glass
  2021-03-03 19:11   ` Tom Rini
  2021-02-06 21:23 ` [PATCH v4 07/11] tpm: Reduce duplication in a few functions Simon Glass
                   ` (4 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Simon Glass @ 2021-02-06 21:23 UTC (permalink / raw)
  To: u-boot

Add support for TPMv2 versions of API functions. So far this is not
complete as the standard is quite large, but it implements everything
currently available for TPMv2 in U-Boot.

Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---

(no changes since v1)

 lib/tpm_api.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 77 insertions(+), 7 deletions(-)

diff --git a/lib/tpm_api.c b/lib/tpm_api.c
index 758350bd18d..f1553512cc5 100644
--- a/lib/tpm_api.c
+++ b/lib/tpm_api.c
@@ -16,18 +16,41 @@ static bool is_tpm1(struct udevice *dev)
 	return IS_ENABLED(CONFIG_TPM_V1) && tpm_get_version(dev) == TPM_V1;
 }
 
+static bool is_tpm2(struct udevice *dev)
+{
+	return IS_ENABLED(CONFIG_TPM_V2) && tpm_get_version(dev) == TPM_V2;
+}
+
 u32 tpm_startup(struct udevice *dev, enum tpm_startup_type mode)
 {
-	if (is_tpm1(dev))
+	if (is_tpm1(dev)) {
 		return tpm1_startup(dev, mode);
-	else
+	} else if (is_tpm2(dev)) {
+		enum tpm2_startup_types type;
+
+		switch (mode) {
+		case TPM_ST_CLEAR:
+			type = TPM2_SU_CLEAR;
+			break;
+		case TPM_ST_STATE:
+			type = TPM2_SU_STATE;
+			break;
+		default:
+		case TPM_ST_DEACTIVATED:
+			return -EINVAL;
+		}
+		return tpm2_startup(dev, type);
+	} else {
 		return -ENOSYS;
+	}
 }
 
 u32 tpm_resume(struct udevice *dev)
 {
 	if (is_tpm1(dev))
 		return tpm1_startup(dev, TPM_ST_STATE);
+	else if (is_tpm2(dev))
+		return tpm2_startup(dev, TPM2_SU_STATE);
 	else
 		return -ENOSYS;
 }
@@ -36,6 +59,8 @@ u32 tpm_self_test_full(struct udevice *dev)
 {
 	if (is_tpm1(dev))
 		return tpm1_self_test_full(dev);
+	else if (is_tpm2(dev))
+		return tpm2_self_test(dev, TPMI_YES);
 	else
 		return -ENOSYS;
 }
@@ -44,6 +69,8 @@ u32 tpm_continue_self_test(struct udevice *dev)
 {
 	if (is_tpm1(dev))
 		return tpm1_continue_self_test(dev);
+	else if (is_tpm2(dev))
+		return tpm2_self_test(dev, TPMI_NO);
 	else
 		return -ENOSYS;
 }
@@ -71,8 +98,6 @@ u32 tpm_clear_and_reenable(struct udevice *dev)
 			log_err("TPM: Can't set deactivated state\n");
 			return ret;
 		}
-	} else {
-		return -ENOSYS;
 	}
 
 	return TPM_SUCCESS;
@@ -82,6 +107,8 @@ u32 tpm_nv_enable_locking(struct udevice *dev)
 {
 	if (is_tpm1(dev))
 		return tpm1_nv_define_space(dev, TPM_NV_INDEX_LOCK, 0, 0);
+	else if (is_tpm2(dev))
+		return -ENOSYS;
 	else
 		return -ENOSYS;
 }
@@ -90,6 +117,8 @@ u32 tpm_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count)
 {
 	if (is_tpm1(dev))
 		return tpm1_nv_read_value(dev, index, data, count);
+	else if (is_tpm2(dev))
+		return -ENOSYS;
 	else
 		return -ENOSYS;
 }
@@ -99,6 +128,8 @@ u32 tpm_nv_write_value(struct udevice *dev, u32 index, const void *data,
 {
 	if (is_tpm1(dev))
 		return tpm1_nv_write_value(dev, index, data, count);
+	else if (is_tpm2(dev))
+		return -ENOSYS;
 	else
 		return -ENOSYS;
 }
@@ -112,6 +143,8 @@ u32 tpm_write_lock(struct udevice *dev, u32 index)
 {
 	if (is_tpm1(dev))
 		return -ENOSYS;
+	else if (is_tpm2(dev))
+		return -ENOSYS;
 	else
 		return -ENOSYS;
 }
@@ -121,6 +154,9 @@ u32 tpm_pcr_extend(struct udevice *dev, u32 index, const void *in_digest,
 {
 	if (is_tpm1(dev))
 		return tpm1_extend(dev, index, in_digest, out_digest);
+	else if (is_tpm2(dev))
+		return tpm2_pcr_extend(dev, index, TPM2_ALG_SHA256, in_digest,
+				       TPM2_DIGEST_LEN);
 	else
 		return -ENOSYS;
 }
@@ -129,6 +165,8 @@ u32 tpm_pcr_read(struct udevice *dev, u32 index, void *data, size_t count)
 {
 	if (is_tpm1(dev))
 		return tpm1_pcr_read(dev, index, data, count);
+	else if (is_tpm2(dev))
+		return -ENOSYS;
 	else
 		return -ENOSYS;
 }
@@ -137,6 +175,13 @@ u32 tpm_tsc_physical_presence(struct udevice *dev, u16 presence)
 {
 	if (is_tpm1(dev))
 		return tpm1_tsc_physical_presence(dev, presence);
+
+	/*
+	 * Nothing to do on TPM2 for this; use platform hierarchy availability
+	 * instead.
+	 */
+	else if (is_tpm2(dev))
+		return 0;
 	else
 		return -ENOSYS;
 }
@@ -145,6 +190,10 @@ u32 tpm_finalise_physical_presence(struct udevice *dev)
 {
 	if (is_tpm1(dev))
 		return tpm1_finalise_physical_presence(dev);
+
+	/* Nothing needs to be done with tpm2 */
+	else if (is_tpm2(dev))
+		return 0;
 	else
 		return -ENOSYS;
 }
@@ -153,14 +202,18 @@ u32 tpm_read_pubek(struct udevice *dev, void *data, size_t count)
 {
 	if (is_tpm1(dev))
 		return tpm1_read_pubek(dev, data, count);
-	else
+	else if (is_tpm2(dev))
 		return -ENOSYS; /* not implemented yet */
+	else
+		return -ENOSYS;
 }
 
 u32 tpm_force_clear(struct udevice *dev)
 {
 	if (is_tpm1(dev))
 		return tpm1_force_clear(dev);
+	else if (is_tpm2(dev))
+		return tpm2_clear(dev, TPM2_RH_PLATFORM, NULL, 0);
 	else
 		return -ENOSYS;
 }
@@ -169,6 +222,10 @@ u32 tpm_physical_enable(struct udevice *dev)
 {
 	if (is_tpm1(dev))
 		return tpm1_physical_enable(dev);
+
+	/* Nothing needs to be done with tpm2 */
+	else if (is_tpm2(dev))
+		return 0;
 	else
 		return -ENOSYS;
 }
@@ -177,6 +234,10 @@ u32 tpm_physical_disable(struct udevice *dev)
 {
 	if (is_tpm1(dev))
 		return tpm1_physical_disable(dev);
+
+	/* Nothing needs to be done with tpm2 */
+	else if (is_tpm2(dev))
+		return 0;
 	else
 		return -ENOSYS;
 }
@@ -185,6 +246,9 @@ u32 tpm_physical_set_deactivated(struct udevice *dev, u8 state)
 {
 	if (is_tpm1(dev))
 		return tpm1_physical_set_deactivated(dev, state);
+	/* Nothing needs to be done with tpm2 */
+	else if (is_tpm2(dev))
+		return 0;
 	else
 		return -ENOSYS;
 }
@@ -194,6 +258,8 @@ u32 tpm_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
 {
 	if (is_tpm1(dev))
 		return tpm1_get_capability(dev, cap_area, sub_cap, cap, count);
+	else if (is_tpm2(dev))
+		return tpm2_get_capability(dev, cap_area, sub_cap, cap, count);
 	else
 		return -ENOSYS;
 }
@@ -202,14 +268,18 @@ u32 tpm_get_permissions(struct udevice *dev, u32 index, u32 *perm)
 {
 	if (is_tpm1(dev))
 		return tpm1_get_permissions(dev, index, perm);
-	else
+	else if (is_tpm2(dev))
 		return -ENOSYS; /* not implemented yet */
+	else
+		return -ENOSYS;
 }
 
 u32 tpm_get_random(struct udevice *dev, void *data, u32 count)
 {
 	if (is_tpm1(dev))
 		return tpm1_get_random(dev, data, count);
-	else
+	else if (is_tpm2(dev))
 		return -ENOSYS; /* not implemented yet */
+	else
+		return -ENOSYS;
 }
-- 
2.30.0.478.g8a0d178c01-goog

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [PATCH v4 07/11] tpm: Reduce duplication in a few functions
  2021-02-06 21:23 [PATCH v4 00/11] tpm: Support using TPM1 and TPM2 from a single API Simon Glass
                   ` (5 preceding siblings ...)
  2021-02-06 21:23 ` [PATCH v4 06/11] tpm: Add a basic API implementation for TPMv2 Simon Glass
@ 2021-02-06 21:23 ` Simon Glass
  2021-03-03 19:11   ` Tom Rini
  2021-02-06 21:23 ` [PATCH v4 08/11] tpm: Add an implementation of define_space Simon Glass
                   ` (3 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Simon Glass @ 2021-02-06 21:23 UTC (permalink / raw)
  To: u-boot

Update tpm2_clear() and tpm2_pcr_extend() so that the command size
is not repeated twice. Add a small comment to the latter.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---

(no changes since v2)

Changes in v2:
- Add comments for the offset value

 lib/tpm-v2.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
index 1f3deb06e48..c4e869ec5b5 100644
--- a/lib/tpm-v2.c
+++ b/lib/tpm-v2.c
@@ -47,9 +47,11 @@ u32 tpm2_self_test(struct udevice *dev, enum tpm2_yes_no full_test)
 u32 tpm2_clear(struct udevice *dev, u32 handle, const char *pw,
 	       const ssize_t pw_sz)
 {
+	/* Length of the message header, up to start of password */
+	uint offset = 27;
 	u8 command_v2[COMMAND_BUFFER_SIZE] = {
 		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
-		tpm_u32(27 + pw_sz),		/* Length */
+		tpm_u32(offset + pw_sz),	/* Length */
 		tpm_u32(TPM2_CC_CLEAR),		/* Command code */
 
 		/* HANDLE */
@@ -64,7 +66,6 @@ u32 tpm2_clear(struct udevice *dev, u32 handle, const char *pw,
 		tpm_u16(pw_sz),			/* Size of <hmac/password> */
 		/* STRING(pw)			   <hmac/password> (if any) */
 	};
-	unsigned int offset = 27;
 	int ret;
 
 	/*
@@ -83,9 +84,11 @@ u32 tpm2_clear(struct udevice *dev, u32 handle, const char *pw,
 u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
 		    const u8 *digest, u32 digest_len)
 {
+	/* Length of the message header, up to start of digest */
+	uint offset = 33;
 	u8 command_v2[COMMAND_BUFFER_SIZE] = {
 		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
-		tpm_u32(33 + digest_len),	/* Length */
+		tpm_u32(offset + digest_len),	/* Length */
 		tpm_u32(TPM2_CC_PCR_EXTEND),	/* Command code */
 
 		/* HANDLE */
@@ -99,11 +102,12 @@ u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
 		0,				/* Attributes: Cont/Excl/Rst */
 		tpm_u16(0),			/* Size of <hmac/password> */
 						/* <hmac/password> (if any) */
+
+		/* hashes */
 		tpm_u32(1),			/* Count (number of hashes) */
 		tpm_u16(algorithm),	/* Algorithm of the hash */
 		/* STRING(digest)		   Digest */
 	};
-	unsigned int offset = 33;
 	int ret;
 
 	/*
@@ -112,7 +116,6 @@ u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
 	 */
 	ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
 			       offset, digest, digest_len);
-	offset += digest_len;
 	if (ret)
 		return TPM_LIB_ERROR;
 
-- 
2.30.0.478.g8a0d178c01-goog

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [PATCH v4 08/11] tpm: Add an implementation of define_space
  2021-02-06 21:23 [PATCH v4 00/11] tpm: Support using TPM1 and TPM2 from a single API Simon Glass
                   ` (6 preceding siblings ...)
  2021-02-06 21:23 ` [PATCH v4 07/11] tpm: Reduce duplication in a few functions Simon Glass
@ 2021-02-06 21:23 ` Simon Glass
  2021-02-07 11:44   ` Ilias Apalodimas
  2021-03-03 19:11   ` Tom Rini
  2021-02-06 21:23 ` [PATCH v4 09/11] tpm: Add TPM2 support for read/write values Simon Glass
                   ` (2 subsequent siblings)
  10 siblings, 2 replies; 25+ messages in thread
From: Simon Glass @ 2021-02-06 21:23 UTC (permalink / raw)
  To: u-boot

Add support for this so that the TPM can be set up for use with
Chromium OS verified boot.

Signed-off-by: Simon Glass <sjg@chromium.org>
---

Changes in v4:
- Drop unnecessary update of offset

Changes in v3:
- Add a comment to the offset and fix up the value

 include/tpm-v2.h | 18 ++++++++++++++++++
 lib/tpm-v2.c     | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+)

diff --git a/include/tpm-v2.h b/include/tpm-v2.h
index fab6b86ca2f..2766dc72a65 100644
--- a/include/tpm-v2.h
+++ b/include/tpm-v2.h
@@ -238,6 +238,7 @@ enum tpm2_command_codes {
 	TPM2_CC_CLEAR		= 0x0126,
 	TPM2_CC_CLEARCONTROL	= 0x0127,
 	TPM2_CC_HIERCHANGEAUTH	= 0x0129,
+	TPM2_CC_NV_DEFINE_SPACE	= 0x012a,
 	TPM2_CC_PCR_SETAUTHPOL	= 0x012C,
 	TPM2_CC_DAM_RESET	= 0x0139,
 	TPM2_CC_DAM_PARAMETERS	= 0x013A,
@@ -386,6 +387,23 @@ u32 tpm2_self_test(struct udevice *dev, enum tpm2_yes_no full_test);
 u32 tpm2_clear(struct udevice *dev, u32 handle, const char *pw,
 	       const ssize_t pw_sz);
 
+/**
+ * Issue a TPM_NV_DefineSpace command
+ *
+ * This allows a space to be defined with given attributes and policy
+ *
+ * @dev			TPM device
+ * @space_index		index of the area
+ * @space_size		size of area in bytes
+ * @nv_attributes	TPM_NV_ATTRIBUTES of the area
+ * @nv_policy		policy to use
+ * @nv_policy_size	size of the policy
+ * @return return code of the operation
+ */
+u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index,
+			 size_t space_size, u32 nv_attributes,
+			 const u8 *nv_policy, size_t nv_policy_size);
+
 /**
  * Issue a TPM2_PCR_Extend command.
  *
diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
index c4e869ec5b5..e9bf4018fed 100644
--- a/lib/tpm-v2.c
+++ b/lib/tpm-v2.c
@@ -81,6 +81,53 @@ u32 tpm2_clear(struct udevice *dev, u32 handle, const char *pw,
 	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
 }
 
+u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index,
+			 size_t space_size, u32 nv_attributes,
+			 const u8 *nv_policy, size_t nv_policy_size)
+{
+	/*
+	 * Calculate the offset of the nv_policy piece by adding each of the
+	 * chunks below.
+	 */
+	uint offset = 10 + 8 + 13 + 14;
+	u8 command_v2[COMMAND_BUFFER_SIZE] = {
+		/* header 10 bytes */
+		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
+		tpm_u32(offset + nv_policy_size),/* Length */
+		tpm_u32(TPM2_CC_NV_DEFINE_SPACE),/* Command code */
+
+		/* handles 8 bytes */
+		tpm_u32(TPM2_RH_PLATFORM),	/* Primary platform seed */
+
+		/* session header 13 bytes */
+		tpm_u32(9),			/* Header size */
+		tpm_u32(TPM2_RS_PW),		/* Password authorisation */
+		tpm_u16(0),			/* nonce_size */
+		0,				/* session_attrs */
+		tpm_u16(0),			/* auth_size */
+
+		/* message 14 bytes + policy */
+		tpm_u16(12 + nv_policy_size),	/* size */
+		tpm_u32(space_index),
+		tpm_u16(TPM2_ALG_SHA256),
+		tpm_u32(nv_attributes),
+		tpm_u16(nv_policy_size),
+		/* nv_policy */
+	};
+	int ret;
+
+	/*
+	 * Fill the command structure starting from the first buffer:
+	 *     - the password (if any)
+	 */
+	ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
+			       offset, nv_policy, nv_policy_size);
+	if (ret)
+		return TPM_LIB_ERROR;
+
+	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
+}
+
 u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
 		    const u8 *digest, u32 digest_len)
 {
-- 
2.30.0.478.g8a0d178c01-goog

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [PATCH v4 09/11] tpm: Add TPM2 support for read/write values
  2021-02-06 21:23 [PATCH v4 00/11] tpm: Support using TPM1 and TPM2 from a single API Simon Glass
                   ` (7 preceding siblings ...)
  2021-02-06 21:23 ` [PATCH v4 08/11] tpm: Add an implementation of define_space Simon Glass
@ 2021-02-06 21:23 ` Simon Glass
  2021-03-03 19:11   ` Tom Rini
  2021-02-06 21:23 ` [PATCH v4 10/11] tpm: Add TPM2 support for write_lock Simon Glass
  2021-02-06 21:23 ` [PATCH v4 11/11] tpm: Allow disabling platform hierarchy with TPM2 Simon Glass
  10 siblings, 1 reply; 25+ messages in thread
From: Simon Glass @ 2021-02-06 21:23 UTC (permalink / raw)
  To: u-boot

Implement this API function for TPM2.

Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---

(no changes since v1)

 include/tpm-common.h |  3 ++
 include/tpm-v2.h     | 38 ++++++++++++++++++++
 lib/tpm-v2.c         | 84 ++++++++++++++++++++++++++++++++++++++++++++
 lib/tpm_api.c        |  4 +--
 4 files changed, 127 insertions(+), 2 deletions(-)

diff --git a/include/tpm-common.h b/include/tpm-common.h
index e29b10b1766..080183779b3 100644
--- a/include/tpm-common.h
+++ b/include/tpm-common.h
@@ -53,6 +53,8 @@ enum tpm_version {
  * @buf:		Buffer used during the exchanges with the chip
  * @pcr_count:		Number of PCR per bank
  * @pcr_select_min:	Minimum size in bytes of the pcrSelect array
+ * @plat_hier_disabled:	Platform hierarchy has been disabled (TPM is locked
+ *			down until next reboot)
  */
 struct tpm_chip_priv {
 	enum tpm_version version;
@@ -64,6 +66,7 @@ struct tpm_chip_priv {
 	/* TPM v2 specific data */
 	uint pcr_count;
 	uint pcr_select_min;
+	bool plat_hier_disabled;
 };
 
 /**
diff --git a/include/tpm-v2.h b/include/tpm-v2.h
index 2766dc72a65..6a400771af1 100644
--- a/include/tpm-v2.h
+++ b/include/tpm-v2.h
@@ -240,6 +240,7 @@ enum tpm2_command_codes {
 	TPM2_CC_HIERCHANGEAUTH	= 0x0129,
 	TPM2_CC_NV_DEFINE_SPACE	= 0x012a,
 	TPM2_CC_PCR_SETAUTHPOL	= 0x012C,
+	TPM2_CC_NV_WRITE	= 0x0137,
 	TPM2_CC_DAM_RESET	= 0x0139,
 	TPM2_CC_DAM_PARAMETERS	= 0x013A,
 	TPM2_CC_NV_READ         = 0x014E,
@@ -354,6 +355,20 @@ enum {
 	TPM_MAX_BUF_SIZE	= 1260,
 };
 
+enum {
+	/* Secure storage for firmware settings */
+	TPM_HT_PCR = 0,
+	TPM_HT_NV_INDEX,
+	TPM_HT_HMAC_SESSION,
+	TPM_HT_POLICY_SESSION,
+
+	HR_SHIFT		= 24,
+	HR_PCR			= TPM_HT_PCR << HR_SHIFT,
+	HR_HMAC_SESSION		= TPM_HT_HMAC_SESSION << HR_SHIFT,
+	HR_POLICY_SESSION	= TPM_HT_POLICY_SESSION << HR_SHIFT,
+	HR_NV_INDEX		= TPM_HT_NV_INDEX << HR_SHIFT,
+};
+
 /**
  * Issue a TPM2_Startup command.
  *
@@ -418,6 +433,29 @@ u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index,
 u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
 		    const u8 *digest, u32 digest_len);
 
+/**
+ * Read data from the secure storage
+ *
+ * @dev		TPM device
+ * @index	Index of data to read
+ * @data	Place to put data
+ * @count	Number of bytes of data
+ * @return code of the operation
+ */
+u32 tpm2_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count);
+
+/**
+ * Write data to the secure storage
+ *
+ * @dev		TPM device
+ * @index	Index of data to write
+ * @data	Data to write
+ * @count	Number of bytes of data
+ * @return code of the operation
+ */
+u32 tpm2_nv_write_value(struct udevice *dev, u32 index, const void *data,
+			u32 count);
+
 /**
  * Issue a TPM2_PCR_Read command.
  *
diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
index e9bf4018fed..9f1699131e1 100644
--- a/lib/tpm-v2.c
+++ b/lib/tpm-v2.c
@@ -169,6 +169,90 @@ u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
 	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
 }
 
+u32 tpm2_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count)
+{
+	u8 command_v2[COMMAND_BUFFER_SIZE] = {
+		/* header 10 bytes */
+		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
+		tpm_u32(10 + 8 + 4 + 9 + 4),	/* Length */
+		tpm_u32(TPM2_CC_NV_READ),	/* Command code */
+
+		/* handles 8 bytes */
+		tpm_u32(TPM2_RH_PLATFORM),	/* Primary platform seed */
+		tpm_u32(HR_NV_INDEX + index),	/* Password authorisation */
+
+		/* AUTH_SESSION */
+		tpm_u32(9),			/* Authorization size */
+		tpm_u32(TPM2_RS_PW),		/* Session handle */
+		tpm_u16(0),			/* Size of <nonce> */
+						/* <nonce> (if any) */
+		0,				/* Attributes: Cont/Excl/Rst */
+		tpm_u16(0),			/* Size of <hmac/password> */
+						/* <hmac/password> (if any) */
+
+		tpm_u16(count),			/* Number of bytes */
+		tpm_u16(0),			/* Offset */
+	};
+	size_t response_len = COMMAND_BUFFER_SIZE;
+	u8 response[COMMAND_BUFFER_SIZE];
+	int ret;
+	u16 tag;
+	u32 size, code;
+
+	ret = tpm_sendrecv_command(dev, command_v2, response, &response_len);
+	if (ret)
+		return log_msg_ret("read", ret);
+	if (unpack_byte_string(response, response_len, "wdds",
+			       0, &tag, 2, &size, 6, &code,
+			       16, data, count))
+		return TPM_LIB_ERROR;
+
+	return 0;
+}
+
+u32 tpm2_nv_write_value(struct udevice *dev, u32 index, const void *data,
+			u32 count)
+{
+	struct tpm_chip_priv *priv = dev_get_uclass_priv(dev);
+	uint offset = 10 + 8 + 4 + 9 + 2;
+	uint len = offset + count + 2;
+	/* Use empty password auth if platform hierarchy is disabled */
+	u32 auth = priv->plat_hier_disabled ? HR_NV_INDEX + index :
+		TPM2_RH_PLATFORM;
+	u8 command_v2[COMMAND_BUFFER_SIZE] = {
+		/* header 10 bytes */
+		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
+		tpm_u32(len),			/* Length */
+		tpm_u32(TPM2_CC_NV_WRITE),	/* Command code */
+
+		/* handles 8 bytes */
+		tpm_u32(auth),			/* Primary platform seed */
+		tpm_u32(HR_NV_INDEX + index),	/* Password authorisation */
+
+		/* AUTH_SESSION */
+		tpm_u32(9),			/* Authorization size */
+		tpm_u32(TPM2_RS_PW),		/* Session handle */
+		tpm_u16(0),			/* Size of <nonce> */
+						/* <nonce> (if any) */
+		0,				/* Attributes: Cont/Excl/Rst */
+		tpm_u16(0),			/* Size of <hmac/password> */
+						/* <hmac/password> (if any) */
+
+		tpm_u16(count),
+	};
+	size_t response_len = COMMAND_BUFFER_SIZE;
+	u8 response[COMMAND_BUFFER_SIZE];
+	int ret;
+
+	ret = pack_byte_string(command_v2, sizeof(command_v2), "sw",
+			       offset, data, count,
+			       offset + count, 0);
+	if (ret)
+		return TPM_LIB_ERROR;
+
+	return tpm_sendrecv_command(dev, command_v2, response, &response_len);
+}
+
 u32 tpm2_pcr_read(struct udevice *dev, u32 idx, unsigned int idx_min_sz,
 		  void *data, unsigned int *updates)
 {
diff --git a/lib/tpm_api.c b/lib/tpm_api.c
index f1553512cc5..687fc8bc7ee 100644
--- a/lib/tpm_api.c
+++ b/lib/tpm_api.c
@@ -118,7 +118,7 @@ u32 tpm_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count)
 	if (is_tpm1(dev))
 		return tpm1_nv_read_value(dev, index, data, count);
 	else if (is_tpm2(dev))
-		return -ENOSYS;
+		return tpm2_nv_read_value(dev, index, data, count);
 	else
 		return -ENOSYS;
 }
@@ -129,7 +129,7 @@ u32 tpm_nv_write_value(struct udevice *dev, u32 index, const void *data,
 	if (is_tpm1(dev))
 		return tpm1_nv_write_value(dev, index, data, count);
 	else if (is_tpm2(dev))
-		return -ENOSYS;
+		return tpm2_nv_write_value(dev, index, data, count);
 	else
 		return -ENOSYS;
 }
-- 
2.30.0.478.g8a0d178c01-goog

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [PATCH v4 10/11] tpm: Add TPM2 support for write_lock
  2021-02-06 21:23 [PATCH v4 00/11] tpm: Support using TPM1 and TPM2 from a single API Simon Glass
                   ` (8 preceding siblings ...)
  2021-02-06 21:23 ` [PATCH v4 09/11] tpm: Add TPM2 support for read/write values Simon Glass
@ 2021-02-06 21:23 ` Simon Glass
  2021-03-03 19:11   ` Tom Rini
  2021-02-06 21:23 ` [PATCH v4 11/11] tpm: Allow disabling platform hierarchy with TPM2 Simon Glass
  10 siblings, 1 reply; 25+ messages in thread
From: Simon Glass @ 2021-02-06 21:23 UTC (permalink / raw)
  To: u-boot

Implement this API function for TPM2.

Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---

(no changes since v1)

 include/tpm-v2.h | 12 ++++++++++++
 lib/tpm-v2.c     | 23 +++++++++++++++++++++++
 lib/tpm_api.c    |  2 +-
 3 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/include/tpm-v2.h b/include/tpm-v2.h
index 6a400771af1..1ca1e7e2011 100644
--- a/include/tpm-v2.h
+++ b/include/tpm-v2.h
@@ -241,6 +241,7 @@ enum tpm2_command_codes {
 	TPM2_CC_NV_DEFINE_SPACE	= 0x012a,
 	TPM2_CC_PCR_SETAUTHPOL	= 0x012C,
 	TPM2_CC_NV_WRITE	= 0x0137,
+	TPM2_CC_NV_WRITELOCK	= 0x0138,
 	TPM2_CC_DAM_RESET	= 0x0139,
 	TPM2_CC_DAM_PARAMETERS	= 0x013A,
 	TPM2_CC_NV_READ         = 0x014E,
@@ -570,4 +571,15 @@ u32 tpm2_pcr_setauthvalue(struct udevice *dev, const char *pw,
  */
 u32 tpm2_get_random(struct udevice *dev, void *data, u32 count);
 
+/**
+ * Lock data in the TPM
+ *
+ * Once locked the data cannot be written until after a reboot
+ *
+ * @dev		TPM device
+ * @index	Index of data to lock
+ * @return code of the operation
+ */
+u32 tpm2_write_lock(struct udevice *dev, u32 index);
+
 #endif /* __TPM_V2_H */
diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
index 9f1699131e1..b796004930e 100644
--- a/lib/tpm-v2.c
+++ b/lib/tpm-v2.c
@@ -601,3 +601,26 @@ u32 tpm2_get_random(struct udevice *dev, void *data, u32 count)
 
 	return 0;
 }
+
+u32 tpm2_write_lock(struct udevice *dev, u32 index)
+{
+	u8 command_v2[COMMAND_BUFFER_SIZE] = {
+		/* header 10 bytes */
+		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
+		tpm_u32(10 + 8 + 13), /* Length */
+		tpm_u32(TPM2_CC_NV_WRITELOCK), /* Command code */
+
+		/* handles 8 bytes */
+		tpm_u32(TPM2_RH_PLATFORM),	/* Primary platform seed */
+		tpm_u32(HR_NV_INDEX + index),	/* Password authorisation */
+
+		/* session header 9 bytes */
+		tpm_u32(9),			/* Header size */
+		tpm_u32(TPM2_RS_PW),		/* Password authorisation */
+		tpm_u16(0),			/* nonce_size */
+		0,				/* session_attrs */
+		tpm_u16(0),			/* auth_size */
+	};
+
+	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
+}
diff --git a/lib/tpm_api.c b/lib/tpm_api.c
index 687fc8bc7ee..4c662640a92 100644
--- a/lib/tpm_api.c
+++ b/lib/tpm_api.c
@@ -144,7 +144,7 @@ u32 tpm_write_lock(struct udevice *dev, u32 index)
 	if (is_tpm1(dev))
 		return -ENOSYS;
 	else if (is_tpm2(dev))
-		return -ENOSYS;
+		return tpm2_write_lock(dev, index);
 	else
 		return -ENOSYS;
 }
-- 
2.30.0.478.g8a0d178c01-goog

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [PATCH v4 11/11] tpm: Allow disabling platform hierarchy with TPM2
  2021-02-06 21:23 [PATCH v4 00/11] tpm: Support using TPM1 and TPM2 from a single API Simon Glass
                   ` (9 preceding siblings ...)
  2021-02-06 21:23 ` [PATCH v4 10/11] tpm: Add TPM2 support for write_lock Simon Glass
@ 2021-02-06 21:23 ` Simon Glass
  2021-03-03 19:11   ` Tom Rini
  10 siblings, 1 reply; 25+ messages in thread
From: Simon Glass @ 2021-02-06 21:23 UTC (permalink / raw)
  To: u-boot

With TPM2 we don't actually lock the TPM once verified boot is finished.
Instead we disable the platform hierarchy which serves the same purpose.
Add an implementation of this so we can safely boot into the kernel.

Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---

(no changes since v2)

Changes in v2:
- Add definition of TPM2_RC_NV_DEFINED return code

 include/tpm-v2.h | 13 +++++++++++++
 lib/tpm-v2.c     | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/include/tpm-v2.h b/include/tpm-v2.h
index 1ca1e7e2011..e18c8b1ccca 100644
--- a/include/tpm-v2.h
+++ b/include/tpm-v2.h
@@ -235,6 +235,7 @@ enum tpm2_handles {
 enum tpm2_command_codes {
 	TPM2_CC_STARTUP		= 0x0144,
 	TPM2_CC_SELF_TEST	= 0x0143,
+	TPM2_CC_HIER_CONTROL	= 0x0121,
 	TPM2_CC_CLEAR		= 0x0126,
 	TPM2_CC_CLEARCONTROL	= 0x0127,
 	TPM2_CC_HIERCHANGEAUTH	= 0x0129,
@@ -272,6 +273,7 @@ enum tpm2_return_codes {
 	TPM2_RC_COMMAND_CODE	= TPM2_RC_VER1 + 0x0043,
 	TPM2_RC_AUTHSIZE	= TPM2_RC_VER1 + 0x0044,
 	TPM2_RC_AUTH_CONTEXT	= TPM2_RC_VER1 + 0x0045,
+	TPM2_RC_NV_DEFINED	= TPM2_RC_VER1 + 0x004c,
 	TPM2_RC_NEEDS_TEST	= TPM2_RC_VER1 + 0x0053,
 	TPM2_RC_WARN		= 0x0900,
 	TPM2_RC_TESTING		= TPM2_RC_WARN + 0x000A,
@@ -582,4 +584,15 @@ u32 tpm2_get_random(struct udevice *dev, void *data, u32 count);
  */
 u32 tpm2_write_lock(struct udevice *dev, u32 index);
 
+/**
+ * Disable access to any platform data
+ *
+ * This can be called to close off access to the firmware data in the data,
+ * before calling the kernel.
+ *
+ * @dev		TPM device
+ * @return code of the operation
+ */
+u32 tpm2_disable_platform_hierarchy(struct udevice *dev);
+
 #endif /* __TPM_V2_H */
diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
index b796004930e..235f8c20d43 100644
--- a/lib/tpm-v2.c
+++ b/lib/tpm-v2.c
@@ -624,3 +624,38 @@ u32 tpm2_write_lock(struct udevice *dev, u32 index)
 
 	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
 }
+
+u32 tpm2_disable_platform_hierarchy(struct udevice *dev)
+{
+	struct tpm_chip_priv *priv = dev_get_uclass_priv(dev);
+	u8 command_v2[COMMAND_BUFFER_SIZE] = {
+		/* header 10 bytes */
+		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
+		tpm_u32(10 + 4 + 13 + 5),	/* Length */
+		tpm_u32(TPM2_CC_HIER_CONTROL),	/* Command code */
+
+		/* 4 bytes */
+		tpm_u32(TPM2_RH_PLATFORM),	/* Primary platform seed */
+
+		/* session header 9 bytes */
+		tpm_u32(9),			/* Header size */
+		tpm_u32(TPM2_RS_PW),		/* Password authorisation */
+		tpm_u16(0),			/* nonce_size */
+		0,				/* session_attrs */
+		tpm_u16(0),			/* auth_size */
+
+		/* payload 5 bytes */
+		tpm_u32(TPM2_RH_PLATFORM),	/* Hierarchy to disable */
+		0,				/* 0=disable */
+	};
+	int ret;
+
+	ret = tpm_sendrecv_command(dev, command_v2, NULL, NULL);
+	log_info("ret=%s, %x\n", dev->name, ret);
+	if (ret)
+		return ret;
+
+	priv->plat_hier_disabled = true;
+
+	return 0;
+}
-- 
2.30.0.478.g8a0d178c01-goog

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [PATCH v4 08/11] tpm: Add an implementation of define_space
  2021-02-06 21:23 ` [PATCH v4 08/11] tpm: Add an implementation of define_space Simon Glass
@ 2021-02-07 11:44   ` Ilias Apalodimas
  2021-03-03 19:11   ` Tom Rini
  1 sibling, 0 replies; 25+ messages in thread
From: Ilias Apalodimas @ 2021-02-07 11:44 UTC (permalink / raw)
  To: u-boot

On Sat, Feb 06, 2021 at 02:23:39PM -0700, Simon Glass wrote:
> Add support for this so that the TPM can be set up for use with
> Chromium OS verified boot.
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>
> ---
> 
> Changes in v4:
> - Drop unnecessary update of offset
> 
> Changes in v3:
> - Add a comment to the offset and fix up the value
> 
>  include/tpm-v2.h | 18 ++++++++++++++++++
>  lib/tpm-v2.c     | 47 +++++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 65 insertions(+)
> 
> diff --git a/include/tpm-v2.h b/include/tpm-v2.h
> index fab6b86ca2f..2766dc72a65 100644
> --- a/include/tpm-v2.h
> +++ b/include/tpm-v2.h
> @@ -238,6 +238,7 @@ enum tpm2_command_codes {
>  	TPM2_CC_CLEAR		= 0x0126,
>  	TPM2_CC_CLEARCONTROL	= 0x0127,
>  	TPM2_CC_HIERCHANGEAUTH	= 0x0129,
> +	TPM2_CC_NV_DEFINE_SPACE	= 0x012a,
>  	TPM2_CC_PCR_SETAUTHPOL	= 0x012C,
>  	TPM2_CC_DAM_RESET	= 0x0139,
>  	TPM2_CC_DAM_PARAMETERS	= 0x013A,
> @@ -386,6 +387,23 @@ u32 tpm2_self_test(struct udevice *dev, enum tpm2_yes_no full_test);
>  u32 tpm2_clear(struct udevice *dev, u32 handle, const char *pw,
>  	       const ssize_t pw_sz);
>  
> +/**
> + * Issue a TPM_NV_DefineSpace command
> + *
> + * This allows a space to be defined with given attributes and policy
> + *
> + * @dev			TPM device
> + * @space_index		index of the area
> + * @space_size		size of area in bytes
> + * @nv_attributes	TPM_NV_ATTRIBUTES of the area
> + * @nv_policy		policy to use
> + * @nv_policy_size	size of the policy
> + * @return return code of the operation
> + */
> +u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index,
> +			 size_t space_size, u32 nv_attributes,
> +			 const u8 *nv_policy, size_t nv_policy_size);
> +
>  /**
>   * Issue a TPM2_PCR_Extend command.
>   *
> diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
> index c4e869ec5b5..e9bf4018fed 100644
> --- a/lib/tpm-v2.c
> +++ b/lib/tpm-v2.c
> @@ -81,6 +81,53 @@ u32 tpm2_clear(struct udevice *dev, u32 handle, const char *pw,
>  	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
>  }
>  
> +u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index,
> +			 size_t space_size, u32 nv_attributes,
> +			 const u8 *nv_policy, size_t nv_policy_size)
> +{
> +	/*
> +	 * Calculate the offset of the nv_policy piece by adding each of the
> +	 * chunks below.
> +	 */
> +	uint offset = 10 + 8 + 13 + 14;
> +	u8 command_v2[COMMAND_BUFFER_SIZE] = {
> +		/* header 10 bytes */
> +		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
> +		tpm_u32(offset + nv_policy_size),/* Length */
> +		tpm_u32(TPM2_CC_NV_DEFINE_SPACE),/* Command code */
> +
> +		/* handles 8 bytes */
> +		tpm_u32(TPM2_RH_PLATFORM),	/* Primary platform seed */
> +
> +		/* session header 13 bytes */
> +		tpm_u32(9),			/* Header size */
> +		tpm_u32(TPM2_RS_PW),		/* Password authorisation */
> +		tpm_u16(0),			/* nonce_size */
> +		0,				/* session_attrs */
> +		tpm_u16(0),			/* auth_size */
> +
> +		/* message 14 bytes + policy */
> +		tpm_u16(12 + nv_policy_size),	/* size */
> +		tpm_u32(space_index),
> +		tpm_u16(TPM2_ALG_SHA256),
> +		tpm_u32(nv_attributes),
> +		tpm_u16(nv_policy_size),
> +		/* nv_policy */
> +	};
> +	int ret;
> +
> +	/*
> +	 * Fill the command structure starting from the first buffer:
> +	 *     - the password (if any)
> +	 */
> +	ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
> +			       offset, nv_policy, nv_policy_size);
> +	if (ret)
> +		return TPM_LIB_ERROR;
> +
> +	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
> +}
> +
>  u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
>  		    const u8 *digest, u32 digest_len)
>  {
> -- 
> 2.30.0.478.g8a0d178c01-goog
> 
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [PATCH v4 05/11] tpm: Switch TPMv1 over to use the new API
  2021-02-06 21:23 ` [PATCH v4 05/11] tpm: Switch TPMv1 over to use the new API Simon Glass
@ 2021-02-07 11:44   ` Ilias Apalodimas
  2021-03-03 19:11   ` Tom Rini
  1 sibling, 0 replies; 25+ messages in thread
From: Ilias Apalodimas @ 2021-02-07 11:44 UTC (permalink / raw)
  To: u-boot

On Sat, Feb 06, 2021 at 02:23:36PM -0700, Simon Glass wrote:
> Take over the plain 'tpm_...' functions for use by the new TPM API. Rename
> all the TPMv1 functions so they are called from the API.
> 
> Update the TPMv1 functions so that they are called from the API. Change
> existing users to use the tpm1_ prefix so they don't need to go through
> the API, which might introduce uncertainty.
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>
> ---
> 
> (no changes since v1)
> 
>  board/gdsys/a38x/controlcenterdc.c    |   4 +-
>  board/gdsys/a38x/hre.c                |  28 +++----
>  board/gdsys/a38x/keyprogram.c         |   8 +-
>  board/gdsys/mpc8308/gazerbeam.c       |   4 +-
>  board/gdsys/p1022/controlcenterd-id.c |  36 ++++----
>  cmd/tpm-v1.c                          |  25 +++---
>  cmd/tpm_test.c                        |  40 +++++----
>  include/tpm-v1.h                      |  76 ++++++++---------
>  lib/Makefile                          |   1 +
>  lib/tpm-v1.c                          | 115 ++++++++++++--------------
>  10 files changed, 168 insertions(+), 169 deletions(-)
> 
> diff --git a/board/gdsys/a38x/controlcenterdc.c b/board/gdsys/a38x/controlcenterdc.c
> index a2287f9deb1..187ac8c4f9f 100644
> --- a/board/gdsys/a38x/controlcenterdc.c
> +++ b/board/gdsys/a38x/controlcenterdc.c
> @@ -286,8 +286,8 @@ int last_stage_init(void)
>  	ccdc_eth_init();
>  #endif
>  	ret = get_tpm(&tpm);
> -	if (ret || tpm_init(tpm) || tpm_startup(tpm, TPM_ST_CLEAR) ||
> -	    tpm_continue_self_test(tpm)) {
> +	if (ret || tpm_init(tpm) || tpm1_startup(tpm, TPM_ST_CLEAR) ||
> +	    tpm1_continue_self_test(tpm)) {
>  		return 1;
>  	}
>  
> diff --git a/board/gdsys/a38x/hre.c b/board/gdsys/a38x/hre.c
> index 699241b3e62..de5411a6b93 100644
> --- a/board/gdsys/a38x/hre.c
> +++ b/board/gdsys/a38x/hre.c
> @@ -107,8 +107,8 @@ static int get_tpm_nv_size(struct udevice *tpm, uint32_t index, uint32_t *size)
>  	uint8_t *ptr;
>  	uint16_t v16;
>  
> -	err = tpm_get_capability(tpm, TPM_CAP_NV_INDEX, index,
> -				 info, sizeof(info));
> +	err = tpm1_get_capability(tpm, TPM_CAP_NV_INDEX, index, info,
> +				  sizeof(info));
>  	if (err) {
>  		printf("tpm_get_capability(CAP_NV_INDEX, %08x) failed: %u\n",
>  		       index, err);
> @@ -150,8 +150,8 @@ static int find_key(struct udevice *tpm, const uint8_t auth[20],
>  	unsigned int i;
>  
>  	/* fetch list of already loaded keys in the TPM */
> -	err = tpm_get_capability(tpm, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
> -				 sizeof(buf));
> +	err = tpm1_get_capability(tpm, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
> +				  sizeof(buf));
>  	if (err)
>  		return -1;
>  	key_count = get_unaligned_be16(buf);
> @@ -162,8 +162,8 @@ static int find_key(struct udevice *tpm, const uint8_t auth[20],
>  	/* now search a(/ the) key which we can access with the given auth */
>  	for (i = 0; i < key_count; ++i) {
>  		buf_len = sizeof(buf);
> -		err = tpm_get_pub_key_oiap(tpm, key_handles[i], auth, buf,
> -					   &buf_len);
> +		err = tpm1_get_pub_key_oiap(tpm, key_handles[i], auth, buf,
> +					    &buf_len);
>  		if (err && err != TPM_AUTHFAIL)
>  			return -1;
>  		if (err)
> @@ -192,8 +192,8 @@ static int read_common_data(struct udevice *tpm)
>  	if (get_tpm_nv_size(tpm, NV_COMMON_DATA_INDEX, &size) ||
>  	    size < NV_COMMON_DATA_MIN_SIZE)
>  		return 1;
> -	err = tpm_nv_read_value(tpm, NV_COMMON_DATA_INDEX,
> -				buf, min(sizeof(buf), size));
> +	err = tpm1_nv_read_value(tpm, NV_COMMON_DATA_INDEX, buf,
> +				 min(sizeof(buf), size));
>  	if (err) {
>  		printf("tpm_nv_read_value() failed: %u\n", err);
>  		return 1;
> @@ -270,8 +270,8 @@ static struct h_reg *access_hreg(struct udevice *tpm, uint8_t spec,
>  	if (mode & HREG_RD) {
>  		if (!result->valid) {
>  			if (IS_PCR_HREG(spec)) {
> -				hre_tpm_err = tpm_pcr_read(tpm, HREG_IDX(spec),
> -					result->digest, 20);
> +				hre_tpm_err = tpm1_pcr_read(tpm, HREG_IDX(spec),
> +							    result->digest, 20);
>  				result->valid = (hre_tpm_err == TPM_SUCCESS);
>  			} else if (IS_FIX_HREG(spec)) {
>  				switch (HREG_IDX(spec)) {
> @@ -357,8 +357,8 @@ static int hre_op_loadkey(struct udevice *tpm, struct h_reg *src_reg,
>  		return -1;
>  	if (find_key(tpm, src_reg->digest, dst_reg->digest, &parent_handle))
>  		return -1;
> -	hre_tpm_err = tpm_load_key2_oiap(tpm, parent_handle, key, key_size,
> -					 src_reg->digest, &key_handle);
> +	hre_tpm_err = tpm1_load_key2_oiap(tpm, parent_handle, key, key_size,
> +					  src_reg->digest, &key_handle);
>  	if (hre_tpm_err) {
>  		hre_err = HRE_E_TPM_FAILURE;
>  		return -1;
> @@ -474,8 +474,8 @@ do_bin_func:
>  	}
>  
>  	if (dst_reg && dst_modified && IS_PCR_HREG(dst_spec)) {
> -		hre_tpm_err = tpm_extend(tpm, HREG_IDX(dst_spec),
> -					 dst_reg->digest, dst_reg->digest);
> +		hre_tpm_err = tpm1_extend(tpm, HREG_IDX(dst_spec),
> +					  dst_reg->digest, dst_reg->digest);
>  		if (hre_tpm_err) {
>  			hre_err = HRE_E_TPM_FAILURE;
>  			return NULL;
> diff --git a/board/gdsys/a38x/keyprogram.c b/board/gdsys/a38x/keyprogram.c
> index 853981aadbb..7020fae1894 100644
> --- a/board/gdsys/a38x/keyprogram.c
> +++ b/board/gdsys/a38x/keyprogram.c
> @@ -23,15 +23,15 @@ int flush_keys(struct udevice *tpm)
>  	uint i;
>  
>  	/* fetch list of already loaded keys in the TPM */
> -	err = tpm_get_capability(tpm, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
> -				 sizeof(buf));
> +	err = tpm1_get_capability(tpm, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
> +				  sizeof(buf));
>  	if (err)
>  		return -1;
>  	key_count = get_unaligned_be16(buf);
>  	ptr = buf + 2;
>  	for (i = 0; i < key_count; ++i, ptr += 4) {
> -		err = tpm_flush_specific(tpm, get_unaligned_be32(ptr),
> -					 TPM_RT_KEY);
> +		err = tpm1_flush_specific(tpm, get_unaligned_be32(ptr),
> +					  TPM_RT_KEY);
>  		if (err && err != TPM_KEY_OWNER_CONTROL)
>  			return err;
>  	}
> diff --git a/board/gdsys/mpc8308/gazerbeam.c b/board/gdsys/mpc8308/gazerbeam.c
> index 0e7fa1e333e..6afb87a5008 100644
> --- a/board/gdsys/mpc8308/gazerbeam.c
> +++ b/board/gdsys/mpc8308/gazerbeam.c
> @@ -144,8 +144,8 @@ int last_stage_init(void)
>  	env_set_ulong("fpga_hw_rev", fpga_hw_rev);
>  
>  	ret = get_tpm(&tpm);
> -	if (ret || tpm_init(tpm) || tpm_startup(tpm, TPM_ST_CLEAR) ||
> -	    tpm_continue_self_test(tpm)) {
> +	if (ret || tpm_init(tpm) || tpm1_startup(tpm, TPM_ST_CLEAR) ||
> +	    tpm1_continue_self_test(tpm)) {
>  		printf("TPM init failed\n");
>  	}
>  
> diff --git a/board/gdsys/p1022/controlcenterd-id.c b/board/gdsys/p1022/controlcenterd-id.c
> index 1b5aa9042f5..87b346aa9cf 100644
> --- a/board/gdsys/p1022/controlcenterd-id.c
> +++ b/board/gdsys/p1022/controlcenterd-id.c
> @@ -273,8 +273,8 @@ static int get_tpm_nv_size(struct udevice *tpm, uint32_t index, uint32_t *size)
>  	uint8_t *ptr;
>  	uint16_t v16;
>  
> -	err = tpm_get_capability(tpm, TPM_CAP_NV_INDEX, index,
> -				 info, sizeof(info));
> +	err = tpm1_get_capability(tpm, TPM_CAP_NV_INDEX, index, info,
> +				  sizeof(info));
>  	if (err) {
>  		printf("tpm_get_capability(CAP_NV_INDEX, %08x) failed: %u\n",
>  		       index, err);
> @@ -315,8 +315,8 @@ static int find_key(struct udevice *tpm, const uint8_t auth[20],
>  	unsigned int i;
>  
>  	/* fetch list of already loaded keys in the TPM */
> -	err = tpm_get_capability(tpm, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
> -				 sizeof(buf));
> +	err = tpm1_get_capability(tpm, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
> +				  sizeof(buf));
>  	if (err)
>  		return -1;
>  	key_count = get_unaligned_be16(buf);
> @@ -327,8 +327,8 @@ static int find_key(struct udevice *tpm, const uint8_t auth[20],
>  	/* now search a(/ the) key which we can access with the given auth */
>  	for (i = 0; i < key_count; ++i) {
>  		buf_len = sizeof(buf);
> -		err = tpm_get_pub_key_oiap(tpm, key_handles[i], auth, buf,
> -					   &buf_len);
> +		err = tpm1_get_pub_key_oiap(tpm, key_handles[i], auth, buf,
> +					    &buf_len);
>  		if (err && err != TPM_AUTHFAIL)
>  			return -1;
>  		if (err)
> @@ -356,8 +356,8 @@ static int read_common_data(struct udevice *tpm)
>  	if (get_tpm_nv_size(tpm, NV_COMMON_DATA_INDEX, &size) ||
>  	    size < NV_COMMON_DATA_MIN_SIZE)
>  		return 1;
> -	err = tpm_nv_read_value(tpm, NV_COMMON_DATA_INDEX,
> -				buf, min(sizeof(buf), size));
> +	err = tpm1_nv_read_value(tpm, NV_COMMON_DATA_INDEX, buf,
> +				 min(sizeof(buf), size));
>  	if (err) {
>  		printf("tpm_nv_read_value() failed: %u\n", err);
>  		return 1;
> @@ -508,8 +508,8 @@ static struct h_reg *access_hreg(struct udevice *tpm, uint8_t spec,
>  	if (mode & HREG_RD) {
>  		if (!result->valid) {
>  			if (IS_PCR_HREG(spec)) {
> -				hre_tpm_err = tpm_pcr_read(tpm, HREG_IDX(spec),
> -					result->digest, 20);
> +				hre_tpm_err = tpm1_pcr_read(tpm, HREG_IDX(spec),
> +							    result->digest, 20);
>  				result->valid = (hre_tpm_err == TPM_SUCCESS);
>  			} else if (IS_FIX_HREG(spec)) {
>  				switch (HREG_IDX(spec)) {
> @@ -601,8 +601,8 @@ static int hre_op_loadkey(struct udevice *tpm, struct h_reg *src_reg,
>  		return -1;
>  	if (find_key(tpm, src_reg->digest, dst_reg->digest, &parent_handle))
>  		return -1;
> -	hre_tpm_err = tpm_load_key2_oiap(tpm, parent_handle, key, key_size,
> -					 src_reg->digest, &key_handle);
> +	hre_tpm_err = tpm1_load_key2_oiap(tpm, parent_handle, key, key_size,
> +					  src_reg->digest, &key_handle);
>  	if (hre_tpm_err) {
>  		hre_err = HRE_E_TPM_FAILURE;
>  		return -1;
> @@ -718,8 +718,8 @@ do_bin_func:
>  	}
>  
>  	if (dst_reg && dst_modified && IS_PCR_HREG(dst_spec)) {
> -		hre_tpm_err = tpm_extend(tpm, HREG_IDX(dst_spec),
> -					 dst_reg->digest, dst_reg->digest);
> +		hre_tpm_err = tpm1_extend(tpm, HREG_IDX(dst_spec),
> +					  dst_reg->digest, dst_reg->digest);
>  		if (hre_tpm_err) {
>  			hre_err = HRE_E_TPM_FAILURE;
>  			return NULL;
> @@ -964,10 +964,10 @@ static int first_stage_actions(struct udevice *tpm)
>  
>  	puts("CCDM S1: start actions\n");
>  #ifndef CCDM_SECOND_STAGE
> -	if (tpm_continue_self_test(tpm))
> +	if (tpm1_continue_self_test(tpm))
>  		goto failure;
>  #else
> -	tpm_continue_self_test(tpm);
> +	tpm1_continue_self_test(tpm);
>  #endif
>  	mdelay(37);
>  
> @@ -1003,7 +1003,7 @@ static int first_stage_init(void)
>  
>  	puts("CCDM S1\n");
>  	ret = get_tpm(&tpm);
> -	if (ret || tpm_init(tpm) || tpm_startup(tpm, TPM_ST_CLEAR))
> +	if (ret || tpm_init(tpm) || tpm1_startup(tpm, TPM_ST_CLEAR))
>  		return 1;
>  	ret = first_stage_actions(tpm);
>  #ifndef CCDM_SECOND_STAGE
> @@ -1061,7 +1061,7 @@ static int second_stage_init(void)
>  	ret = get_tpm(&tpm);
>  	if (ret || tpm_init(tpm))
>  		return 1;
> -	err = tpm_startup(tpm, TPM_ST_CLEAR);
> +	err = tpm1_startup(tpm, TPM_ST_CLEAR);
>  	if (err != TPM_INVALID_POSTINIT)
>  		did_first_stage_run = false;
>  
> diff --git a/cmd/tpm-v1.c b/cmd/tpm-v1.c
> index 0e2168aea67..3a7e35d5255 100644
> --- a/cmd/tpm-v1.c
> +++ b/cmd/tpm-v1.c
> @@ -11,6 +11,7 @@
>  #include <tpm-common.h>
>  #include <tpm-v1.h>
>  #include "tpm-user-utils.h"
> +#include <tpm_api.h>
>  
>  static int do_tpm_startup(struct cmd_tbl *cmdtp, int flag, int argc,
>  			  char *const argv[])
> @@ -55,7 +56,7 @@ static int do_tpm_nv_define_space(struct cmd_tbl *cmdtp, int flag, int argc,
>  	perm = simple_strtoul(argv[2], NULL, 0);
>  	size = simple_strtoul(argv[3], NULL, 0);
>  
> -	return report_return_code(tpm_nv_define_space(dev, index, perm, size));
> +	return report_return_code(tpm1_nv_define_space(dev, index, perm, size));
>  }
>  
>  static int do_tpm_nv_read_value(struct cmd_tbl *cmdtp, int flag, int argc,
> @@ -130,7 +131,7 @@ static int do_tpm_extend(struct cmd_tbl *cmdtp, int flag, int argc,
>  		return CMD_RET_FAILURE;
>  	}
>  
> -	rc = tpm_extend(dev, index, in_digest, out_digest);
> +	rc = tpm_pcr_extend(dev, index, in_digest, out_digest);
>  	if (!rc) {
>  		puts("PCR value after execution of the command:\n");
>  		print_byte_string(out_digest, sizeof(out_digest));
> @@ -304,7 +305,7 @@ static int do_tpm_nv_define(struct cmd_tbl *cmdtp, int flag, int argc,
>  	index = simple_strtoul(argv[2], NULL, 0);
>  	perm = simple_strtoul(argv[3], NULL, 0);
>  
> -	return report_return_code(tpm_nv_define_space(dev, index, perm, size));
> +	return report_return_code(tpm1_nv_define_space(dev, index, perm, size));
>  }
>  
>  static int do_tpm_nv_read(struct cmd_tbl *cmdtp, int flag, int argc,
> @@ -389,7 +390,7 @@ static int do_tpm_oiap(struct cmd_tbl *cmdtp, int flag, int argc,
>  	if (rc)
>  		return rc;
>  
> -	err = tpm_oiap(dev, &auth_handle);
> +	err = tpm1_oiap(dev, &auth_handle);
>  
>  	return report_return_code(err);
>  }
> @@ -461,8 +462,8 @@ static int do_tpm_load_key2_oiap(struct cmd_tbl *cmdtp, int flag, int argc,
>  		return CMD_RET_FAILURE;
>  	parse_byte_string(argv[4], usage_auth, NULL);
>  
> -	err = tpm_load_key2_oiap(dev, parent_handle, key, key_len, usage_auth,
> -				 &key_handle);
> +	err = tpm1_load_key2_oiap(dev, parent_handle, key, key_len, usage_auth,
> +				  &key_handle);
>  	if (!err)
>  		printf("Key handle is 0x%x\n", key_handle);
>  
> @@ -491,8 +492,8 @@ static int do_tpm_get_pub_key_oiap(struct cmd_tbl *cmdtp, int flag, int argc,
>  		return CMD_RET_FAILURE;
>  	parse_byte_string(argv[2], usage_auth, NULL);
>  
> -	err = tpm_get_pub_key_oiap(dev, key_handle, usage_auth, pub_key_buffer,
> -				   &pub_key_len);
> +	err = tpm1_get_pub_key_oiap(dev, key_handle, usage_auth, pub_key_buffer,
> +				    &pub_key_len);
>  	if (!err) {
>  		printf("dump of received pub key structure:\n");
>  		print_byte_string(pub_key_buffer, pub_key_len);
> @@ -500,7 +501,7 @@ static int do_tpm_get_pub_key_oiap(struct cmd_tbl *cmdtp, int flag, int argc,
>  	return report_return_code(err);
>  }
>  
> -TPM_COMMAND_NO_ARG(tpm_end_oiap)
> +TPM_COMMAND_NO_ARG(tpm1_end_oiap)
>  
>  #endif /* CONFIG_TPM_AUTH_SESSIONS */
>  
> @@ -562,7 +563,7 @@ static int do_tpm_flush(struct cmd_tbl *cmdtp, int flag, int argc,
>  		res_count = get_unaligned_be16(buf);
>  		ptr = buf + 2;
>  		for (i = 0; i < res_count; ++i, ptr += 4)
> -			tpm_flush_specific(dev, get_unaligned_be32(ptr), type);
> +			tpm1_flush_specific(dev, get_unaligned_be32(ptr), type);
>  	} else {
>  		u32 handle = simple_strtoul(argv[2], NULL, 0);
>  
> @@ -570,7 +571,7 @@ static int do_tpm_flush(struct cmd_tbl *cmdtp, int flag, int argc,
>  			printf("Illegal resource handle %s\n", argv[2]);
>  			return -1;
>  		}
> -		tpm_flush_specific(dev, cpu_to_be32(handle), type);
> +		tpm1_flush_specific(dev, cpu_to_be32(handle), type);
>  	}
>  
>  	return 0;
> @@ -691,7 +692,7 @@ static struct cmd_tbl tpm1_commands[] = {
>  	U_BOOT_CMD_MKENT(oiap, 0, 1,
>  			 do_tpm_oiap, "", ""),
>  	U_BOOT_CMD_MKENT(end_oiap, 0, 1,
> -			 do_tpm_end_oiap, "", ""),
> +			 do_tpm1_end_oiap, "", ""),
>  	U_BOOT_CMD_MKENT(load_key2_oiap, 0, 1,
>  			 do_tpm_load_key2_oiap, "", ""),
>  #ifdef CONFIG_TPM_LOAD_KEY_BY_SHA1
> diff --git a/cmd/tpm_test.c b/cmd/tpm_test.c
> index ebfb25cab0a..68d2107f54e 100644
> --- a/cmd/tpm_test.c
> +++ b/cmd/tpm_test.c
> @@ -9,6 +9,7 @@
>  #include <log.h>
>  #include <tpm-v1.h>
>  #include "tpm-user-utils.h"
> +#include <tpm_api.h>
>  
>  /* Prints error and returns on failure */
>  #define TPM_CHECK(tpm_command) do { \
> @@ -49,7 +50,7 @@ static uint32_t tpm_get_flags(struct udevice *dev, uint8_t *disable,
>  	struct tpm_permanent_flags pflags;
>  	uint32_t result;
>  
> -	result = tpm_get_permanent_flags(dev, &pflags);
> +	result = tpm1_get_permanent_flags(dev, &pflags);
>  	if (result)
>  		return result;
>  	if (disable)
> @@ -90,7 +91,7 @@ static int test_early_extend(struct udevice *dev)
>  	tpm_init(dev);
>  	TPM_CHECK(tpm_startup(dev, TPM_ST_CLEAR));
>  	TPM_CHECK(tpm_continue_self_test(dev));
> -	TPM_CHECK(tpm_extend(dev, 1, value_in, value_out));
> +	TPM_CHECK(tpm_pcr_extend(dev, 1, value_in, value_out));
>  	printf("done\n");
>  	return 0;
>  }
> @@ -238,18 +239,18 @@ static void initialise_spaces(struct udevice *dev)
>  	uint32_t perm = TPM_NV_PER_WRITE_STCLEAR | TPM_NV_PER_PPWRITE;
>  
>  	printf("\tInitialising spaces\n");
> -	tpm_nv_set_locked(dev);  /* useful only the first time */
> -	tpm_nv_define_space(dev, INDEX0, perm, 4);
> +	tpm1_nv_set_locked(dev);  /* useful only the first time */
> +	tpm1_nv_define_space(dev, INDEX0, perm, 4);
>  	tpm_nv_write_value(dev, INDEX0, (uint8_t *)&zero, 4);
> -	tpm_nv_define_space(dev, INDEX1, perm, 4);
> +	tpm1_nv_define_space(dev, INDEX1, perm, 4);
>  	tpm_nv_write_value(dev, INDEX1, (uint8_t *)&zero, 4);
> -	tpm_nv_define_space(dev, INDEX2, perm, 4);
> +	tpm1_nv_define_space(dev, INDEX2, perm, 4);
>  	tpm_nv_write_value(dev, INDEX2, (uint8_t *)&zero, 4);
> -	tpm_nv_define_space(dev, INDEX3, perm, 4);
> +	tpm1_nv_define_space(dev, INDEX3, perm, 4);
>  	tpm_nv_write_value(dev, INDEX3, (uint8_t *)&zero, 4);
>  	perm = TPM_NV_PER_READ_STCLEAR | TPM_NV_PER_WRITE_STCLEAR |
>  		TPM_NV_PER_PPWRITE;
> -	tpm_nv_define_space(dev, INDEX_INITIALISED, perm, 1);
> +	tpm1_nv_define_space(dev, INDEX_INITIALISED, perm, 1);
>  }
>  
>  static int test_readonly(struct udevice *dev)
> @@ -325,30 +326,33 @@ static int test_redefine_unowned(struct udevice *dev)
>  
>  	/* Redefines spaces a couple of times. */
>  	perm = TPM_NV_PER_PPWRITE | TPM_NV_PER_GLOBALLOCK;
> -	TPM_CHECK(tpm_nv_define_space(dev, INDEX0, perm, 2 * sizeof(uint32_t)));
> -	TPM_CHECK(tpm_nv_define_space(dev, INDEX0, perm, sizeof(uint32_t)));
> +	TPM_CHECK(tpm1_nv_define_space(dev, INDEX0, perm,
> +				       2 * sizeof(uint32_t)));
> +	TPM_CHECK(tpm1_nv_define_space(dev, INDEX0, perm, sizeof(uint32_t)));
>  	perm = TPM_NV_PER_PPWRITE;
> -	TPM_CHECK(tpm_nv_define_space(dev, INDEX1, perm, 2 * sizeof(uint32_t)));
> -	TPM_CHECK(tpm_nv_define_space(dev, INDEX1, perm, sizeof(uint32_t)));
> +	TPM_CHECK(tpm1_nv_define_space(dev, INDEX1, perm,
> +				       2 * sizeof(uint32_t)));
> +	TPM_CHECK(tpm1_nv_define_space(dev, INDEX1, perm, sizeof(uint32_t)));
>  
>  	/* Sets the global lock */
>  	tpm_set_global_lock(dev);
>  
>  	/* Verifies that index0 cannot be redefined */
> -	result = tpm_nv_define_space(dev, INDEX0, perm, sizeof(uint32_t));
> +	result = tpm1_nv_define_space(dev, INDEX0, perm, sizeof(uint32_t));
>  	assert(result == TPM_AREA_LOCKED);
>  
>  	/* Checks that index1 can */
> -	TPM_CHECK(tpm_nv_define_space(dev, INDEX1, perm, 2 * sizeof(uint32_t)));
> -	TPM_CHECK(tpm_nv_define_space(dev, INDEX1, perm, sizeof(uint32_t)));
> +	TPM_CHECK(tpm1_nv_define_space(dev, INDEX1, perm,
> +				       2 * sizeof(uint32_t)));
> +	TPM_CHECK(tpm1_nv_define_space(dev, INDEX1, perm, sizeof(uint32_t)));
>  
>  	/* Turns off PP */
>  	tpm_tsc_physical_presence(dev, PHYS_PRESENCE);
>  
>  	/* Verifies that neither index0 nor index1 can be redefined */
> -	result = tpm_nv_define_space(dev, INDEX0, perm, sizeof(uint32_t));
> +	result = tpm1_nv_define_space(dev, INDEX0, perm, sizeof(uint32_t));
>  	assert(result == TPM_BAD_PRESENCE);
> -	result = tpm_nv_define_space(dev, INDEX1, perm, sizeof(uint32_t));
> +	result = tpm1_nv_define_space(dev, INDEX1, perm, sizeof(uint32_t));
>  	assert(result == TPM_BAD_PRESENCE);
>  
>  	printf("done\n");
> @@ -434,7 +438,7 @@ static int test_timing(struct udevice *dev)
>  		   100);
>  	TTPM_CHECK(tpm_nv_read_value(dev, INDEX0, (uint8_t *)&x, sizeof(x)),
>  		   100);
> -	TTPM_CHECK(tpm_extend(dev, 0, in, out), 200);
> +	TTPM_CHECK(tpm_pcr_extend(dev, 0, in, out), 200);
>  	TTPM_CHECK(tpm_set_global_lock(dev), 50);
>  	TTPM_CHECK(tpm_tsc_physical_presence(dev, PHYS_PRESENCE), 100);
>  	printf("done\n");
> diff --git a/include/tpm-v1.h b/include/tpm-v1.h
> index 59ad4aecf42..2e33ed4b949 100644
> --- a/include/tpm-v1.h
> +++ b/include/tpm-v1.h
> @@ -287,7 +287,7 @@ struct __packed tpm_nv_data_public {
>   * @param mode		TPM startup mode
>   * @return return code of the operation
>   */
> -u32 tpm_startup(struct udevice *dev, enum tpm_startup_type mode);
> +u32 tpm1_startup(struct udevice *dev, enum tpm_startup_type mode);
>  
>  /**
>   * Issue a TPM_SelfTestFull command.
> @@ -295,7 +295,7 @@ u32 tpm_startup(struct udevice *dev, enum tpm_startup_type mode);
>   * @param dev		TPM device
>   * @return return code of the operation
>   */
> -u32 tpm_self_test_full(struct udevice *dev);
> +u32 tpm1_self_test_full(struct udevice *dev);
>  
>  /**
>   * Issue a TPM_ContinueSelfTest command.
> @@ -303,7 +303,7 @@ u32 tpm_self_test_full(struct udevice *dev);
>   * @param dev		TPM device
>   * @return return code of the operation
>   */
> -u32 tpm_continue_self_test(struct udevice *dev);
> +u32 tpm1_continue_self_test(struct udevice *dev);
>  
>  /**
>   * Issue a TPM_NV_DefineSpace command.  The implementation is limited
> @@ -316,7 +316,7 @@ u32 tpm_continue_self_test(struct udevice *dev);
>   * @param size		size of the area
>   * @return return code of the operation
>   */
> -u32 tpm_nv_define_space(struct udevice *dev, u32 index, u32 perm, u32 size);
> +u32 tpm1_nv_define_space(struct udevice *dev, u32 index, u32 perm, u32 size);
>  
>  /**
>   * Issue a TPM_NV_ReadValue command.  This implementation is limited
> @@ -329,7 +329,7 @@ u32 tpm_nv_define_space(struct udevice *dev, u32 index, u32 perm, u32 size);
>   * @param count		size of output buffer
>   * @return return code of the operation
>   */
> -u32 tpm_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count);
> +u32 tpm1_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count);
>  
>  /**
>   * Issue a TPM_NV_WriteValue command.  This implementation is limited
> @@ -342,8 +342,8 @@ u32 tpm_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count);
>   * @param length	length of data bytes of input buffer
>   * @return return code of the operation
>   */
> -u32 tpm_nv_write_value(struct udevice *dev, u32 index, const void *data,
> -		       u32 length);
> +u32 tpm1_nv_write_value(struct udevice *dev, u32 index, const void *data,
> +			u32 length);
>  
>  /**
>   * Issue a TPM_Extend command.
> @@ -356,8 +356,8 @@ u32 tpm_nv_write_value(struct udevice *dev, u32 index, const void *data,
>   *			command
>   * @return return code of the operation
>   */
> -u32 tpm_extend(struct udevice *dev, u32 index, const void *in_digest,
> -	       void *out_digest);
> +u32 tpm1_extend(struct udevice *dev, u32 index, const void *in_digest,
> +		void *out_digest);
>  
>  /**
>   * Issue a TPM_PCRRead command.
> @@ -368,7 +368,7 @@ u32 tpm_extend(struct udevice *dev, u32 index, const void *in_digest,
>   * @param count		size of output buffer
>   * @return return code of the operation
>   */
> -u32 tpm_pcr_read(struct udevice *dev, u32 index, void *data, size_t count);
> +u32 tpm1_pcr_read(struct udevice *dev, u32 index, void *data, size_t count);
>  
>  /**
>   * Issue a TSC_PhysicalPresence command.  TPM physical presence flag
> @@ -378,7 +378,7 @@ u32 tpm_pcr_read(struct udevice *dev, u32 index, void *data, size_t count);
>   * @param presence	TPM physical presence flag
>   * @return return code of the operation
>   */
> -u32 tpm_tsc_physical_presence(struct udevice *dev, u16 presence);
> +u32 tpm1_tsc_physical_presence(struct udevice *dev, u16 presence);
>  
>  /**
>   * Issue a TPM_ReadPubek command.
> @@ -388,7 +388,7 @@ u32 tpm_tsc_physical_presence(struct udevice *dev, u16 presence);
>   * @param count		size of output buffer
>   * @return return code of the operation
>   */
> -u32 tpm_read_pubek(struct udevice *dev, void *data, size_t count);
> +u32 tpm1_read_pubek(struct udevice *dev, void *data, size_t count);
>  
>  /**
>   * Issue a TPM_ForceClear command.
> @@ -396,7 +396,7 @@ u32 tpm_read_pubek(struct udevice *dev, void *data, size_t count);
>   * @param dev		TPM device
>   * @return return code of the operation
>   */
> -u32 tpm_force_clear(struct udevice *dev);
> +u32 tpm1_force_clear(struct udevice *dev);
>  
>  /**
>   * Issue a TPM_PhysicalEnable command.
> @@ -404,7 +404,7 @@ u32 tpm_force_clear(struct udevice *dev);
>   * @param dev		TPM device
>   * @return return code of the operation
>   */
> -u32 tpm_physical_enable(struct udevice *dev);
> +u32 tpm1_physical_enable(struct udevice *dev);
>  
>  /**
>   * Issue a TPM_PhysicalDisable command.
> @@ -412,7 +412,7 @@ u32 tpm_physical_enable(struct udevice *dev);
>   * @param dev		TPM device
>   * @return return code of the operation
>   */
> -u32 tpm_physical_disable(struct udevice *dev);
> +u32 tpm1_physical_disable(struct udevice *dev);
>  
>  /**
>   * Issue a TPM_PhysicalSetDeactivated command.
> @@ -421,7 +421,7 @@ u32 tpm_physical_disable(struct udevice *dev);
>   * @param state		boolean state of the deactivated flag
>   * @return return code of the operation
>   */
> -u32 tpm_physical_set_deactivated(struct udevice *dev, u8 state);
> +u32 tpm1_physical_set_deactivated(struct udevice *dev, u8 state);
>  
>  /**
>   * Issue a TPM_GetCapability command.  This implementation is limited
> @@ -435,8 +435,8 @@ u32 tpm_physical_set_deactivated(struct udevice *dev, u8 state);
>   * @param count		size of output buffer
>   * @return return code of the operation
>   */
> -u32 tpm_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
> -		       void *cap, size_t count);
> +u32 tpm1_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
> +			void *cap, size_t count);
>  
>  /**
>   * Issue a TPM_FlushSpecific command for a AUTH resource.
> @@ -445,7 +445,7 @@ u32 tpm_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
>   * @param auth_handle	handle of the auth session
>   * @return return code of the operation
>   */
> -u32 tpm_terminate_auth_session(struct udevice *dev, u32 auth_handle);
> +u32 tpm1_terminate_auth_session(struct udevice *dev, u32 auth_handle);
>  
>  /**
>   * Issue a TPM_OIAP command to setup an object independent authorization
> @@ -458,7 +458,7 @@ u32 tpm_terminate_auth_session(struct udevice *dev, u32 auth_handle);
>   * @param auth_handle	pointer to the (new) auth handle or NULL.
>   * @return return code of the operation
>   */
> -u32 tpm_oiap(struct udevice *dev, u32 *auth_handle);
> +u32 tpm1_oiap(struct udevice *dev, u32 *auth_handle);
>  
>  /**
>   * Ends an active OIAP session.
> @@ -466,7 +466,7 @@ u32 tpm_oiap(struct udevice *dev, u32 *auth_handle);
>   * @param dev		TPM device
>   * @return return code of the operation
>   */
> -u32 tpm_end_oiap(struct udevice *dev);
> +u32 tpm1_end_oiap(struct udevice *dev);
>  
>  /**
>   * Issue a TPM_LoadKey2 (Auth1) command using an OIAP session for authenticating
> @@ -480,9 +480,9 @@ u32 tpm_end_oiap(struct udevice *dev);
>   * @param key_handle	pointer to the key handle
>   * @return return code of the operation
>   */
> -u32 tpm_load_key2_oiap(struct udevice *dev, u32 parent_handle, const void *key,
> -		       size_t key_length, const void *parent_key_usage_auth,
> -		       u32 *key_handle);
> +u32 tpm1_load_key2_oiap(struct udevice *dev, u32 parent_handle, const void *key,
> +			size_t key_length, const void *parent_key_usage_auth,
> +			u32 *key_handle);
>  
>  /**
>   * Issue a TPM_GetPubKey (Auth1) command using an OIAP session for
> @@ -498,9 +498,9 @@ u32 tpm_load_key2_oiap(struct udevice *dev, u32 parent_handle, const void *key,
>   *			of the stored TPM_PUBKEY structure (iff pubkey != NULL).
>   * @return return code of the operation
>   */
> -u32 tpm_get_pub_key_oiap(struct udevice *dev, u32 key_handle,
> -			 const void *usage_auth, void *pubkey,
> -			 size_t *pubkey_len);
> +u32 tpm1_get_pub_key_oiap(struct udevice *dev, u32 key_handle,
> +			  const void *usage_auth, void *pubkey,
> +			  size_t *pubkey_len);
>  
>  /**
>   * Get the TPM permanent flags value
> @@ -509,8 +509,8 @@ u32 tpm_get_pub_key_oiap(struct udevice *dev, u32 key_handle,
>   * @param pflags	Place to put permanent flags
>   * @return return code of the operation
>   */
> -u32 tpm_get_permanent_flags(struct udevice *dev,
> -			    struct tpm_permanent_flags *pflags);
> +u32 tpm1_get_permanent_flags(struct udevice *dev,
> +			     struct tpm_permanent_flags *pflags);
>  
>  /**
>   * Get the TPM permissions
> @@ -519,7 +519,7 @@ u32 tpm_get_permanent_flags(struct udevice *dev,
>   * @param perm		Returns permissions value
>   * @return return code of the operation
>   */
> -u32 tpm_get_permissions(struct udevice *dev, u32 index, u32 *perm);
> +u32 tpm1_get_permissions(struct udevice *dev, u32 index, u32 *perm);
>  
>  /**
>   * Flush a resource with a given handle and type from the TPM
> @@ -529,7 +529,7 @@ u32 tpm_get_permissions(struct udevice *dev, u32 index, u32 *perm);
>   * @param resource_type                type of the resource
>   * @return return code of the operation
>   */
> -u32 tpm_flush_specific(struct udevice *dev, u32 key_handle, u32 resource_type);
> +u32 tpm1_flush_specific(struct udevice *dev, u32 key_handle, u32 resource_type);
>  
>  #ifdef CONFIG_TPM_LOAD_KEY_BY_SHA1
>  /**
> @@ -541,8 +541,8 @@ u32 tpm_flush_specific(struct udevice *dev, u32 key_handle, u32 resource_type);
>   * @param[out] handle	The handle of the key (Non-null iff found)
>   * @return 0 if key was found in TPM; != 0 if not.
>   */
> -u32 tpm_find_key_sha1(struct udevice *dev, const u8 auth[20],
> -		      const u8 pubkey_digest[20], u32 *handle);
> +u32 tpm1_find_key_sha1(struct udevice *dev, const u8 auth[20],
> +		       const u8 pubkey_digest[20], u32 *handle);
>  #endif /* CONFIG_TPM_LOAD_KEY_BY_SHA1 */
>  
>  /**
> @@ -555,7 +555,7 @@ u32 tpm_find_key_sha1(struct udevice *dev, const u8 auth[20],
>   * @param count		size of output buffer
>   * @return return code of the operation
>   */
> -u32 tpm_get_random(struct udevice *dev, void *data, u32 count);
> +u32 tpm1_get_random(struct udevice *dev, void *data, u32 count);
>  
>  /**
>   * tpm_finalise_physical_presence() - Finalise physical presence
> @@ -563,15 +563,15 @@ u32 tpm_get_random(struct udevice *dev, void *data, u32 count);
>   * @param dev		TPM device
>   * @return return code of the operation (0 = success)
>   */
> -u32 tpm_finalise_physical_presence(struct udevice *dev);
> +u32 tpm1_finalise_physical_presence(struct udevice *dev);
>  
>  /**
> - * tpm_nv_set_locked() - lock the non-volatile space
> + * tpm_nv_enable_locking() - lock the non-volatile space
>   *
>   * @param dev		TPM device
>   * @return return code of the operation (0 = success)
>   */
> -u32 tpm_nv_set_locked(struct udevice *dev);
> +u32 tpm1_nv_set_locked(struct udevice *dev);
>  
>  /**
>   * tpm_set_global_lock() - set the global lock
> @@ -587,6 +587,6 @@ u32 tpm_set_global_lock(struct udevice *dev);
>   * @param dev		TPM device
>   * @return return code of the operation (0 = success)
>   */
> -u32 tpm_resume(struct udevice *dev);
> +u32 tpm1_resume(struct udevice *dev);
>  
>  #endif /* __TPM_V1_H */
> diff --git a/lib/Makefile b/lib/Makefile
> index edc1c3dd4f9..c42d4e12335 100644
> --- a/lib/Makefile
> +++ b/lib/Makefile
> @@ -53,6 +53,7 @@ endif
>  obj-$(CONFIG_$(SPL_TPL_)TPM) += tpm-common.o
>  ifeq ($(CONFIG_$(SPL_TPL_)TPM),y)
>  obj-y += crc8.o
> +obj-$(CONFIG_TPM) += tpm_api.o
>  obj-$(CONFIG_TPM_V1) += tpm-v1.o
>  obj-$(CONFIG_TPM_V2) += tpm-v2.o
>  endif
> diff --git a/lib/tpm-v1.c b/lib/tpm-v1.c
> index a846fe00dd3..8dc144080ca 100644
> --- a/lib/tpm-v1.c
> +++ b/lib/tpm-v1.c
> @@ -32,7 +32,7 @@ static struct session_data oiap_session = {0, };
>  
>  #endif /* CONFIG_TPM_AUTH_SESSIONS */
>  
> -u32 tpm_startup(struct udevice *dev, enum tpm_startup_type mode)
> +u32 tpm1_startup(struct udevice *dev, enum tpm_startup_type mode)
>  {
>  	const u8 command[12] = {
>  		0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x0,
> @@ -48,12 +48,12 @@ u32 tpm_startup(struct udevice *dev, enum tpm_startup_type mode)
>  	return tpm_sendrecv_command(dev, buf, NULL, NULL);
>  }
>  
> -u32 tpm_resume(struct udevice *dev)
> +u32 tpm1_resume(struct udevice *dev)
>  {
> -	return tpm_startup(dev, TPM_ST_STATE);
> +	return tpm1_startup(dev, TPM_ST_STATE);
>  }
>  
> -u32 tpm_self_test_full(struct udevice *dev)
> +u32 tpm1_self_test_full(struct udevice *dev)
>  {
>  	const u8 command[10] = {
>  		0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x50,
> @@ -61,7 +61,7 @@ u32 tpm_self_test_full(struct udevice *dev)
>  	return tpm_sendrecv_command(dev, command, NULL, NULL);
>  }
>  
> -u32 tpm_continue_self_test(struct udevice *dev)
> +u32 tpm1_continue_self_test(struct udevice *dev)
>  {
>  	const u8 command[10] = {
>  		0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x53,
> @@ -69,35 +69,33 @@ u32 tpm_continue_self_test(struct udevice *dev)
>  	return tpm_sendrecv_command(dev, command, NULL, NULL);
>  }
>  
> -u32 tpm_clear_and_reenable(struct udevice *dev)
> +u32 tpm1_clear_and_reenable(struct udevice *dev)
>  {
>  	u32 ret;
>  
>  	log_info("TPM: Clear and re-enable\n");
> -	ret = tpm_force_clear(dev);
> +	ret = tpm1_force_clear(dev);
>  	if (ret != TPM_SUCCESS) {
>  		log_err("Can't initiate a force clear\n");
>  		return ret;
>  	}
>  
> -	if (tpm_get_version(dev) == TPM_V1) {
> -		ret = tpm_physical_enable(dev);
> -		if (ret != TPM_SUCCESS) {
> -			log_err("TPM: Can't set enabled state\n");
> -			return ret;
> -		}
> +	ret = tpm1_physical_enable(dev);
> +	if (ret != TPM_SUCCESS) {
> +		log_err("TPM: Can't set enabled state\n");
> +		return ret;
> +	}
>  
> -		ret = tpm_physical_set_deactivated(dev, 0);
> -		if (ret != TPM_SUCCESS) {
> -			log_err("TPM: Can't set deactivated state\n");
> -			return ret;
> -		}
> +	ret = tpm1_physical_set_deactivated(dev, 0);
> +	if (ret != TPM_SUCCESS) {
> +		log_err("TPM: Can't set deactivated state\n");
> +		return ret;
>  	}
>  
>  	return TPM_SUCCESS;
>  }
>  
> -u32 tpm_nv_define_space(struct udevice *dev, u32 index, u32 perm, u32 size)
> +u32 tpm1_nv_define_space(struct udevice *dev, u32 index, u32 perm, u32 size)
>  {
>  	const u8 command[101] = {
>  		0x0, 0xc1,		/* TPM_TAG */
> @@ -140,12 +138,12 @@ u32 tpm_nv_define_space(struct udevice *dev, u32 index, u32 perm, u32 size)
>  	return tpm_sendrecv_command(dev, buf, NULL, NULL);
>  }
>  
> -u32 tpm_nv_set_locked(struct udevice *dev)
> +u32 tpm1_nv_set_locked(struct udevice *dev)
>  {
> -	return tpm_nv_define_space(dev, TPM_NV_INDEX_LOCK, 0, 0);
> +	return tpm1_nv_define_space(dev, TPM_NV_INDEX_LOCK, 0, 0);
>  }
>  
> -u32 tpm_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count)
> +u32 tpm1_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count)
>  {
>  	const u8 command[22] = {
>  		0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0xcf,
> @@ -179,8 +177,8 @@ u32 tpm_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count)
>  	return 0;
>  }
>  
> -u32 tpm_nv_write_value(struct udevice *dev, u32 index, const void *data,
> -		       u32 length)
> +u32 tpm1_nv_write_value(struct udevice *dev, u32 index, const void *data,
> +			u32 length)
>  {
>  	const u8 command[256] = {
>  		0x0, 0xc1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xcd,
> @@ -210,13 +208,8 @@ u32 tpm_nv_write_value(struct udevice *dev, u32 index, const void *data,
>  	return 0;
>  }
>  
> -uint32_t tpm_set_global_lock(struct udevice *dev)
> -{
> -	return tpm_nv_write_value(dev, TPM_NV_INDEX_0, NULL, 0);
> -}
> -
> -u32 tpm_extend(struct udevice *dev, u32 index, const void *in_digest,
> -	       void *out_digest)
> +u32 tpm1_extend(struct udevice *dev, u32 index, const void *in_digest,
> +		void *out_digest)
>  {
>  	const u8 command[34] = {
>  		0x0, 0xc1, 0x0, 0x0, 0x0, 0x22, 0x0, 0x0, 0x0, 0x14,
> @@ -247,7 +240,7 @@ u32 tpm_extend(struct udevice *dev, u32 index, const void *in_digest,
>  	return 0;
>  }
>  
> -u32 tpm_pcr_read(struct udevice *dev, u32 index, void *data, size_t count)
> +u32 tpm1_pcr_read(struct udevice *dev, u32 index, void *data, size_t count)
>  {
>  	const u8 command[14] = {
>  		0x0, 0xc1, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x15,
> @@ -275,7 +268,7 @@ u32 tpm_pcr_read(struct udevice *dev, u32 index, void *data, size_t count)
>  	return 0;
>  }
>  
> -u32 tpm_tsc_physical_presence(struct udevice *dev, u16 presence)
> +u32 tpm1_tsc_physical_presence(struct udevice *dev, u16 presence)
>  {
>  	const u8 command[12] = {
>  		0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x0,
> @@ -291,7 +284,7 @@ u32 tpm_tsc_physical_presence(struct udevice *dev, u16 presence)
>  	return tpm_sendrecv_command(dev, buf, NULL, NULL);
>  }
>  
> -u32 tpm_finalise_physical_presence(struct udevice *dev)
> +u32 tpm1_finalise_physical_presence(struct udevice *dev)
>  {
>  	const u8 command[12] = {
>  		0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x2, 0xa0,
> @@ -300,7 +293,7 @@ u32 tpm_finalise_physical_presence(struct udevice *dev)
>  	return tpm_sendrecv_command(dev, command, NULL, NULL);
>  }
>  
> -u32 tpm_read_pubek(struct udevice *dev, void *data, size_t count)
> +u32 tpm1_read_pubek(struct udevice *dev, void *data, size_t count)
>  {
>  	const u8 command[30] = {
>  		0x0, 0xc1, 0x0, 0x0, 0x0, 0x1e, 0x0, 0x0, 0x0, 0x7c,
> @@ -331,7 +324,7 @@ u32 tpm_read_pubek(struct udevice *dev, void *data, size_t count)
>  	return 0;
>  }
>  
> -u32 tpm_force_clear(struct udevice *dev)
> +u32 tpm1_force_clear(struct udevice *dev)
>  {
>  	const u8 command[10] = {
>  		0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x5d,
> @@ -340,7 +333,7 @@ u32 tpm_force_clear(struct udevice *dev)
>  	return tpm_sendrecv_command(dev, command, NULL, NULL);
>  }
>  
> -u32 tpm_physical_enable(struct udevice *dev)
> +u32 tpm1_physical_enable(struct udevice *dev)
>  {
>  	const u8 command[10] = {
>  		0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x6f,
> @@ -349,7 +342,7 @@ u32 tpm_physical_enable(struct udevice *dev)
>  	return tpm_sendrecv_command(dev, command, NULL, NULL);
>  }
>  
> -u32 tpm_physical_disable(struct udevice *dev)
> +u32 tpm1_physical_disable(struct udevice *dev)
>  {
>  	const u8 command[10] = {
>  		0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x70,
> @@ -358,7 +351,7 @@ u32 tpm_physical_disable(struct udevice *dev)
>  	return tpm_sendrecv_command(dev, command, NULL, NULL);
>  }
>  
> -u32 tpm_physical_set_deactivated(struct udevice *dev, u8 state)
> +u32 tpm1_physical_set_deactivated(struct udevice *dev, u8 state)
>  {
>  	const u8 command[11] = {
>  		0x0, 0xc1, 0x0, 0x0, 0x0, 0xb, 0x0, 0x0, 0x0, 0x72,
> @@ -374,8 +367,8 @@ u32 tpm_physical_set_deactivated(struct udevice *dev, u8 state)
>  	return tpm_sendrecv_command(dev, buf, NULL, NULL);
>  }
>  
> -u32 tpm_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
> -		       void *cap, size_t count)
> +u32 tpm1_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
> +			void *cap, size_t count)
>  {
>  	const u8 command[22] = {
>  		0x0, 0xc1,		/* TPM_TAG */
> @@ -414,8 +407,8 @@ u32 tpm_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
>  	return 0;
>  }
>  
> -u32 tpm_get_permanent_flags(struct udevice *dev,
> -			    struct tpm_permanent_flags *pflags)
> +u32 tpm1_get_permanent_flags(struct udevice *dev,
> +			     struct tpm_permanent_flags *pflags)
>  {
>  	const u8 command[22] = {
>  		0x0, 0xc1,		/* TPM_TAG */
> @@ -453,7 +446,7 @@ u32 tpm_get_permanent_flags(struct udevice *dev,
>  	return 0;
>  }
>  
> -u32 tpm_get_permissions(struct udevice *dev, u32 index, u32 *perm)
> +u32 tpm1_get_permissions(struct udevice *dev, u32 index, u32 *perm)
>  {
>  	const u8 command[22] = {
>  		0x0, 0xc1,		/* TPM_TAG */
> @@ -482,7 +475,7 @@ u32 tpm_get_permissions(struct udevice *dev, u32 index, u32 *perm)
>  }
>  
>  #ifdef CONFIG_TPM_FLUSH_RESOURCES
> -u32 tpm_flush_specific(struct udevice *dev, u32 key_handle, u32 resource_type)
> +u32 tpm1_flush_specific(struct udevice *dev, u32 key_handle, u32 resource_type)
>  {
>  	const u8 command[18] = {
>  		0x00, 0xc1,             /* TPM_TAG */
> @@ -641,7 +634,7 @@ static u32 verify_response_auth(u32 command_code, const void *response,
>  	return TPM_SUCCESS;
>  }
>  
> -u32 tpm_terminate_auth_session(struct udevice *dev, u32 auth_handle)
> +u32 tpm1_terminate_auth_session(struct udevice *dev, u32 auth_handle)
>  {
>  	const u8 command[18] = {
>  		0x00, 0xc1,		/* TPM_TAG */
> @@ -663,16 +656,16 @@ u32 tpm_terminate_auth_session(struct udevice *dev, u32 auth_handle)
>  	return tpm_sendrecv_command(dev, request, NULL, NULL);
>  }
>  
> -u32 tpm_end_oiap(struct udevice *dev)
> +u32 tpm1_end_oiap(struct udevice *dev)
>  {
>  	u32 err = TPM_SUCCESS;
>  
>  	if (oiap_session.valid)
> -		err = tpm_terminate_auth_session(dev, oiap_session.handle);
> +		err = tpm1_terminate_auth_session(dev, oiap_session.handle);
>  	return err;
>  }
>  
> -u32 tpm_oiap(struct udevice *dev, u32 *auth_handle)
> +u32 tpm1_oiap(struct udevice *dev, u32 *auth_handle)
>  {
>  	const u8 command[10] = {
>  		0x00, 0xc1,		/* TPM_TAG */
> @@ -686,7 +679,7 @@ u32 tpm_oiap(struct udevice *dev, u32 *auth_handle)
>  	u32 err;
>  
>  	if (oiap_session.valid)
> -		tpm_terminate_auth_session(dev, oiap_session.handle);
> +		tpm1_terminate_auth_session(dev, oiap_session.handle);
>  
>  	err = tpm_sendrecv_command(dev, command, response, &response_length);
>  	if (err)
> @@ -702,9 +695,9 @@ u32 tpm_oiap(struct udevice *dev, u32 *auth_handle)
>  	return 0;
>  }
>  
> -u32 tpm_load_key2_oiap(struct udevice *dev, u32 parent_handle, const void *key,
> -		       size_t key_length, const void *parent_key_usage_auth,
> -		       u32 *key_handle)
> +u32 tpm1_load_key2_oiap(struct udevice *dev, u32 parent_handle, const void *key,
> +			size_t key_length, const void *parent_key_usage_auth,
> +			u32 *key_handle)
>  {
>  	const u8 command[14] = {
>  		0x00, 0xc2,		/* TPM_TAG */
> @@ -723,7 +716,7 @@ u32 tpm_load_key2_oiap(struct udevice *dev, u32 parent_handle, const void *key,
>  	u32 err;
>  
>  	if (!oiap_session.valid) {
> -		err = tpm_oiap(dev, NULL);
> +		err = tpm1_oiap(dev, NULL);
>  		if (err)
>  			return err;
>  	}
> @@ -768,9 +761,9 @@ u32 tpm_load_key2_oiap(struct udevice *dev, u32 parent_handle, const void *key,
>  	return 0;
>  }
>  
> -u32 tpm_get_pub_key_oiap(struct udevice *dev, u32 key_handle,
> -			 const void *usage_auth, void *pubkey,
> -			 size_t *pubkey_len)
> +u32 tpm1_get_pub_key_oiap(struct udevice *dev, u32 key_handle,
> +			  const void *usage_auth, void *pubkey,
> +			  size_t *pubkey_len)
>  {
>  	const u8 command[14] = {
>  		0x00, 0xc2,		/* TPM_TAG */
> @@ -788,7 +781,7 @@ u32 tpm_get_pub_key_oiap(struct udevice *dev, u32 key_handle,
>  	u32 err;
>  
>  	if (!oiap_session.valid) {
> -		err = tpm_oiap(dev, NULL);
> +		err = tpm1_oiap(dev, NULL);
>  		if (err)
>  			return err;
>  	}
> @@ -834,8 +827,8 @@ u32 tpm_get_pub_key_oiap(struct udevice *dev, u32 key_handle,
>  }
>  
>  #ifdef CONFIG_TPM_LOAD_KEY_BY_SHA1
> -u32 tpm_find_key_sha1(struct udevice *dev, const u8 auth[20],
> -		      const u8 pubkey_digest[20], u32 *handle)
> +u32 tpm1_find_key_sha1(struct udevice *dev, const u8 auth[20],
> +		       const u8 pubkey_digest[20], u32 *handle)
>  {
>  	u16 key_count;
>  	u32 key_handles[10];
> @@ -876,7 +869,7 @@ u32 tpm_find_key_sha1(struct udevice *dev, const u8 auth[20],
>  
>  #endif /* CONFIG_TPM_AUTH_SESSIONS */
>  
> -u32 tpm_get_random(struct udevice *dev, void *data, u32 count)
> +u32 tpm1_get_random(struct udevice *dev, void *data, u32 count)
>  {
>  	const u8 command[14] = {
>  		0x0, 0xc1,		/* TPM_TAG */
> -- 
> 2.30.0.478.g8a0d178c01-goog
> 

Overall this makes sense so 
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

p.s: We can slowly start changing drivers and the EFI TCG code to using the
unified API at some point. 

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [PATCH v4 01/11] tpm: Don't include cr50 in TPL/SPL
  2021-02-06 21:23 ` [PATCH v4 01/11] tpm: Don't include cr50 in TPL/SPL Simon Glass
@ 2021-03-03 19:10   ` Tom Rini
  0 siblings, 0 replies; 25+ messages in thread
From: Tom Rini @ 2021-03-03 19:10 UTC (permalink / raw)
  To: u-boot

On Sat, Feb 06, 2021 at 02:23:32PM -0700, Simon Glass wrote:

> At present the security chip is not used in these U-Boot phases. Update
> the Makefile to exclude it.
> 
> Fix a few logging statements while we are here.
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>
> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210303/4ec73b1a/attachment.sig>

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [PATCH v4 02/11] tpm: Use logging in the uclass
  2021-02-06 21:23 ` [PATCH v4 02/11] tpm: Use logging in the uclass Simon Glass
@ 2021-03-03 19:10   ` Tom Rini
  0 siblings, 0 replies; 25+ messages in thread
From: Tom Rini @ 2021-03-03 19:10 UTC (permalink / raw)
  To: u-boot

On Sat, Feb 06, 2021 at 02:23:33PM -0700, Simon Glass wrote:

> Update this to use log_debug() instead of the old debug().
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>
> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210303/fe8d1d09/attachment.sig>

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [PATCH v4 03/11] tpm: Add debugging of request in tpm_sendrecv_command()
  2021-02-06 21:23 ` [PATCH v4 03/11] tpm: Add debugging of request in tpm_sendrecv_command() Simon Glass
@ 2021-03-03 19:10   ` Tom Rini
  0 siblings, 0 replies; 25+ messages in thread
From: Tom Rini @ 2021-03-03 19:10 UTC (permalink / raw)
  To: u-boot

On Sat, Feb 06, 2021 at 02:23:34PM -0700, Simon Glass wrote:

> The response is shown but not the request. Update the code to show both
> if debugging is enabled.
> 
> Use a 'uint' type for size so it matches the register-word size on both
> 32- and 64-bit machines.
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210303/5b509dd0/attachment.sig>

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [PATCH v4 04/11] tpm: Add an API that can support v1.2 and v2
  2021-02-06 21:23 ` [PATCH v4 04/11] tpm: Add an API that can support v1.2 and v2 Simon Glass
@ 2021-03-03 19:10   ` Tom Rini
  0 siblings, 0 replies; 25+ messages in thread
From: Tom Rini @ 2021-03-03 19:10 UTC (permalink / raw)
  To: u-boot

On Sat, Feb 06, 2021 at 02:23:35PM -0700, Simon Glass wrote:

> There are two different TPM standards. U-Boot supports both but each has
> its own set of functions. We really need a single TPM API that can call
> one or the other. This is not always possible as there are some
> differences between the two standards, but it is mostly possible.
> 
> Add an API to handle this. So far it is not plumbed into the build and
> only supports TPMv1.
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>
> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210303/6672e15c/attachment.sig>

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [PATCH v4 05/11] tpm: Switch TPMv1 over to use the new API
  2021-02-06 21:23 ` [PATCH v4 05/11] tpm: Switch TPMv1 over to use the new API Simon Glass
  2021-02-07 11:44   ` Ilias Apalodimas
@ 2021-03-03 19:11   ` Tom Rini
  1 sibling, 0 replies; 25+ messages in thread
From: Tom Rini @ 2021-03-03 19:11 UTC (permalink / raw)
  To: u-boot

On Sat, Feb 06, 2021 at 02:23:36PM -0700, Simon Glass wrote:

> Take over the plain 'tpm_...' functions for use by the new TPM API. Rename
> all the TPMv1 functions so they are called from the API.
> 
> Update the TPMv1 functions so that they are called from the API. Change
> existing users to use the tpm1_ prefix so they don't need to go through
> the API, which might introduce uncertainty.
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>
> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210303/0e406e6f/attachment.sig>

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [PATCH v4 06/11] tpm: Add a basic API implementation for TPMv2
  2021-02-06 21:23 ` [PATCH v4 06/11] tpm: Add a basic API implementation for TPMv2 Simon Glass
@ 2021-03-03 19:11   ` Tom Rini
  0 siblings, 0 replies; 25+ messages in thread
From: Tom Rini @ 2021-03-03 19:11 UTC (permalink / raw)
  To: u-boot

On Sat, Feb 06, 2021 at 02:23:37PM -0700, Simon Glass wrote:

> Add support for TPMv2 versions of API functions. So far this is not
> complete as the standard is quite large, but it implements everything
> currently available for TPMv2 in U-Boot.
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>
> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210303/88e7328a/attachment.sig>

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [PATCH v4 07/11] tpm: Reduce duplication in a few functions
  2021-02-06 21:23 ` [PATCH v4 07/11] tpm: Reduce duplication in a few functions Simon Glass
@ 2021-03-03 19:11   ` Tom Rini
  0 siblings, 0 replies; 25+ messages in thread
From: Tom Rini @ 2021-03-03 19:11 UTC (permalink / raw)
  To: u-boot

On Sat, Feb 06, 2021 at 02:23:38PM -0700, Simon Glass wrote:

> Update tpm2_clear() and tpm2_pcr_extend() so that the command size
> is not repeated twice. Add a small comment to the latter.
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>
> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210303/d76e754e/attachment.sig>

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [PATCH v4 08/11] tpm: Add an implementation of define_space
  2021-02-06 21:23 ` [PATCH v4 08/11] tpm: Add an implementation of define_space Simon Glass
  2021-02-07 11:44   ` Ilias Apalodimas
@ 2021-03-03 19:11   ` Tom Rini
  1 sibling, 0 replies; 25+ messages in thread
From: Tom Rini @ 2021-03-03 19:11 UTC (permalink / raw)
  To: u-boot

On Sat, Feb 06, 2021 at 02:23:39PM -0700, Simon Glass wrote:

> Add support for this so that the TPM can be set up for use with
> Chromium OS verified boot.
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>
> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210303/7c0cf6ce/attachment.sig>

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [PATCH v4 09/11] tpm: Add TPM2 support for read/write values
  2021-02-06 21:23 ` [PATCH v4 09/11] tpm: Add TPM2 support for read/write values Simon Glass
@ 2021-03-03 19:11   ` Tom Rini
  0 siblings, 0 replies; 25+ messages in thread
From: Tom Rini @ 2021-03-03 19:11 UTC (permalink / raw)
  To: u-boot

On Sat, Feb 06, 2021 at 02:23:40PM -0700, Simon Glass wrote:

> Implement this API function for TPM2.
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>
> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210303/a1b10d0c/attachment.sig>

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [PATCH v4 10/11] tpm: Add TPM2 support for write_lock
  2021-02-06 21:23 ` [PATCH v4 10/11] tpm: Add TPM2 support for write_lock Simon Glass
@ 2021-03-03 19:11   ` Tom Rini
  0 siblings, 0 replies; 25+ messages in thread
From: Tom Rini @ 2021-03-03 19:11 UTC (permalink / raw)
  To: u-boot

On Sat, Feb 06, 2021 at 02:23:41PM -0700, Simon Glass wrote:

> Implement this API function for TPM2.
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>
> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210303/c7652c9d/attachment.sig>

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [PATCH v4 11/11] tpm: Allow disabling platform hierarchy with TPM2
  2021-02-06 21:23 ` [PATCH v4 11/11] tpm: Allow disabling platform hierarchy with TPM2 Simon Glass
@ 2021-03-03 19:11   ` Tom Rini
  0 siblings, 0 replies; 25+ messages in thread
From: Tom Rini @ 2021-03-03 19:11 UTC (permalink / raw)
  To: u-boot

On Sat, Feb 06, 2021 at 02:23:42PM -0700, Simon Glass wrote:

> With TPM2 we don't actually lock the TPM once verified boot is finished.
> Instead we disable the platform hierarchy which serves the same purpose.
> Add an implementation of this so we can safely boot into the kernel.
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>
> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210303/ee4a3920/attachment-0001.sig>

^ permalink raw reply	[flat|nested] 25+ messages in thread

end of thread, other threads:[~2021-03-03 19:11 UTC | newest]

Thread overview: 25+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-06 21:23 [PATCH v4 00/11] tpm: Support using TPM1 and TPM2 from a single API Simon Glass
2021-02-06 21:23 ` [PATCH v4 01/11] tpm: Don't include cr50 in TPL/SPL Simon Glass
2021-03-03 19:10   ` Tom Rini
2021-02-06 21:23 ` [PATCH v4 02/11] tpm: Use logging in the uclass Simon Glass
2021-03-03 19:10   ` Tom Rini
2021-02-06 21:23 ` [PATCH v4 03/11] tpm: Add debugging of request in tpm_sendrecv_command() Simon Glass
2021-03-03 19:10   ` Tom Rini
2021-02-06 21:23 ` [PATCH v4 04/11] tpm: Add an API that can support v1.2 and v2 Simon Glass
2021-03-03 19:10   ` Tom Rini
2021-02-06 21:23 ` [PATCH v4 05/11] tpm: Switch TPMv1 over to use the new API Simon Glass
2021-02-07 11:44   ` Ilias Apalodimas
2021-03-03 19:11   ` Tom Rini
2021-02-06 21:23 ` [PATCH v4 06/11] tpm: Add a basic API implementation for TPMv2 Simon Glass
2021-03-03 19:11   ` Tom Rini
2021-02-06 21:23 ` [PATCH v4 07/11] tpm: Reduce duplication in a few functions Simon Glass
2021-03-03 19:11   ` Tom Rini
2021-02-06 21:23 ` [PATCH v4 08/11] tpm: Add an implementation of define_space Simon Glass
2021-02-07 11:44   ` Ilias Apalodimas
2021-03-03 19:11   ` Tom Rini
2021-02-06 21:23 ` [PATCH v4 09/11] tpm: Add TPM2 support for read/write values Simon Glass
2021-03-03 19:11   ` Tom Rini
2021-02-06 21:23 ` [PATCH v4 10/11] tpm: Add TPM2 support for write_lock Simon Glass
2021-03-03 19:11   ` Tom Rini
2021-02-06 21:23 ` [PATCH v4 11/11] tpm: Allow disabling platform hierarchy with TPM2 Simon Glass
2021-03-03 19:11   ` Tom Rini

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.