* Read from TPM2 NV Index
@ 2021-11-07 16:44 Harshvardhan Patel
From: Harshvardhan Patel @ 2021-11-07 16:44 UTC (permalink / raw)
To: u-boot
Hi All,
I am working with Infineon TPM SLB9670 connected to a Raspberry Pi 4 via
the GPIO Header. I want to perform a simple NV Index read operation from NV
Index 1 in U-Boot. This NV Index was defined and written to in Linux
userspace using tpm2-tools (following the man page here -
https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_nvwrite.1.md
):
$ tpm2_nvdefine -Q 1 -C o -s 32 -a "ownerread|policywrite|ownerwrite"
$ echo "please123abc" > nv.test_w
$ tpm2_nvwrite -Q 1 -C o -i nv.test_w
After the above definition and write operation, I am able to read the data
back from the NV Indices using TPM2 tools. However, it seems I'm unable to
do so in U-Boot. Following is the code snippet I'm using for reading NV
Index 1.
struct udevice *dev = NULL;
u8 data[270];  /* destination buffer for the NV contents; must not be NULL */
u32 status;    /* TPM2 return code */
get_tpm(&dev);
status = tpm2_nv_read_value(dev, 1, data, 270);
However, the status code in the above case is "329" or "0x149".
Further, I did notice that the hierarchy used in the tpm2-tools command is
the Owner Hierarchy. However, the lib/tpm-v2.c code by default sets
TPM2_RH_PLATFORM as the hierarchy. So I made the following changes:
diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
index 235f8c20d4..a9644c2f8b 100644
--- a/lib/tpm-v2.c
+++ b/lib/tpm-v2.c
@@ -178,12 +178,12 @@ u32 tpm2_nv_read_value(struct udevice *dev, u32
index, void *data, u32 count)
tpm_u32(TPM2_CC_NV_READ), /* Command code */
/* handles 8 bytes */
- tpm_u32(TPM2_RH_PLATFORM), /* Primary platform seed */
+ tpm_u32(TPM2_RH_OWNER), /* Primary platform seed */
tpm_u32(HR_NV_INDEX + index), /* Password authorisation */
/* AUTH_SESSION */
tpm_u32(9), /* Authorization size */
- tpm_u32(TPM2_RS_PW), /* Session handle */
+ tpm_u32(TPM2_RH_OWNER), /* Session handle */
tpm_u16(0), /* Size of <nonce> */
/* <nonce> (if any) */
0, /* Attributes:
Cont/Excl/Rst */
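Review bot: the second change in this hunk replaces the session handle TPM2_RS_PW with TPM2_RH_OWNER, but that field is the authorization area's session handle, not the entity being authorized; the hierarchy belongs only in the first handle, which the hunk already switches to TPM2_RH_OWNER, and the 9-byte password-session layout that follows (empty nonce, attributes, password) only fits a TPM2_RS_PW session. Suggest keeping `tpm_u32(TPM2_RS_PW), /* Session handle */` and, on the TPM2_RH_OWNER line, updating the now stale comment `/* Primary platform seed */`, which no longer describes the handle it sits beside.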
The status code in this case changes to "2436" or "0x984".
Please let me know if I am missing something in the above API call? What
changes do I have to make in order to read the value stored at an NV Index
from U-Boot space?
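Added example, not code from the thread or from U-Boot: it builds the TPM2_NV_Read command with the same field order as the lib/tpm-v2.c excerpt above, using the owner hierarchy as the authorizing handle while keeping TPM2_RS_PW as the session handle, and decodes the two response codes the message reports (constants and response-code layout from the TPM 2.0 Part 2 specification; the helper names are this example's own).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TPM2_ST_SESSIONS        0x8002u      /* command carries an authorization area */
#define TPM2_CC_NV_READ         0x0000014Eu
#define TPM2_RH_OWNER           0x40000001u
#define TPM2_RS_PW              0x40000009u  /* password-session handle */
#define HR_NV_INDEX             0x01000000u
#define RC_FMT1                 0x080u       /* format-1 code: names a handle/session/param */
#define TPM_RC_S                0x800u       /* ... and that thing is a session */
#define TPM_RC_P                0x040u       /* ... or a parameter */
#define TPM_RC_NV_AUTHORIZATION 0x149u       /* TPM_RC_VER1 + 0x049 */

static uint8_t *put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; return p + 2; }
static uint8_t *put_u32(uint8_t *p, uint32_t v) { return put_u16(put_u16(p, (uint16_t)(v >> 16)), (uint16_t)v); }

/* TPM2_NV_Read(authHandle, nvIndex, size, offset) with an empty owner password; buf needs 35 bytes. */
size_t build_nv_read(uint8_t *buf, uint32_t auth_handle, uint32_t index, uint16_t size, uint16_t offset)
{
    uint8_t *p = put_u16(buf, TPM2_ST_SESSIONS);
    p = put_u32(p, 0);                    /* commandSize, patched at the end */
    p = put_u32(p, TPM2_CC_NV_READ);
    p = put_u32(p, auth_handle);          /* handle 1: TPM2_RH_OWNER for an "ownerread" index */
    p = put_u32(p, HR_NV_INDEX + index);  /* handle 2: the NV index itself */
    p = put_u32(p, 9);                    /* authorizationSize: the nine bytes that follow */
    p = put_u32(p, TPM2_RS_PW);           /* session handle: password session, never a hierarchy */
    p = put_u16(p, 0);                    /* nonce size */
    *p++ = 0;                             /* session attributes */
    p = put_u16(p, 0);                    /* hmac (password) size: empty owner auth */
    p = put_u16(p, size);
    p = put_u16(p, offset);
    put_u32(buf + 2, (uint32_t)(p - buf));
    return (size_t)(p - buf);
}

struct rc_info { const char *kind; unsigned num; unsigned err; };

/* Decode a response code: format-1 codes carry the 1-based number of the offending handle/session/parameter. */
struct rc_info decode_rc(uint32_t rc)
{
    struct rc_info r = { rc == TPM_RC_NV_AUTHORIZATION ? "TPM_RC_NV_AUTHORIZATION" : "format-0", 0, rc };
    if (rc & RC_FMT1) {
        unsigned num = (rc >> 8) & 0xf;   /* sessions are numbered from 8 in this nibble */
        r.err = rc & 0x3f;                /* 0x04 is TPM_RC_VALUE */
        if (rc & TPM_RC_P)      { r.kind = "parameter"; r.num = num; }
        else if (rc & TPM_RC_S) { r.kind = "session";   r.num = num - 8; }
        else                    { r.kind = "handle";    r.num = num; }
    }
    return r;
}
```

With this decoding, 0x149 is TPM_RC_NV_AUTHORIZATION (the platform hierarchy may not read an index defined with ownerread) and 0x984 is a VALUE error for session 1, which is what a hierarchy handle in the session-handle slot produces.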
* Re: Read from TPM2 NV Index
From: Ilias Apalodimas @ 2021-11-17 11:05 UTC (permalink / raw)
To: Harshvardhan Patel; +Cc: u-boot
Hi Harshvardhan
On Sun, 7 Nov 2021 at 18:45, Harshvardhan Patel
<harshvardhan1621@gmail.com> wrote:
>
> Hi All,
>
> I am working with Infineon TPM SLB9670 connected to a Raspberry Pi 4 via
> the GPIO Header. I want to perform a simple NV Index read operation from NV
> Index 1 in U-Boot. This NV Index was defined and written to in Linux
> userspace using tpm2-tools (following the man page here -
> https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_nvwrite.1.md
> ):
>
> $ tpm2_nvdefine -Q 1 -C o -s 32 -a "ownerread|policywrite|ownerwrite"
> $ echo "please123abc" > nv.test_w
> $ tpm2_nvwrite -Q 1 -C o -i nv.test_w
>
> After the above definition and write operation, I am able to read the data
> back from the NV Indices using TPM2 tools. However, it seems I'm unable to
> do so in U-Boot. Following is the code snippet I'm using for reading NV
> Index 1.
>
> struct udevice *dev = NULL;
> u8 data[270];  /* destination buffer for the NV contents; must not be NULL */
> u32 status;    /* TPM2 return code */
> get_tpm(&dev);
> status = tpm2_nv_read_value(dev, 1, data, 270);
> However, the status code in the above case is "329" or "0x149".
>
> Further, I did notice that the hierarchy used in the tpm2-tools command is
> the Owner Hierarchy. However, the lib/tpm-v2.c code by default sets
> TPM2_RH_PLATFORM as the hierarchy. So I made the following changes:
>
> diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
> index 235f8c20d4..a9644c2f8b 100644
> --- a/lib/tpm-v2.c
> +++ b/lib/tpm-v2.c
> @@ -178,12 +178,12 @@ u32 tpm2_nv_read_value(struct udevice *dev, u32
> index, void *data, u32 count)
> tpm_u32(TPM2_CC_NV_READ), /* Command code */
>
> /* handles 8 bytes */
> - tpm_u32(TPM2_RH_PLATFORM), /* Primary platform seed */
> + tpm_u32(TPM2_RH_OWNER), /* Primary platform seed */
> tpm_u32(HR_NV_INDEX + index), /* Password authorisation */
>
> /* AUTH_SESSION */
> tpm_u32(9), /* Authorization size */
> - tpm_u32(TPM2_RS_PW), /* Session handle */
> + tpm_u32(TPM2_RH_OWNER), /* Session handle */
> tpm_u16(0), /* Size of <nonce> */
> /* <nonce> (if any) */
> 0, /* Attributes:
> Cont/Excl/Rst */
>
We should add options for defining the hierarchy in nv_read instead of
hardcoding it.
> The status code in this case changes to "2436" or "0x984".
>
> Please let me know if I am missing something in the above API call? What
> changes do I have to make in order to read the value stored at an NV Index
> from U-Boot space?
I guess this means this is still an error? I haven't played around
with u-boot nv_read too much so I am afraid we'll need a bit more
debugging to figure out what's going on.
Cheers
/Ilias