
Hi All,
I am working with Infineon TPM SLB9670 connected to a Raspberry Pi 4 via the GPIO Header. I want to perform a simple NV Index read operation from NV Index 1 in U-Boot. This NV Index was defined and written to in Linux userspace using tpm2-tools (following the man page here - https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_nvwrite.1.m... ):
$ tpm2_nvdefine -Q 1 -C o -s 32 -a "ownerread|policywrite|ownerwrite"
$ echo "please123abc" > nv.test_w
$ tpm2_nvwrite -Q 1 -C o -i nv.test_w
After the above definition and write operation, I am able to read the data back from the NV Indices using TPM2 tools. However, it seems I'm unable to do so in U-Boot. Following is the code snippet I'm using for reading NV Index 1.
struct udevice *dev = NULL;
u8 data[32] = { 0 };	/* destination buffer, sized to match -s 32 in tpm2_nvdefine */
u32 status;
get_tpm(&dev);		/* locate the TPM udevice */
status = tpm2_nv_read_value(dev, 1, data, sizeof(data));
However, the status code in the above case is "329" or "0x149".
Further, I did notice that the hierarchy used in the tpm2-tools command is the Owner Hierarchy. However, the lib/tpm-v2.c code by default sets TPM2_RH_PLATFORM as the hierarchy. So I made the following changes:
diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c index 235f8c20d4..a9644c2f8b 100644 --- a/lib/tpm-v2.c +++ b/lib/tpm-v2.c @@ -178,12 +178,12 @@ u32 tpm2_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count) tpm_u32(TPM2_CC_NV_READ), /* Command code */
/* handles 8 bytes */ - tpm_u32(TPM2_RH_PLATFORM), /* Primary platform seed */ + tpm_u32(TPM2_RH_OWNER), /* Primary platform seed */ tpm_u32(HR_NV_INDEX + index), /* Password authorisation */
/* AUTH_SESSION */ tpm_u32(9), /* Authorization size */ - tpm_u32(TPM2_RS_PW), /* Session handle */ + tpm_u32(TPM2_RH_OWNER), /* Session handle */ tpm_u16(0), /* Size of <nonce> */ /* <nonce> (if any) */ 0, /* Attributes: Cont/Excl/Rst */
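Review bot: the second change in this hunk, replacing the session handle `tpm_u32(TPM2_RS_PW)` in the AUTH_SESSION area with `tpm_u32(TPM2_RH_OWNER)`, puts a hierarchy handle where the TPM expects a session handle; only the first change (authHandle `TPM2_RH_PLATFORM` to `TPM2_RH_OWNER` in the handle area) is needed for an index defined with ownerread, and `TPM2_RS_PW` must stay as the session handle for password authorization. The 0x984 reported below is a format-1 TPM_RC_VALUE flagged against session 1, which matches the TPM rejecting that session handle. The comment `/* Primary platform seed */` on the `+` line is also stale once the owner hierarchy is used, and rather than swapping one hardcoded hierarchy for another, consider passing the hierarchy in as a parameter of tpm2_nv_read_value().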
The status code in this case changes to "2436" or "0x984".
Please let me know if I am missing something in the above API call. What changes do I have to make in order to read the value stored at an NV Index from U-Boot space?

Hi Harshvardhan
On Sun, 7 Nov 2021 at 18:45, Harshvardhan Patel harshvardhan1621@gmail.com wrote:
> Hi All,
> I am working with Infineon TPM SLB9670 connected to a Raspberry Pi 4 via the GPIO Header. I want to perform a simple NV Index read operation from NV Index 1 in U-Boot. This NV Index was defined and written to in Linux userspace using tpm2-tools (following the man page here - https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_nvwrite.1.m... ):
> $ tpm2_nvdefine -Q 1 -C o -s 32 -a "ownerread|policywrite|ownerwrite"
> $ echo "please123abc" > nv.test_w
> $ tpm2_nvwrite -Q 1 -C o -i nv.test_w
> After the above definition and write operation, I am able to read the data back from the NV Indices using TPM2 tools. However, it seems I'm unable to do so in U-Boot. Following is the code snippet I'm using for reading NV Index 1.
> struct udevice *dev = NULL;
> u8 data[32] = { 0 };	/* destination buffer, sized to match -s 32 in tpm2_nvdefine */
> u32 status;
> get_tpm(&dev);		/* locate the TPM udevice */
> status = tpm2_nv_read_value(dev, 1, data, sizeof(data));
> However, the status code in the above case is "329" or "0x149".
> Further, I did notice that the hierarchy used in the tpm2-tools command is the Owner Hierarchy. However, the lib/tpm-v2.c code by default sets TPM2_RH_PLATFORM as the hierarchy. So I made the following changes:
diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c index 235f8c20d4..a9644c2f8b 100644 --- a/lib/tpm-v2.c +++ b/lib/tpm-v2.c @@ -178,12 +178,12 @@ u32 tpm2_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count) tpm_u32(TPM2_CC_NV_READ), /* Command code */
/* handles 8 bytes */
tpm_u32(TPM2_RH_PLATFORM), /* Primary platform seed */
tpm_u32(TPM2_RH_OWNER), /* Primary platform seed */ tpm_u32(HR_NV_INDEX + index), /* Password authorisation */ /* AUTH_SESSION */ tpm_u32(9), /* Authorization size */
tpm_u32(TPM2_RS_PW), /* Session handle */
tpm_u32(TPM2_RH_OWNER), /* Session handle */ tpm_u16(0), /* Size of <nonce> */ /* <nonce> (if any) */ 0, /* Attributes:
Cont/Excl/Rst */
We should add options for defining the hierarchy in nv_read instead of hardcoding it.
> The status code in this case changes to "2436" or "0x984".
> Please let me know if I am missing something in the above API call. What changes do I have to make in order to read the value stored at an NV Index from U-Boot space?
I guess this means this is still an error? I haven't played around with u-boot nv_read too much so I am afraid we'll need a bit more debugging to figure out what's going on.
Cheers /Ilias
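Added example, not code from this thread or from U-Boot's lib/tpm-v2.c: a stand-alone marshaller for the TPM2_NV_Read command that takes the authorising hierarchy as a parameter (the option suggested above) while keeping TPM_RS_PW as the session handle, plus helpers that split a format-1 response code into its error, handle/session number and session flag. The constants are the TCG TPM 2.0 library values; the function names, the selectable auth_handle parameter and the empty owner password are my own assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* TPM 2.0 constants (TCG TPM Library spec, Part 2). */
#define TPM_ST_SESSIONS   0x8002u
#define TPM_CC_NV_READ    0x0000014Eu
#define TPM_RH_OWNER      0x40000001u   /* authHandle for an ownerread index */
#define TPM_RH_PLATFORM   0x4000000Cu   /* what lib/tpm-v2.c hardcodes today */
#define TPM_RS_PW         0x40000009u   /* password session handle */
#define HR_NV_INDEX       0x01000000u
#define NV_READ_CMD_LEN   35u           /* 10 hdr + 8 handles + 4 + 9 auth + 4 params */
#define RC_VER1           0x100u
#define RC_FMT1           0x080u
#define TPM_RC_NV_AUTHORIZATION (RC_VER1 + 0x049u)   /* 0x149, seen with platform auth */
#define TPM_RC_VALUE            (RC_FMT1 + 0x004u)   /* base error inside 0x984 */

static uint8_t *put_u16(uint8_t *p, uint16_t v) { *p++ = (uint8_t)(v >> 8); *p++ = (uint8_t)v; return p; }
static uint8_t *put_u32(uint8_t *p, uint32_t v) { p = put_u16(p, (uint16_t)(v >> 16)); return put_u16(p, (uint16_t)v); }

/* Marshal TPM2_NV_Read with one empty-password session. 'auth_handle' is the
 * hierarchy authorising the read (assumed selectable here, not hardcoded); the
 * session handle in the authorization area is always TPM_RS_PW. Returns bytes written. */
size_t build_nv_read(uint8_t *out, uint32_t auth_handle, uint32_t index,
		     uint16_t count, uint16_t offset)
{
	uint8_t *p = out;
	p = put_u16(p, TPM_ST_SESSIONS);       /* tag: command carries sessions */
	p = put_u32(p, NV_READ_CMD_LEN);       /* commandSize */
	p = put_u32(p, TPM_CC_NV_READ);        /* commandCode */
	p = put_u32(p, auth_handle);           /* handle 1: authHandle */
	p = put_u32(p, HR_NV_INDEX + index);   /* handle 2: nvIndex */
	p = put_u32(p, 9);                     /* authorization area size */
	p = put_u32(p, TPM_RS_PW);             /* sessionHandle, never a hierarchy */
	p = put_u16(p, 0);                     /* nonce size */
	*p++ = 0;                              /* session attributes */
	p = put_u16(p, 0);                     /* hmac size: empty owner password assumed */
	p = put_u16(p, count);                 /* size to read */
	p = put_u16(p, offset);                /* offset into the index */
	return (size_t)(p - out);
}

/* Format-1 response codes: low 6 bits are the error, bits 10:8 the handle or
 * session number, bit 11 set when that number refers to a session. */
int rc_is_fmt1(uint32_t rc) { return (rc & RC_FMT1) != 0; }
uint32_t rc_fmt1_error(uint32_t rc) { return RC_FMT1 | (rc & 0x3Fu); }
uint32_t rc_fmt1_number(uint32_t rc) { return (rc >> 8) & 0x7u; }
int rc_fmt1_is_session(uint32_t rc) { return (rc & 0x800u) != 0; }
```

Feeding the 35-byte buffer to the TIS/SPI transport is left to the caller; the point is the byte layout the TPM expects in the handle and authorization areas.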