lockout_recovery));
}
+static int do_tpm_change_auth(cmd_tbl_t *cmdtp, int flag, int argc,
+ char *const argv[])
+{
+ u32 handle;
+ const char *newpw = argv[2];
+ const char *oldpw = (argc == 3) ? NULL : argv[3];
+ const ssize_t newpw_sz = strlen(newpw);
+ const ssize_t oldpw_sz = oldpw ? strlen(oldpw) : 0;
+
+ if (argc < 3 || argc > 4)
+ return CMD_RET_USAGE;
+
+ if (newpw_sz > TPM2_DIGEST_LEN || oldpw_sz > TPM2_DIGEST_LEN)
+ return -EINVAL;
+
+ if (!strcasecmp("TPM2_RH_LOCKOUT", argv[1]))
+ handle = TPM2_RH_LOCKOUT;
+ else if (!strcasecmp("TPM2_RH_ENDORSEMENT", argv[1]))
+ handle = TPM2_RH_ENDORSEMENT;
+ else if (!strcasecmp("TPM2_RH_OWNER", argv[1]))
+ handle = TPM2_RH_OWNER;
+ else if (!strcasecmp("TPM2_RH_PLATFORM", argv[1]))
+ handle = TPM2_RH_PLATFORM;
+ else
+ return CMD_RET_USAGE;
+
+ return report_return_code(tpm2_change_auth(handle, newpw, newpw_sz,
+ oldpw, oldpw_sz));
+}
+
+static int do_tpm_pcr_setauthpolicy(cmd_tbl_t *cmdtp, int flag, int argc,
+ char * const argv[])
+{
+ u32 index = simple_strtoul(argv[1], NULL, 0);
+ char *key = argv[2];
+ const char *pw = (argc < 4) ? NULL : argv[3];
+ const ssize_t pw_sz = pw ? strlen(pw) : 0;
+
+ if (strlen(key) != TPM2_DIGEST_LEN)
+ return -EINVAL;
+
+ if (argc < 3 || argc > 4)
+ return CMD_RET_USAGE;
+
+ return report_return_code(tpm2_pcr_setauthpolicy(pw, pw_sz, index,
+ key));
+}
+
+static int do_tpm_pcr_setauthvalue(cmd_tbl_t *cmdtp, int flag,
+ int argc, char * const argv[])
+{
+ u32 index = simple_strtoul(argv[1], NULL, 0);
+ char *key = argv[2];
+ const ssize_t key_sz = strlen(key);
+ const char *pw = (argc < 4) ? NULL : argv[3];
+ const ssize_t pw_sz = pw ? strlen(pw) : 0;
+
+ if (strlen(key) != TPM2_DIGEST_LEN)
+ return -EINVAL;
+
+ if (argc < 3 || argc > 4)
+ return CMD_RET_USAGE;
+
+ return report_return_code(tpm2_pcr_setauthvalue(pw, pw_sz, index,
+ key, key_sz));
+}
+
static cmd_tbl_t tpm2_commands[] = {
U_BOOT_CMD_MKENT(info, 0, 1, do_tpm_info, "", ""),
U_BOOT_CMD_MKENT(init, 0, 1, do_tpm_init, "", ""),
U_BOOT_CMD_MKENT(get_capability, 0, 1, do_tpm_get_capability, "", ""),
U_BOOT_CMD_MKENT(dam_reset, 0, 1, do_tpm_dam_reset, "", ""),
U_BOOT_CMD_MKENT(dam_parameters, 0, 1, do_tpm_dam_parameters, "", ""),
+ U_BOOT_CMD_MKENT(change_auth, 0, 1, do_tpm_change_auth, "", ""),
+ U_BOOT_CMD_MKENT(pcr_setauthpolicy, 0, 1,
+ do_tpm_pcr_setauthpolicy, "", ""),
+ U_BOOT_CMD_MKENT(pcr_setauthvalue, 0, 1,
+ do_tpm_pcr_setauthvalue, "", ""),
};
cmd_tbl_t *get_tpm_commands(unsigned int *size)
" <property>: property\n"
" <addr>: address to store <count> entries of 4 bytes\n"
" <count>: number of entries to retrieve\n"
-" dam_reset_counter [<password>]\n"
-" - If the TPM is not in a LOCKOUT state, reset the internal error\n"
-" counter (TPMv2 only)\n"
-" dam_set_parameters <maxTries> <recoveryTime> <lockoutRecovery> [<password>]\n"
-" - If the TPM is not in a LOCKOUT state, set the dictionary attack\n"
-" parameters:\n"
-" * maxTries: maximum number of failures before lockout.\n"
-" 0 means always locking.\n"
-" * recoveryTime: time before decrementation of the error counter,\n"
-" 0 means no lockout.\n"
-" * lockoutRecovery: time of a lockout (before the next try)\n"
-" 0 means a reboot is needed.\n"
+"dam_reset [<password>]\n"
+" If the TPM is not in a LOCKOUT state, reset the internal error counter.\n"
+" <password>: optional password\n"
+"dam_parameters <max_tries> <recovery_time> <lockout_recovery> [<password>]\n"
+" If the TPM is not in a LOCKOUT state, set the DAM parameters\n"
+" <maxTries>: maximum number of failures before lockout,\n"
+" 0 means always locking\n"
+" <recoveryTime>: time before decrement of the error counter,\n"
+" 0 means no lockout\n"
+" <lockoutRecovery>: time of a lockout (before the next try),\n"
+" 0 means a reboot is needed\n"
+" <password>: optional password of the LOCKOUT hierarchy\n"
+"change_auth <hierarchy> <new_pw> [<old_pw>]\n"
+" <hierarchy>: the hierarchy\n"
+" <new_pw>: new password for <hierarchy>\n"
+" <old_pw>: optional previous password of <hierarchy>\n"
+"pcr_setauthpolicy|pcr_setauthvalue <pcr> <key> [<password>]\n"
+" Change the <key> to access PCR #<pcr>.\n"
+" hierarchy and may be empty.\n"
+" /!\\WARNING: untested function, use at your own risks !\n"
+" <pcr>: index of the PCR\n"
+" <key>: secret to protect the access of PCR #<pcr>\n"
+" <password>: optional password of the PLATFORM hierarchy\n"
);
projects / u-boot / blobdiff