]> git.sur5r.net Git - u-boot/commitdiff
tpm: add a Sandbox TPMv2.x driver
authorMiquel Raynal <miquel.raynal@bootlin.com>
Tue, 15 May 2018 09:57:25 +0000 (11:57 +0200)
committerTom Rini <trini@konsulko.com>
Sat, 26 May 2018 00:13:00 +0000 (20:13 -0400)
This driver can emulate all the basic functionalities of a TPMv2.x
chip and should behave like them during regular testing.

Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
drivers/tpm/Kconfig
drivers/tpm/Makefile
drivers/tpm/tpm2_tis_sandbox.c [new file with mode: 0644]

index 2de986237177812f078ee9c964b726190e1a8991..93264ddd34374f2ccb3267247c14e0fb57b46b89 100644 (file)
@@ -21,7 +21,7 @@ config TPM_TIS_SANDBOX
        bool "Enable sandbox TPM driver"
        depends on TPM_V1 && SANDBOX
        help
-         This driver emulates a TPM, providing access to base functions
+         This driver emulates a TPMv1.x, providing access to base functions
          such as reading and writing TPM private data. This is enough to
          support Chrome OS verified boot. Extend functionality is not
          implemented.
@@ -129,6 +129,15 @@ config TPM_V2
 
 if TPM_V2 && !TPM_V1
 
+config TPM2_TIS_SANDBOX
+       bool "Enable sandbox TPMv2.x driver"
+       depends on TPM_V2 && SANDBOX
+       select TPM_DRIVER_SELECTED
+       help
+         This driver emulates a TPMv2.x, providing access to base functions
+         such as basic configuration, PCR extension and PCR read. Extended
+         functionalities are not implemented.
+
 config TPM2_TIS_SPI
        bool "Enable support for TPMv2.x SPI chips"
        depends on TPM_V2 && DM_SPI
index e4b57615be147f4b76fb99445bec4b8797292b6a..af473ef662e83756850d04d4425a54e231afd8a5 100644 (file)
@@ -10,4 +10,5 @@ obj-$(CONFIG_TPM_TIS_SANDBOX) += tpm_tis_sandbox.o
 obj-$(CONFIG_TPM_ST33ZP24_I2C) += tpm_tis_st33zp24_i2c.o
 obj-$(CONFIG_TPM_ST33ZP24_SPI) += tpm_tis_st33zp24_spi.o
 
+obj-$(CONFIG_TPM2_TIS_SANDBOX) += tpm2_tis_sandbox.o
 obj-$(CONFIG_TPM2_TIS_SPI) += tpm2_tis_spi.o
diff --git a/drivers/tpm/tpm2_tis_sandbox.c b/drivers/tpm/tpm2_tis_sandbox.c
new file mode 100644 (file)
index 0000000..3240cc5
--- /dev/null
@@ -0,0 +1,625 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2018, Bootlin
+ * Author: Miquel Raynal <miquel.raynal@bootlin.com>
+ */
+
+#include <common.h>
+#include <dm.h>
+#include <tpm-v2.h>
+#include <asm/state.h>
+#include <asm/unaligned.h>
+#include <linux/crc8.h>
+
+/* Hierarchies */
+enum tpm2_hierarchy {
+       TPM2_HIERARCHY_LOCKOUT = 0,
+       TPM2_HIERARCHY_ENDORSEMENT,
+       TPM2_HIERARCHY_PLATFORM,
+       TPM2_HIERARCHY_NB,
+};
+
+/* Subset of supported capabilities */
+enum tpm2_capability {
+       TPM_CAP_TPM_PROPERTIES = 0x6,
+};
+
+/* Subset of supported properties */
+#define TPM2_PROPERTIES_OFFSET 0x0000020E
+
+enum tpm2_cap_tpm_property {
+       TPM2_FAIL_COUNTER = 0,
+       TPM2_PROP_MAX_TRIES,
+       TPM2_RECOVERY_TIME,
+       TPM2_LOCKOUT_RECOVERY,
+       TPM2_PROPERTY_NB,
+};
+
+#define SANDBOX_TPM_PCR_NB 1
+
+static const u8 sandbox_extended_once_pcr[] = {
+       0xf5, 0xa5, 0xfd, 0x42, 0xd1, 0x6a, 0x20, 0x30,
+       0x27, 0x98, 0xef, 0x6e, 0xd3, 0x09, 0x97, 0x9b,
+       0x43, 0x00, 0x3d, 0x23, 0x20, 0xd9, 0xf0, 0xe8,
+       0xea, 0x98, 0x31, 0xa9, 0x27, 0x59, 0xfb, 0x4b,
+};
+
+struct sandbox_tpm2 {
+       /* TPM internal states */
+       bool init_done;
+       bool startup_done;
+       bool tests_done;
+       /* TPM password per hierarchy */
+       char pw[TPM2_HIERARCHY_NB][TPM2_DIGEST_LEN + 1];
+       int pw_sz[TPM2_HIERARCHY_NB];
+       /* TPM properties */
+       u32 properties[TPM2_PROPERTY_NB];
+       /* TPM PCRs */
+       u8 pcr[SANDBOX_TPM_PCR_NB][TPM2_DIGEST_LEN];
+       /* TPM PCR extensions */
+       u32 pcr_extensions[SANDBOX_TPM_PCR_NB];
+};
+
+/*
+ * Check the tag validity depending on the command (authentication required or
+ * not). If authentication is required, check it is valid. Update the auth
+ * pointer to point to the next chunk of data to process if needed.
+ */
+static int sandbox_tpm2_check_session(struct udevice *dev, u32 command, u16 tag,
+                                     const u8 **auth,
+                                     enum tpm2_hierarchy *hierarchy)
+{
+       struct sandbox_tpm2 *tpm = dev_get_priv(dev);
+       u32 handle, auth_sz, session_handle;
+       u16 nonce_sz, pw_sz;
+       const char *pw;
+
+       switch (command) {
+       case TPM2_CC_STARTUP:
+       case TPM2_CC_SELF_TEST:
+       case TPM2_CC_GET_CAPABILITY:
+       case TPM2_CC_PCR_READ:
+               if (tag != TPM2_ST_NO_SESSIONS) {
+                       printf("No session required for command 0x%x\n",
+                              command);
+                       return TPM2_RC_BAD_TAG;
+               }
+
+               return 0;
+
+       case TPM2_CC_CLEAR:
+       case TPM2_CC_HIERCHANGEAUTH:
+       case TPM2_CC_DAM_RESET:
+       case TPM2_CC_DAM_PARAMETERS:
+       case TPM2_CC_PCR_EXTEND:
+               if (tag != TPM2_ST_SESSIONS) {
+                       printf("Session required for command 0x%x\n", command);
+                       return TPM2_RC_AUTH_CONTEXT;
+               }
+
+               handle = get_unaligned_be32(*auth);
+               *auth += sizeof(handle);
+
+               /*
+                * PCR_Extend had a different protection mechanism and does not
+                * use the same standards as other commands.
+                */
+               if (command == TPM2_CC_PCR_EXTEND)
+                       break;
+
+               switch (handle) {
+               case TPM2_RH_LOCKOUT:
+                       *hierarchy = TPM2_HIERARCHY_LOCKOUT;
+                       break;
+               case TPM2_RH_ENDORSEMENT:
+                       if (command == TPM2_CC_CLEAR) {
+                               printf("Endorsement hierarchy unsupported\n");
+                               return TPM2_RC_AUTH_MISSING;
+                       }
+                       *hierarchy = TPM2_HIERARCHY_ENDORSEMENT;
+                       break;
+               case TPM2_RH_PLATFORM:
+                       *hierarchy = TPM2_HIERARCHY_PLATFORM;
+                       break;
+               default:
+                       printf("Wrong handle 0x%x\n", handle);
+                       return TPM2_RC_VALUE;
+               }
+
+               break;
+
+       default:
+               printf("Command code not recognized: 0x%x\n", command);
+               return TPM2_RC_COMMAND_CODE;
+       }
+
+       auth_sz = get_unaligned_be32(*auth);
+       *auth += sizeof(auth_sz);
+
+       session_handle = get_unaligned_be32(*auth);
+       *auth += sizeof(session_handle);
+       if (session_handle != TPM2_RS_PW) {
+               printf("Wrong session handle 0x%x\n", session_handle);
+               return TPM2_RC_VALUE;
+       }
+
+       nonce_sz = get_unaligned_be16(*auth);
+       *auth += sizeof(nonce_sz);
+       if (nonce_sz) {
+               printf("Nonces not supported in Sandbox, aborting\n");
+               return TPM2_RC_HANDLE;
+       }
+
+       /* Ignore attributes */
+       *auth += sizeof(u8);
+
+       pw_sz = get_unaligned_be16(*auth);
+       *auth += sizeof(pw_sz);
+       if (auth_sz != (9 + nonce_sz + pw_sz)) {
+               printf("Authentication size (%d) do not match %d\n",
+                      auth_sz, 9 + nonce_sz + pw_sz);
+               return TPM2_RC_SIZE;
+       }
+
+       /* No passwork is acceptable */
+       if (!pw_sz && !tpm->pw_sz[*hierarchy])
+               return TPM2_RC_SUCCESS;
+
+       /* Password is too long */
+       if (pw_sz > TPM2_DIGEST_LEN) {
+               printf("Password should not be more than %dB\n",
+                      TPM2_DIGEST_LEN);
+               return TPM2_RC_AUTHSIZE;
+       }
+
+       pw = (const char *)*auth;
+       *auth += pw_sz;
+
+       /* Password is wrong */
+       if (pw_sz != tpm->pw_sz[*hierarchy] ||
+           strncmp(pw, tpm->pw[*hierarchy], tpm->pw_sz[*hierarchy])) {
+               printf("Authentication failed: wrong password.\n");
+               return TPM2_RC_BAD_AUTH;
+       }
+
+       return TPM2_RC_SUCCESS;
+}
+
+static int sandbox_tpm2_check_readyness(struct udevice *dev, int command)
+{
+       struct sandbox_tpm2 *tpm = dev_get_priv(dev);
+
+       switch (command) {
+       case TPM2_CC_STARTUP:
+               if (!tpm->init_done || tpm->startup_done)
+                       return TPM2_RC_INITIALIZE;
+
+               break;
+       case TPM2_CC_GET_CAPABILITY:
+               if (!tpm->init_done || !tpm->startup_done)
+                       return TPM2_RC_INITIALIZE;
+
+               break;
+       case TPM2_CC_SELF_TEST:
+               if (!tpm->startup_done)
+                       return TPM2_RC_INITIALIZE;
+
+               break;
+       default:
+               if (!tpm->tests_done)
+                       return TPM2_RC_NEEDS_TEST;
+
+               break;
+       }
+
+       return 0;
+}
+
+static int sandbox_tpm2_fill_buf(u8 **recv, size_t *recv_len, u16 tag, u32 rc)
+{
+       *recv_len = sizeof(tag) + sizeof(u32) + sizeof(rc);
+
+       /* Write tag */
+       put_unaligned_be16(tag, *recv);
+       *recv += sizeof(tag);
+
+       /* Write length */
+       put_unaligned_be32(*recv_len, *recv);
+       *recv += sizeof(u32);
+
+       /* Write return code */
+       put_unaligned_be32(rc, *recv);
+       *recv += sizeof(rc);
+
+       /* Add trailing \0 */
+       *recv = '\0';
+
+       return 0;
+}
+
+static int sandbox_tpm2_extend(struct udevice *dev, int pcr_index,
+                              const u8 *extension)
+{
+       struct sandbox_tpm2 *tpm = dev_get_priv(dev);
+       int i;
+
+       /* Only simulate the first extensions from all '0' with only '0' */
+       for (i = 0; i < TPM2_DIGEST_LEN; i++)
+               if (tpm->pcr[pcr_index][i] || extension[i])
+                       return TPM2_RC_FAILURE;
+
+       memcpy(tpm->pcr[pcr_index], sandbox_extended_once_pcr,
+              TPM2_DIGEST_LEN);
+       tpm->pcr_extensions[pcr_index]++;
+
+       return 0;
+};
+
+static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
+                            size_t send_size, u8 *recvbuf,
+                            size_t *recv_len)
+{
+       struct sandbox_tpm2 *tpm = dev_get_priv(dev);
+       enum tpm2_hierarchy hierarchy = 0;
+       const u8 *sent = sendbuf;
+       u8 *recv = recvbuf;
+       u32 length, command, rc = 0;
+       u16 tag, mode, new_pw_sz;
+       u8 yes_no;
+       int i, j;
+
+       /* TPM2_GetProperty */
+       u32 capability, property, property_count;
+
+       /* TPM2_PCR_Read/Extend variables */
+       int pcr_index;
+       u64 pcr_map = 0;
+       u32 selections, pcr_nb;
+       u16 alg;
+       u8 pcr_array_sz;
+
+       tag = get_unaligned_be16(sent);
+       sent += sizeof(tag);
+
+       length = get_unaligned_be32(sent);
+       sent += sizeof(length);
+       if (length != send_size) {
+               printf("TPM2: Unmatching length, received: %ld, expected: %d\n",
+                      send_size, length);
+               rc = TPM2_RC_SIZE;
+               sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               return 0;
+       }
+
+       command = get_unaligned_be32(sent);
+       sent += sizeof(command);
+       rc = sandbox_tpm2_check_readyness(dev, command);
+       if (rc) {
+               sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               return 0;
+       }
+
+       rc = sandbox_tpm2_check_session(dev, command, tag, &sent, &hierarchy);
+       if (rc) {
+               sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               return 0;
+       }
+
+       switch (command) {
+       case TPM2_CC_STARTUP:
+               mode = get_unaligned_be16(sent);
+               sent += sizeof(mode);
+               switch (mode) {
+               case TPM2_SU_CLEAR:
+               case TPM2_SU_STATE:
+                       break;
+               default:
+                       rc = TPM2_RC_VALUE;
+               }
+
+               tpm->startup_done = true;
+
+               sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               break;
+
+       case TPM2_CC_SELF_TEST:
+               yes_no = *sent;
+               sent += sizeof(yes_no);
+               switch (yes_no) {
+               case TPMI_YES:
+               case TPMI_NO:
+                       break;
+               default:
+                       rc = TPM2_RC_VALUE;
+               }
+
+               tpm->tests_done = true;
+
+               sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               break;
+
+       case TPM2_CC_CLEAR:
+               /* Reset this hierarchy password */
+               tpm->pw_sz[hierarchy] = 0;
+
+               /* Reset all password if thisis the PLATFORM hierarchy */
+               if (hierarchy == TPM2_HIERARCHY_PLATFORM)
+                       for (i = 0; i < TPM2_HIERARCHY_NB; i++)
+                               tpm->pw_sz[i] = 0;
+
+               /* Reset the properties */
+               for (i = 0; i < TPM2_PROPERTY_NB; i++)
+                       tpm->properties[i] = 0;
+
+               /* Reset the PCRs and their number of extensions */
+               for (i = 0; i < SANDBOX_TPM_PCR_NB; i++) {
+                       tpm->pcr_extensions[i] = 0;
+                       for (j = 0; j < TPM2_DIGEST_LEN; j++)
+                               tpm->pcr[i][j] = 0;
+               }
+
+               sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               break;
+
+       case TPM2_CC_HIERCHANGEAUTH:
+               new_pw_sz = get_unaligned_be16(sent);
+               sent += sizeof(new_pw_sz);
+               if (new_pw_sz > TPM2_DIGEST_LEN) {
+                       rc = TPM2_RC_SIZE;
+               } else if (new_pw_sz) {
+                       tpm->pw_sz[hierarchy] = new_pw_sz;
+                       memcpy(tpm->pw[hierarchy], sent, new_pw_sz);
+                       sent += new_pw_sz;
+               }
+
+               sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               break;
+
+       case TPM2_CC_GET_CAPABILITY:
+               capability = get_unaligned_be32(sent);
+               sent += sizeof(capability);
+               if (capability != TPM_CAP_TPM_PROPERTIES) {
+                       printf("Sandbox TPM only support TPM_CAPABILITIES\n");
+                       return TPM2_RC_HANDLE;
+               }
+
+               property = get_unaligned_be32(sent);
+               sent += sizeof(property);
+               property -= TPM2_PROPERTIES_OFFSET;
+
+               property_count = get_unaligned_be32(sent);
+               sent += sizeof(property_count);
+               if (!property_count ||
+                   property + property_count > TPM2_PROPERTY_NB) {
+                       rc = TPM2_RC_HANDLE;
+                       return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               }
+
+               /* Write tag */
+               put_unaligned_be16(tag, recv);
+               recv += sizeof(tag);
+
+               /* Ignore length for now */
+               recv += sizeof(u32);
+
+               /* Write return code */
+               put_unaligned_be32(rc, recv);
+               recv += sizeof(rc);
+
+               /* Tell there is more data to read */
+               *recv = TPMI_YES;
+               recv += sizeof(yes_no);
+
+               /* Repeat the capability */
+               put_unaligned_be32(capability, recv);
+               recv += sizeof(capability);
+
+               /* Give the number of properties that follow */
+               put_unaligned_be32(property_count, recv);
+               recv += sizeof(property_count);
+
+               /* Fill with the properties */
+               for (i = 0; i < property_count; i++) {
+                       put_unaligned_be32(TPM2_PROPERTIES_OFFSET + property +
+                                          i, recv);
+                       recv += sizeof(property);
+                       put_unaligned_be32(tpm->properties[property + i],
+                                          recv);
+                       recv += sizeof(property);
+               }
+
+               /* Add trailing \0 */
+               *recv = '\0';
+
+               /* Write response length */
+               *recv_len = recv - recvbuf;
+               put_unaligned_be32(*recv_len, recvbuf + sizeof(tag));
+
+               break;
+
+       case TPM2_CC_DAM_PARAMETERS:
+               tpm->properties[TPM2_PROP_MAX_TRIES] = get_unaligned_be32(sent);
+               sent += sizeof(*tpm->properties);
+               tpm->properties[TPM2_RECOVERY_TIME] = get_unaligned_be32(sent);
+               sent += sizeof(*tpm->properties);
+               tpm->properties[TPM2_LOCKOUT_RECOVERY] = get_unaligned_be32(sent);
+               sent += sizeof(*tpm->properties);
+
+               sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               break;
+
+       case TPM2_CC_PCR_READ:
+               selections = get_unaligned_be32(sent);
+               sent += sizeof(selections);
+               if (selections != 1) {
+                       printf("Sandbox cannot handle more than one PCR\n");
+                       rc = TPM2_RC_VALUE;
+                       return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               }
+
+               alg = get_unaligned_be16(sent);
+               sent += sizeof(alg);
+               if (alg != TPM2_ALG_SHA256) {
+                       printf("Sandbox TPM only handle SHA256 algorithm\n");
+                       rc = TPM2_RC_VALUE;
+                       return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               }
+
+               pcr_array_sz = *sent;
+               sent += sizeof(pcr_array_sz);
+               if (!pcr_array_sz || pcr_array_sz > 8) {
+                       printf("Sandbox TPM cannot handle so much PCRs\n");
+                       rc = TPM2_RC_VALUE;
+                       return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               }
+
+               for (i = 0; i < pcr_array_sz; i++)
+                       pcr_map += (u64)sent[i] << (i * 8);
+
+               if (pcr_map >> SANDBOX_TPM_PCR_NB) {
+                       printf("Sandbox TPM handles up to %d PCR(s)\n",
+                              SANDBOX_TPM_PCR_NB);
+                       rc = TPM2_RC_VALUE;
+                       return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               }
+
+               if (pcr_map >> SANDBOX_TPM_PCR_NB) {
+                       printf("Wrong PCR map.\n");
+                       rc = TPM2_RC_VALUE;
+                       return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               }
+
+               for (i = 0; i < SANDBOX_TPM_PCR_NB; i++)
+                       if (pcr_map & BIT(i))
+                               pcr_index = i;
+
+               /* Write tag */
+               put_unaligned_be16(tag, recv);
+               recv += sizeof(tag);
+
+               /* Ignore length for now */
+               recv += sizeof(u32);
+
+               /* Write return code */
+               put_unaligned_be32(rc, recv);
+               recv += sizeof(rc);
+
+               /* Number of extensions */
+               put_unaligned_be32(tpm->pcr_extensions[pcr_index], recv);
+               recv += sizeof(u32);
+
+               /* Copy the PCR */
+               memcpy(recv, tpm->pcr[pcr_index], TPM2_DIGEST_LEN);
+               recv += TPM2_DIGEST_LEN;
+
+               /* Add trailing \0 */
+               *recv = '\0';
+
+               /* Write response length */
+               *recv_len = recv - recvbuf;
+               put_unaligned_be32(*recv_len, recvbuf + sizeof(tag));
+
+               break;
+
+       case TPM2_CC_PCR_EXTEND:
+               /* Get the PCR index */
+               pcr_index = get_unaligned_be32(sendbuf + sizeof(tag) +
+                                              sizeof(length) +
+                                              sizeof(command));
+               if (pcr_index > SANDBOX_TPM_PCR_NB) {
+                       printf("Sandbox TPM handles up to %d PCR(s)\n",
+                              SANDBOX_TPM_PCR_NB);
+                       rc = TPM2_RC_VALUE;
+               }
+
+               /* Check the number of hashes */
+               pcr_nb = get_unaligned_be32(sent);
+               sent += sizeof(pcr_nb);
+               if (pcr_nb != 1) {
+                       printf("Sandbox cannot handle more than one PCR\n");
+                       rc = TPM2_RC_VALUE;
+                       return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               }
+
+               /* Check the hash algorithm */
+               alg = get_unaligned_be16(sent);
+               sent += sizeof(alg);
+               if (alg != TPM2_ALG_SHA256) {
+                       printf("Sandbox TPM only handle SHA256 algorithm\n");
+                       rc = TPM2_RC_VALUE;
+                       return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               }
+
+               /* Extend the PCR */
+               rc = sandbox_tpm2_extend(dev, pcr_index, sent);
+
+               sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+               break;
+
+       default:
+               printf("TPM2 command %02x unknown in Sandbox\n", command);
+               rc = TPM2_RC_COMMAND_CODE;
+               sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+       }
+
+       return 0;
+}
+
+static int sandbox_tpm2_get_desc(struct udevice *dev, char *buf, int size)
+{
+       if (size < 15)
+               return -ENOSPC;
+
+       return snprintf(buf, size, "Sandbox TPM2.x");
+}
+
+static int sandbox_tpm2_open(struct udevice *dev)
+{
+       struct sandbox_tpm2 *tpm = dev_get_priv(dev);
+
+       if (tpm->init_done)
+               return -EIO;
+
+       tpm->init_done = true;
+
+       return 0;
+}
+
+static int sandbox_tpm2_probe(struct udevice *dev)
+{
+       struct sandbox_tpm2 *tpm = dev_get_priv(dev);
+       struct tpm_chip_priv *priv = dev_get_uclass_priv(dev);
+
+       memset(tpm, 0, sizeof(*tpm));
+
+       priv->pcr_count = 32;
+       priv->pcr_select_min = 2;
+
+       return 0;
+}
+
+static int sandbox_tpm2_close(struct udevice *dev)
+{
+       return 0;
+}
+
+static const struct tpm_ops sandbox_tpm2_ops = {
+       .open           = sandbox_tpm2_open,
+       .close          = sandbox_tpm2_close,
+       .get_desc       = sandbox_tpm2_get_desc,
+       .xfer           = sandbox_tpm2_xfer,
+};
+
+static const struct udevice_id sandbox_tpm2_ids[] = {
+       { .compatible = "sandbox,tpm2" },
+       { }
+};
+
+U_BOOT_DRIVER(sandbox_tpm2) = {
+       .name   = "sandbox_tpm2",
+       .id     = UCLASS_TPM,
+       .of_match = sandbox_tpm2_ids,
+       .ops    = &sandbox_tpm2_ops,
+       .probe  = sandbox_tpm2_probe,
+       .priv_auto_alloc_size = sizeof(struct sandbox_tpm2),
+};