/* SPDX-License-Identifier: BSD-3-Clause */

/*
 * Functions for querying, manipulating and locking rollback indices
 * stored in the TPM NVRAM.
 *
 * The NV index values below are a persistent on-device layout: the TPM keeps
 * whatever an earlier firmware wrote at an index, so a value must not be
 * renumbered or reused without checking every current and historical user
 * of it (see the note on 0x1009 below).
 */

#ifndef ANTIROLLBACK_H_
#define ANTIROLLBACK_H_

#include <types.h>
#include <security/tpm/tspi.h>
#include <security/tpm/tss_errors.h>
#include <vb2_sha.h>

struct vb2_context;
/*
 * NOTE(review): declaring an enum without its body is a compiler extension,
 * not standard C11, and nothing in this header uses the name. Confirm an
 * includer still needs it before keeping it.
 */
enum vb2_pcr_digest;

/* TPM NVRAM location indices. */
#define FIRMWARE_NV_INDEX 0x1007
#define KERNEL_NV_INDEX 0x1008
/* 0x1009 used to be used as a backup space. Think of conflicts if you
 * want to use 0x1009 for something else. */
#define BACKUP_NV_INDEX 0x1009
#define FWMP_NV_INDEX 0x100a
/* 0x100b: Hash of MRC_CACHE training data for recovery boot */
#define MRC_REC_HASH_NV_INDEX 0x100b
/* 0x100c: OOBE autoconfig public key hashes */
/* 0x100d: Hash of MRC_CACHE training data for non-recovery boot */
#define MRC_RW_HASH_NV_INDEX 0x100d
/*
 * Size of a stored hash digest (SHA-256). The hash read/write functions below
 * take a caller-supplied size; presumably callers pass this value — confirm
 * against the implementation.
 */
#define HASH_NV_SIZE VB2_SHA256_DIGEST_SIZE
#define ENT_ROLLBACK_SPACE_INDEX 0x100e
#define VBIOS_CACHE_NV_INDEX 0x100f
/*
 * Widevine Secure Counter space. Counter n lives at 0x3000 + n; the intended
 * range is 0 <= n < NUM_WIDEVINE_COUNTERS and the macro itself does no range
 * check, so callers must validate n first.
 */
#define WIDEVINE_COUNTER_NV_INDEX(n) (0x3000 + (n))
#define NUM_WIDEVINE_COUNTERS 4
#define WIDEVINE_COUNTER_NAME "Widevine Secure Counter"
#define WIDEVINE_COUNTER_SIZE sizeof(uint64_t)
/* Zero-Touch Enrollment related spaces */
#define ZTE_BOARD_ID_NV_INDEX 0x3fff00
#define ZTE_RMA_SN_BITS_INDEX 0x3fff01
#define ZTE_RMA_BYTES_COUNTER_INDEX 0x3fff04

/* Structure definitions for TPM spaces */

/* Flags for firmware space */

/*
 * Last boot was developer mode. TPM ownership is cleared when transitioning
 * to/from developer mode.
 */
#define FLAG_LAST_BOOT_DEVELOPER 0x01

/*
 * All functions return TPM_SUCCESS (zero) if successful, non-zero if error.
 * Callers must check the result: on a non-zero return the space was not
 * read, written or locked, and the caller must not proceed as if it had been.
 */

/**
 * Read the firmware space from the TPM into ctx.
 *
 * @param ctx vboot context that receives the space contents.
 * @return TPM_SUCCESS on success, a TPM error code otherwise.
 */
tpm_result_t antirollback_read_space_firmware(struct vb2_context *ctx);

/**
 * Write the firmware space back to the TPM.
 *
 * Only needs to be called when the versions held in ctx have changed.
 *
 * @param ctx vboot context holding the values to store.
 * @return TPM_SUCCESS on success, a TPM error code otherwise.
 */
tpm_result_t antirollback_write_space_firmware(struct vb2_context *ctx);

/**
 * Read and write the kernel space in the TPM.
 *
 * @param ctx vboot context the space is read into / written from.
 * @return TPM_SUCCESS on success, a TPM error code otherwise.
 */
tpm_result_t antirollback_read_space_kernel(struct vb2_context *ctx);
tpm_result_t antirollback_write_space_kernel(struct vb2_context *ctx);

/**
 * Lock the firmware space so it can no longer be written (presumably until
 * the next TPM reset — confirm against the TSS implementation).
 *
 * Must always be called: until it runs the space is still writable, so a
 * later, less-trusted stage could roll the stored firmware version back.
 * NOTE(review): the point at which it is called (e.g. before handing control
 * to the payload) is chosen by the caller, not this header — confirm there.
 *
 * @return TPM_SUCCESS on success, a TPM error code otherwise.
 */
tpm_result_t antirollback_lock_space_firmware(void);

/**
 * Read MRC hash data from the TPM.
 *
 * @param index index into TPM NVRAM where the hash is stored. Set to
 *              MRC_REC_HASH_NV_INDEX or MRC_RW_HASH_NV_INDEX depending on
 *              whether we are booting in recovery or normal mode.
 * @param data  pointer to the buffer the hash read from the TPM is stored in.
 * @param size  size of that buffer in bytes.
 * @return TPM_SUCCESS on success, a TPM error code otherwise.
 */
tpm_result_t antirollback_read_space_mrc_hash(uint32_t index, uint8_t *data, uint32_t size);
/**
 * Write new hash data to an MRC hash space in the TPM.
 *
 * @param index index into TPM NVRAM where the hash is stored. Set to
 *              MRC_REC_HASH_NV_INDEX or MRC_RW_HASH_NV_INDEX depending on
 *              whether we are booting in recovery or normal mode.
 * @param data  pointer to the buffer holding the hash value to be written.
 * @param size  size of that buffer in bytes.
 * @return TPM_SUCCESS on success, a TPM error code otherwise.
 */
tpm_result_t antirollback_write_space_mrc_hash(uint32_t index, const uint8_t *data,
					       uint32_t size);
/**
 * Lock down an MRC hash space in the TPM so it can no longer be written.
 *
 * @param index index into TPM NVRAM where the hash is stored. Set to
 *              MRC_REC_HASH_NV_INDEX or MRC_RW_HASH_NV_INDEX depending on
 *              whether we are booting in recovery or normal mode.
 * @return TPM_SUCCESS on success, a TPM error code otherwise.
 */
tpm_result_t antirollback_lock_space_mrc_hash(uint32_t index);

/**
 * Read VBIOS hash data from the TPM.
 *
 * NOTE(review): unlike the MRC hash space, no lock function is declared here
 * for the VBIOS hash space; confirm whether it is locked elsewhere.
 *
 * @param data pointer to the buffer the hash read from the TPM is stored in.
 * @param size size of that buffer in bytes.
 * @return TPM_SUCCESS on success, a TPM error code otherwise.
 */
tpm_result_t antirollback_read_space_vbios_hash(uint8_t *data, uint32_t size);
/**
 * Write new hash data to the VBIOS hash space in the TPM.
 *
 * @param data pointer to the buffer holding the hash value to be written.
 * @param size size of that buffer in bytes.
 * @return TPM_SUCCESS on success, a TPM error code otherwise.
 */
tpm_result_t antirollback_write_space_vbios_hash(const uint8_t *data, uint32_t size);

#endif /* ANTIROLLBACK_H_ */