| // |
| // Copyright (C) 2014 The Android Open Source Project |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| // |
| |
| #include "trunks/tpm_state_impl.h" |
| |
| #include <base/logging.h> |
| |
| #include "trunks/error_codes.h" |
| #include "trunks/tpm_generated.h" |
| #include "trunks/trunks_factory.h" |
| |
| namespace { |
| |
| // From definition of TPMA_PERMANENT. |
| const trunks::TPMA_PERMANENT kOwnerAuthSetMask = 1U; |
| const trunks::TPMA_PERMANENT kEndorsementAuthSetMask = 1U << 1; |
| const trunks::TPMA_PERMANENT kLockoutAuthSetMask = 1U << 2; |
| const trunks::TPMA_PERMANENT kInLockoutMask = 1U << 9; |
| |
| // From definition of TPMA_STARTUP_CLEAR. |
| const trunks::TPMA_STARTUP_CLEAR kPlatformHierarchyMask = 1U; |
| const trunks::TPMA_STARTUP_CLEAR kStorageHierarchyMask = 1U << 1; |
| const trunks::TPMA_STARTUP_CLEAR kEndorsementHierarchyMask = 1U << 2; |
| const trunks::TPMA_STARTUP_CLEAR kOrderlyShutdownMask = 1U << 31; |
| |
| // From definition of TPMA_ALGORITHM |
| const trunks::TPMA_ALGORITHM kAsymmetricAlgMask = 1U; |
| |
| } // namespace |
| |
| namespace trunks { |
| |
| TpmStateImpl::TpmStateImpl(const TrunksFactory& factory) |
| : factory_(factory), |
| initialized_(false), |
| permanent_flags_(0), |
| startup_clear_flags_(0), |
| rsa_flags_(0), |
| ecc_flags_(0) { |
| } |
| |
| TpmStateImpl::~TpmStateImpl() {} |
| |
| TPM_RC TpmStateImpl::Initialize() { |
| TPM_RC result = GetTpmProperty(TPM_PT_PERMANENT, &permanent_flags_); |
| if (result != TPM_RC_SUCCESS) { |
| LOG(ERROR) << "Error getting permanent flags: " << GetErrorString(result); |
| return result; |
| } |
| result = GetTpmProperty(TPM_PT_STARTUP_CLEAR, &startup_clear_flags_); |
| if (result != TPM_RC_SUCCESS) { |
| LOG(ERROR) << "Error getting startup flags: " << GetErrorString(result); |
| return result; |
| } |
| result = GetTpmProperty(TPM_PT_LOCKOUT_COUNTER, &lockout_counter_); |
| if (result != TPM_RC_SUCCESS) { |
| LOG(ERROR) << "Error getting lockout counter: " << GetErrorString(result); |
| return result; |
| } |
| result = GetTpmProperty(TPM_PT_MAX_AUTH_FAIL, &lockout_threshold_); |
| if (result != TPM_RC_SUCCESS) { |
| LOG(ERROR) << "Error getting lockout threshold: " << GetErrorString(result); |
| return result; |
| } |
| result = GetTpmProperty(TPM_PT_LOCKOUT_INTERVAL, &lockout_interval_); |
| if (result != TPM_RC_SUCCESS) { |
| LOG(ERROR) << "Error getting lockout interval: " << GetErrorString(result); |
| return result; |
| } |
| result = GetTpmProperty(TPM_PT_LOCKOUT_RECOVERY, &lockout_recovery_); |
| if (result != TPM_RC_SUCCESS) { |
| LOG(ERROR) << "Error getting lockout recovery: " << GetErrorString(result); |
| return result; |
| } |
| |
| TPMI_YES_NO more_data; |
| TPMS_CAPABILITY_DATA capability_data; |
| result = factory_.GetTpm()->GetCapabilitySync(TPM_CAP_ALGS, |
| TPM_ALG_RSA, |
| 1, // There is only one value. |
| &more_data, |
| &capability_data, |
| nullptr); |
| if (result) { |
| LOG(ERROR) << __func__ << ": " << GetErrorString(result); |
| return result; |
| } |
| if (capability_data.capability != TPM_CAP_ALGS || |
| capability_data.data.algorithms.count != 1) { |
| LOG(ERROR) << __func__ << ": Unexpected capability data."; |
| return SAPI_RC_MALFORMED_RESPONSE; |
| } |
| if (capability_data.data.algorithms.alg_properties[0].alg == TPM_ALG_RSA) { |
| rsa_flags_ = |
| capability_data.data.algorithms.alg_properties[0].alg_properties; |
| } |
| result = factory_.GetTpm()->GetCapabilitySync(TPM_CAP_ALGS, |
| TPM_ALG_ECC, |
| 1, // There is only one value. |
| &more_data, |
| &capability_data, |
| nullptr); |
| if (result) { |
| LOG(ERROR) << __func__ << ": " << GetErrorString(result); |
| return result; |
| } |
| if (capability_data.capability != TPM_CAP_ALGS || |
| capability_data.data.algorithms.count != 1) { |
| LOG(ERROR) << __func__ << ": Unexpected capability data."; |
| return SAPI_RC_MALFORMED_RESPONSE; |
| } |
| if (capability_data.data.algorithms.alg_properties[0].alg == TPM_ALG_ECC) { |
| ecc_flags_ = |
| capability_data.data.algorithms.alg_properties[0].alg_properties; |
| } |
| initialized_ = true; |
| return TPM_RC_SUCCESS; |
| } |
| |
| bool TpmStateImpl::IsOwnerPasswordSet() { |
| CHECK(initialized_); |
| return ((permanent_flags_ & kOwnerAuthSetMask) == kOwnerAuthSetMask); |
| } |
| |
| bool TpmStateImpl::IsEndorsementPasswordSet() { |
| CHECK(initialized_); |
| return ((permanent_flags_ & kEndorsementAuthSetMask) == |
| kEndorsementAuthSetMask); |
| } |
| |
| bool TpmStateImpl::IsLockoutPasswordSet() { |
| CHECK(initialized_); |
| return ((permanent_flags_ & kLockoutAuthSetMask) == kLockoutAuthSetMask); |
| } |
| |
| bool TpmStateImpl::IsOwned() { |
| return (IsOwnerPasswordSet() && |
| IsEndorsementPasswordSet() && |
| IsLockoutPasswordSet()); |
| } |
| |
| bool TpmStateImpl::IsInLockout() { |
| CHECK(initialized_); |
| return ((permanent_flags_ & kInLockoutMask) == kInLockoutMask); |
| } |
| |
| bool TpmStateImpl::IsPlatformHierarchyEnabled() { |
| CHECK(initialized_); |
| return ((startup_clear_flags_ & kPlatformHierarchyMask) == |
| kPlatformHierarchyMask); |
| } |
| |
| bool TpmStateImpl::IsStorageHierarchyEnabled() { |
| CHECK(initialized_); |
| return ((startup_clear_flags_ & kStorageHierarchyMask) == |
| kStorageHierarchyMask); |
| } |
| |
| bool TpmStateImpl::IsEndorsementHierarchyEnabled() { |
| CHECK(initialized_); |
| return ((startup_clear_flags_ & kEndorsementHierarchyMask) == |
| kEndorsementHierarchyMask); |
| } |
| |
| bool TpmStateImpl::IsEnabled() { |
| return (!IsPlatformHierarchyEnabled() && |
| IsStorageHierarchyEnabled() && |
| IsEndorsementHierarchyEnabled()); |
| } |
| |
| bool TpmStateImpl::WasShutdownOrderly() { |
| CHECK(initialized_); |
| return ((startup_clear_flags_ & kOrderlyShutdownMask) == |
| kOrderlyShutdownMask); |
| } |
| |
| bool TpmStateImpl::IsRSASupported() { |
| CHECK(initialized_); |
| return ((rsa_flags_ & kAsymmetricAlgMask) == kAsymmetricAlgMask); |
| } |
| |
| bool TpmStateImpl::IsECCSupported() { |
| CHECK(initialized_); |
| return ((ecc_flags_ & kAsymmetricAlgMask) == kAsymmetricAlgMask); |
| } |
| |
| uint32_t TpmStateImpl::GetLockoutCounter() { |
| CHECK(initialized_); |
| return lockout_counter_; |
| } |
| |
| uint32_t TpmStateImpl::GetLockoutThreshold() { |
| CHECK(initialized_); |
| return lockout_threshold_; |
| } |
| |
| uint32_t TpmStateImpl::GetLockoutInterval() { |
| CHECK(initialized_); |
| return lockout_interval_; |
| } |
| |
| uint32_t TpmStateImpl::GetLockoutRecovery() { |
| CHECK(initialized_); |
| return lockout_recovery_; |
| } |
| |
| TPM_RC TpmStateImpl::GetTpmProperty(uint32_t property, |
| uint32_t* value) { |
| CHECK(value); |
| TPMI_YES_NO more_data; |
| TPMS_CAPABILITY_DATA capability_data; |
| TPM_RC result = factory_.GetTpm()->GetCapabilitySync(TPM_CAP_TPM_PROPERTIES, |
| property, |
| 1, // Only one property. |
| &more_data, |
| &capability_data, |
| nullptr); |
| if (result != TPM_RC_SUCCESS) { |
| LOG(ERROR) << __func__ << ": " << GetErrorString(result); |
| return result; |
| } |
| if (capability_data.capability != TPM_CAP_TPM_PROPERTIES || |
| capability_data.data.tpm_properties.count != 1 || |
| capability_data.data.tpm_properties.tpm_property[0].property != |
| property) { |
| LOG(ERROR) << __func__ << ": Unexpected capability data."; |
| return SAPI_RC_MALFORMED_RESPONSE; |
| } |
| *value = capability_data.data.tpm_properties.tpm_property[0].value; |
| return TPM_RC_SUCCESS; |
| } |
| |
| } // namespace trunks |
