| /* Software-based Trusted Platform Module (TPM) Emulator |
| * Copyright (C) 2004-2010 Mario Strasser <mast@gmx.net> |
| * |
| * This module is free software; you can redistribute it and/or modify |
| * it under the terms of the GNU General Public License as published |
| * by the Free Software Foundation; either version 2 of the License, |
| * or (at your option) any later version. |
| * |
| * This module is distributed in the hope that it will be useful, |
| * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| * GNU General Public License for more details. |
| * |
| * $Id: tpm_commands.h 364 2010-02-11 10:24:45Z mast $ |
| */ |
| |
| #ifndef _TPM_COMMANDS_H_ |
| #define _TPM_COMMANDS_H_ |
| |
| #include "tpm_structures.h" |
| |
| /* |
| * The following commands are specified in |
| * TPM Main Part 3 Commands [TPM_Part3]. |
| */ |
| |
| /* |
| * Admin Startup and State ([TPM_Part3], Section 3) |
| * [tpm_startup.c] |
| * This section describes the commands that start a TPM. |
| */ |
| |
| /** |
| * TPM_Init - initializes the TPM |
| * @startupType: [in] Type of startup that is occurring |
| * |
| * Description: ([TPM_Part3], Section 3.1) |
| * TPM_Init is a "physical" method of initializing a TPM, |
| * there is no TPM_Init ordinal. |
| */ |
| void TPM_Init( |
| TPM_STARTUP_TYPE startupType |
| ); |
| |
| /** |
| * TPM_Startup - starts the TPM |
| * @startupType: [in] Type of startup that is occurring |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 3.2) |
| * The TPM can startup in three different modes. (1) "clear" start where all |
| * variables go back to their default or non-volatile set state. (2) "save" |
| * start where the TPM recovers appropriate information and restores various |
| * values based on a prior TPM_SaveState. (3) "deactivated" start where the |
| * TPM turns itself off and requires another TPM_Init before the TPM will |
| * execute in a fully operational state. |
| */ |
| TPM_RESULT TPM_Startup( |
| TPM_STARTUP_TYPE startupType |
| ); |
| |
| /** |
| * TPM_SaveState - saves the current state of the TPM |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 3.3) |
| * This warns a TPM to save some state information. If the relevant shielded |
| * storage is non-volatile, this command need have no effect. If the relevant |
| * shielded storage is volatile and the TPM alone is unable to detect the loss |
| * of external power in time to move data to non-volatile memory, this command |
| * should be presented before the systems enters a low or no power state. |
| */ |
| TPM_RESULT TPM_SaveState(void); |
| |
| /* |
| * Admin Testing ([TPM_Part3], Section 4) |
| * [tpm_testing.c] |
| */ |
| |
| /** |
| * TPM_SelfTestFull - tests all of the TPM capabilities |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 4.1) |
| * Tests all of the TPM capabilities. |
| */ |
| TPM_RESULT TPM_SelfTestFull(void); |
| |
| /** |
| * TPM_ContinueSelfTest - continues a started self test |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 4.2) |
| * Informs the TPM that it may complete the self test of all TPM functions. |
| */ |
| TPM_RESULT TPM_ContinueSelfTest(void); |
| |
| /** |
| * TPM_GetTestResult - provides the results of the self test |
| * @outDataSize: [out] The size of the outData area |
| * @outData: [out] The outData this is manufacturer specific |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 4.3) |
| * TPM_GetTestResult provides manufacturer specific information regarding the |
| * results of the self test. This command will also work when the TPM is in |
| * self test failure mode. |
| */ |
| TPM_RESULT TPM_GetTestResult( |
| UINT32 *outDataSize, |
| BYTE **outData |
| ); |
| |
| /* |
| * Admin Opt-in ([TPM_Part3], Section 5) |
| * [tpm_owner.c] |
| */ |
| |
| /** |
| * TPM_SetOwnerInstall - sets the persistent owner-install flag |
| * @state: [in] State to which ownership flag is to be set |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 5.1) |
| * When enabled but without an owner this command sets the persistent flag |
| * that allows or disallows the ability to insert an owner. |
| */ |
| TPM_RESULT TPM_SetOwnerInstall( |
| BOOL state |
| ); |
| |
| /** |
| * TPM_OwnerSetDisable - sets the persistent disable flag |
| * @disableState: [in] Value for disable state, enable if TRUE |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 5.2) |
| * The TPM owner sets the persistent disable flag. |
| */ |
| TPM_RESULT TPM_OwnerSetDisable( |
| BOOL disableState, |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_PhysicalEnable - sets the persistent disable flag to FALSE |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 5.3) |
| * Sets the persistent disable flag to FALSE using physical presence as |
| * authorization. |
| */ |
| TPM_RESULT TPM_PhysicalEnable(void); |
| |
| /** |
| * TPM_PhysicalDisable - sets the persistent disable flag to TRUE |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 5.4) |
| * Sets the persistent disable flag to TRUE using physical presence as |
| * authorization. |
| */ |
| TPM_RESULT TPM_PhysicalDisable(void); |
| |
| /** |
| * TPM_PhysicalSetDeactivated - sets the deactivated flag |
| * @state: [in] State to which deactivated flag is to be set |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 5.5) |
| * Sets the deactivated flag using physical presence as authorization. |
| */ |
| TPM_RESULT TPM_PhysicalSetDeactivated( |
| BOOL state |
| ); |
| |
| /** |
| * TPM_SetTempDeactivated - deactivates the TPM until the next boot |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 5.6) |
| * This command allows the operator of the platform to deactivate the TPM until |
| * the next boot of the platform. The operator can provide the authorization by |
| * either the assertion of physical presence or presenting the operation |
| * authorization value. |
| */ |
| TPM_RESULT TPM_SetTempDeactivated( |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_SetOperatorAuth - sets the operator authorization value |
| * @operatorAuth: [in] The operator authorization |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 5.7) |
| * This command allows the setting of the operator authorization value. There |
| * is no confidentiality applied to the operator authorization as the value is |
| * sent under the assumption of being local to the platform. |
| */ |
| TPM_RESULT TPM_SetOperatorAuth( |
| TPM_SECRET *operatorAuth |
| ); |
| |
| /* |
| * Admin Ownership ([TPM_Part3], Section 6) |
| * [tpm_owner.c] |
| */ |
| |
| /** |
| * TPM_TakeOwnership - inserts the TPM Ownership value into the TPM |
| * @protocolID: [in] The ownership protocol in use |
| * @encOwnerAuthSize: [in] The size of the encOwnerAuth field |
| * @encOwnerAuth: [in] The owner authorization data encrypted with PUBEK |
| * @encSrkAuthSize: [in] The size of the encSrkAuth field |
| * @encSrkAuth: [in] The SRK authorization data encrypted with PUBEK |
| * @srkParams: [in] All parameters of the new SRK |
| * @auth1: [in, out] Authorization protocol parameters |
| * @srkPub: [out] All parameters of the new SRK |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 6.1) |
| * This command inserts the TPM Ownership value into the TPM. |
| */ |
| TPM_RESULT TPM_TakeOwnership( |
| TPM_PROTOCOL_ID protocolID, |
| UINT32 encOwnerAuthSize, |
| BYTE *encOwnerAuth, |
| UINT32 encSrkAuthSize, |
| BYTE *encSrkAuth, |
| TPM_KEY *srkParams, |
| TPM_AUTH *auth1, |
| TPM_KEY *srkPub |
| ); |
| |
| /** |
| * tpm_owner_clear - owner clear operation |
| */ |
| void tpm_owner_clear(void); |
| |
| /** |
| * TPM_OwnerClear - performs the clear operation |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 6.2) |
| * This command performs the clear operation under Owner authorization. It |
| * is available until the Owner executes the DisableOwnerClear, at which |
| * time any further invocation of this command returns TPM_CLEAR_DISABLED. |
| */ |
| TPM_RESULT TPM_OwnerClear( |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_ForceClear - forces the clear operation |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 6.3) |
| * This command performs the clear operation under physical access. It is |
| * available until the execution of DisableForceClear, at which time any |
| * further invocation of this command returns TPM_CLEAR_DISABLED. |
| */ |
| TPM_RESULT TPM_ForceClear(void); |
| |
| /** |
| * TPM_DisableOwnerClear - disables the ability to execute TPM_OwnerClear |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 6.4) |
| * This command disables the ability to execute the TPM_OwnerClear command |
| * permanently. Once invoked the only method of clearing the TPM will require |
| * physical access to the TPM. |
| */ |
| TPM_RESULT TPM_DisableOwnerClear( |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_DisableForceClear - disables the ability to execute TPM_ForceClear |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 6.5) |
| * The DisableForceClear command disables the execution of the ForceClear |
| * command until the next startup cycle. Once this command is executed, |
| * the TPM_ForceClear is disabled until another startup cycle is run. |
| */ |
| TPM_RESULT TPM_DisableForceClear(void); |
| |
| /** |
| * TSC_PhysicalPresence - sets the physical presence flag |
| * @physicalPresence: [in] The state to set the TPM's Physical Presence flags |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 6.6) |
| * This command allows a process on the platform to indicate the assertion |
| * of physical presence. |
| */ |
| TPM_RESULT TSC_PhysicalPresence( |
| TPM_PHYSICAL_PRESENCE physicalPresence |
| ); |
| |
| /** |
| * TSC_ResetEstablishmentBit - resets the establishment bit |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 6.7) |
| * The PC TPM Interface Specification (TIS) specifies a bit that is set upon |
| * execution of the HASH_START sequence. This command allows for the resetting |
| * of the bit under controlled circumstances. |
| */ |
| TPM_RESULT TSC_ResetEstablishmentBit(void); |
| |
| /* |
| * The GetCapability Commands ([TPM_Part3], Section 7) |
| * [tpm_capability.c] |
| * The GetCapability command allows the TPM to report back to the requester |
| * what type of TPM it is dealing with. The request for information requires |
| * the requester to specify which piece of information that is required. |
| */ |
| |
| /** |
| * TPM_GetCapability - provides current information regarding the TPM |
| * @capArea: [in] Partition of capabilities to be interrogated |
| * @subCapSize: [in] Size of subCap parameter |
| * @subCap: [in] Further definition of information |
| * @respSize: [out] The length of the returned capability response |
| * @resp: [out] The capability response |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 7.1) |
| * This command provides current information regarding the TPM. |
| */ |
| TPM_RESULT TPM_GetCapability( |
| TPM_CAPABILITY_AREA capArea, |
| UINT32 subCapSize, |
| BYTE *subCap, |
| UINT32 *respSize, |
| BYTE **resp |
| ); |
| |
| /** |
| * TPM_SetCapability - sets values in the TPM |
| * @capArea: [in] Partition of capabilities to be set |
| * @subCapSize: [in] Size of subCap parameter |
| * @subCap: [in] Further definition of information |
| * @setValueSize: [in] Size of the value to set |
| * @setValue: [in] Value to set |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 7.2) |
| * This command sets values in the TPM. |
| */ |
| TPM_RESULT TPM_SetCapability( |
| TPM_CAPABILITY_AREA capArea, |
| UINT32 subCapSize, |
| BYTE *subCap, |
| UINT32 setValueSize, |
| BYTE *setValue, |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_GetCapabilityOwner (deprecated) |
| * @auth1: [in, out] Authorization protocol parameters |
| * @version: [out] Properly filled out version structure |
| * @non_volatile_flags: [out] Current state of the non-volatile flags |
| * @volatile_flags: [out] Current state of the volatile flags |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 7.3) |
| * This command is deprecated. |
| */ |
| TPM_RESULT TPM_GetCapabilityOwner( |
| TPM_AUTH *auth1, |
| TPM_VERSION *version, |
| UINT32 *non_volatile_flags, |
| UINT32 *volatile_flags |
| ); |
| |
| /* |
| * Auditing ([TPM_Part3], Section 8) |
| * [tpm_audit.c] |
| * The TPM generates an audit event in response to the TPM executing a |
| * function that has the audit flag set to TRUE for that function. The |
| * TPM maintains an extended value for all audited operations. |
| */ |
| |
| /** |
| * tpm_audit_request - audits a TPM request |
| * @ordinal: [in] The ordinal of the request |
| * @req: [in] The request to audit |
| */ |
| void tpm_audit_request( |
| TPM_COMMAND_CODE ordinal, |
| TPM_REQUEST *req |
| ); |
| |
| /** |
| * tpm_audit_response - audits a TPM response |
| * @ordinal: [in] The ordinal of the response |
| * @rsp: [in] The response to audit |
| */ |
| void tpm_audit_response( |
| TPM_COMMAND_CODE ordinal, |
| TPM_RESPONSE *rsp |
| ); |
| |
| /** |
| * TPM_GetAuditDigest - provides the current audit digest |
| * @startOrdinal: [in] The starting ordinal for the list of audited ordinals |
| * @counterValue: [out] The current value of the audit monotonic counter |
| * @auditDigest: [out] Log of all audited events |
| * @more: [out] TRUE if the output does not contain all audited ordinals |
| * @ordSize: [out] Size of the ordinal list in bytes |
| * @ordList: [out] List of ordinals that are audited |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 8.3) |
| * This provides the current audit digest. The external audit log has the |
| * responsibility to track the parameters that constitute the audit digest. |
| */ |
| TPM_RESULT TPM_GetAuditDigest( |
| UINT32 startOrdinal, |
| TPM_COUNTER_VALUE *counterValue, |
| TPM_DIGEST *auditDigest, |
| BOOL *more, |
| UINT32 *ordSize, |
| UINT32 **ordList |
| ); |
| |
| /** |
| * TPM_GetAuditDigestSigned - provides the current (signed) audit digest |
| * @keyHandle: [in] Handle of a loaded key that can perform digital signatures |
| * @closeAudit: [in] Indication if audit session should be closed |
| * @antiReplay: [in] A nonce to prevent replay attacks |
| * @auth1: [in, out] Authorization protocol parameters |
| * @counterValue: [out] The value of the audit monotonic counter |
| * @auditDigest: [out] Log of all audited events |
| * @ordinalDigest: [out] Digest of all audited ordinals |
| * @sigSize: [out] The size of the sig parameter |
| * @sig: [out] The signature of the area |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 8.4) |
| * The signing of the audit log provides the entire digest value and the list |
| * of currently audited commands. The inclusion of the list of audited commands |
| * as an atomic operation is to tie the current digest value with the list of |
| * commands that are being audited. |
| */ |
| TPM_RESULT TPM_GetAuditDigestSigned( |
| TPM_KEY_HANDLE keyHandle, |
| BOOL closeAudit, |
| TPM_NONCE *antiReplay, |
| TPM_AUTH *auth1, |
| TPM_COUNTER_VALUE *counterValue, |
| TPM_DIGEST *auditDigest, |
| TPM_DIGEST *ordinalDigest, |
| UINT32 *sigSize, |
| BYTE **sig |
| ); |
| |
| /** |
| * TPM_SetOrdinalAuditStatus - set the audit flag for a given ordinal |
| * @ordinalToAudit: [in] The ordinal whose audit flag is to be set |
| * @auditState: [in] Value for audit flag |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 8.5) |
| * Set the audit flag for a given ordinal. This command requires the |
| * authorization of the TPM Owner. |
| */ |
| TPM_RESULT TPM_SetOrdinalAuditStatus( |
| TPM_COMMAND_CODE ordinalToAudit, |
| BOOL auditState, |
| TPM_AUTH *auth1 |
| ); |
| |
| /* |
| * Administrative Functions ([TPM_Part3], Section 9) |
| * [tpm_management.c] |
| */ |
| |
| /** |
| * TPM_FieldUpgrade - updates the protected capabilities |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 9.1) |
| * This command provides a manufacturer specific method of updating |
| * the protected capabilities |
| */ |
| TPM_RESULT TPM_FieldUpgrade(void); |
| |
| /** |
| * TPM_SetRedirection - attaches a key to a redirection receiver |
| * @keyHandle: [in] Handle of a loaded key that can implement redirection |
| * @redirCmd: [in] The command to execute |
| * @inputDataSize: [in] The size of the input data |
| * @inputData: [in] Manufacturer parameter |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 9.2) |
| */ |
| TPM_RESULT TPM_SetRedirection( |
| TPM_KEY_HANDLE keyHandle, |
| TPM_REDIR_COMMAND redirCmd, |
| UINT32 inputDataSize, |
| BYTE *inputData, |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_ResetLockValue - resets the TPM dictionary attack mitigation values |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 9.3) |
| */ |
| TPM_RESULT TPM_ResetLockValue( |
| TPM_AUTH *auth1 |
| ); |
| |
| /* |
| * Storage functions ([TPM_Part3], Section 10) |
| * [tpm_storage.c] |
| */ |
| |
| /** |
| * TPM_Seal - seals the TPM configuration |
| * @keyHandle: [in] Handle of a loaded key that can perform seal operations |
| * @encAuth: [in] The encrypted authorization data for the sealed data |
| * @pcrInfoSize: [in] The size of the pcrInfo parameter |
| * @pcrInfo: [in] The PCR selection information |
| * @inDataSize: [in] The size of the inData parameter |
| * @inData: [in] The data to be sealed to the platform and any specified PCRs |
| * @auth1: [in, out] Authorization protocol parameters |
| * @sealedData: [out] Encrypted, integrity-protected data object |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 10.1) |
| * The Seal operation allows software to explicitly state the future trusted |
| * configuration that the platform must be in for the secret to be revealed. |
| */ |
| TPM_RESULT TPM_Seal( |
| TPM_KEY_HANDLE keyHandle, |
| TPM_ENCAUTH *encAuth, |
| UINT32 pcrInfoSize, |
| TPM_PCR_INFO *pcrInfo, |
| UINT32 inDataSize, |
| BYTE *inData, |
| TPM_AUTH *auth1, |
| TPM_STORED_DATA *sealedData |
| ); |
| |
| /** |
| * TPM_Unseal - unseals the TPM configuration |
| * @parentHandle: [in] Handle of a loaded key that can unseal the data |
| * @inData: [in] The encrypted data generated by TPM_Seal |
| * @auth1: [in, out] Authorization protocol parameters |
| * @auth2: [in, out] Authorization protocol parameters |
| * @sealedDataSize: [out] The used size of the output area for secret |
| * @secret: [out] Decrypted data that had been sealed |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 10.2) |
| * The Unseal operation will reveal TPM_Sealed data only if it was encrypted |
| * on this platform and the current configuration (as defined by the named PCR |
| * contents) is the one named as qualified to decrypt it. |
| */ |
| TPM_RESULT TPM_Unseal( |
| TPM_KEY_HANDLE parentHandle, |
| TPM_STORED_DATA *inData, |
| TPM_AUTH *auth1, |
| TPM_AUTH *auth2, |
| UINT32 *sealedDataSize, |
| BYTE **secret |
| ); |
| |
| /** |
| * TPM_UnBind - decrypts the result of a TSS_Bind command |
| * @keyHandle: [in] Handle of a loaded key that can perform UnBind operations |
| * @inDataSize: [in] The size of the input blob |
| * @inData: [in] Encrypted blob to be decrypted |
| * @auth1: [in, out] Authorization protocol parameters |
| * @outDataSize: [out] The length of the returned decrypted data |
| * @outData: [out] The resulting decrypted data |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 10.3) |
| * TPM_UnBind takes the data blob that is the result of a TSS_Bind command and |
| * decrypts it for export to the User. The caller must authorize the use of the |
| * key that will decrypt the incoming blob. UnBInd operates on a block-by-block |
| * basis, and has no notion of any relation between one block and another. |
| */ |
| TPM_RESULT TPM_UnBind( |
| TPM_KEY_HANDLE keyHandle, |
| UINT32 inDataSize, |
| BYTE *inData, |
| TPM_AUTH *auth1, |
| UINT32 *outDataSize, |
| BYTE **outData |
| ); |
| |
| /** |
| * TPM_CreateWrapKey - generates and creates a wrapped asymmetric key |
| * @parentHandle: [in] Handle of a loaded key that can perform key wrapping |
| * @dataUsageAuth: [in] Encrypted usage authorization data |
| * @dataMigrationAuth: [in] Encrypted migration authorization data |
| * @keyInfo: [in] Information about key to be created |
| * @auth1: [in, out] Authorization protocol parameters |
| * @wrappedKey: [out] The public and encrypted private key |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 10.4) |
| * The TPM_CreateWrapKey command both generates and creates a secure storage |
| * bundle for asymmetric keys. The newly created key can be locked to a |
| * specific PCR value by specifying a set of PCR registers. |
| */ |
| TPM_RESULT TPM_CreateWrapKey( |
| TPM_KEY_HANDLE parentHandle, |
| TPM_ENCAUTH *dataUsageAuth, |
| TPM_ENCAUTH *dataMigrationAuth, |
| TPM_KEY *keyInfo, |
| TPM_AUTH *auth1, |
| TPM_KEY *wrappedKey |
| ); |
| |
| /** |
| * TPM_LoadKey - loads a key into the TPM for further use |
| * @parentHandle: [in] TPM handle of parent key |
| * @inKey: [in] Incoming key structure, both private and public portions |
| * @auth1: [in, out] Authorization protocol parameters |
| * @inkeyHandle: [out] Internal TPM handle where decrypted key was loaded |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 10.5) |
| * Before the TPM can use a key to either wrap, unwrap, bind, unbind, seal, |
| * unseal, sign or perform any other action, it needs to be present in the |
| * TPM. The TPM_LoadKey function loads the key into the TPM for further use. |
| */ |
| TPM_RESULT TPM_LoadKey( |
| TPM_KEY_HANDLE parentHandle, |
| TPM_KEY *inKey, |
| TPM_AUTH *auth1, |
| TPM_KEY_HANDLE *inkeyHandle |
| ); |
| |
| /** |
| * TPM_LoadKey2 - loads a key into the TPM for further use |
| * @parentHandle: [in] TPM handle of parent key |
| * @inKey: [in] Incoming key structure, both private and public portions |
| * @auth1: [in, out] Authorization protocol parameters |
| * @inkeyHandle: [out] Internal TPM handle where decrypted key was loaded |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 10.5) |
| * Before the TPM can use a key to either wrap, unwrap, bind, unbind, seal, |
| * unseal, sign or perform any other action, it needs to be present in the |
| * TPM. The TPM_LoadKey function loads the key into the TPM for further use. |
| */ |
| TPM_RESULT TPM_LoadKey2( |
| TPM_KEY_HANDLE parentHandle, |
| TPM_KEY *inKey, |
| TPM_AUTH *auth1, |
| TPM_KEY_HANDLE *inkeyHandle |
| ); |
| |
| /** |
| * TPM_GetPubKey - provides the public key value from a loaded key |
| * @keyHandle: [in] TPM handle of key |
| * @auth1: [in, out] Authorization protocol parameters |
| * @pubKey: [out] Public portion of key in keyHandle |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 10.6) |
| * The owner of a key may wish to obtain the public key value from a loaded |
| * key. This information may have privacy concerns so the command must have |
| * authorization from the key owner. |
| */ |
| TPM_RESULT TPM_GetPubKey( |
| TPM_KEY_HANDLE keyHandle, |
| TPM_AUTH *auth1, |
| TPM_PUBKEY *pubKey |
| ); |
| |
| /** |
| * TPM_Sealx - seals encrypted data to a TPM configuration |
| * @keyHandle: [in] Handle of a loaded key that can perform seal operations |
| * @encAuth: [in] The encrypted authorization data for the sealed data |
| * @pcrInfoSize: [in] The size of the pcrInfo parameter |
| * @pcrInfo: [in] The PCR selection information (MUST be TPM_PCR_INFO_LONG) |
| * @inDataSize: [in] The size of the inData parameter |
| * @inData: [in] The data to be sealed to the platform and any specified PCRs |
| * @auth1: [in, out] Authorization protocol parameters |
| * @sealedData: [out] Encrypted, integrity-protected data object |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 10.7) |
| * The SEALX command works exactly like the SEAL command with the additional |
| * requirement of encryption for the inData parameter. This command also |
| * places in the sealed blob the information that the unseal also requires |
| * encryption. |
| */ |
| TPM_RESULT TPM_Sealx( |
| TPM_KEY_HANDLE keyHandle, |
| TPM_ENCAUTH *encAuth, |
| UINT32 pcrInfoSize, |
| TPM_PCR_INFO *pcrInfo, |
| UINT32 inDataSize, |
| BYTE *inData, |
| TPM_AUTH *auth1, |
| TPM_STORED_DATA *sealedData |
| ); |
| |
| /** |
| * tpm_get_free_key - allocates a new key slot |
| * Returns: the key handle on success, TPM_INVALID_HANDLE otherwise. |
| |
| */ |
| TPM_KEY_HANDLE tpm_get_free_key(void); |
| |
| /** |
| * tpm_encrypt_public - encrypts the input data with the specified public key |
| * @key: [in], Public key |
| * @in: [in] Input data to encrypt |
| * @in_size: [in] Size of the input data |
| * @enc: [out] Encrypted data |
| * @enc_size: [out] Size of the encrypted data |
| * Returns: 0 on success, -1 otherwise. |
| */ |
| int tpm_encrypt_public( |
| TPM_PUBKEY_DATA *key, |
| BYTE *in, |
| UINT32 in_size, |
| BYTE *enc, |
| UINT32 *enc_size |
| ); |
| |
| /** |
| * tpm_encrypt_private - encrypts the input data with the specified private key |
| * @key: [in], Private key |
| * @in: [in] Input data to encrypt |
| * @in_size: [in] Size of the input data |
| * @enc: [out] Encrypted data |
| * @enc_size: [out] Size of the encrypted data |
| * Returns: 0 on success, -1 otherwise. |
| */ |
| int tpm_encrypt_private( |
| TPM_KEY_DATA *key, |
| BYTE *in, |
| UINT32 in_size, |
| BYTE *enc, |
| UINT32 *enc_size |
| ); |
| |
| /** |
| * tpm_decrypt - decrypts the input data with the specified private key |
| * @key: [in], Private key |
| * @enc: [in] Encrypted data |
| * @enc_size: [in] Size of the encrypted data |
| * @out: [out] Decrypted data |
| * @out_size: [out] Size of the decrypted data |
| * Returns: 0 on success, -1 otherwise. |
| */ |
| int tpm_decrypt( |
| TPM_KEY_DATA *key, |
| BYTE *enc, |
| UINT32 enc_size, |
| BYTE *out, |
| UINT32 *out_size |
| ); |
| |
| /** |
| * tpm_encrypt_sealed_data - encrypts a TPM_SEALED_DATA structure |
| * @key: [in], Private key |
| * @seal: [in] Structure to encrypt |
| * @enc: [out] Encrypted structure |
| * @enc_size: [out] Size of the encrypted structure |
| * Returns: 0 on success, -1 otherwise. |
| */ |
| int tpm_encrypt_sealed_data( |
| TPM_KEY_DATA *key, |
| TPM_SEALED_DATA *seal, |
| BYTE *enc, |
| UINT32 *enc_size |
| ); |
| |
| /** |
| * tpm_decrypt_sealed_data - decrypts a TPM_SEALED_DATA structure |
| * @key: [in], Private key |
| * @enc: [in] Encrypted structure |
| * @enc_size: [in] Size of the encrypted structure |
| * @seal: [out] Decrypted structure |
| * @buf: [out] Buffer for the decrypted structure (to be freed by the caller) |
| * Returns: 0 on success, -1 otherwise. |
| */ |
| int tpm_decrypt_sealed_data( |
| TPM_KEY_DATA *key, |
| BYTE *enc, |
| UINT32 enc_size, |
| TPM_SEALED_DATA *seal, |
| BYTE **buf |
| ); |
| |
| /** |
| * tpm_encrypt_sealed_data - encrypts a TPM_STORE_ASYMKEY structure |
| * @key: [in], Private key |
| * @store: [in] Structure to encrypt |
| * @enc: [out] Encrypted structure |
| * @enc_size: [out] Size of the encrypted structure |
| * Returns: 0 on success, -1 otherwise. |
| */ |
| int tpm_encrypt_private_key( |
| TPM_KEY_DATA *key, |
| TPM_STORE_ASYMKEY *store, |
| BYTE *enc, |
| UINT32 *enc_size |
| ); |
| |
| /** |
| * tpm_decrypt_sealed_data - decrypts a TPM_STORE_ASYMKEY structure |
| * @key: [in], Private key |
| * @enc: [in] Encrypted structure |
| * @enc_size: [in] Size of the encrypted structure |
| * @store: [out] Decrypted structure |
| * @buf: [out] Buffer for the decrypted structure (to be freed by the caller) |
| * @buf_size: [out] Size of the buffer |
| * Returns: 0 on success, -1 otherwise. |
| */ |
| int tpm_decrypt_private_key( |
| TPM_KEY_DATA *key, |
| BYTE *enc, |
| UINT32 enc_size, |
| TPM_STORE_ASYMKEY *store, |
| BYTE **buf, |
| UINT32 *buf_size |
| ); |
| |
| /** |
| * tpm_compute_key_digest - computes the digest of a key |
| * @key: [in] Key |
| * @digest: [out] Digest of the key |
| * @Returns: 0 on success, -1 otherwise. |
| */ |
| int tpm_compute_key_digest( |
| TPM_KEY *key, |
| TPM_DIGEST *digest |
| ); |
| |
| /** |
| * tpm_compute_key_data_digest - computes the digest of the public part of a key |
| * @key: [in] Key |
| * @digest: [out] Digest of the key |
| * @Returns: 0 on success, -1 otherwise. |
| */ |
| int tpm_compute_key_data_digest( |
| TPM_KEY_DATA *key, |
| TPM_DIGEST *digest |
| ); |
| |
| /** |
| * tpm_compute_pubkey_checksum - computes the checksum of a public key |
| * @antiReplay: [in] Nonce to prevent replay of messages |
| * @pubKey: [in] Public key |
| * @checksum: [out] Checksum of the public key and the nonce |
| * @Returns: 0 on success, -1 otherwise. |
| */ |
| int tpm_compute_pubkey_checksum( |
| TPM_NONCE *antiReplay, |
| TPM_PUBKEY *pubKey, |
| TPM_DIGEST *checksum |
| ); |
| |
| /** |
| * tpm_compute_pubkey_digest - computes the digest of a public key |
| * @key: [in] Public key |
| * @digest: [out] Digest of the key |
| * @Returns: 0 on success, -1 otherwise. |
| */ |
| int tpm_compute_pubkey_digest( |
| TPM_PUBKEY *key, |
| TPM_DIGEST *digest |
| ); |
| |
| /** |
| * tpm_setup_key_parms - sets the key parameters according to the given key |
| * @key: [in] Key |
| * @params: [out] Key parameters to set |
| * @Returns: 0 on success, -1 otherwise. |
| */ |
| int tpm_setup_key_parms( |
| TPM_KEY_DATA *key, |
| TPM_KEY_PARMS *parms |
| ); |
| |
| /** |
| * tpm_setup_pubkey_data - creates an internal public key based on the given key |
| * @in: [in] Public Key of type TPM_PUBKEY |
| * @out: [out] Internal public key of type TPM_PUBKEY_DATA |
| * @Returns: 0 on success, -1 otherwise. |
| */ |
| int tpm_setup_pubkey_data( |
| TPM_PUBKEY *in, |
| TPM_PUBKEY_DATA *out |
| ); |
| |
| /** |
| * tpm_extract_pubkey - extracts the public part of the specified key |
| * @in: [in] Key |
| * @out: [out] Public key |
| * @Returns: 0 on success, -1 otherwise. |
| */ |
| int tpm_extract_pubkey( |
| TPM_KEY_DATA *key, |
| TPM_PUBKEY *pubKey |
| ); |
| |
| /** |
| * tpm_extract_store_pubkey - extracts the public part of the specified key |
| * @in: [in] Key |
| * @out: [out] Public key |
| * @Returns: 0 on success, -1 otherwise. |
| */ |
| int tpm_extract_store_pubkey( |
| TPM_KEY_DATA *key, |
| TPM_STORE_PUBKEY *pubKey |
| ); |
| |
| /** |
| * internal_TPM_LoadKey - loads the specified key into the TPM |
| * @inKey: [in] Incoming key structure, both private and public portions |
| * @inkeyHandle: [out] Internal TPM handle where decrypted key was loaded |
| */ |
| TPM_RESULT internal_TPM_LoadKey( |
| TPM_KEY *inKey, |
| TPM_KEY_HANDLE *inkeyHandle |
| ); |
| |
| /* |
| * Migration ([TPM_Part3], Section 11) |
| * [tpm_migration.c] |
| */ |
| |
| /** |
| * TPM_CreateMigrationBlob - creates a migration blob |
| * @parentHandle: [in] Handle of the parent key that can decrypt encData |
| * @migrationType: [in] The migration type, either MIGRATE or REWRAP |
| * @migrationKeyAuth: [in] Migration public key and its authorization digest |
| * @encDataSize: [in] The size of the encData parameter |
| * @encData: [in] The encrypted entity that is to be modified |
| * @auth1: [in, out] Authorization protocol parameters |
| * @auth2: [in, out] Authorization protocol parameters |
| * @randomSize: [out] The used size of the output area for random |
| * @random: [out] String used for xor encryption |
| * @outDataSize: [out] The used size of the output area for outData |
| * @outData: [out] The modified, encrypted entity |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 11.1) |
| * The TPM_CreateMigrationBlob command implements the first step in the |
| * process of moving a migratable key to a new parent or platform. |
| */ |
| TPM_RESULT TPM_CreateMigrationBlob( |
| TPM_KEY_HANDLE parentHandle, |
| TPM_MIGRATE_SCHEME migrationType, |
| TPM_MIGRATIONKEYAUTH *migrationKeyAuth, |
| UINT32 encDataSize, |
| BYTE *encData, |
| TPM_AUTH *auth1, |
| TPM_AUTH *auth2, |
| UINT32 *randomSize, |
| BYTE **random, |
| UINT32 *outDataSize, |
| BYTE **outData |
| ); |
| |
| /** |
| * TPM_ConvertMigrationBlob - converts a migration into a wrapped blob |
| * @parentHandle: [in] Handle of a loaded key that can decrypt keys |
| * @inDataSize: [in] Size of inData |
| * @inData: [in] The XOR d and encrypted key |
| * @randomSize: [in] Size of random |
| * @random: [in] Random value used to hide key data |
| * @auth1: [in, out] Authorization protocol parameters |
| * @outDataSize: [out] The used size of the output area for outData |
| * @outData: [out] The encrypted private key that can be loaded with LoadKey |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 11.2) |
| * This command takes a migration blob and creates a normal wrapped blob. |
| * The migrated blob must be loaded into the TPM using the normal TPM_LoadKey |
| * function. Note that the command migrates private keys, only. |
| */ |
| TPM_RESULT TPM_ConvertMigrationBlob( |
| TPM_KEY_HANDLE parentHandle, |
| UINT32 inDataSize, |
| BYTE *inData, |
| UINT32 randomSize, |
| BYTE *random, |
| TPM_AUTH *auth1, |
| UINT32 *outDataSize, |
| BYTE **outData |
| ); |
| |
| /** |
| * TPM_AuthorizeMigrationKey - creates an authorization blob |
| * @migrateScheme: [in] Migration operation that is to be permitted for this key |
| * @migrationKey: [in] The public key to be authorized |
| * @auth1: [in, out] Authorization protocol parameters |
| * @outData: [out] Returned public key and authorization digest |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 11.3) |
| * This command creates an authorization blob, to allow the TPM owner to |
| * specify which migration facility they will use and allow users to migrate |
| * information without further involvement with the TPM owner. |
| */ |
| TPM_RESULT TPM_AuthorizeMigrationKey( |
| TPM_MIGRATE_SCHEME migrateScheme, |
| TPM_PUBKEY *migrationKey, |
| TPM_AUTH *auth1, |
| TPM_MIGRATIONKEYAUTH *outData |
| ); |
| |
| /** |
| * TPM_MigrateKey - performs the function of a migration authority |
| * @maKeyHandle: [in] Handle of the key to be used to migrate the key |
| * @pubKey: [in] Public key to which the blob is to be migrated |
| * @inDataSize: [in] The size of inData |
| * @inData: [in] The input blob |
| * @auth1: [in, out] Authorization protocol parameters |
| * @outDataSize: [out] The used size of the output area for outData |
| * @outData: [out] The re-encrypted blob |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 11.4) |
| */ |
| TPM_RESULT TPM_MigrateKey( |
| TPM_KEY_HANDLE maKeyHandle, |
| TPM_PUBKEY *pubKey, |
| UINT32 inDataSize, |
| BYTE *inData, |
| TPM_AUTH *auth1, |
| UINT32 *outDataSize, |
| BYTE **outData |
| ); |
| |
| /** |
| * TPM_CMK_SetRestrictions - dictates the usage of a restricted migration key |
| * @restriction: [in] The bit mask of how to set the restrictions on CMK keys |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 11.5) |
| * This command is used by the Owner to dictate the usage of a restricted- |
| * migration key with delegated authorisation (authorisation other than actual |
| * Owner authorisation). |
| */ |
| TPM_RESULT TPM_CMK_SetRestrictions( |
| TPM_CMK_DELEGATE restriction, |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_CMK_ApproveMA - creates an authorization ticket |
| * @migrationAuthorityDigest: [in] A digest of a TPM_MSA_COMPOSITE structure |
| * @auth1: [in, out] Authorization protocol parameters |
| * @outData: [out] HMAC of the migrationAuthorityDigest |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 11.6) |
| */ |
| TPM_RESULT TPM_CMK_ApproveMA( |
| TPM_DIGEST *migrationAuthorityDigest, |
| TPM_AUTH *auth1, |
| TPM_HMAC *outData |
| ); |
| |
| /** |
| * TPM_CMK_CreateKey - generates and creates a wrapped CMK |
| * @parentHandle: [in] Handle of a loaded key that can perform key wrapping |
| * @dataUsageAuth: [in] Encrypted usage authorization data for the sealed data |
| * @keyInfo: [in] Information about key to be created |
| * @migrationAuthorityApproval: [in] A ticket created by the TPM owner |
| * @migrationAuthorityDigest: [in] The digest of the public key of the MSA or MA |
| * @auth1: [in, out] Authorization protocol parameters |
| * @auth2: [in, out] Authorization protocol parameters |
| * @wrappedKey: [out] The public and encrypted private key |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 11.7) |
| * The TPM_CreateWrapRestrictedKey command both generates and creates a |
| * secure storage bundle for asymmetric keys whose migration is controlled |
| * by a migration authority. |
| */ |
| TPM_RESULT TPM_CMK_CreateKey( |
| TPM_KEY_HANDLE parentHandle, |
| TPM_ENCAUTH *dataUsageAuth, |
| TPM_KEY *keyInfo, |
| TPM_HMAC *migrationAuthorityApproval, |
| TPM_DIGEST *migrationAuthorityDigest, |
| TPM_AUTH *auth1, |
| TPM_AUTH *auth2, |
| TPM_KEY *wrappedKey |
| ); |
| |
| /** |
| * TPM_CMK_CreateTicket - creates a ticket for proving a signature verification |
| * @verificationKey: [in] The public key to be used to check signatureValue |
| * @signedData: [in] The data proported to be signed |
| * @signatureValueSize: [in] The size of the signatureValue |
| * @signatureValue: [in] The signatureValue to be verified |
| * @auth1: [in, out] Authorization protocol parameters |
| * @sigTicket: [out] Ticket that proves digest created on this TPM |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 11.8) |
| * The TPM_verifySignature command uses a public key to verify the signature |
| * over a digest. TPM_verifySignature provides a ticket that can be used to |
| * prove to the same TPM that signature verification with a particular public |
| * key was successful. |
| */ |
| TPM_RESULT TPM_CMK_CreateTicket( |
| TPM_PUBKEY *verificationKey, |
| TPM_DIGEST *signedData, |
| UINT32 signatureValueSize, |
| BYTE *signatureValue, |
| TPM_AUTH *auth1, |
| TPM_DIGEST *sigTicket |
| ); |
| |
| /** |
| * TPM_CMK_CreateBlob - creates a migration blob |
| * @parentHandle: [in] Handle of the parent key that can decrypt encData |
| * @migrationType: [in] The migration type |
| * @migrationKeyAuth: [in] Migration public key and its authorization digest |
| * @pubSourceKeyDigest: [in] Digest of the entity's public key to be migrated |
| * @msaList: [in] Digests of public keys belonging to MAs |
| * @restrictTicket: [in] The digests of the public keys |
| * @sigTicket: [in] A signature ticket, generate by the TPM |
| * @encDataSize: [in] The size of the encData parameter |
| * @encData: [in] The encrypted entity that is to be modified |
| * @auth1: [in, out] Authorization protocol parameters |
| * @randomSize: [out] The used size of the output area for random |
| * @random: [out] String used for xor encryption |
| * @outDataSize: [out] The used size of the output area for outData |
| * @outData: [out] The modified, encrypted entity |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 11.9) |
| * TPM_CMK_CreateBlob command is very similar to TPM_CreateMigrationBlob, |
| * except that it (1) uses an extra ticket (restrictedKeyAuth) instead |
| * of a migrationAuth authorization session; (2) uses the migration options |
| * TPM_MS_RESTRICT_MIGRATE or TPM_MS_RESTRICT_APPROVE. |
| */ |
| TPM_RESULT TPM_CMK_CreateBlob( |
| TPM_KEY_HANDLE parentHandle, |
| TPM_MIGRATE_SCHEME migrationType, |
| TPM_MIGRATIONKEYAUTH *migrationKeyAuth, |
| TPM_DIGEST *pubSourceKeyDigest, |
| TPM_MSA_COMPOSITE *msaList, |
| TPM_CMK_AUTH *restrictTicket, |
| TPM_HMAC *sigTicket, |
| UINT32 encDataSize, |
| BYTE *encData, |
| TPM_AUTH *auth1, |
| UINT32 *randomSize, |
| BYTE **random, |
| UINT32 *outDataSize, |
| BYTE **outData |
| ); |
| |
| /** |
| * TPM_CMK_ConvertMigration - completes the migration of certified blobs |
| * @parentHandle: [in] Handle of a loaded key that can decrypt keys |
| * @restrictTicket: [in] The digests of the public keys |
| * @sigTicket: [in] A signature ticket, generated by the TPM |
| * @migratedKey: [in] The public key of the key to be migrated |
| * @msaList: [in] One or more digests of public keys belonging to MAs |
| * @randomSize: [in] Size of random |
| * @random: [in] Random value used to hide key data |
| * @auth1: [in, out] Authorization protocol parameters |
| * @outDataSize: [out] The used size of the output area for outData |
| * @outData: [out] The encrypted private key that can be loaded |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 11.10) |
| */ |
| TPM_RESULT TPM_CMK_ConvertMigration( |
| TPM_KEY_HANDLE parentHandle, |
| TPM_CMK_AUTH *restrictTicket, |
| TPM_HMAC *sigTicket, |
| TPM_KEY *migratedKey, |
| TPM_MSA_COMPOSITE *msaList, |
| UINT32 randomSize, |
| BYTE *random, |
| TPM_AUTH *auth1, |
| UINT32 *outDataSize, |
| BYTE **outData |
| ); |
| |
| /* |
| * Maintenance Functions ([TPM_Part3], Section 12) |
| * [tpm_maintenance.c] |
| */ |
| |
| /** |
| * TPM_CreateMaintenanceArchive - creates the maintenance archive |
| * @generateRandom: [in] Use RNG or Owner auth to generate random |
| * @auth1: [in, out] Authorization protocol parameters |
| * @randomSize: [out] Size of the returned random data |
| * @random: [out] Random data to XOR with result |
| * @archiveSize: [out] Size of the encrypted archive |
| * @archive: [out] Encrypted key archive |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 12.1) |
| * This command creates the maintenance archive. It can only be executed by |
| * the owner, and may be shut off with the KillMaintenanceFeature command. |
| */ |
| TPM_RESULT TPM_CreateMaintenanceArchive( |
| BOOL generateRandom, |
| TPM_AUTH *auth1, |
| UINT32 *randomSize, |
| BYTE **random , |
| UINT32 *archiveSize, |
| BYTE **archive |
| ); |
| |
| /** |
| * TPM_LoadMaintenanceArchive - loads in a maintenance archive |
| * @archiveSize: [in] Size of encrypted key archive |
| * @archive: [in] Encrypted key archive |
| * @sigSize: [in] Size of archive signature |
| * @sig: [in] archive signature |
| * @randomSize: [in] Size of the random data |
| * @random: [in] Random data to XOR with encrypted archive |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 12.2) |
| * This command loads in a maintenance archive that has been massaged |
| * by the manufacturer to load into another TPM. |
| */ |
| TPM_RESULT TPM_LoadMaintenanceArchive( |
| UINT32 archiveSize, |
| BYTE *archive, |
| UINT32 sigSize, |
| BYTE *sig, |
| UINT32 randomSize, |
| BYTE *random, |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_KillMaintenanceFeature - prevents the creation of a maintenance archive |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 12.3) |
| * The KillMaintencanceFeature is a permanent action that prevents ANYONE from |
| * creating a maintenance archive. This action, once taken, is permanent until |
| * a new TPM Owner is set. This action is to allow those customers who do not |
| * want the maintenance feature to prohibit it. |
| */ |
| TPM_RESULT TPM_KillMaintenanceFeature( |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_LoadManuMaintPub - loads the manufacturer's public key |
| * @antiReplay: [in] AntiReplay and validation nonce |
| * @pubKey: [in] The public key of the manufacturer to be in use for maintenance |
| * @checksum: [out] Digest of pubKey and antiReplay |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 12.4) |
| * The LoadManuMaintPub command loads the manufacturer's public key for use in |
| * the maintenance process. The command installs ManuMaintPub in persistent |
| * data storage inside a TPM. |
| */ |
| TPM_RESULT TPM_LoadManuMaintPub( |
| TPM_NONCE *antiReplay, |
| TPM_PUBKEY *pubKey, |
| TPM_DIGEST *checksum |
| ); |
| |
| /** |
| * TPM_ReadManuMaintPub - provides a digest of the manufacturer's public key |
| * @antiReplay: [in] AntiReplay and validation nonce |
| * @checksum: [out] Digest of pubKey and antiReplay |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 12.5) |
| * The ReadManuMaintPub command is used to check whether the manufacturer's |
| * public maintenance key in a TPM has the expected value. The command |
| * provides a digest of the installed key, rather than the key itself. |
| */ |
| TPM_RESULT TPM_ReadManuMaintPub( |
| TPM_NONCE *antiReplay, |
| TPM_DIGEST *checksum |
| ); |
| |
| /* |
| * Cryptographic Functions ([TPM_Part3], Section 13) |
| * [tpm_crypto.c] |
| */ |
| |
| /** |
| * TPM_SHA1Start - starts the process of calculating a SHA-1 digest |
| * @maxNumBytes: [out] Maximum number of bytes that can be sent to SHA1Update |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 13.1) |
| * This capability starts the process of calculating a SHA-1 digest. |
| */ |
| TPM_RESULT TPM_SHA1Start( |
| UINT32 *maxNumBytes |
| ); |
| |
| /** |
| * TPM_SHA1Update - inputs blocks of data into a pending SHA-1 digest |
| * @numBytes: [in] The number of bytes in hashData |
| * @hashData: [in] Bytes to be hashed |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 13.2) |
| * This capability inputs complete blocks of data into a pending SHA-1 digest. |
| * At the end of the process, the digest remains pending. |
| */ |
| TPM_RESULT TPM_SHA1Update( |
| UINT32 numBytes, |
| BYTE *hashData |
| ); |
| |
| /** |
| * TPM_SHA1Complete - terminates a pending SHA-1 calculation |
| * @hashDataSize: [in] Number of bytes in hashData, MUST be 64 or less |
| * @hashData: [in] Final bytes to be hashed |
| * @hashValue: [out] The output of the SHA-1 hash |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 13.3) |
| * This capability terminates a pending SHA-1 calculation. |
| */ |
| TPM_RESULT TPM_SHA1Complete( |
| UINT32 hashDataSize, |
| BYTE *hashData, |
| TPM_DIGEST *hashValue |
| ); |
| |
| /** |
| * TPM_SHA1CompleteExtend - terminates and extends a pending SHA-1 calculation |
| * @pcrNum: [in] Index of the PCR to be modified |
| * @hashDataSize: [in] Number of bytes in hashData, MUST be 64 or less |
| * @hashData: [in] Final bytes to be hashed |
| * @hashValue: [out] The output of the SHA-1 hash |
| * @outDigest: [out] The PCR value after execution of the command |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 13.4) |
| * This capability terminates a pending SHA-1 calculation and EXTENDS the |
| * result into a Platform Configuration Register using a SHA-1 hash process. |
| */ |
| TPM_RESULT TPM_SHA1CompleteExtend( |
| TPM_PCRINDEX pcrNum, |
| UINT32 hashDataSize, |
| BYTE *hashData, |
| TPM_DIGEST *hashValue, |
| TPM_PCRVALUE *outDigest |
| ); |
| |
| /** |
| * tpm_verify - verifies the signature with the specified key |
| * @key: [in] key to verify the signature |
| * @auth: [in, out] Authorization protocol parameters |
| * @isInfo: [in] True if the input data is of type TPM_SIGN_INFO |
| * @data: [in] The input data |
| * @dataSize: [in] The size of the input data |
| * @sig: [in] The digital signature |
| * @sigSize: [in] The size of the digital signature |
| * Returns: TPM_SUCCESS if the signature is valid, a TPM error code otherwise. |
| */ |
| TPM_RESULT tpm_verify( |
| TPM_PUBKEY_DATA *key, |
| TPM_AUTH *auth, |
| BOOL isInfo, |
| BYTE *data, |
| UINT32 dataSize, |
| BYTE *sig, |
| UINT32 sigSize |
| ); |
| |
| /** |
| * tpm_sign - signs data with the specified key |
| * @key: [in] key to compute the signature |
| * @auth: [in, out] Authorization protocol parameters |
| * @isInfo: [in] True if the input data is of type TPM_SIGN_INFO |
| * @areaToSign: [in] The value to sign |
| * @areaToSignSize: [in] The size of the areaToSign parameter |
| * @sig: [out] The digital signature |
| * @sigSize: [out] The size of the digital signature |
| * Returns: TPM_SUCCESS if the signature is valid, a TPM error code otherwise. |
| */ |
| TPM_RESULT tpm_sign( |
| TPM_KEY_DATA *key, |
| TPM_AUTH *auth, |
| BOOL isInfo, |
| BYTE *areaToSign, |
| UINT32 areaToSignSize, |
| BYTE **sig, |
| UINT32 *sigSize |
| ); |
| |
| /** |
| * TPM_Sign - signs data and provides the resulting digital signature |
| * @keyHandle: [in] Handle of a loaded key that can perform digital signatures |
| * @areaToSignSize: [in] The size of the areaToSign parameter |
| * @areaToSign: [in] The value to sign |
| * @auth1: [in, out] Authorization protocol parameters |
| * @sigSize: [out] The length of the returned digital signature |
| * @sig: [out] The resulting digital signature |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 13.5) |
| * The Sign command signs data and provides the resulting digital signature. |
| */ |
| TPM_RESULT TPM_Sign( |
| TPM_KEY_HANDLE keyHandle, |
| UINT32 areaToSignSize, |
| BYTE *areaToSign, |
| TPM_AUTH *auth1, |
| UINT32 *sigSize, |
| BYTE **sig |
| ); |
| |
| /** |
| * tpm_get_random_bytes - provides the requested amount of random bytes |
| * @buf: [out] buffer to fill with random data |
| * @nbytes: [in] requested number of random bytes |
| */ |
| void tpm_get_random_bytes( |
| void *buf, |
| size_t nbytes |
| ); |
| |
| /** |
| * TPM_GetRandom - provides the next bytes from the RNG |
| * @bytesRequested: [in] Number of bytes to return |
| * @randomBytesSize: [out] The number of bytes returned |
| * @randomBytes: [out] The returned bytes |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 13.6) |
| * GetRandom provides the next bytesRequested bytes from the random number |
| * generator to the caller. |
| */ |
| TPM_RESULT TPM_GetRandom( |
| UINT32 bytesRequested, |
| UINT32 *randomBytesSize, |
| BYTE **randomBytes |
| ); |
| |
| /** |
| * TPM_StirRandom - adds entropy to the RNG state |
| * @dataSize: [in] Number of bytes of input (256) |
| * @inData: [in] Data to add entropy to RNG state |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 13.7) |
| * StirRandom adds entropy to the RNG state. |
| */ |
| TPM_RESULT TPM_StirRandom( |
| UINT32 dataSize, |
| BYTE *inData |
| ); |
| |
| /** |
| * TPM_CertifyKey - certifies the public portion of a non-migratable key |
| * @certHandle: [in] Handle of the key to be used to certify the key |
| * @keyHandle: [in] Handle of the key to be certified |
| * @antiReplay: [in] 160 bits of externally supplied data (typically a nonce) |
| * @auth1: [in, out] Authorization protocol parameters |
| * @auth2: [in, out] Authorization protocol parameters |
| * @certifyInfo: [out] Certify information relative to keyhandle |
| * @outDataSize: [out] The used size of the output area for outData |
| * @outData: [out] The signed public key |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 13.8) |
| * The TPM_CERTIFYKEY operation allows a key to certify the public portion of |
| * certain storage and signing keys. A TPM identity key may be used to certify |
| * non-migratable keys but is not permitted to certify migratory keys. |
| */ |
| TPM_RESULT TPM_CertifyKey( |
| TPM_KEY_HANDLE certHandle, |
| TPM_KEY_HANDLE keyHandle, |
| TPM_NONCE *antiReplay, |
| TPM_AUTH *auth1, |
| TPM_AUTH *auth2, |
| TPM_CERTIFY_INFO *certifyInfo, |
| UINT32 *outDataSize, |
| BYTE **outData |
| ); |
| |
| /** |
| * TPM_CertifyKey2 - certifies a CMK |
| * @certHandle: [in] Handle of the key to be used to certify the key |
| * @keyHandle: [in] Handle of the key to be certified |
| * @migrationPubDigest: [in] Digest of the public key of a Migration Authority |
| * @antiReplay: [in] 160 bits of externally supplied data (typically a nonce) |
| * @auth1: [in, out] Authorization protocol parameters |
| * @auth2: [in, out] Authorization protocol parameters |
| * @certifyInfo: [out] TPM_CERTIFY_INFO2 relative to keyHandle |
| * @outDataSize: [out] The used size of the output area for outData |
| * @outData: [out] The signed public key |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 13.9) |
| * This command provides the ability to certify a Certifiable Migration Key |
| * (CMK). This certification requires additional parameters and output then |
| * the TPM_CertifyKey. This command always uses the TPM_SIGN_INFO2 structure. |
| * All other aspects of the command are the same as TPM_CertifyKey. |
| */ |
| TPM_RESULT TPM_CertifyKey2( |
| TPM_KEY_HANDLE certHandle, |
| TPM_KEY_HANDLE keyHandle, |
| TPM_DIGEST *migrationPubDigest, |
| TPM_NONCE *antiReplay, |
| TPM_AUTH *auth1, |
| TPM_AUTH *auth2, |
| TPM_CERTIFY_INFO *certifyInfo, |
| UINT32 *outDataSize, |
| BYTE **outData |
| ); |
| |
| /* |
| * Credential Handling ([TPM_Part3], Section 14) |
| * [tpm_credentials.c] |
| * There are two create EK commands. The first matches the 1.1 functionality. |
| * The second provides the mechanism to enable revokeEK and provides |
| * FIPS 140-2 compatibility. |
| */ |
| |
| /** |
| * TPM_CreateEndorsementKeyPair - creates the TPM endorsement key |
| * @antiReplay: [in] Arbitrary data |
| * @keyInfo: [in] Information about key to be created |
| * @pubEndorsementKey: [out] The public endorsement key |
| * @Checksum: [out] Hash of pubEndorsementKey and antiReplay |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 14.1) |
| * This command creates the TPM endorsement key. It returns a failure code if |
| * an endorsement key already exists. |
| */ |
| TPM_RESULT TPM_CreateEndorsementKeyPair( |
| TPM_NONCE *antiReplay, |
| TPM_KEY_PARMS *keyInfo, |
| TPM_PUBKEY *pubEndorsementKey, |
| TPM_DIGEST *Checksum |
| ); |
| |
| /** |
| * TPM_CreateRevocableEK - creates the TPM endorsement key |
| * @antiReplay: [in] Arbitrary data |
| * @keyInfo: [in] Information about key to be created |
| * @generateReset: [in] If TRUE generate EKreset otherwise use the passed value |
| * @inputEKreset: [in] Authorization value to be used if generateReset is FALSE |
| * @pubEndorsementKey: [out] The public endorsement key |
| * @Checksum: [out] Hash of pubEndorsementKey and antiReplay |
| * @outputEKreset: [out] The authorization value to use TPM_RevokeTrust |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 14.2) |
| * This command creates the TPM endorsement key. It returns a failure code if |
| * an endorsement key already exists. |
| */ |
| TPM_RESULT TPM_CreateRevocableEK( |
| TPM_NONCE *antiReplay, |
| TPM_KEY_PARMS *keyInfo, |
| BOOL generateReset, |
| TPM_NONCE *inputEKreset, |
| TPM_PUBKEY *pubEndorsementKey, |
| TPM_DIGEST *Checksum, |
| TPM_NONCE *outputEKreset |
| ); |
| |
| /** |
| * TPM_RevokeTrust - clears the EK and sets the TPM to a pure default state |
| * @EKReset: [in] The value that will be matched to EK Reset |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 14.3) |
| * This command clears the EK and sets the TPM back to a pure default state. |
| * The generation of the authorization value occurs during the generation of |
| * the EK. It is the responsibility of the EK generator to properly protect |
| * and disseminate the RevokeTrust authorization. |
| */ |
| TPM_RESULT TPM_RevokeTrust( |
| TPM_NONCE *EKReset |
| ); |
| |
| /** |
| * tpm_get_pubek - extracts the public portion of the EK |
| * @pubEndorsementKey: [out] The public endorsement key |
| */ |
| TPM_RESULT tpm_get_pubek( |
| TPM_PUBKEY *pubEndorsementKey |
| ); |
| |
| /** |
| * TPM_ReadPubek - provides the public portion of the EK |
| * @antiReplay: [in] Arbitrary data |
| * @pubEndorsementKey: [out] The public endorsement key |
| * @checksum: [out] Hash of pubEndorsementKey and antiReplay |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 14.4) |
| * Provides the endorsement key public portion. This value should have |
| * controls placed upon access as it is a privacy sensitive value. |
| */ |
| TPM_RESULT TPM_ReadPubek( |
| TPM_NONCE *antiReplay, |
| TPM_PUBKEY *pubEndorsementKey, |
| TPM_DIGEST *checksum |
| ); |
| |
| /** |
| * TPM_DisablePubekRead - disables the TPM_ReadPubk command |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 14.5) |
| * The TPM Owner may wish to prevent any entity from reading the PUBEK. |
| * This command sets the non-volatile flag so that the TPM_ReadPubek |
| * command always returns TPM_DISABLED_CMD. |
| */ |
| TPM_RESULT TPM_DisablePubekRead( |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_OwnerReadInternalPub - provides the public portion of the EK or SRK |
| * @keyHandle: [in] Handle for either PUBEK or SRK |
| * @auth1: [in, out] Authorization protocol parameters |
| * @publicPortion: [out] The public portion of the requested key |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 14.6) |
| * A TPM Owner authorized command that provides the public portion of |
| * the EK or SRK. |
| */ |
| TPM_RESULT TPM_OwnerReadInternalPub( |
| TPM_KEY_HANDLE keyHandle, |
| TPM_AUTH *auth1, |
| TPM_PUBKEY *publicPortion |
| ); |
| |
| /* |
| * Identity Creation and Activation ([TPM_Part3], Section 15) |
| * [tpm_identity.c] |
| */ |
| |
| /** |
| * TPM_MakeIdentity - generates a new AIK |
| * @identityAuth: [in] Encrypted usage authorization data for the new identity |
| * @labelPrivCADigest: [in] Digest of the identity label and the new privacy CA |
| * @idKeyParams: [in] All parameters of the new identity key |
| * @auth1: [in, out] Authorization protocol parameters |
| * @auth2: [in, out] Authorization protocol parameters |
| * @idKey: [out] The newly created identity key |
| * @identityBindingSize: [out] The size of the output area for identityBinding |
| * @identityBinding: [out] Signature of TPM_IDENTITY_CONTENTS using idKey |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 15.1) |
| * Generate a new Attestation Identity Key (AIK). |
| */ |
| TPM_RESULT TPM_MakeIdentity( |
| TPM_ENCAUTH *identityAuth, |
| TPM_CHOSENID_HASH *labelPrivCADigest, |
| TPM_KEY *idKeyParams, |
| TPM_AUTH *auth1, |
| TPM_AUTH *auth2, |
| TPM_KEY *idKey, |
| UINT32 *identityBindingSize, |
| BYTE **identityBinding |
| ); |
| |
| /** |
| * TPM_ActivateIdentity - activates a TPM identity |
| * @idKeyHandle: [in] Identity key to be activated |
| * @blobSize: [in] Size of encrypted blob from CA |
| * @blob: [in] The encrypted ASYM_CA_CONTENTS or TPM_EK_BLOB |
| * @auth1: [in, out] Authorization protocol parameters (usageAuth) |
| * @auth2: [in, out] Authorization protocol parameters (ownerAuth) |
| * @symmetricKey: [out] The decrypted symmetric key |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 15.2) |
| * The purpose of TPM_ActivateIdentity is to twofold. The first purpose is to |
| * obtain assurance that the credential in the TPM_SYM_CA_ATTESTATION is for |
| * this TPM. The second purpose is to obtain the session key used to encrypt |
| * the TPM_IDENTITY_CREDENTIAL. |
| */ |
| TPM_RESULT TPM_ActivateIdentity( |
| TPM_KEY_HANDLE idKeyHandle, |
| UINT32 blobSize, |
| BYTE *blob, |
| TPM_AUTH *auth1, |
| TPM_AUTH *auth2, |
| TPM_SYMMETRIC_KEY *symmetricKey |
| ); |
| |
| /* |
| * Integrity Collection and Reporting ([TPM_Part3], Section 16) |
| * [tpm_integrity.c] |
| * This section deals with what commands have direct access to the PCR. |
| */ |
| |
| /** |
| * TPM_Extend - adds a new measurement to a PCR |
| * @pcrNum: [in] The PCR to be updated |
| * @inDigest: [in] The 160 bit value representing the event to be recorded |
| * @outDigest: [out] The PCR value after execution of the command |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 16.1) |
| * This adds a new measurement to a Platform Configuration Register (PCR). |
| */ |
| TPM_RESULT TPM_Extend( |
| TPM_PCRINDEX pcrNum, |
| TPM_DIGEST *inDigest, |
| TPM_PCRVALUE *outDigest |
| ); |
| |
| /** |
| * TPM_PCRRead - provides the contents of a named PCR |
| * @pcrIndex: [in] Index of the PCR to be read |
| * @outDigest: [out] The current contents of the named PCR |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 16.2) |
| * The TPM_PCRRead operation provides non-cryptographic reporting of the |
| * contents of a named PCR. |
| */ |
| TPM_RESULT TPM_PCRRead( |
| TPM_PCRINDEX pcrIndex, |
| TPM_PCRVALUE *outDigest |
| ); |
| |
| /** |
| * TPM_Quote - provides cryptographic reporting of PCR values |
| * @keyHandle: [in] Handle of a loaded key that can sign the PCR values |
| * @extrnalData: [in] 160 bits of externally supplied data (typically a nonce) |
| * @targetPCR: [in] The indices of the PCRs that are to be reported |
| * @auth1: [in, out] Authorization protocol parameters |
| * @pcrData: [out] The indices and values of the PCRs listed in targetPCR |
| * @sigSize: [out] The used size of the output area for the signature |
| * @sig: [out] The signed data blob |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 16.3) |
| * The TPM_Quote operation provides cryptographic reporting of PCR values. |
| * A loaded key is required for operation TPM_Quote uses a key to sign a |
| * statement that names the current value of a chosen PCR and externally |
| * supplied data (which may be a nonce supplied by a Challenger). |
| */ |
| TPM_RESULT TPM_Quote( |
| TPM_KEY_HANDLE keyHandle, |
| TPM_NONCE *extrnalData, |
| TPM_PCR_SELECTION *targetPCR, |
| TPM_AUTH *auth1, |
| TPM_PCR_COMPOSITE *pcrData, |
| UINT32 *sigSize, |
| BYTE **sig |
| ); |
| |
| /** |
| * TPM_PCR_Reset - resets the indicated PCRs |
| * @pcrSelection: [in] The PCRs to reset |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 16.4) |
| * Resets the indicated PCRs. This command uses the locality modifier. |
| * The modifier for a command to indicate locality is a platform specific |
| * issue. |
| */ |
| TPM_RESULT TPM_PCR_Reset( |
| TPM_PCR_SELECTION *pcrSelection |
| ); |
| |
| /** |
| * TPM_Quote2 - provides cryptographic reporting of PCR values |
| * @keyHandle: [in] Handle of a loaded key that can sign the PCR values |
| * @extrnalData: [in] 160 bits of externally supplied data (typically a nonce) |
| * @targetPCR: [in] The indices of the PCRs that are to be reported |
| * @addVersion: [in] When TRUE add TPM_CAP_VERSION_INFO to the output |
| * @auth1: [in, out] Authorization protocol parameters |
| * @pcrData: [out] The value created and signed for the quote |
| * @versionInfoSize: [out] Size of the version info |
| * @versionInfo: [out] The version info |
| * @sigSize: [out] The used size of the output area for the signature |
| * @sig: [out] The signed data blob |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 16.5) |
| */ |
| TPM_RESULT TPM_Quote2( |
| TPM_KEY_HANDLE keyHandle, |
| TPM_NONCE *externalData, |
| TPM_PCR_SELECTION *targetPCR, |
| BOOL addVersion, |
| TPM_AUTH *auth1, |
| TPM_PCR_INFO_SHORT *pcrData, |
| UINT32 *versionInfoSize, |
| TPM_CAP_VERSION_INFO *versionInfo, |
| UINT32 *sigSize, |
| BYTE **sig |
| ); |
| |
| /** |
| * tpm_compute_pcr_digest - computes a PCR composite hash |
| * @pcrSelection: [in] The PCRs to include |
| * @digest: [out] The computed composite hash |
| * @composite: [out] If not NULL the used composite is stored into it |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 5.3.1) |
| * Computes the PCR composite hash over a given set of PCRs. |
| */ |
| TPM_RESULT tpm_compute_pcr_digest( |
| TPM_PCR_SELECTION *pcrSelection, |
| TPM_COMPOSITE_HASH *digest, |
| TPM_PCR_COMPOSITE *composite |
| ); |
| |
| /** |
| * tpm_verify_pcr - verifies the PCR composite hash of the specified key |
| * @key: [in] The key whose PCR composite hash should be verified |
| * @atrelease: [in] If TRUE the AtRelease composite hash is verified |
| * @atcreation: [in] If TRUE the AtCreation composite hash is verified |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 5.3.1) |
| * Computes the PCR composite hash over a given set of PCRs. |
| */ |
| TPM_RESULT tpm_verify_pcr( |
| TPM_KEY_DATA *key, |
| BOOL atrelease, |
| BOOL atcreation |
| ); |
| |
| /* |
| * Authorization Changing ([TPM_Part3], Section 17) |
| * [tpm_authorization.c] |
| */ |
| |
| /** |
| * TPM_ChangeAuth - changes the authorization data for the entity |
| * @parentHandle: [in] Handle of the parent key to the entity |
| * @protocolID: [in] The protocol in use |
| * @newAuth: [in] The encrypted new authorization data for the entity |
| * @entityType: [in] The type of entity to be modified |
| * @encDataSize: [in] The size of the encData parameter |
| * @encData: [in] The encrypted entity that is to be modified |
| * @auth1: [in, out] Authorization protocol parameters |
| * @auth2: [in, out] Authorization protocol parameters |
| * @outDataSize: [out] The used size of the output area for outData |
| * @outData: [out] The modified, encrypted entity |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 17.1) |
| * The TPM_ChangeAuth command allows the owner of an entity to change the |
| * authorization data for the entity. TPM_ChangeAuth requires the encryption |
| * of one parameter (NewAuth). |
| */ |
| TPM_RESULT TPM_ChangeAuth( |
| TPM_KEY_HANDLE parentHandle, |
| TPM_PROTOCOL_ID protocolID, |
| TPM_ENCAUTH *newAuth, |
| TPM_ENTITY_TYPE entityType, |
| UINT32 encDataSize, |
| BYTE *encData, |
| TPM_AUTH *auth1, |
| TPM_AUTH *auth2, |
| UINT32 *outDataSize, |
| BYTE **outData |
| ); |
| |
| /** |
| * TPM_ChangeAuthOwner - changes the authorization data for the TPM Owner |
| * @protocolID: [in] The protocol in use |
| * @newAuth: [in] The encrypted new authorization data for the entity |
| * @entityType: [in] The type of entity to be modified |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 17.2) |
| * The TPM_ChangeAuthOwner command allows the owner of an entity to change |
| * the authorization data for the TPM Owner or the SRK. This command requires |
| * authorization from the current TPM Owner to execute. |
| */ |
| TPM_RESULT TPM_ChangeAuthOwner( |
| TPM_PROTOCOL_ID protocolID, |
| TPM_ENCAUTH *newAuth, |
| TPM_ENTITY_TYPE entityType, |
| TPM_AUTH *auth1 |
| ); |
| |
| /* |
| * Authorization Sessions ([TPM_Part3], Section 18) |
| * [tpm_authorization.c] |
| */ |
| |
| /** |
| * TPM_OIAP - creates an authorization handle for the OIAP |
| * @authHandle: [out] Handle that points to the authorization state |
| * @nonceEven: [out] Nonce associated with session |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 18.1) |
| * The TPM_OIAP command creates an authorization handle and generates |
| * nonceEven for the Object-Independent Authorization Protocol (OIAP). |
| */ |
| TPM_RESULT TPM_OIAP( |
| TPM_AUTHHANDLE *authHandle, |
| TPM_NONCE *nonceEven |
| ); |
| |
| /** |
| * TPM_OSAP - creates an authorization handle for the OSAP |
| * @entityType: [in] The type of entity in use |
| * @entityValue: [in] The selection value based on entityType |
| * @nonceOddOSAP: [in] The nonce generated by the caller |
| * @authHandle: [out] Handle that points to the authorization state |
| * @nonceEven: [out] Nonce associated with session |
| * @nonceEvenOSAP: [out] Nonce associated with shared secret |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 18.2) |
| * The TPM_OSAP command creates an authorization handle, the shared secret |
| * and generates nonceEven and nonceEvenOSAP for the Object-Specific |
| * Authorization Protocol (OSAP). |
| */ |
| TPM_RESULT TPM_OSAP( |
| TPM_ENTITY_TYPE entityType, |
| UINT32 entityValue, |
| TPM_NONCE *nonceOddOSAP, |
| TPM_AUTHHANDLE *authHandle, |
| TPM_NONCE *nonceEven, |
| TPM_NONCE *nonceEvenOSAP |
| ); |
| |
| /** |
| * TPM_DSAP - creates an authorization handle for the DSAP |
| * @entityType [in] The type of delegation information to use |
| * @keyHandle: [in] Key for which delegated authority corresponds |
| * @nonceOddDSAP: [in] The nonce generated by the caller |
| * @entityValueSize: [in] The size of entityValue |
| * @entityValue: [in] The entity value based on entityType |
| * @authHandle: [out] Handle that points to the authorization state |
| * @nonceEven: [out] Nonce associated with session |
| * @nonceEvenDSAP: [out] Nonce associated with shared secret |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 18.3) |
| * The TPM_DSAP command creates the authorization handle using a delegated |
| * authorization value passed into the command as an encrypted blob or from |
| * the internal delegation table for the Delegate-Specific Authorization |
| * Protocol (DSAP). |
| */ |
| TPM_RESULT TPM_DSAP( |
| TPM_ENTITY_TYPE entityType, |
| TPM_KEY_HANDLE keyHandle, |
| TPM_NONCE *nonceOddDSAP, |
| UINT32 entityValueSize, |
| BYTE *entityValue, |
| TPM_AUTHHANDLE *authHandle, |
| TPM_NONCE *nonceEven, |
| TPM_NONCE *nonceEvenDSAP |
| ); |
| |
| /** |
| * TPM_SetOwnerPointer - sets an owner secret for OIAP or OSAP |
| * @entityType: [in] The type of entity in use |
| * @entityValue: [in] The selection value based on entityType, |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 18.4) |
| * This command will set a reference to which secret the TPM will use when |
| * executing an owner secret related OIAP or OSAP session. This command |
| * should only be used if legacy code must be enabled for delegation to work. |
| */ |
| TPM_RESULT TPM_SetOwnerPointer( |
| TPM_ENTITY_TYPE entityType, |
| UINT32 entityValue |
| ); |
| |
| /** |
| * tpm_verify_auth - verifies an authorization session |
| * @auth: [in] The handle to the authorization session |
| * @secret: [in] The secret associated with the resource |
| * @handle: [in] The handle used to access the resource |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 18.1.1 and 18.2.1) |
| * Verifies a OIAP and OSAP session. In addition to the protocol |
| * parameters auth->digest is supposed to contain the the SHA-1 digest |
| * of the input parameters. |
| */ |
| TPM_RESULT tpm_verify_auth( |
| TPM_AUTH *auth, |
| TPM_SECRET secret, |
| TPM_HANDLE handle |
| ); |
| |
| /** |
| * tpm_decrypt_auth_secret - decrypts an authorization secret |
| * @encAuth: [in] The encrypted authorization secret |
| * @secret: [in] The shared secret of the OSAP session |
| * @nonce: [in] The nonce for decryption |
| * @plainAuth: [out]: The decrypted authorization secret |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: |
| * Decrypts an encrypted authorization secret by xoring it with |
| * the key SHA-1(secret||nonce). |
| */ |
| void tpm_decrypt_auth_secret( |
| TPM_ENCAUTH encAuth, |
| TPM_SECRET secret, |
| TPM_NONCE *nonce, |
| TPM_SECRET plainAuth |
| ); |
| |
| /* |
| * Delegation Commands ([TPM_Part3], Section 19) |
| * [tpm_delegation.c] |
| */ |
| |
| /** |
| * TPM_Delegate_Manage - manages the Family tables |
| * @familyID: [in] The familyID that is to be managed |
| * @opFlag: [in] Operation to be performed by this command |
| * @opDataSize: [in] Size in bytes of opData |
| * @opData: [in] Data necessary to implement opFlag |
| * @auth1: [in, out] Authorization protocol parameters |
| * @retDataSize: [out] Size in bytes of retData |
| * @retData: [out] Returned data |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 19.1) |
| * TPM_Delegate_Manage is the fundamental process for managing the Family |
| * tables, including enabling/disabling Delegation for a selected Family. |
| */ |
| TPM_RESULT TPM_Delegate_Manage( |
| TPM_FAMILY_ID familyID, |
| TPM_FAMILY_OPERATION opFlag, |
| UINT32 opDataSize, |
| BYTE *opData, |
| TPM_AUTH *auth1, |
| UINT32 *retDataSize, |
| BYTE **retData |
| ); |
| |
| /** |
| * TPM_Delegate_CreateKeyDelegation - delegates privilege to use a key |
| * @keyHandle: [in] Handle of a loaded key |
| * @publicInfo: [in] The public information necessary to fill in the blob |
| * @delAuth: [in] The encrypted new authorization data for the blob |
| * @auth1: [in, out] Authorization protocol parameters |
| * @blob: [out] The partially encrypted delegation information |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 19.2) |
| * This command delegates privilege to use a key by creating a blob that can |
| * be used by TPM_DSAP. |
| */ |
| TPM_RESULT TPM_Delegate_CreateKeyDelegation( |
| TPM_KEY_HANDLE keyHandle, |
| TPM_DELEGATE_PUBLIC *publicInfo, |
| TPM_ENCAUTH *delAuth, |
| TPM_AUTH *auth1, |
| TPM_DELEGATE_KEY_BLOB *blob |
| ); |
| |
| /** |
| * TPM_Delegate_CreateOwnerDelegation - delegates the Owner's privilege |
| * @increment: [in] Flag dictates whether verificationCount will be incremented |
| * @publicInfo: [in] The public parameters for the blob |
| * @delAuth: [in] The encrypted new authorization data for the blob |
| * @auth1: [in, out] Authorization protocol parameters |
| * @blob: [out] The partially encrypted delegation information |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 19.3) |
| * TPM_Delegate_CreateOwnerDelegation delegates the Owner's privilege to use |
| * a set of command ordinals, by creating a blob. Such blobs can be used as |
| * input data for TPM_DSAP or TPM_Delegate_LoadOwnerDelegation. |
| */ |
| TPM_RESULT TPM_Delegate_CreateOwnerDelegation( |
| BOOL increment, |
| TPM_DELEGATE_PUBLIC *publicInfo, |
| TPM_ENCAUTH *delAuth, |
| TPM_AUTH *auth1, |
| TPM_DELEGATE_OWNER_BLOB *blob |
| ); |
| |
| /** |
| * TPM_Delegate_LoadOwnerDelegation - loads a delegate table row blob |
| * @index: [in] The index of the delegate row to be written |
| * @blob: [in] the delegation information |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 19.4) |
| * This command loads a delegate table row blob into a non-volatile delegate |
| * table row. Delegate_LoadOwnerDelegation can be used during manufacturing or |
| * on first boot (when no Owner is installed), or after an Owner is installed. |
| */ |
| TPM_RESULT TPM_Delegate_LoadOwnerDelegation( |
| TPM_DELEGATE_INDEX index, |
| TPM_DELEGATE_OWNER_BLOB *blob, |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_Delegate_ReadTable - reads from the family and delegate tables |
| * @familyTableSize: [out] Size in bytes of familyTable |
| * @familyTable: [out] Array of TPM_FAMILY_TABLE_ENTRY elements |
| * @delegateTableSize: [out] Size in bytes of delegateTable |
| * @delegateTable: [out] Array of TPM_DELEGATE_TABLE_PUBLIC elements |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 19.5) |
| * This command is used to read from the TPM the public contents of the |
| * family and delegate tables that are stored on the TPM. |
| */ |
| TPM_RESULT TPM_Delegate_ReadTable( |
| UINT32 *familyTableSize, |
| BYTE **familyTable , |
| UINT32 *delegateTableSize, |
| BYTE **delegateTable |
| ); |
| |
| /** |
| * TPM_Delegate_UpdateVerification - updates the verificationCount |
| * @inputSize: [in] The size of inputData |
| * @inputData: [in] TPM_DELEGATE_KEY_BLOB, -OWNER_BLOB or table index |
| * @auth1: [in, out] Authorization protocol parameters |
| * @outputSize: [out] The size of the output |
| * @outputData: [out] TPM_DELEGATE_KEY_BLOB or TPM_DELEGATE_OWNER_BLOB |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 19.6) |
| * UpdateVerification sets the verificationCount in an entity (a blob or a |
| * delegation row) to the current family value, in order that the delegations |
| * represented by that entity will continue to be accepted by the TPM. |
| */ |
| TPM_RESULT TPM_Delegate_UpdateVerification( |
| UINT32 inputSize, |
| BYTE *inputData, |
| TPM_AUTH *auth1, |
| UINT32 *outputSize, |
| BYTE **outputData |
| ); |
| |
| /** |
| * TPM_Delegate_VerifyDelegation - verifies a delegate blob |
| * @delegateSize: [in] The length of the delegated information blob |
| * @delegation: [in] TPM_DELEGATE_KEY_BLOB or TPM_DELEGATE_OWNER_BLOB |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 19.7) |
| * VerifyDelegation loads a delegate blob and returns success or failure, |
| * depending on whether the blob is currently valid. |
| */ |
| TPM_RESULT TPM_Delegate_VerifyDelegation( |
| UINT32 delegateSize, |
| BYTE *delegation |
| ); |
| |
| /** |
| * tpm_get_family_row - returns the family row for the specified id |
| * @id: [in] family id |
| * Returns: The matching family row on success, NULL otherwise. |
| */ |
| TPM_FAMILY_TABLE_ENTRY *tpm_get_family_row( |
| TPM_FAMILY_ID id |
| ); |
| |
| /** |
| * tpm_get_delegate_row - returns the delegate row for the specified index |
| * @row: [in] row index |
| * Returns: The matching delegate row on success, NULL otherwise. |
| */ |
| TPM_DELEGATE_TABLE_ROW *tpm_get_delegate_row( |
| UINT32 row |
| ); |
| |
| /** |
| * tpm_compute_owner_blob_digest - computes the digest of an owner blob |
| * @blob: [in] Owner blob |
| * @digest: [out] Digest of the specified owner blob |
| */ |
| void tpm_compute_owner_blob_digest( |
| TPM_DELEGATE_OWNER_BLOB *blob, |
| TPM_DIGEST *digest |
| ); |
| |
| /** |
| * tpm_compute_key_blob_digest - computes the digest of a key blob |
| * @blob: [in] Key blob |
| * @digest: [out] Digest of the specified key blob |
| */ |
| void tpm_compute_key_blob_digest( |
| TPM_DELEGATE_KEY_BLOB *blob, |
| TPM_DIGEST *digest |
| ); |
| |
| /** |
| * tpm_encrypt_sensitive - encrypts a TPM_DELEGATE_SENSITIVE structure |
| * @iv: [in] IV value |
| * @iv_size: [in] Size of the IV value |
| * @sensitive: [in] structure to encrypt |
| * @enc: [out] Encrypted structure |
| * @enc_size: [out] Size of the encrypted structure |
| * Returns 0 on success, -1 otherwise. |
| */ |
| int tpm_encrypt_sensitive( |
| BYTE *iv, |
| UINT32 iv_size, |
| TPM_DELEGATE_SENSITIVE *sensitive, |
| BYTE **enc, |
| UINT32 *enc_size |
| ); |
| |
| /** |
| * tpm_decrypt_sensitive - decrypts a TPM_DELEGATE_SENSITIVE structure |
| * @iv: [in] IV value |
| * @iv_size: [in] Size of the IV value |
| * @enc: [in] Encrypted structure |
| * @enc_size: [in] Size of the encrypted structure |
| * @sensitive: [out] decrypted structure |
| * Returns 0 on success, -1 otherwise. |
| */ |
| int tpm_decrypt_sensitive( |
| BYTE *iv, |
| UINT32 iv_size, |
| BYTE *enc, |
| UINT32 enc_size, |
| TPM_DELEGATE_SENSITIVE *sensitive, |
| BYTE **buf |
| ); |
| |
| /* |
| * Non-volatile Storage ([TPM_Part3], Section 20) |
| * [tpm_nv_storage.c] |
| * This section handles the allocation and use of the TPM non-volatile storage. |
| */ |
| |
| /** |
| * TPM_NV_DefineSpace - establishes the necessary space |
| * @pubInfo: [in] The public parameters of the NV area |
| * @encAuth: [in] The encrypted authorization (if reqired) |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 20.1) |
| * This establishes the space necessary for the indicated index. The definition |
| * will include the access requirements for writing and reading the area. The |
| * space definition size does not include the area needed to manage the space. |
| */ |
| TPM_RESULT TPM_NV_DefineSpace( |
| TPM_NV_DATA_PUBLIC *pubInfo, |
| TPM_ENCAUTH *encAuth, |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_NV_WriteValue - writes a value to a defined NV area |
| * @nvIndex: [in] The index of the area to set |
| * @offset: [in] The offset into the NV Area |
| * @dataSize: [in] The size of the data area |
| * @data: [in] The data to set the area to |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 20.2) |
| * This command writes a value to a defined area. The write can be TPM Owner |
| * authorized or unauthorized and protected by other attributes and will work |
| * when no TPM Owner is present. |
| */ |
| TPM_RESULT TPM_NV_WriteValue( |
| TPM_NV_INDEX nvIndex, |
| UINT32 offset, |
| UINT32 dataSize, |
| BYTE *data, |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_NV_WriteValueAuth - writes a value to a protected NV area |
| * @nvIndex: [in] The index of the area to set |
| * @offset: [in] The offset into the chunk |
| * @dataSize: [in] The size of the data area |
| * @data: [in] The data to set the area to |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 20.3) |
| * This command writes to a previously defined area. The area must require |
| * authorization to write. This command is for using when authorization other |
| * than the owner authorization is to be used. |
| */ |
| TPM_RESULT TPM_NV_WriteValueAuth( |
| TPM_NV_INDEX nvIndex, |
| UINT32 offset, |
| UINT32 dataSize, |
| BYTE *data, |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_NV_ReadValue - reads a value from a defined NV area |
| * @nvIndex: [in] The index of the area to set |
| * @offset: [in] The offset into the area |
| * @inDataSize: [in] The size of the data area |
| * @auth1: [in, out] Authorization protocol parameters |
| * @outDataSize: [out] The size of the data area |
| * @data: [out] The data to set the area to |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 20.4) |
| * Read a value from the NV store. This command uses optional owner |
| * authorization. |
| */ |
| TPM_RESULT TPM_NV_ReadValue( |
| TPM_NV_INDEX nvIndex, |
| UINT32 offset, |
| UINT32 inDataSize, |
| TPM_AUTH *auth1, |
| UINT32 *outDataSize, |
| BYTE **data |
| ); |
| |
| /** |
| * TPM_NV_ReadValueAuth - reads a value from a protected NV area |
| * @nvIndex: [in] The index of the area to set |
| * @offset: [in] The offset from the data area |
| * @inDataSize: [in] The size of the data area |
| * @auth1: [in, out] Authorization protocol parameters |
| * @outDataSize: [out] The size of the data area |
| * @data: [out] The data |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 20.5) |
| * This command requires that the read be authorized by a value set |
| * with the blob. |
| */ |
| TPM_RESULT TPM_NV_ReadValueAuth( |
| TPM_NV_INDEX nvIndex, |
| UINT32 offset, |
| UINT32 inDataSize, |
| TPM_AUTH *auth1, |
| UINT32 *outDataSize, |
| BYTE **data |
| ); |
| |
| /** |
| * tpm_nv_remove_data - removes the specified data from the NV area |
| * @nv: [in] Data area to be removed |
| */ |
| void tpm_nv_remove_data( |
| TPM_NV_DATA_SENSITIVE *nv |
| ); |
| |
| /* |
| * Session Management ([TPM_Part3], Section 21) |
| * [tpm_context.c] |
| */ |
| |
| /** |
| * TPM_KeyControlOwner - controls attributes of keys within the key cache |
| * @keyHandle: [in] Handle of a loaded key |
| * @pubKey: [in] The public key associated with the loaded key |
| * @bitName: [in] The name of the bit to be modified |
| * @bitValue: [in] The value to set the bit to |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 21.1) |
| * This command controls some attributes of keys that are stored within |
| * the TPM key cache. |
| */ |
| TPM_RESULT TPM_KeyControlOwner( |
| TPM_KEY_HANDLE keyHandle, |
| TPM_PUBKEY pubKey, |
| UINT32 bitName, |
| BOOL bitValue, |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_SaveContext - saves a loaded resource outside the TPM |
| * @handle: [in] Handle of the resource being saved |
| * @resourceType: [in] The type of resource that is being saved |
| * @label[16]: [in] Label for identification purposes |
| * @contextSize: [out] The actual size of the outgoing context blob |
| * @contextBlob: [out] The context blob |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 21.2) |
| * SaveContext saves a loaded resource outside the TPM. After successful |
| * execution of the command the TPM automatically releases the internal |
| * memory for sessions but leaves keys in place. |
| */ |
| TPM_RESULT TPM_SaveContext( |
| TPM_HANDLE handle, |
| TPM_RESOURCE_TYPE resourceType, |
| const BYTE label[16], |
| UINT32 *contextSize, |
| TPM_CONTEXT_BLOB *contextBlob |
| ); |
| |
| /** |
| * TPM_LoadContext - loads a previously saved context into the TPM |
| * @keepHandle: [in] Indication if the handle MUST be preserved |
| * @hintHandle: [in] The hint handle the TPM MAY use to locate a OSAP session |
| * @contextSize: [in] The size of the following context blob |
| * @contextBlob: [in] The context blob |
| * @handle: [out] Handle assigned to the resource |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 21.3) |
| * LoadContext loads into the TPM a previously saved context. The command |
| * returns the type of blob and a handle. |
| */ |
| TPM_RESULT TPM_LoadContext( |
| BOOL keepHandle, |
| TPM_HANDLE hintHandle, |
| UINT32 contextSize, |
| TPM_CONTEXT_BLOB *contextBlob, |
| TPM_HANDLE *handle |
| ); |
| |
| /** |
| * tpm_get_free_session - allocates a new session |
| * @type: [in] The session type |
| * Returns: the session handle on success, TPM_INVALID_HANDLE otherwise. |
| */ |
| UINT32 tpm_get_free_session( |
| BYTE type |
| ); |
| |
| /** |
| * tpm_invalidate_sessions - invalidates all sessions associated with the handle |
| * @handle: [in] Session handle |
| */ |
| void tpm_invalidate_sessions( |
| TPM_HANDLE handle |
| ); |
| |
| /* |
| * Eviction ([TPM_Part3], Section 22) |
| * [tpm_eviction.c] |
| * The TPM has numerous resources held inside of the TPM that may need |
| * eviction. The need for eviction occurs when the number or resources |
| * in use by the TPM exceed the available space. In version 1.1 there were |
| * separate commands to evict separate resource types. This new command |
| * set uses the resource types defined for context saving and creates a |
| * generic command that will evict all resource types. |
| */ |
| |
| /** |
| * TPM_FlushSpecific - flushes a specific handle |
| * @handle: [in] Handle of the item to flush |
| * @resourceType: [in] The type of resource that is being flushed |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 22.1) |
| * TPM_FlushSpecific flushes from the TPM a specific handle. |
| */ |
| TPM_RESULT TPM_FlushSpecific( |
| TPM_HANDLE handle, |
| TPM_RESOURCE_TYPE resourceType |
| ); |
| |
| /* |
| * Timing Ticks ([TPM_Part3], Section 23) |
| * [tpm_ticks.c] |
| * The TPM timing ticks are always available for use. The association of |
| * timing ticks to actual time is a protocol that occurs outside of the TPM. |
| * See the design document for details. |
| */ |
| |
| /** |
| * TPM_GetTicks - provides the current tick count |
| * @currentTime: [out] The current time held in the TPM descriptions |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 23.2) |
| * This command provides the current tick count of the TPM. |
| */ |
| TPM_RESULT TPM_GetTicks( |
| TPM_CURRENT_TICKS *currentTime |
| ); |
| |
| /** |
| * TPM_TickStampBlob - applies a time stamp to the passed blob |
| * @keyHandle: [in] Handle of a loaded key that can perform digital signatures |
| * @antiReplay: [in] Anti replay value to added to signature |
| * @digestToStamp: [in] The digest to perform the tick stamp on |
| * @auth1: [in, out] Authorization protocol parameters |
| * @currentTicks: [out] The current time according to the TPM |
| * @sigSize: [out] The length of the returned digital signature |
| * @sig: [out] The resulting digital signature |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 23.3) |
| * This command applies a time stamp to the passed blob. The TPM makes no |
| * representation regarding the blob merely that the blob was present at |
| * the TPM at the time indicated. |
| */ |
| TPM_RESULT TPM_TickStampBlob( |
| TPM_KEY_HANDLE keyHandle, |
| TPM_NONCE *antiReplay, |
| TPM_DIGEST *digestToStamp, |
| TPM_AUTH *auth1, |
| TPM_CURRENT_TICKS *currentTicks, |
| UINT32 *sigSize, |
| BYTE **sig |
| ); |
| |
| /** |
| * tpm_update_ticks - updates the current tick session |
| */ |
| void tpm_update_ticks(void); |
| |
| /* |
| * Transport Sessions ([TPM_Part3], Section 24) |
| * [tpm_transport.c] |
| */ |
| |
| /** |
| * TPM_EstablishTransport - establishes a transport session |
| * @encHandle: [in] Handle to the key that encrypted the blob |
| * @transPublic: [in] The public information describing the transport session |
| * @secretSize: [in] The size of the secret Area |
| * @secret: [in] The encrypted secret area |
| * @auth1: [in, out] Authorization protocol parameters |
| * @transHandle: [out] Handle for the transport session |
| * @locality [out] The locality that called this command |
| * @currentTicks: [out] The current tick count |
| * @transNonce: [out] The even nonce in use for subsequent execute transport |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 24.1) |
| * This establishes a transport session. Depending on the attributes |
| * specified for the session this may establish shared secrets, encryption |
| * keys and session logs. The session will be in use for by the |
| * TPM_ExecuteTransport command. |
| */ |
| TPM_RESULT TPM_EstablishTransport( |
| TPM_KEY_HANDLE encHandle, |
| TPM_TRANSPORT_PUBLIC *transPublic, |
| UINT32 secretSize, |
| BYTE *secret, |
| TPM_AUTH *auth1, |
| TPM_TRANSHANDLE *transHandle, |
| TPM_MODIFIER_INDICATOR *locality, |
| TPM_CURRENT_TICKS *currentTicks, |
| TPM_NONCE *transNonce |
| ); |
| |
| /** |
| * TPM_ExecuteTransport - executes a wrapped TPM command |
| * @inWrappedCmdSize: [in] Size of the wrapped command |
| * @inWrappedCmd: [in] The wrapped command |
| * @auth1: [in, out] Authorization protocol parameters |
| * @currentTicks: [out] The current ticks when the command was executed |
| * @locality [out] The locality that called this command |
| * @outWrappedCmdSize: [out] Size of the wrapped command |
| * @outWrappedCmd: [out] The wrapped command |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 24.2) |
| * Delivers a wrapped TPM command to the TPM where the TPM unwraps the |
| * command and then executes the command. |
| */ |
| TPM_RESULT TPM_ExecuteTransport( |
| UINT32 inWrappedCmdSize, |
| BYTE *inWrappedCmd, |
| TPM_AUTH *auth1, |
| UINT64 *currentTicks, |
| TPM_MODIFIER_INDICATOR *locality, |
| UINT32 *outWrappedCmdSize, |
| BYTE **outWrappedCmd |
| ); |
| |
| /** |
| * TPM_ReleaseTransportSigned - completes a transport session |
| * @Key: [in] The key that will perform the signing |
| * @antiReplay: [in] Value provided by caller for anti-replay protection |
| * @auth1: [in, out] Authorization protocol parameters |
| * @auth2: [in, out] Authorization protocol parameters |
| * @locality [out] The locality that called this command |
| * @currentTicks: [out] The current ticks when the command was executed |
| * @signSize: [out] The size of the signature area |
| * @signature: [out] The signature of the digest |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 24.3) |
| * This command completes a transport session. If logging for this session |
| * is turned on, then this command returns a signed hash of all operations |
| * performed during the session. This command serves no purpose if logging |
| * is turned off and results in an error if attempted. |
| */ |
| TPM_RESULT TPM_ReleaseTransportSigned( |
| TPM_KEY_HANDLE Key, |
| TPM_NONCE *antiReplay, |
| TPM_AUTH *auth1, |
| TPM_AUTH *auth2, |
| TPM_MODIFIER_INDICATOR *locality, |
| TPM_CURRENT_TICKS *currentTicks, |
| UINT32 *signSize, |
| BYTE **signature |
| ); |
| |
| /* |
| * Monotonic Counter ([TPM_Part3], Section 25) |
| * [tpm_counter.c] |
| */ |
| |
| /** |
| * TPM_CreateCounter - creates a counter but does not select it |
| * @authData: [in] The encrypted auth data for the new counter |
| * @label[4]: [in] Label to associate with counter |
| * @auth1: [in, out] Authorization protocol parameters |
| * @countID: [out] Handle for the counter |
| * @counterValue: [out] The starting counter value |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 25.1) |
| * This command creates a counter but does not select it. Counter creation |
| * assigns an authorization value to the counter and sets the counters |
| * original start value to the current internal base value plus one. |
| */ |
| TPM_RESULT TPM_CreateCounter( |
| TPM_ENCAUTH *authData, |
| BYTE label[4], |
| TPM_AUTH *auth1, |
| TPM_COUNT_ID *countID, |
| TPM_COUNTER_VALUE *counterValue |
| ); |
| |
| /** |
| * TPM_IncrementCounter - increments the indicated counter by one |
| * @countID: [in] Handle of a valid counter |
| * @auth1: [in, out] Authorization protocol parameters |
| * @count: [out] The counter value |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 25.2) |
| * This authorized command increments the indicated counter by one. Once a |
| * counter has been incremented then all subsequent increments must be for |
| * the same handle until a successful TPM_Startup(ST_CLEAR) is executed. |
| */ |
| TPM_RESULT TPM_IncrementCounter( |
| TPM_COUNT_ID countID, |
| TPM_AUTH *auth1, |
| TPM_COUNTER_VALUE *count |
| ); |
| |
| /** |
| * TPM_ReadCounter - provides the current counter number |
| * @countID: [in] ID value of the counter |
| * @count: [out] The counter value |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 25.3) |
| * Reading the counter provides the caller with the current number |
| * in the sequence. |
| */ |
| TPM_RESULT TPM_ReadCounter( |
| TPM_COUNT_ID countID, |
| TPM_COUNTER_VALUE *count |
| ); |
| |
| /** |
| * TPM_ReleaseCounter - releases a counter |
| * @countID: [in] ID value of the counter |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 25.4) |
| * This command releases a counter such that no reads or increments |
| * of the indicated counter will succeed. |
| */ |
| TPM_RESULT TPM_ReleaseCounter( |
| TPM_COUNT_ID countID, |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_ReleaseCounterOwner - releases a counter |
| * @countID: [in] ID value of the counter |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 25.5) |
| * This command releases a counter such that no reads or increments |
| * of the indicated counter will succeed. |
| */ |
| TPM_RESULT TPM_ReleaseCounterOwner( |
| TPM_COUNT_ID countID, |
| TPM_AUTH *auth1 |
| ); |
| |
| /* |
| * DAA commands ([TPM_Part3], Section 26) |
| * [tpm_daa.c] |
| * Operations that are necessary to setup a TPM for DAA, execute the |
| * JOIN process, and execute the SIGN process. |
| */ |
| |
| /** |
| * TPM_DAA_Join - establishes the DAA parameters |
| * @handle: [in] Session handle |
| * @stage: [in] Processing stage of join |
| * @inputSize0: [in] Size of inputData0 for this stage of JOIN |
| * @inputData0: [in] Data to be used by this capability |
| * @inputSize1: [in] Size of inputData1 for this stage of JOIN |
| * @inputData1: [in] Data to be used by this capability |
| * @auth1: [in, out] Authorization protocol parameters |
| * @ordinal: [out] Command ordinal: TPM_ORD_DAA_Join |
| * @outputSize: [out] Size of outputData |
| * @outputData: [out] Data produced by this capability |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 26.1) |
| * TPM_DAA_Join is the process that establishes the DAA parameters in |
| * the TPM for a specific DAA issuing authority. |
| */ |
| TPM_RESULT TPM_DAA_Join( |
| TPM_HANDLE handle, |
| BYTE stage, |
| UINT32 inputSize0, |
| BYTE *inputData0, |
| UINT32 inputSize1, |
| BYTE *inputData1, |
| TPM_AUTH *auth1, |
| TPM_COMMAND_CODE *ordinal, |
| UINT32 *outputSize, |
| BYTE **outputData |
| ); |
| |
| /** |
| * TPM_DAA_Sign - proves the attestation held by a TPM |
| * @handle: [in] Handle to the sign session |
| * @stage: [in] Stage of the sign process |
| * @inputSize0: [in] Size of inputData0 for this stage of DAA_Sign |
| * @inputData0: [in] Data to be used by this capability |
| * @inputSize1: [in] Size of inputData1 for this stage of DAA_Sign |
| * @inputData1: [in] Data to be used by this capability |
| * @auth1: [in, out] Authorization protocol parameters |
| * @ordinal: [out] Command ordinal:TPM_ORD_DAA_SIGN |
| * @outputSize: [out] Size of outputData |
| * @outputData: [out] Data produced by this capability |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 26.2) |
| * TPM_DAA_Sign responds to a challenge and proves the attestation |
| * held by a TPM without revealing the attestation held by that TPM. |
| */ |
| TPM_RESULT TPM_DAA_Sign( |
| TPM_HANDLE handle, |
| BYTE stage, |
| UINT32 inputSize0, |
| BYTE *inputData0, |
| UINT32 inputSize1, |
| BYTE *inputData1, |
| TPM_AUTH *auth1, |
| TPM_COMMAND_CODE *ordinal, |
| UINT32 *outputSize, |
| BYTE **outputData |
| ); |
| |
| /** |
| * tpm_get_free_daa_session - allocates a new DAA session |
| * Returns: the session handle on success, TPM_INVALID_HANDLE otherwise. |
| */ |
| UINT32 tpm_get_free_daa_session(void); |
| |
| /* |
| * Deprecated commands ([TPM_Part3], Section 28) |
| * [tpm_deprecated.c] |
| * This section covers the commands that were in version 1.1 but now have |
| * new functionality in other functions. The deprecated commands are still |
| * available in 1.2 but all new software should use the new functionality. |
| * There is no requirement that the deprecated commands work with new |
| * structures. |
| */ |
| |
| /** |
| * TPM_EvictKey - evicts a key |
| * @evictHandle: [in] Handle of the key to be evicted |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 28.1.1) |
| * The key commands are deprecated as the new way to handle keys is to use |
| * the standard context commands. So TPM_EvictKey is now handled by |
| * TPM_FlushSpecific, TPM_TerminateHandle by TPM_FlushSpecific. |
| */ |
| TPM_RESULT TPM_EvictKey( |
| TPM_KEY_HANDLE evictHandle |
| ); |
| |
| /** |
| * TPM_Terminate_Handle - clears out information in a session handle |
| * @handle: [in] Handle to terminate |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 28.1.2) |
| * This allows the TPM manager to clear out information in a session handle. |
| */ |
| TPM_RESULT TPM_Terminate_Handle( |
| TPM_AUTHHANDLE handle |
| ); |
| |
| /** |
| * TPM_SaveKeyContext - saves a loaded key outside the TPM |
| * @keyHandle: [in] The key which will be kept outside the TPM |
| * @keyContextSize: [out] The actual size of the outgoing key context blob |
| * @keyContextBlob: [out] The key context blob |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 28.2.1) |
| * SaveKeyContext saves a loaded key outside the TPM. After creation of the |
| * key context blob the TPM automatically releases the internal memory used |
| * by that key. The format of the key context blob is specific to a TPM. |
| */ |
| TPM_RESULT TPM_SaveKeyContext( |
| TPM_KEY_HANDLE keyHandle, |
| UINT32 *keyContextSize, |
| BYTE **keyContextBlob |
| ); |
| |
| /** |
| * TPM_LoadKeyContext - loads a key context blob into the TPM |
| * @keyContextSize: [in] The size of the following key context blob |
| * @keyContextBlob: [in] The key context blob |
| * @keyHandle: [out] Handle assigned to the key |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 28.2.2) |
| * LoadKeyContext loads a key context blob into the TPM previously retrieved |
| * by a SaveKeyContext call. After successful completion the handle returned |
| * by this command can be used to access the key. |
| */ |
| TPM_RESULT TPM_LoadKeyContext( |
| UINT32 keyContextSize, |
| BYTE *keyContextBlob, |
| TPM_KEY_HANDLE *keyHandle |
| ); |
| |
| /** |
| * TPM_SaveAuthContext - saves an authorization session outside the TPM |
| * @authHandle: [in] Authorization session which will be kept outside the TPM |
| * @authContextSize: [out] The size of the outgoing authorization context blob |
| * @authContextBlob: [out] The authorization context blob |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 28.2.3) |
| * SaveAuthContext saves a loaded authorization session outside the TPM. |
| * The format of the authorization context blob is specific to a TPM. |
| */ |
| TPM_RESULT TPM_SaveAuthContext( |
| TPM_AUTHHANDLE authHandle, |
| UINT32 *authContextSize, |
| BYTE **authContextBlob |
| ); |
| |
| /** |
| * TPM_LoadAuthContext - loads an authorization context blob into the TPM |
| * @authContextSize: [in] The size of the following authorization context blob |
| * @authContextBlob: [in] The authorization context blob |
| * @authHandle: [out] Handle assigned to the authorization session |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 28.2.4) |
| * LoadAuthContext loads an authorization context blob into the TPM previously |
| * retrieved by a SaveAuthContext call. After successful completion the handle |
| * returned by this command can be used to access the authorization session. |
| */ |
| TPM_RESULT TPM_LoadAuthContext( |
| UINT32 authContextSize, |
| BYTE *authContextBlob, |
| TPM_KEY_HANDLE *authHandle |
| ); |
| |
| /** |
| * TPM_DirWriteAuth - provides write access to the DIRs |
| * @dirIndex: [in] Index of the DIR |
| * @newContents: [in] New value to be stored in named DIR |
| * @auth1: [in, out] Authorization protocol parameters |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 28.3.1) |
| * The TPM_DirWriteAuth operation provides write access to the Data Integrity |
| * Registers. DIRs are non-volatile memory registers held in a TPM-shielded |
| * location. |
| */ |
| TPM_RESULT TPM_DirWriteAuth( |
| TPM_DIRINDEX dirIndex, |
| TPM_DIRVALUE *newContents, |
| TPM_AUTH *auth1 |
| ); |
| |
| /** |
| * TPM_DirRead - provides read access to the DIRs |
| * @dirIndex: [in] Index of the DIR to be read |
| * @dirContents: [out] The current contents of the named DIR |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 28.3.2) |
| * The TPM_DirRead operation provides read access to the DIRs. No |
| * authentication is required to perform this action. |
| */ |
| TPM_RESULT TPM_DirRead( |
| TPM_DIRINDEX dirIndex, |
| TPM_DIRVALUE *dirContents |
| ); |
| |
| /** |
| * TPM_ChangeAuthAsymStart - starts the ChangeAuth process |
| * @idHandle: [in] Handle of a loaded identity ID key |
| * @antiReplay: [in] The nonce to be inserted into the certifyInfo structure |
| * @inTempKey: [in] Structure containing all parameters of the ephemeral key |
| * @auth1: [in, out] Authorization protocol parameters |
| * @certifyInfo: [out] The certifyInfo structure that is to be signed |
| * @sigSize: [out] The used size of the output area for the signature |
| * @sig: [out] The signature of the certifyInfo parameter |
| * @ephHandle: [out] Handle to be used by ChangeAuthAsymFinish for ephemeral key |
| * @outTempKey: [out] Structure containing all parameters and public part of ephemeral key |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 28.4.1) |
| * The TPM_ChangeAuthAsymStart starts the process of changing authorization |
| * for an entity. It sets up an OIAP session that must be retained for use by |
| * its twin TPM_ChangeAuthAsymFinish command. |
| */ |
| TPM_RESULT TPM_ChangeAuthAsymStart( |
| TPM_KEY_HANDLE idHandle, |
| TPM_NONCE *antiReplay, |
| TPM_KEY_PARMS *inTempKey, |
| TPM_AUTH *auth1, |
| TPM_CERTIFY_INFO *certifyInfo, |
| UINT32 *sigSize, |
| BYTE **sig , |
| TPM_KEY_HANDLE *ephHandle, |
| TPM_KEY *outTempKey |
| ); |
| |
| /** |
| * TPM_ChangeAuthAsymFinish - terminates the ChangeAuth process |
| * @parentHandle: [in] Handle of the parent key for the input data |
| * @ephHandle: [in] Handle for the ephemeral key |
| * @entityType: [in] The type of entity to be modified |
| * @newAuthLink: [in] HMAC over the old and new authorization values |
| * @newAuthSize: [in] Size of encNewAuth |
| * @encNewAuth: [in] New authorization data encrypted with ephemeral key |
| * @encDataSize: [in] The size of the inData parameter |
| * @encData: [in] The encrypted entity that is to be modified |
| * @auth1: [in, out] Authorization protocol parameters |
| * @outDataSize: [out] The used size of the output area for outData |
| * @outData: [out] The modified, encrypted entity |
| * @saltNonce: [out] A nonce value to add entropy to the changeProof value |
| * @changeProof: [out] Proof that authorization data has changed |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 28.4.2) |
| * The TPM_ChangeAuth command allows the owner of an entity to change the |
| * authorization data for the entity. The command requires knowledge of |
| * the existing authorization information. |
| */ |
| TPM_RESULT TPM_ChangeAuthAsymFinish( |
| TPM_KEY_HANDLE parentHandle, |
| TPM_KEY_HANDLE ephHandle, |
| TPM_ENTITY_TYPE entityType, |
| TPM_HMAC *newAuthLink, |
| UINT32 newAuthSize, |
| BYTE *encNewAuth, |
| UINT32 encDataSize, |
| BYTE *encData, |
| TPM_AUTH *auth1, |
| UINT32 *outDataSize, |
| BYTE **outData , |
| TPM_NONCE *saltNonce, |
| TPM_DIGEST *changeProof |
| ); |
| |
| /** |
| * TPM_Reset - releases all resources |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 28.5) |
| * TPM_Reset releases all resources associated with existing authorization |
| * sessions. This is useful if a TSS driver has lost track of the state in |
| * the TPM. |
| */ |
| TPM_RESULT TPM_Reset(void); |
| |
| /** |
| * TPM_CertifySelfTest - performs a full self-test and signs the result |
| * @keyHandle: [in] Handle of a loaded key that can perform digital signatures |
| * @antiReplay: [in] AnitReplay nonce to prevent replay of messages |
| * @auth1: [in, out] Authorization protocol parameters |
| * @sigSize: [out] The length of the returned digital signature |
| * @sig: [out] The resulting digital signature |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 28.6) |
| * CertifySelfTest causes the TPM to perform a full self-test and return |
| * an authenticated value if the test passes. |
| */ |
| TPM_RESULT TPM_CertifySelfTest( |
| TPM_KEY_HANDLE keyHandle, |
| TPM_NONCE *antiReplay, |
| TPM_AUTH *auth1, |
| UINT32 *sigSize, |
| BYTE **sig |
| ); |
| |
| /** |
| * TPM_OwnerReadPubek - provides the endorsement key public portion |
| * @auth1: [in, out] Authorization protocol parameters |
| * @pubEndorsementKey: [out] The public endorsement key |
| * Returns: TPM_SUCCESS on success, a TPM error code otherwise. |
| * |
| * Description: ([TPM_Part3], Section 28.7) |
| * Provides the endorsement key public portion. |
| */ |
| TPM_RESULT TPM_OwnerReadPubek( |
| TPM_AUTH *auth1, |
| TPM_PUBKEY *pubEndorsementKey |
| ); |
| |
| /* |
| * Error handling |
| * [tpm_error.c] |
| */ |
| |
| /** |
| * tpm_error_to_string - converts the specified error code into a string message |
| * @res: [in] Error code |
| * Returns: Human-readable description of the error code. |
| */ |
| const char *tpm_error_to_string( |
| TPM_RESULT res |
| ); |
| |
| #endif /* _TPM_COMMANDS_H_ */ |