Read from TPM2 NV Index

Harshvardhan Patel harshvardhan1621 at gmail.com
Sun Nov 7 17:44:49 CET 2021 

Hi All,

I am working with Infineon TPM SLB9670 connected to a Raspberry Pi 4 via
the GPIO Header. I want to perform a simple NV Index read operation from NV
Index 1 in U-Boot. This NV Index was defined and written to in Linux
userspace using tpm2-tools (following the man page here -
https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_nvwrite.1.md
):

$ tpm2_nvdefine -Q   1 -C o -s 32 -a "ownerread|policywrite|ownerwrite"
$ echo "please123abc" > nv.test_w
$ tpm2_nvwrite -Q   1 -C o -i nv.test_w

After the above definition and write operation, I am able to read the data
back from the NV Indices using TPM2 tools. However, it seems I'm unable to
do so in U-Boot. Following is the code snippet I'm using for reading NV
Index 1.

struct udevice *dev = NULL;
void *data = NULL;
get_tpm(&dev);
status = tpm2_nv_read_value(dev, 1, data, 270);
However, the status code in the above case is "329" or "0x149".

Further I did notice that the hierarchy used in the tpm2-tools command is
the Owner Hierarchy. However the lib/tpm-v2.c code by-default sets
TPM2_RH_PLATFORM as the hierarchy. So I made the following changes:

diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
index 235f8c20d4..a9644c2f8b 100644
--- a/lib/tpm-v2.c
+++ b/lib/tpm-v2.c
@@ -178,12 +178,12 @@ u32 tpm2_nv_read_value(struct udevice *dev, u32
index, void *data, u32 count)
                tpm_u32(TPM2_CC_NV_READ),       /* Command code */

                /* handles 8 bytes */
-               tpm_u32(TPM2_RH_PLATFORM),      /* Primary platform seed */
+               tpm_u32(TPM2_RH_OWNER), /* Primary platform seed */
                tpm_u32(HR_NV_INDEX + index),   /* Password authorisation */

                /* AUTH_SESSION */
                tpm_u32(9),                     /* Authorization size */
-               tpm_u32(TPM2_RS_PW),            /* Session handle */
+               tpm_u32(TPM2_RH_OWNER),         /* Session handle */
                tpm_u16(0),                     /* Size of <nonce> */
                                                /* <nonce> (if any) */
                0,                              /* Attributes:
Cont/Excl/Rst */

The status code in this case changes to "2436" or "0x984".

Please let me know if I am missing something in the above API call? What
changes do I have to make in order to read the value stored at an NV Index
from U-Boot space?

More information about the U-Boot mailing list