Read from TPM2 NV Index

Ilias Apalodimas ilias.apalodimas at linaro.org
Wed Nov 17 12:05:13 CET 2021 

Hi Harshvardhan

On Sun, 7 Nov 2021 at 18:45, Harshvardhan Patel
<harshvardhan1621 at gmail.com> wrote:
>
> Hi All,
>
> I am working with Infineon TPM SLB9670 connected to a Raspberry Pi 4 via
> the GPIO Header. I want to perform a simple NV Index read operation from NV
> Index 1 in U-Boot. This NV Index was defined and written to in Linux
> userspace using tpm2-tools (following the man page here -
> https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_nvwrite.1.md
> ):
>
> $ tpm2_nvdefine -Q   1 -C o -s 32 -a "ownerread|policywrite|ownerwrite"
> $ echo "please123abc" > nv.test_w
> $ tpm2_nvwrite -Q   1 -C o -i nv.test_w
>
> After the above definition and write operation, I am able to read the data
> back from the NV Indices using TPM2 tools. However, it seems I'm unable to
> do so in U-Boot. Following is the code snippet I'm using for reading NV
> Index 1.
>
> struct udevice *dev = NULL;
> void *data = NULL;
> get_tpm(&dev);
> status = tpm2_nv_read_value(dev, 1, data, 270);
> However, the status code in the above case is "329" or "0x149".
>
> Further I did notice that the hierarchy used in the tpm2-tools command is
> the Owner Hierarchy. However the lib/tpm-v2.c code by-default sets
> TPM2_RH_PLATFORM as the hierarchy. So I made the following changes:
>
> diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
> index 235f8c20d4..a9644c2f8b 100644
> --- a/lib/tpm-v2.c
> +++ b/lib/tpm-v2.c
> @@ -178,12 +178,12 @@ u32 tpm2_nv_read_value(struct udevice *dev, u32
> index, void *data, u32 count)
>                 tpm_u32(TPM2_CC_NV_READ),       /* Command code */
>
>                 /* handles 8 bytes */
> -               tpm_u32(TPM2_RH_PLATFORM),      /* Primary platform seed */
> +               tpm_u32(TPM2_RH_OWNER), /* Primary platform seed */
>                 tpm_u32(HR_NV_INDEX + index),   /* Password authorisation */
>
>                 /* AUTH_SESSION */
>                 tpm_u32(9),                     /* Authorization size */
> -               tpm_u32(TPM2_RS_PW),            /* Session handle */
> +               tpm_u32(TPM2_RH_OWNER),         /* Session handle */
>                 tpm_u16(0),                     /* Size of <nonce> */
>                                                 /* <nonce> (if any) */
>                 0,                              /* Attributes:
> Cont/Excl/Rst */
>

We should add options for defining the hierarchy in nv_read instead of
hardcoding it.

> The status code in this case changes to "2436" or "0x984".
>
> Please let me know if I am missing something in the above API call? What
> changes do I have to make in order to read the value stored at an NV Index
> from U-Boot space?

I guess this means this is still an error?  I haven't played around
with u-boot nv_read too much so I am afraid we'll need a bit more
debugging to figure out what's going on.


Cheers
/Ilias

More information about the U-Boot mailing list