From 0f4b2ba1762d74c0b5520d99a58796d6ca78abf0 Mon Sep 17 00:00:00 2001 From: "mario.six@gdsys.cc" Date: Mon, 20 Mar 2017 10:28:28 +0100 Subject: tpm: Add function to load keys via their parent's SHA1 hash If we want to load a key into a TPM, we need to know the designated parent key's handle, so that the TPM is able to insert the key at the correct place in the key hierarchy. However, if we want to load a key whose designated parent key we also previously loaded ourselves, we first need to memorize this parent key's handle (since the handles for the key are chosen at random when they are inserted into the TPM). If we are, however, unable to do so, for example if the parent key is loaded into the TPM during production, and its child key during the actual boot, we must find a different mechanism to identify the parent key. To solve this problem, we add a function that allows U-Boot to load a key into the TPM using their designated parent key's SHA1 hash, and the corresponding auth data. Signed-off-by: Mario Six Reviewed-by: Simon Glass --- include/tpm.h | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'include/tpm.h') diff --git a/include/tpm.h b/include/tpm.h index 800f29c101..f88388f353 100644 --- a/include/tpm.h +++ b/include/tpm.h @@ -639,4 +639,16 @@ uint32_t tpm_get_permissions(uint32_t index, uint32_t *perm); */ uint32_t tpm_flush_specific(uint32_t key_handle, uint32_t resource_type); +#ifdef CONFIG_TPM_LOAD_KEY_BY_SHA1 +/** + * Search for a key by usage AuthData and the hash of the parent's pub key. + * + * @param auth Usage auth of the key to search for + * @param pubkey_digest SHA1 hash of the pub key structure of the key + * @param[out] handle The handle of the key (Non-null iff found) + * @return 0 if key was found in TPM; != 0 if not. + */ +uint32_t tpm_find_key_sha1(const uint8_t auth[20], const uint8_t + pubkey_digest[20], uint32_t *handle); +#endif /* CONFIG_TPM_LOAD_KEY_BY_SHA1 */ #endif /* __TPM_H */ -- cgit