* [PATCH] cmd: tpm-v2: add get_random
@ 2022-08-17 10:27 Oleksandr Suvorov
From: Oleksandr Suvorov @ 2022-08-17 10:27 UTC (permalink / raw)
To: u-boot
Cc: Jorge Ramirez-Ortiz, Oleksandr Suvorov, Ilias Apalodimas,
Ruchika Gupta
From: Jorge Ramirez-Ortiz <jorge@foundries.io>
Enable getting randomness from the tpm command line.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Co-developed-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
---
cmd/tpm-v2.c | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/cmd/tpm-v2.c b/cmd/tpm-v2.c
index 4ea5f9f094f..5b53953e207 100644
--- a/cmd/tpm-v2.c
+++ b/cmd/tpm-v2.c
@@ -6,8 +6,10 @@
#include <common.h>
#include <command.h>
+#include <display_options.h>
#include <dm.h>
#include <log.h>
+#include <malloc.h>
#include <mapmem.h>
#include <tpm-common.h>
#include <tpm-v2.h>
@@ -206,6 +208,37 @@ unmap_data:
return report_return_code(rc);
}
+static int do_tpm2_get_random(struct cmd_tbl *cmdtp, int flag, int argc,
+ char *const argv[])
+{
+ struct udevice *dev;
+ char *buffer;
+ u32 len;
+ int ret;
+
+ ret = get_tpm(&dev);
+ if (ret) {
+ printf("Can't get tpm\n");
+ return ret;
+ }
+
+ if (argc != 2)
+ return CMD_RET_USAGE;
+
+ len = simple_strtoul(argv[1], NULL, 10);
+ buffer = calloc(1, len);
+ if (!buffer)
+ return -ENOMEM;
+
+ ret = tpm2_get_random(dev, buffer, len);
+ if (!ret)
+ print_buffer(0, buffer, 1, len, 0);
+
+ free(buffer);
+
+ return report_return_code(ret);
+}
+
static int do_tpm_dam_reset(struct cmd_tbl *cmdtp, int flag, int argc,
char *const argv[])
{
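Review bot: `len` in do_tpm2_get_random() is taken from `simple_strtoul(argv[1], NULL, 10)` and passed to `calloc(1, len)` with no validation, so a non-numeric or zero argument becomes a zero-length request and a very large one asks the bootloader heap for an arbitrary size. Parsing with an end pointer and rejecting bad values before allocating makes the failure explicit: `char *end;`, `len = simple_strtoul(argv[1], &end, 10);`, `if (end == argv[1] || *end || !len) return CMD_RET_USAGE;`. An upper bound suited to the platform's heap would also help, though the right limit is not visible from this hunk. The parsed value is also narrowed into a `u32`, so where simple_strtoul returns a wider type an oversized value presumably wraps instead of being rejected. Separately, `return -ENOMEM;` bypasses the `report_return_code()` call used on the normal exit path, so that failure is presumably reported differently from a TPM error.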
@@ -366,6 +399,7 @@ static struct cmd_tbl tpm2_commands[] = {
U_BOOT_CMD_MKENT(pcr_extend, 0, 1, do_tpm2_pcr_extend, "", ""),
U_BOOT_CMD_MKENT(pcr_read, 0, 1, do_tpm_pcr_read, "", ""),
U_BOOT_CMD_MKENT(get_capability, 0, 1, do_tpm_get_capability, "", ""),
+ U_BOOT_CMD_MKENT(get_random, 0, 1, do_tpm2_get_random, "", ""),
U_BOOT_CMD_MKENT(dam_reset, 0, 1, do_tpm_dam_reset, "", ""),
U_BOOT_CMD_MKENT(dam_parameters, 0, 1, do_tpm_dam_parameters, "", ""),
U_BOOT_CMD_MKENT(change_auth, 0, 1, do_tpm_change_auth, "", ""),
@@ -421,6 +455,8 @@ U_BOOT_CMD(tpm2, CONFIG_SYS_MAXARGS, 1, do_tpm, "Issue a TPMv2.x command",
" <property>: property\n"
" <addr>: address to store <count> entries of 4 bytes\n"
" <count>: number of entries to retrieve\n"
+"get_random <len>\n"
+" Get <len> random bytes.\n"
"dam_reset [<password>]\n"
" If the TPM is not in a LOCKOUT state, reset the internal error counter.\n"
" <password>: optional password\n"
--
2.37.2
* Re: [PATCH] cmd: tpm-v2: add get_random
@ 2022-08-17 12:13 ` Ilias Apalodimas
From: Ilias Apalodimas @ 2022-08-17 12:13 UTC (permalink / raw)
To: Oleksandr Suvorov; +Cc: u-boot, Jorge Ramirez-Ortiz, Ruchika Gupta
Hi Oleksandr
On Wed, Aug 17, 2022 at 01:27:16PM +0300, Oleksandr Suvorov wrote:
> From: Jorge Ramirez-Ortiz <jorge@foundries.io>
>
> Enable getting randomness from the tpm command line.
Does it have to be the tpm command line?
As of 87ab234c1cf ("cmd: rng: Add support for selecting RNG device") you can
explicitly select the device on the default rng command. That series also
plugs the TPM RNG into the DM and allows wider usage (e.g. from the EFI_RNG_PROTOCOL)
So the rng command should be good enough?
Thanks
/Ilias
>
> Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
> Co-developed-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
> Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
> ---
>
> cmd/tpm-v2.c | 36 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 36 insertions(+)
>
> diff --git a/cmd/tpm-v2.c b/cmd/tpm-v2.c
> index 4ea5f9f094f..5b53953e207 100644
> --- a/cmd/tpm-v2.c
> +++ b/cmd/tpm-v2.c
> @@ -6,8 +6,10 @@
>
> #include <common.h>
> #include <command.h>
> +#include <display_options.h>
> #include <dm.h>
> #include <log.h>
> +#include <malloc.h>
> #include <mapmem.h>
> #include <tpm-common.h>
> #include <tpm-v2.h>
> @@ -206,6 +208,37 @@ unmap_data:
> return report_return_code(rc);
> }
>
> +static int do_tpm2_get_random(struct cmd_tbl *cmdtp, int flag, int argc,
> + char *const argv[])
> +{
> + struct udevice *dev;
> + char *buffer;
> + u32 len;
> + int ret;
> +
> + ret = get_tpm(&dev);
> + if (ret) {
> + printf("Can't get tpm\n");
> + return ret;
> + }
> +
> + if (argc != 2)
> + return CMD_RET_USAGE;
> +
> + len = simple_strtoul(argv[1], NULL, 10);
> + buffer = calloc(1, len);
> + if (!buffer)
> + return -ENOMEM;
> +
> + ret = tpm2_get_random(dev, buffer, len);
> + if (!ret)
> + print_buffer(0, buffer, 1, len, 0);
> +
> + free(buffer);
> +
> + return report_return_code(ret);
> +}
> +
> static int do_tpm_dam_reset(struct cmd_tbl *cmdtp, int flag, int argc,
> char *const argv[])
> {
> @@ -366,6 +399,7 @@ static struct cmd_tbl tpm2_commands[] = {
> U_BOOT_CMD_MKENT(pcr_extend, 0, 1, do_tpm2_pcr_extend, "", ""),
> U_BOOT_CMD_MKENT(pcr_read, 0, 1, do_tpm_pcr_read, "", ""),
> U_BOOT_CMD_MKENT(get_capability, 0, 1, do_tpm_get_capability, "", ""),
> + U_BOOT_CMD_MKENT(get_random, 0, 1, do_tpm2_get_random, "", ""),
> U_BOOT_CMD_MKENT(dam_reset, 0, 1, do_tpm_dam_reset, "", ""),
> U_BOOT_CMD_MKENT(dam_parameters, 0, 1, do_tpm_dam_parameters, "", ""),
> U_BOOT_CMD_MKENT(change_auth, 0, 1, do_tpm_change_auth, "", ""),
> @@ -421,6 +455,8 @@ U_BOOT_CMD(tpm2, CONFIG_SYS_MAXARGS, 1, do_tpm, "Issue a TPMv2.x command",
> " <property>: property\n"
> " <addr>: address to store <count> entries of 4 bytes\n"
> " <count>: number of entries to retrieve\n"
> +"get_random <len>\n"
> +" Get <len> random bytes.\n"
> "dam_reset [<password>]\n"
> " If the TPM is not in a LOCKOUT state, reset the internal error counter.\n"
> " <password>: optional password\n"
> --
> 2.37.2
>
* Re: [PATCH] cmd: tpm-v2: add get_random
@ 2022-08-17 18:53 ` Simon Glass
From: Simon Glass @ 2022-08-17 18:53 UTC (permalink / raw)
To: Ilias Apalodimas
Cc: Oleksandr Suvorov, U-Boot Mailing List, Jorge Ramirez-Ortiz,
Ruchika Gupta
Hi Ilias,
On Wed, 17 Aug 2022 at 06:13, Ilias Apalodimas
<ilias.apalodimas@linaro.org> wrote:
>
> Hi Oleksandr
>
> On Wed, Aug 17, 2022 at 01:27:16PM +0300, Oleksandr Suvorov wrote:
> > From: Jorge Ramirez-Ortiz <jorge@foundries.io>
> >
> > Enable getting randomness from the tpm command line.
>
> Does it have to be the tpm command lime?
> As of 87ab234c1cf ("cmd: rng: Add support for selecting RNG device") you can
> explicitly select the device on the default rng command. That series also
> plugs in the TPM RNG into the DM and allows wider usage (e.g from the EFI_RNG_PROTOCOL)
>
> So the rng command should be good enough?
I like the idea of this command, as it is a direct way of using TPM
functionality.
But can we use this opportunity to add something to doc/usage/cmd/tpm.rst
and also a sandbox test?
Regards,
Simon
>
> Thanks
> /Ilias
> >
> > Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
> > Co-developed-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
> > Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
> > ---
> >
> > cmd/tpm-v2.c | 36 ++++++++++++++++++++++++++++++++++++
> > 1 file changed, 36 insertions(+)
> >
> > diff --git a/cmd/tpm-v2.c b/cmd/tpm-v2.c
> > index 4ea5f9f094f..5b53953e207 100644
> > --- a/cmd/tpm-v2.c
> > +++ b/cmd/tpm-v2.c
> > @@ -6,8 +6,10 @@
> >
> > #include <common.h>
> > #include <command.h>
> > +#include <display_options.h>
> > #include <dm.h>
> > #include <log.h>
> > +#include <malloc.h>
> > #include <mapmem.h>
> > #include <tpm-common.h>
> > #include <tpm-v2.h>
> > @@ -206,6 +208,37 @@ unmap_data:
> > return report_return_code(rc);
> > }
> >
> > +static int do_tpm2_get_random(struct cmd_tbl *cmdtp, int flag, int argc,
> > + char *const argv[])
> > +{
> > + struct udevice *dev;
> > + char *buffer;
> > + u32 len;
> > + int ret;
> > +
> > + ret = get_tpm(&dev);
> > + if (ret) {
> > + printf("Can't get tpm\n");
> > + return ret;
> > + }
> > +
> > + if (argc != 2)
> > + return CMD_RET_USAGE;
> > +
> > + len = simple_strtoul(argv[1], NULL, 10);
> > + buffer = calloc(1, len);
> > + if (!buffer)
> > + return -ENOMEM;
> > +
> > + ret = tpm2_get_random(dev, buffer, len);
> > + if (!ret)
> > + print_buffer(0, buffer, 1, len, 0);
> > +
> > + free(buffer);
> > +
> > + return report_return_code(ret);
> > +}
> > +
> > static int do_tpm_dam_reset(struct cmd_tbl *cmdtp, int flag, int argc,
> > char *const argv[])
> > {
> > @@ -366,6 +399,7 @@ static struct cmd_tbl tpm2_commands[] = {
> > U_BOOT_CMD_MKENT(pcr_extend, 0, 1, do_tpm2_pcr_extend, "", ""),
> > U_BOOT_CMD_MKENT(pcr_read, 0, 1, do_tpm_pcr_read, "", ""),
> > U_BOOT_CMD_MKENT(get_capability, 0, 1, do_tpm_get_capability, "", ""),
> > + U_BOOT_CMD_MKENT(get_random, 0, 1, do_tpm2_get_random, "", ""),
> > U_BOOT_CMD_MKENT(dam_reset, 0, 1, do_tpm_dam_reset, "", ""),
> > U_BOOT_CMD_MKENT(dam_parameters, 0, 1, do_tpm_dam_parameters, "", ""),
> > U_BOOT_CMD_MKENT(change_auth, 0, 1, do_tpm_change_auth, "", ""),
> > @@ -421,6 +455,8 @@ U_BOOT_CMD(tpm2, CONFIG_SYS_MAXARGS, 1, do_tpm, "Issue a TPMv2.x command",
> > " <property>: property\n"
> > " <addr>: address to store <count> entries of 4 bytes\n"
> > " <count>: number of entries to retrieve\n"
> > +"get_random <len>\n"
> > +" Get <len> random bytes.\n"
> > "dam_reset [<password>]\n"
> > " If the TPM is not in a LOCKOUT state, reset the internal error counter.\n"
> > " <password>: optional password\n"
> > --
> > 2.37.2
> >