tpm: add a Sandbox TPMv2.x driver

This driver can emulate all the basic functionalities of a TPMv2.x
chip and should behave like them during regular testing.

Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
diff --git a/drivers/tpm/tpm2_tis_sandbox.c b/drivers/tpm/tpm2_tis_sandbox.c
new file mode 100644
index 0000000..3240cc5
--- /dev/null
+++ b/drivers/tpm/tpm2_tis_sandbox.c
@@ -0,0 +1,625 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2018, Bootlin
+ * Author: Miquel Raynal <miquel.raynal@bootlin.com>
+ */
+
+#include <common.h>
+#include <dm.h>
+#include <tpm-v2.h>
+#include <asm/state.h>
+#include <asm/unaligned.h>
+#include <linux/crc8.h>
+
+/* Hierarchies */
+enum tpm2_hierarchy {
+	TPM2_HIERARCHY_LOCKOUT = 0,
+	TPM2_HIERARCHY_ENDORSEMENT,
+	TPM2_HIERARCHY_PLATFORM,
+	TPM2_HIERARCHY_NB,
+};
+
+/* Subset of supported capabilities */
+enum tpm2_capability {
+	TPM_CAP_TPM_PROPERTIES = 0x6,
+};
+
+/* Subset of supported properties */
+#define TPM2_PROPERTIES_OFFSET 0x0000020E
+
+enum tpm2_cap_tpm_property {
+	TPM2_FAIL_COUNTER = 0,
+	TPM2_PROP_MAX_TRIES,
+	TPM2_RECOVERY_TIME,
+	TPM2_LOCKOUT_RECOVERY,
+	TPM2_PROPERTY_NB,
+};
+
+#define SANDBOX_TPM_PCR_NB 1
+
+static const u8 sandbox_extended_once_pcr[] = {
+	0xf5, 0xa5, 0xfd, 0x42, 0xd1, 0x6a, 0x20, 0x30,
+	0x27, 0x98, 0xef, 0x6e, 0xd3, 0x09, 0x97, 0x9b,
+	0x43, 0x00, 0x3d, 0x23, 0x20, 0xd9, 0xf0, 0xe8,
+	0xea, 0x98, 0x31, 0xa9, 0x27, 0x59, 0xfb, 0x4b,
+};
+
+struct sandbox_tpm2 {
+	/* TPM internal states */
+	bool init_done;
+	bool startup_done;
+	bool tests_done;
+	/* TPM password per hierarchy */
+	char pw[TPM2_HIERARCHY_NB][TPM2_DIGEST_LEN + 1];
+	int pw_sz[TPM2_HIERARCHY_NB];
+	/* TPM properties */
+	u32 properties[TPM2_PROPERTY_NB];
+	/* TPM PCRs */
+	u8 pcr[SANDBOX_TPM_PCR_NB][TPM2_DIGEST_LEN];
+	/* TPM PCR extensions */
+	u32 pcr_extensions[SANDBOX_TPM_PCR_NB];
+};
+
+/*
+ * Check the tag validity depending on the command (authentication required or
+ * not). If authentication is required, check it is valid. Update the auth
+ * pointer to point to the next chunk of data to process if needed.
+ */
+static int sandbox_tpm2_check_session(struct udevice *dev, u32 command, u16 tag,
+				      const u8 **auth,
+				      enum tpm2_hierarchy *hierarchy)
+{
+	struct sandbox_tpm2 *tpm = dev_get_priv(dev);
+	u32 handle, auth_sz, session_handle;
+	u16 nonce_sz, pw_sz;
+	const char *pw;
+
+	switch (command) {
+	case TPM2_CC_STARTUP:
+	case TPM2_CC_SELF_TEST:
+	case TPM2_CC_GET_CAPABILITY:
+	case TPM2_CC_PCR_READ:
+		if (tag != TPM2_ST_NO_SESSIONS) {
+			printf("No session required for command 0x%x\n",
+			       command);
+			return TPM2_RC_BAD_TAG;
+		}
+
+		return 0;
+
+	case TPM2_CC_CLEAR:
+	case TPM2_CC_HIERCHANGEAUTH:
+	case TPM2_CC_DAM_RESET:
+	case TPM2_CC_DAM_PARAMETERS:
+	case TPM2_CC_PCR_EXTEND:
+		if (tag != TPM2_ST_SESSIONS) {
+			printf("Session required for command 0x%x\n", command);
+			return TPM2_RC_AUTH_CONTEXT;
+		}
+
+		handle = get_unaligned_be32(*auth);
+		*auth += sizeof(handle);
+
+		/*
+		 * PCR_Extend had a different protection mechanism and does not
+		 * use the same standards as other commands.
+		 */
+		if (command == TPM2_CC_PCR_EXTEND)
+			break;
+
+		switch (handle) {
+		case TPM2_RH_LOCKOUT:
+			*hierarchy = TPM2_HIERARCHY_LOCKOUT;
+			break;
+		case TPM2_RH_ENDORSEMENT:
+			if (command == TPM2_CC_CLEAR) {
+				printf("Endorsement hierarchy unsupported\n");
+				return TPM2_RC_AUTH_MISSING;
+			}
+			*hierarchy = TPM2_HIERARCHY_ENDORSEMENT;
+			break;
+		case TPM2_RH_PLATFORM:
+			*hierarchy = TPM2_HIERARCHY_PLATFORM;
+			break;
+		default:
+			printf("Wrong handle 0x%x\n", handle);
+			return TPM2_RC_VALUE;
+		}
+
+		break;
+
+	default:
+		printf("Command code not recognized: 0x%x\n", command);
+		return TPM2_RC_COMMAND_CODE;
+	}
+
+	auth_sz = get_unaligned_be32(*auth);
+	*auth += sizeof(auth_sz);
+
+	session_handle = get_unaligned_be32(*auth);
+	*auth += sizeof(session_handle);
+	if (session_handle != TPM2_RS_PW) {
+		printf("Wrong session handle 0x%x\n", session_handle);
+		return TPM2_RC_VALUE;
+	}
+
+	nonce_sz = get_unaligned_be16(*auth);
+	*auth += sizeof(nonce_sz);
+	if (nonce_sz) {
+		printf("Nonces not supported in Sandbox, aborting\n");
+		return TPM2_RC_HANDLE;
+	}
+
+	/* Ignore attributes */
+	*auth += sizeof(u8);
+
+	pw_sz = get_unaligned_be16(*auth);
+	*auth += sizeof(pw_sz);
+	if (auth_sz != (9 + nonce_sz + pw_sz)) {
+		printf("Authentication size (%d) do not match %d\n",
+		       auth_sz, 9 + nonce_sz + pw_sz);
+		return TPM2_RC_SIZE;
+	}
+
+	/* No passwork is acceptable */
+	if (!pw_sz && !tpm->pw_sz[*hierarchy])
+		return TPM2_RC_SUCCESS;
+
+	/* Password is too long */
+	if (pw_sz > TPM2_DIGEST_LEN) {
+		printf("Password should not be more than %dB\n",
+		       TPM2_DIGEST_LEN);
+		return TPM2_RC_AUTHSIZE;
+	}
+
+	pw = (const char *)*auth;
+	*auth += pw_sz;
+
+	/* Password is wrong */
+	if (pw_sz != tpm->pw_sz[*hierarchy] ||
+	    strncmp(pw, tpm->pw[*hierarchy], tpm->pw_sz[*hierarchy])) {
+		printf("Authentication failed: wrong password.\n");
+		return TPM2_RC_BAD_AUTH;
+	}
+
+	return TPM2_RC_SUCCESS;
+}
+
+static int sandbox_tpm2_check_readyness(struct udevice *dev, int command)
+{
+	struct sandbox_tpm2 *tpm = dev_get_priv(dev);
+
+	switch (command) {
+	case TPM2_CC_STARTUP:
+		if (!tpm->init_done || tpm->startup_done)
+			return TPM2_RC_INITIALIZE;
+
+		break;
+	case TPM2_CC_GET_CAPABILITY:
+		if (!tpm->init_done || !tpm->startup_done)
+			return TPM2_RC_INITIALIZE;
+
+		break;
+	case TPM2_CC_SELF_TEST:
+		if (!tpm->startup_done)
+			return TPM2_RC_INITIALIZE;
+
+		break;
+	default:
+		if (!tpm->tests_done)
+			return TPM2_RC_NEEDS_TEST;
+
+		break;
+	}
+
+	return 0;
+}
+
+static int sandbox_tpm2_fill_buf(u8 **recv, size_t *recv_len, u16 tag, u32 rc)
+{
+	*recv_len = sizeof(tag) + sizeof(u32) + sizeof(rc);
+
+	/* Write tag */
+	put_unaligned_be16(tag, *recv);
+	*recv += sizeof(tag);
+
+	/* Write length */
+	put_unaligned_be32(*recv_len, *recv);
+	*recv += sizeof(u32);
+
+	/* Write return code */
+	put_unaligned_be32(rc, *recv);
+	*recv += sizeof(rc);
+
+	/* Add trailing \0 */
+	*recv = '\0';
+
+	return 0;
+}
+
+static int sandbox_tpm2_extend(struct udevice *dev, int pcr_index,
+			       const u8 *extension)
+{
+	struct sandbox_tpm2 *tpm = dev_get_priv(dev);
+	int i;
+
+	/* Only simulate the first extensions from all '0' with only '0' */
+	for (i = 0; i < TPM2_DIGEST_LEN; i++)
+		if (tpm->pcr[pcr_index][i] || extension[i])
+			return TPM2_RC_FAILURE;
+
+	memcpy(tpm->pcr[pcr_index], sandbox_extended_once_pcr,
+	       TPM2_DIGEST_LEN);
+	tpm->pcr_extensions[pcr_index]++;
+
+	return 0;
+};
+
+static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
+			     size_t send_size, u8 *recvbuf,
+			     size_t *recv_len)
+{
+	struct sandbox_tpm2 *tpm = dev_get_priv(dev);
+	enum tpm2_hierarchy hierarchy = 0;
+	const u8 *sent = sendbuf;
+	u8 *recv = recvbuf;
+	u32 length, command, rc = 0;
+	u16 tag, mode, new_pw_sz;
+	u8 yes_no;
+	int i, j;
+
+	/* TPM2_GetProperty */
+	u32 capability, property, property_count;
+
+	/* TPM2_PCR_Read/Extend variables */
+	int pcr_index;
+	u64 pcr_map = 0;
+	u32 selections, pcr_nb;
+	u16 alg;
+	u8 pcr_array_sz;
+
+	tag = get_unaligned_be16(sent);
+	sent += sizeof(tag);
+
+	length = get_unaligned_be32(sent);
+	sent += sizeof(length);
+	if (length != send_size) {
+		printf("TPM2: Unmatching length, received: %ld, expected: %d\n",
+		       send_size, length);
+		rc = TPM2_RC_SIZE;
+		sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		return 0;
+	}
+
+	command = get_unaligned_be32(sent);
+	sent += sizeof(command);
+	rc = sandbox_tpm2_check_readyness(dev, command);
+	if (rc) {
+		sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		return 0;
+	}
+
+	rc = sandbox_tpm2_check_session(dev, command, tag, &sent, &hierarchy);
+	if (rc) {
+		sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		return 0;
+	}
+
+	switch (command) {
+	case TPM2_CC_STARTUP:
+		mode = get_unaligned_be16(sent);
+		sent += sizeof(mode);
+		switch (mode) {
+		case TPM2_SU_CLEAR:
+		case TPM2_SU_STATE:
+			break;
+		default:
+			rc = TPM2_RC_VALUE;
+		}
+
+		tpm->startup_done = true;
+
+		sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		break;
+
+	case TPM2_CC_SELF_TEST:
+		yes_no = *sent;
+		sent += sizeof(yes_no);
+		switch (yes_no) {
+		case TPMI_YES:
+		case TPMI_NO:
+			break;
+		default:
+			rc = TPM2_RC_VALUE;
+		}
+
+		tpm->tests_done = true;
+
+		sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		break;
+
+	case TPM2_CC_CLEAR:
+		/* Reset this hierarchy password */
+		tpm->pw_sz[hierarchy] = 0;
+
+		/* Reset all password if thisis the PLATFORM hierarchy */
+		if (hierarchy == TPM2_HIERARCHY_PLATFORM)
+			for (i = 0; i < TPM2_HIERARCHY_NB; i++)
+				tpm->pw_sz[i] = 0;
+
+		/* Reset the properties */
+		for (i = 0; i < TPM2_PROPERTY_NB; i++)
+			tpm->properties[i] = 0;
+
+		/* Reset the PCRs and their number of extensions */
+		for (i = 0; i < SANDBOX_TPM_PCR_NB; i++) {
+			tpm->pcr_extensions[i] = 0;
+			for (j = 0; j < TPM2_DIGEST_LEN; j++)
+				tpm->pcr[i][j] = 0;
+		}
+
+		sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		break;
+
+	case TPM2_CC_HIERCHANGEAUTH:
+		new_pw_sz = get_unaligned_be16(sent);
+		sent += sizeof(new_pw_sz);
+		if (new_pw_sz > TPM2_DIGEST_LEN) {
+			rc = TPM2_RC_SIZE;
+		} else if (new_pw_sz) {
+			tpm->pw_sz[hierarchy] = new_pw_sz;
+			memcpy(tpm->pw[hierarchy], sent, new_pw_sz);
+			sent += new_pw_sz;
+		}
+
+		sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		break;
+
+	case TPM2_CC_GET_CAPABILITY:
+		capability = get_unaligned_be32(sent);
+		sent += sizeof(capability);
+		if (capability != TPM_CAP_TPM_PROPERTIES) {
+			printf("Sandbox TPM only support TPM_CAPABILITIES\n");
+			return TPM2_RC_HANDLE;
+		}
+
+		property = get_unaligned_be32(sent);
+		sent += sizeof(property);
+		property -= TPM2_PROPERTIES_OFFSET;
+
+		property_count = get_unaligned_be32(sent);
+		sent += sizeof(property_count);
+		if (!property_count ||
+		    property + property_count > TPM2_PROPERTY_NB) {
+			rc = TPM2_RC_HANDLE;
+			return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		}
+
+		/* Write tag */
+		put_unaligned_be16(tag, recv);
+		recv += sizeof(tag);
+
+		/* Ignore length for now */
+		recv += sizeof(u32);
+
+		/* Write return code */
+		put_unaligned_be32(rc, recv);
+		recv += sizeof(rc);
+
+		/* Tell there is more data to read */
+		*recv = TPMI_YES;
+		recv += sizeof(yes_no);
+
+		/* Repeat the capability */
+		put_unaligned_be32(capability, recv);
+		recv += sizeof(capability);
+
+		/* Give the number of properties that follow */
+		put_unaligned_be32(property_count, recv);
+		recv += sizeof(property_count);
+
+		/* Fill with the properties */
+		for (i = 0; i < property_count; i++) {
+			put_unaligned_be32(TPM2_PROPERTIES_OFFSET + property +
+					   i, recv);
+			recv += sizeof(property);
+			put_unaligned_be32(tpm->properties[property + i],
+					   recv);
+			recv += sizeof(property);
+		}
+
+		/* Add trailing \0 */
+		*recv = '\0';
+
+		/* Write response length */
+		*recv_len = recv - recvbuf;
+		put_unaligned_be32(*recv_len, recvbuf + sizeof(tag));
+
+		break;
+
+	case TPM2_CC_DAM_PARAMETERS:
+		tpm->properties[TPM2_PROP_MAX_TRIES] = get_unaligned_be32(sent);
+		sent += sizeof(*tpm->properties);
+		tpm->properties[TPM2_RECOVERY_TIME] = get_unaligned_be32(sent);
+		sent += sizeof(*tpm->properties);
+		tpm->properties[TPM2_LOCKOUT_RECOVERY] = get_unaligned_be32(sent);
+		sent += sizeof(*tpm->properties);
+
+		sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		break;
+
+	case TPM2_CC_PCR_READ:
+		selections = get_unaligned_be32(sent);
+		sent += sizeof(selections);
+		if (selections != 1) {
+			printf("Sandbox cannot handle more than one PCR\n");
+			rc = TPM2_RC_VALUE;
+			return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		}
+
+		alg = get_unaligned_be16(sent);
+		sent += sizeof(alg);
+		if (alg != TPM2_ALG_SHA256) {
+			printf("Sandbox TPM only handle SHA256 algorithm\n");
+			rc = TPM2_RC_VALUE;
+			return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		}
+
+		pcr_array_sz = *sent;
+		sent += sizeof(pcr_array_sz);
+		if (!pcr_array_sz || pcr_array_sz > 8) {
+			printf("Sandbox TPM cannot handle so much PCRs\n");
+			rc = TPM2_RC_VALUE;
+			return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		}
+
+		for (i = 0; i < pcr_array_sz; i++)
+			pcr_map += (u64)sent[i] << (i * 8);
+
+		if (pcr_map >> SANDBOX_TPM_PCR_NB) {
+			printf("Sandbox TPM handles up to %d PCR(s)\n",
+			       SANDBOX_TPM_PCR_NB);
+			rc = TPM2_RC_VALUE;
+			return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		}
+
+		if (pcr_map >> SANDBOX_TPM_PCR_NB) {
+			printf("Wrong PCR map.\n");
+			rc = TPM2_RC_VALUE;
+			return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		}
+
+		for (i = 0; i < SANDBOX_TPM_PCR_NB; i++)
+			if (pcr_map & BIT(i))
+				pcr_index = i;
+
+		/* Write tag */
+		put_unaligned_be16(tag, recv);
+		recv += sizeof(tag);
+
+		/* Ignore length for now */
+		recv += sizeof(u32);
+
+		/* Write return code */
+		put_unaligned_be32(rc, recv);
+		recv += sizeof(rc);
+
+		/* Number of extensions */
+		put_unaligned_be32(tpm->pcr_extensions[pcr_index], recv);
+		recv += sizeof(u32);
+
+		/* Copy the PCR */
+		memcpy(recv, tpm->pcr[pcr_index], TPM2_DIGEST_LEN);
+		recv += TPM2_DIGEST_LEN;
+
+		/* Add trailing \0 */
+		*recv = '\0';
+
+		/* Write response length */
+		*recv_len = recv - recvbuf;
+		put_unaligned_be32(*recv_len, recvbuf + sizeof(tag));
+
+		break;
+
+	case TPM2_CC_PCR_EXTEND:
+		/* Get the PCR index */
+		pcr_index = get_unaligned_be32(sendbuf + sizeof(tag) +
+					       sizeof(length) +
+					       sizeof(command));
+		if (pcr_index > SANDBOX_TPM_PCR_NB) {
+			printf("Sandbox TPM handles up to %d PCR(s)\n",
+			       SANDBOX_TPM_PCR_NB);
+			rc = TPM2_RC_VALUE;
+		}
+
+		/* Check the number of hashes */
+		pcr_nb = get_unaligned_be32(sent);
+		sent += sizeof(pcr_nb);
+		if (pcr_nb != 1) {
+			printf("Sandbox cannot handle more than one PCR\n");
+			rc = TPM2_RC_VALUE;
+			return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		}
+
+		/* Check the hash algorithm */
+		alg = get_unaligned_be16(sent);
+		sent += sizeof(alg);
+		if (alg != TPM2_ALG_SHA256) {
+			printf("Sandbox TPM only handle SHA256 algorithm\n");
+			rc = TPM2_RC_VALUE;
+			return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		}
+
+		/* Extend the PCR */
+		rc = sandbox_tpm2_extend(dev, pcr_index, sent);
+
+		sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+		break;
+
+	default:
+		printf("TPM2 command %02x unknown in Sandbox\n", command);
+		rc = TPM2_RC_COMMAND_CODE;
+		sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc);
+	}
+
+	return 0;
+}
+
+static int sandbox_tpm2_get_desc(struct udevice *dev, char *buf, int size)
+{
+	if (size < 15)
+		return -ENOSPC;
+
+	return snprintf(buf, size, "Sandbox TPM2.x");
+}
+
+static int sandbox_tpm2_open(struct udevice *dev)
+{
+	struct sandbox_tpm2 *tpm = dev_get_priv(dev);
+
+	if (tpm->init_done)
+		return -EIO;
+
+	tpm->init_done = true;
+
+	return 0;
+}
+
+static int sandbox_tpm2_probe(struct udevice *dev)
+{
+	struct sandbox_tpm2 *tpm = dev_get_priv(dev);
+	struct tpm_chip_priv *priv = dev_get_uclass_priv(dev);
+
+	memset(tpm, 0, sizeof(*tpm));
+
+	priv->pcr_count = 32;
+	priv->pcr_select_min = 2;
+
+	return 0;
+}
+
+static int sandbox_tpm2_close(struct udevice *dev)
+{
+	return 0;
+}
+
+static const struct tpm_ops sandbox_tpm2_ops = {
+	.open		= sandbox_tpm2_open,
+	.close		= sandbox_tpm2_close,
+	.get_desc	= sandbox_tpm2_get_desc,
+	.xfer		= sandbox_tpm2_xfer,
+};
+
+static const struct udevice_id sandbox_tpm2_ids[] = {
+	{ .compatible = "sandbox,tpm2" },
+	{ }
+};
+
+U_BOOT_DRIVER(sandbox_tpm2) = {
+	.name   = "sandbox_tpm2",
+	.id     = UCLASS_TPM,
+	.of_match = sandbox_tpm2_ids,
+	.ops    = &sandbox_tpm2_ops,
+	.probe	= sandbox_tpm2_probe,
+	.priv_auto_alloc_size = sizeof(struct sandbox_tpm2),
+};