From 6701b862aa96775609a7d42662ae4a98e43071bb Mon Sep 17 00:00:00 2001
From: kavsrf <kavsrf@gmail.com>
Date: Sun, 4 Dec 2016 13:46:48 +0300
Subject: TPM12 support

---
 DcsCfg/DcsCfg.h     |  13 ++++++
 DcsCfg/DcsCfg.inf   |   2 +
 DcsCfg/DcsCfg.man   |  19 +++++++-
 DcsCfg/DcsCfgMain.c | 128 +++++++++++++++++++++++++++++++++-------------------
 DcsCfg/DcsCfgTpm.c  |  88 ++++++++++++++++++++++++++++++++++++
 5 files changed, 201 insertions(+), 49 deletions(-)
 create mode 100644 DcsCfg/DcsCfgTpm.c

(limited to 'DcsCfg')

diff --git a/DcsCfg/DcsCfg.h b/DcsCfg/DcsCfg.h
index 2ffd50d..8a9a15a 100644
--- a/DcsCfg/DcsCfg.h
+++ b/DcsCfg/DcsCfg.h
@@ -161,6 +161,19 @@ TestTouch();
 EFI_STATUS
 DcsInteractiveSetup();
 
+//////////////////////////////////////////////////////////////////////////
+// TPM
+//////////////////////////////////////////////////////////////////////////
+EFI_STATUS
+Tpm12ListPcrs(
+	UINT32 sPcr,
+	UINT32 ePcr
+	);
 
+EFI_STATUS
+Tpm12NvList();
+
+EFI_STATUS
+Tpm12DcsConfigure();
 
 #endif // DcsCfg_h__
diff --git a/DcsCfg/DcsCfg.inf b/DcsCfg/DcsCfg.inf
index c7218aa..c057b96 100644
--- a/DcsCfg/DcsCfg.inf
+++ b/DcsCfg/DcsCfg.inf
@@ -34,6 +34,7 @@
   DcsCfgGraphics.c
   DcsCfgBlockio.c
   DcsCfgTouch.c
+  DcsCfgTpm.c
   DcsCfgSetup.c
 
 [Packages]
@@ -51,6 +52,7 @@
   GraphLib
   PasswordLib
   DcsCfgLib
+  DcsTpmLib
   VeraCryptLib
   ShellLib
 
diff --git a/DcsCfg/DcsCfg.man b/DcsCfg/DcsCfg.man
index bb6fda4..72575dc 100644
--- a/DcsCfg/DcsCfg.man
+++ b/DcsCfg/DcsCfg.man
@@ -35,16 +35,20 @@ DcsCfg -ds <BN> -wipe <start> <end>
 
 .SH OPTIONS
 
+ -dc - check devices (try to authorize)
  -dl - block device list (order numbers are used in -db and -se)
  -ds <BN> – select device
  -de <BN> – end device to check (starts from select)
- -dc check devices (try to authorize)
  -db <BN> - boot partition selection
  -aa - ask authorization parameters
  -ach - create header on block device
  -vec <BN> - block device encrypt
  -vdc <BN> - block device decrypt
  -vcp <BN> - block device change password
+ -rnd <type> <param>- select rnadom type (0 - none, 1 - file, 2- rdrand, 3 HMAC, 4 OPENSSL 5 TPM)
+ -rndgen <file> - generate random file
+ -rndload - load rnd generator state from file
+ -rndsave - save rnd generator state to file
  -ul - USB device list
  -tl - touch device 
  -tt <TN> - Test touch device
@@ -55,18 +59,29 @@ DcsCfg -ds <BN> -wipe <start> <end>
  -bt - Beep device test
  -setup - interactive setup
  -pl - GPT list
- -pf <gpt_file_name> - file with GPT
+ -pf <gpt_file_name> - file with GPT and params
  -ps - save GPT to file
+ -pz - delete info from GPT to file
  -pa - applay GPT from file to disk
  -pe - encrypt GPT
  -pd - decrypt GPT
  -pnt <PNT> - partition number as template (from -pl)
  -phide <PHS> <PHE> - hide partions from <PHS> to <PHE>; <PHS> - start sector of hidden partition, <PHE> - end sector of hidden partition
+ -pedt <PN> - partition number to edit(from -pl)
+ -pexec - edit executable parameter
+ -prndsave - save random state to params
+ -prndload - load random state from params
+ -pwdcache - edit password cache in params
  -kp <key_file_name> - keys file of platform to save
  -srm <SRT> - mark disk as security regions container(write CRC of platform to 61 sector); <SRT> - number of possible security regions
  -srw <SRT> - wipe security regions data with random data (write random data [62, 62 + 256 * SRT]) it has to be free! check first partition start sector!
  -sra <SRN> - add <gpt_file_name> to security region <SRN>
  -wipe <SS SE> - write random data to sectors range [SS,SE]
+ -osdecrypt - decrypt OS (rescue)
+ -osrestorekey - restore key (rescue)
+ -tpmpcrs <s> <e>- print PCRs
+ -tpmnvlist - List NV regions in TPM
+ -tpmcfg - Configure TPM
 
  .SH DESCRIPTION
 
diff --git a/DcsCfg/DcsCfgMain.c b/DcsCfg/DcsCfgMain.c
index 59ff730..6e4c863 100644
--- a/DcsCfg/DcsCfgMain.c
+++ b/DcsCfg/DcsCfgMain.c
@@ -34,51 +34,53 @@ https://opensource.org/licenses/LGPL-3.0
 //////////////////////////////////////////////////////////////////////////
 // Main
 //////////////////////////////////////////////////////////////////////////
-#define OPT_DISK_CHECK L"-dc"
-#define OPT_DISK_LIST L"-dl"
-#define OPT_DISK_START L"-ds"
-#define OPT_DISK_END L"-de"
-#define OPT_DISK_BOOT L"-db"
-#define OPT_AUTH_ASK L"-aa"
-#define OPT_AUTH_CREATE_HEADER L"-ach"
-#define OPT_RND L"-rnd"
-#define OPT_RND_GEN L"-rndgen"
-#define OPT_RND_LOAD L"-rndload"
-#define OPT_RND_SAVE L"-rndsave"
-#define OPT_VOLUME_ENCRYPT L"-vec"
-#define OPT_VOLUME_DECRYPT L"-vdc"
-#define OPT_VOLUME_CHANGEPWD L"-vcp"
-#define OPT_USB_LIST L"-ul"
-#define OPT_TOUCH_LIST L"-tl"
-#define OPT_TOUCH_TEST L"-tt"
-#define OPT_GRAPH_LIST L"-gl"
-#define OPT_GRAPH_DEVICE L"-gd"
-#define OPT_GRAPH_MODE L"-gm"
-#define OPT_BEEP_LIST L"-bl"
-#define OPT_BEEP_TEST L"-bt"
-#define OPT_SETUP L"-setup"
-#define OPT_PARTITION_LIST L"-pl"
-#define OPT_PARTITION_FILE L"-pf"
-#define OPT_PARTITION_SAVE L"-ps"
-#define OPT_PARTITION_ZERO L"-pz"
-#define OPT_PARTITION_APPLY L"-pa"
-#define OPT_PARTITION_ENCRYPT L"-pe"
-#define OPT_PARTITION_DECRYPT L"-pd"
-#define OPT_PARTITION_IDX_TEMPLATE L"-pnt"
-#define OPT_PARTITION_HIDE L"-phide"
-#define OPT_PARTITION_EDIT L"-pedt"
-#define OPT_PARTITION_EDIT_EXEC L"-pexec"
-#define OPT_PARTITION_RND_LOAD L"-prndload"
-#define OPT_PARTITION_RND_SAVE L"-prndsave"
+#define OPT_DISK_CHECK					L"-dc"
+#define OPT_DISK_LIST					L"-dl"
+#define OPT_DISK_START					L"-ds"
+#define OPT_DISK_END						L"-de"
+#define OPT_DISK_BOOT					L"-db"
+#define OPT_AUTH_ASK						L"-aa"
+#define OPT_AUTH_CREATE_HEADER		L"-ach"
+#define OPT_RND							L"-rnd"
+#define OPT_RND_GEN						L"-rndgen"
+#define OPT_RND_LOAD						L"-rndload"
+#define OPT_RND_SAVE						L"-rndsave"
+#define OPT_VOLUME_ENCRYPT				L"-vec"
+#define OPT_VOLUME_DECRYPT				L"-vdc"
+#define OPT_VOLUME_CHANGEPWD			L"-vcp"
+#define OPT_USB_LIST						L"-ul"
+#define OPT_TOUCH_LIST					L"-tl"
+#define OPT_TOUCH_TEST					L"-tt"
+#define OPT_GRAPH_LIST					L"-gl"
+#define OPT_GRAPH_DEVICE				L"-gd"
+#define OPT_GRAPH_MODE					L"-gm"
+#define OPT_BEEP_LIST					L"-bl"
+#define OPT_BEEP_TEST					L"-bt"
+#define OPT_SETUP							L"-setup"
+#define OPT_PARTITION_LIST				L"-pl"
+#define OPT_PARTITION_FILE				L"-pf"
+#define OPT_PARTITION_SAVE				L"-ps"
+#define OPT_PARTITION_ZERO				L"-pz"
+#define OPT_PARTITION_APPLY			L"-pa"
+#define OPT_PARTITION_ENCRYPT			L"-pe"
+#define OPT_PARTITION_DECRYPT			L"-pd"
+#define OPT_PARTITION_IDX_TEMPLATE	L"-pnt"
+#define OPT_PARTITION_HIDE				L"-phide"
+#define OPT_PARTITION_EDIT				L"-pedt"
+#define OPT_PARTITION_EDIT_EXEC		L"-pexec"
+#define OPT_PARTITION_RND_LOAD		L"-prndload"
+#define OPT_PARTITION_RND_SAVE		L"-prndsave"
 #define OPT_PARTITION_EDIT_PWD_CACHE L"-pwdcache"
-#define OPT_KEYFILE_PLATFORM L"-kp"
-#define OPT_SECREGION_MARK L"-srm"
-#define OPT_SECREGION_WIPE L"-srw"
-#define OPT_SECREGION_ADD L"-sra"
-#define OPT_WIPE L"-wipe"
-#define OPT_OS_DECRYPT L"-osdecrypt"
-#define OPT_OS_RESTORE_KEY L"-osrestorekey"
-
+#define OPT_KEYFILE_PLATFORM			L"-kp"
+#define OPT_SECREGION_MARK				L"-srm"
+#define OPT_SECREGION_WIPE				L"-srw"
+#define OPT_SECREGION_ADD				L"-sra"
+#define OPT_WIPE							L"-wipe"
+#define OPT_OS_DECRYPT					L"-osdecrypt"
+#define OPT_OS_RESTORE_KEY				L"-osrestorekey"
+#define OPT_TPM_PCRS						L"-tpmpcrs"
+#define OPT_TPM_NVLIST					L"-tpmnvlist"
+#define OPT_TPM_CFG						L"-tpmcfg"
 STATIC CONST SHELL_PARAM_ITEM ParamList[] = {
    { OPT_DISK_LIST,     TypeValue },
    { OPT_DISK_CHECK,    TypeFlag },
@@ -124,6 +126,9 @@ STATIC CONST SHELL_PARAM_ITEM ParamList[] = {
 	{ OPT_WIPE,                 TypeDoubleValue },
 	{ OPT_OS_DECRYPT,     TypeFlag },
 	{ OPT_OS_RESTORE_KEY, TypeFlag },
+	{ OPT_TPM_PCRS,       TypeDoubleValue },
+	{ OPT_TPM_NVLIST,     TypeFlag },
+	{ OPT_TPM_CFG,        TypeFlag },
 	{ NULL, TypeMax }
 };
 
@@ -257,6 +262,30 @@ DcsCfgMain(
 		TestTouch();
 	}
 
+	// TPM
+	if (ShellCommandLineGetFlag(Package, OPT_TPM_PCRS)) {
+		CONST CHAR16* opt1 = NULL;
+		CONST CHAR16* opt2 = NULL;
+		UINT32 sPcr;
+		UINT32 ePcr;
+		opt1 = ShellCommandLineGetValue(Package, OPT_TPM_PCRS);
+		sPcr = (UINT32)StrDecimalToUintn(opt1);
+		opt2 = StrStr(opt1, L" ");
+		if (opt2 != NULL) {
+			opt2++;
+		}
+		ePcr = (UINT32)StrDecimalToUintn(opt2);
+		Tpm12ListPcrs(sPcr, ePcr);
+	}
+
+	if (ShellCommandLineGetFlag(Package, OPT_TPM_NVLIST)) {
+		Tpm12NvList();
+	}
+
+	if (ShellCommandLineGetFlag(Package, OPT_TPM_CFG)) {
+		Tpm12DcsConfigure();
+	}
+
 	// Graph
 	if (ShellCommandLineGetFlag(Package, OPT_GRAPH_DEVICE)) {
 		CONST CHAR16* opt = NULL;
@@ -294,15 +323,20 @@ DcsCfgMain(
 	// Create random
 	if (ShellCommandLineGetFlag(Package, OPT_RND)) {
 		CONST CHAR16* opt = NULL;
-		CONST CHAR16* context = NULL;
+		CHAR16* context = NULL;
 		UINTN rndType;
+		UINTN contextSize = 0;
 		opt = ShellCommandLineGetValue(Package, OPT_RND);
 		rndType = StrDecimalToUintn(opt);
-		context = StrStr(opt, L" ");
+		context = (CHAR16*)StrStr(opt, L" ");
 		if (context != NULL) {
 			context++;
+			contextSize = StrLen(context) * 2;
+			if (!EFI_ERROR(FileExist(NULL, context))) {
+				FileLoad(NULL, context, &context, &contextSize);
+			}
 		}
-		res = RndInit(rndType, (CHAR16*)context, &gRnd);
+		res = RndInit(rndType, context, contextSize, &gRnd);
 		if (EFI_ERROR(res)) {
 			ERR_PRINT(L"Random: %r\n", res);
 		}
diff --git a/DcsCfg/DcsCfgTpm.c b/DcsCfg/DcsCfgTpm.c
new file mode 100644
index 0000000..5003132
--- /dev/null
+++ b/DcsCfg/DcsCfgTpm.c
@@ -0,0 +1,88 @@
+/** @file
+This is DCS configuration, TPM
+
+Copyright (c) 2016. Disk Cryptography Services for EFI (DCS), Alex Kolotnikov
+Copyright (c) 2016. VeraCrypt, Mounir IDRASSI 
+
+This program and the accompanying materials
+are licensed and made available under the terms and conditions
+of the GNU Lesser General Public License, version 3.0 (LGPL-3.0).
+
+The full text of the license may be found at
+https://opensource.org/licenses/LGPL-3.0
+**/
+
+#include <Library/CommonLib.h>
+#include <Library/DcsTpmLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/DcsCfgLib.h>
+#include "DcsVeraCrypt.h"
+
+EFI_STATUS
+Tpm12ListPcrs(
+	UINT32 sPcr,
+	UINT32 ePcr
+	) {
+	EFI_STATUS res;
+	res = InitTpm12();
+	if (EFI_ERROR(res)) {
+		ERR_PRINT(L"%r\n", res);
+		return res;
+	}
+	return Tpm12DumpPcrs(sPcr, ePcr);
+}
+
+EFI_STATUS
+Tpm12NvList(
+	) {
+	EFI_STATUS res;
+	UINT32  count;
+	UINT32  i;
+	UINT32  nv[256];
+	res = InitTpm12();
+	if (EFI_ERROR(res)) {
+		ERR_PRINT(L"%r\n", res);
+		return res;
+	}
+	count = sizeof(nv);
+	res = Tpm12GetNvList(&count, nv);
+	if (EFI_ERROR(res)) {
+		ERR_PRINT(L"%r\n", res);
+		return res;
+	}
+	count = count >> 2;
+	for (i = 0; i < count; ++i) {
+		UINT32 index = SwapBytes32(nv[i]);
+		UINT32 attr = 0;
+		UINT32 dataSz = 0;
+		UINT32 pcrR = 0;
+		UINT32 pcrW = 0;
+		OUT_PRINT(L"%H%08x%N ", index);
+		res = Tpm12NvDetails(index, &attr, &dataSz, &pcrR, &pcrW);
+		if (EFI_ERROR(res)) {
+			ERR_PRINT(L"%r\n", res);
+			continue;
+		}
+
+		OUT_PRINT(L"Attr[%08x] PcrR[%08x] PcrW[%08x] [%d] ", attr, pcrR, pcrW, dataSz);
+		OUT_PRINT(L"\n");
+	}
+	return res;
+}
+
+EFI_STATUS
+Tpm12DcsConfigure(
+	) {
+	EFI_STATUS res;
+	Password pwd;
+	ZeroMem(&pwd, sizeof(pwd));
+	CE(GetTpm());
+	CE(RndInit(RndTypeTpm, NULL, 0, &gRnd));
+	CE(gTpm->Configure(gTpm));
+	CE(gTpm->Apply(gTpm, &pwd));
+	return res;
+
+err:
+	ERR_PRINT(L"%r, line %d", res, gCELine);
+	return res;
+}
-- 
cgit v1.2.3