tpm: add TPM2_Clear command support

Add support for the TPM2_Clear command.

Change the command file and the help accordingly.

Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>

cmd/tpm-v2.c

@@ -51,11 +51,35 @@ static int do_tpm2_self_test(cmd_tbl_t *cmdtp, int flag, int argc,
 	return report_return_code(tpm2_self_test(full_test));
 }
 
+static int do_tpm2_clear(cmd_tbl_t *cmdtp, int flag, int argc,
+			 char * const argv[])
+{
+	u32 handle = 0;
+	const char *pw = (argc < 3) ? NULL : argv[2];
+	const ssize_t pw_sz = pw ? strlen(pw) : 0;
+
+	if (argc < 2 || argc > 3)
+		return CMD_RET_USAGE;
+
+	if (pw_sz > TPM2_DIGEST_LEN)
+		return -EINVAL;
+
+	if (!strcasecmp("TPM2_RH_LOCKOUT", argv[1]))
+		handle = TPM2_RH_LOCKOUT;
+	else if (!strcasecmp("TPM2_RH_PLATFORM", argv[1]))
+		handle = TPM2_RH_PLATFORM;
+	else
+		return CMD_RET_USAGE;
+
+	return report_return_code(tpm2_clear(handle, pw, pw_sz));
+}
+
 static cmd_tbl_t tpm2_commands[] = {
 	U_BOOT_CMD_MKENT(info, 0, 1, do_tpm_info, "", ""),
 	U_BOOT_CMD_MKENT(init, 0, 1, do_tpm_init, "", ""),
 	U_BOOT_CMD_MKENT(startup, 0, 1, do_tpm2_startup, "", ""),
 	U_BOOT_CMD_MKENT(self_test, 0, 1, do_tpm2_self_test, "", ""),
+	U_BOOT_CMD_MKENT(clear, 0, 1, do_tpm2_clear, "", ""),
 };
 
 cmd_tbl_t *get_tpm_commands(unsigned int *size)
@@ -82,4 +106,9 @@ U_BOOT_CMD(tpm, CONFIG_SYS_MAXARGS, 1, do_tpm, "Issue a TPMv2.x command",
 "    <type> is one of:\n"
 "        * full (perform all tests)\n"
 "        * continue (only check untested tests)\n"
+"clear <hierarchy>\n"
+"    Issue a TPM2_Clear command.\n"
+"    <hierarchy> is one of:\n"
+"        * TPM2_RH_LOCKOUT\n"
+"        * TPM2_RH_PLATFORM\n"
 );

include/tpm-v2.h

@@ -143,4 +143,15 @@ u32 tpm2_startup(enum tpm2_startup_types mode);
  */
 u32 tpm2_self_test(enum tpm2_yes_no full_test);
 
+/**
+ * Issue a TPM2_Clear command.
+ *
+ * @handle	Handle
+ * @pw		Password
+ * @pw_sz	Length of the password
+ *
+ * @return code of the operation
+ */
+u32 tpm2_clear(u32 handle, const char *pw, const ssize_t pw_sz);
+
 #endif /* __TPM_V2_H */

lib/tpm-v2.c

@@ -42,3 +42,38 @@ u32 tpm2_self_test(enum tpm2_yes_no full_test)
 
 	return tpm_sendrecv_command(command_v2, NULL, NULL);
 }
+
+u32 tpm2_clear(u32 handle, const char *pw, const ssize_t pw_sz)
+{
+	u8 command_v2[COMMAND_BUFFER_SIZE] = {
+		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
+		tpm_u32(27 + pw_sz),		/* Length */
+		tpm_u32(TPM2_CC_CLEAR),		/* Command code */
+
+		/* HANDLE */
+		tpm_u32(handle),		/* TPM resource handle */
+
+		/* AUTH_SESSION */
+		tpm_u32(9 + pw_sz),		/* Authorization size */
+		tpm_u32(TPM2_RS_PW),		/* Session handle */
+		tpm_u16(0),			/* Size of <nonce> */
+						/* <nonce> (if any) */
+		0,				/* Attributes: Cont/Excl/Rst */
+		tpm_u16(pw_sz),			/* Size of <hmac/password> */
+		/* STRING(pw)			   <hmac/password> (if any) */
+	};
+	unsigned int offset = 27;
+	int ret;
+
+	/*
+	 * Fill the command structure starting from the first buffer:
+	 *     - the password (if any)
+	 */
+	ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
+			       offset, pw, pw_sz);
+	offset += pw_sz;
+	if (ret)
+		return TPM_LIB_ERROR;
+
+	return tpm_sendrecv_command(command_v2, NULL, NULL);
+}