1 // This file was extracted from the TCG Published
2 // Trusted Platform Module Library
3 // Part 4: Supporting Routines
4 // Family "2.0"
5 // Level 00 Revision 01.16
6 // October 30, 2014
7 
8 #include     "InternalRoutines.h"
9 #include     "ExecCommand_fp.h"
10 #include     "HandleProcess_fp.h"
11 #include     "SessionProcess_fp.h"
12 #include     "CommandDispatcher_fp.h"
13 //
14 //     Uncomment this next #include if doing static command/response buffer sizing
15 //
16 // #include "CommandResponseSizes_fp.h"
17 //
18 //
19 //           ExecuteCommand()
20 //
21 //     The function performs the following steps.
22 //     a) Parses the command header from input buffer.
23 //     b) Calls ParseHandleBuffer() to parse the handle area of the command.
24 //     c) Validates that each of the handles references a loaded entity.
25 //
26 //     d) Calls ParseSessionBuffer() () to:
27 //          1) unmarshal and parse the session area;
28 //          2) check the authorizations; and
29 //          3) when necessary, decrypt a parameter.
30 //     e) Calls CommandDispatcher() to:
31 //          1) unmarshal the command parameters from the command buffer;
32 //          2) call the routine that performs the command actions; and
33 //          3) marshal the responses into the response buffer.
34 //     f)   If any error occurs in any of the steps above create the error response and return.
35 //     g) Calls BuildResponseSession() to:
36 //          1) when necessary, encrypt a parameter
37 //          2) build the response authorization sessions
38 //          3) update the audit sessions and nonces
39 //     h) Assembles handle, parameter and session buffers for response and return.
40 //
41 LIB_EXPORT void
ExecuteCommand(unsigned int requestSize,unsigned char * request,unsigned int * responseSize,unsigned char ** response)42 ExecuteCommand(
43     unsigned    int      requestSize,       //   IN: command buffer size
44     unsigned    char    *request,           //   IN: command buffer
45     unsigned    int     *responseSize,      //   OUT: response buffer size
46     unsigned    char    **response          //   OUT: response buffer
47     )
48 {
49     // Command local variables
50     TPM_ST               tag;                         // these first three variables are the
51     UINT32               commandSize;
52     TPM_CC               commandCode = 0;
53     BYTE                     *parmBufferStart;        // pointer to the first byte of an
54                                                       // optional parameter buffer
55     UINT32                    parmBufferSize = 0;// number of bytes in parameter area
56     UINT32                    handleNum = 0;          // number of handles unmarshaled into
57                                                       // the handles array
58     TPM_HANDLE                handles[MAX_HANDLE_NUM];// array to hold handles in the
59                                                  // command. Only handles in the handle
60                                                  // area are stored here, not handles
61                                                  // passed as parameters.
62     // Response local variables
63     TPM_RC               result;                      // return code for the command
64     TPM_ST                    resTag;                 // tag for the response
65     UINT32                    resHandleSize = 0; //       size of the handle area in the
66                                                  //       response. This is needed so that the
67                                                  //       handle area can be skipped when
68                                                  //       generating the rpHash.
69     UINT32                    resParmSize = 0;        // the size of the response parameters
70                                                       // These values go in the rpHash.
71     UINT32                    resAuthSize = 0;        // size of authorization area in the
72 //
73                                                    // response
74    INT32                      size;                // remaining data to be unmarshaled
75                                                    // or remaining space in the marshaling
76                                                    // buffer
77    BYTE                      *buffer;              // pointer into the buffer being used
78                                                    // for marshaling or unmarshaling
79    INT32                      bufferSize;          // size of buffer being used for
80                                                    // marshaling or unmarshaling
81    UINT32                     i;                    // local temp
82 // This next function call is used in development to size the command and response
83 // buffers. The values printed are the sizes of the internal structures and
84 // not the sizes of the canonical forms of the command response structures. Also,
85 // the sizes do not include the tag, commandCode, requestSize, or the authorization
86 // fields.
87 //CommandResponseSizes();
88    // Set flags for NV access state. This should happen before any other
89    // operation that may require a NV write. Note, that this needs to be done
90    // even when in failure mode. Otherwise, g_updateNV would stay SET while in
91    // Failure mode and the NB would be written on each call.
92    g_updateNV = FALSE;
93    g_clearOrderly = FALSE;
94    // As of Sept 25, 2013, the failure mode handling has been incorporated in the
95    // reference code. This implementation requires that the system support
96    // setjmp/longjmp. This code is put here because of the complexity being
97    // added to the platform and simulator code to deal with all the variations
98    // of errors.
99    if(g_inFailureMode)
100    {
101        // Do failure mode processing
102        TpmFailureMode (requestSize, request, responseSize, response);
103        return;
104    }
105 #ifndef EMBEDDED_MODE
106    if(setjmp(g_jumpBuffer) != 0)
107    {
108        // Get here if we got a longjump putting us into failure mode
109        g_inFailureMode = TRUE;
110        result = TPM_RC_FAILURE;
111        goto Fail;
112    }
113 #endif  // EMBEDDED_MODE   ^^^ not defined
114    // Assume that everything is going to work.
115    result = TPM_RC_SUCCESS;
116    // Query platform to get the NV state. The result state is saved internally
117    // and will be reported by NvIsAvailable(). The reference code requires that
118    // accessibility of NV does not change during the execution of a command.
119    // Specifically, if NV is available when the command execution starts and then
120    // is not available later when it is necessary to write to NV, then the TPM
121    // will go into failure mode.
122    NvCheckState();
123    // Due to the limitations of the simulation, TPM clock must be explicitly
124    // synchronized with the system clock whenever a command is received.
125    // This function call is not necessary in a hardware TPM. However, taking
126    // a snapshot of the hardware timer at the beginning of the command allows
127    // the time value to be consistent for the duration of the command execution.
128    TimeUpdateToCurrent();
129    // Any command through this function will unceremoniously end the
130    // _TPM_Hash_Data/_TPM_Hash_End sequence.
131    if(g_DRTMHandle != TPM_RH_UNASSIGNED)
132        ObjectTerminateEvent();
133      // Get command buffer size and command buffer.
134      size = requestSize;
135      buffer = request;
136      // Parse command header: tag, commandSize and commandCode.
137      // First parse the tag. The unmarshaling routine will validate
138      // that it is either TPM_ST_SESSIONS or TPM_ST_NO_SESSIONS.
139      result = TPMI_ST_COMMAND_TAG_Unmarshal(&tag, &buffer, &size);
140      if(result != TPM_RC_SUCCESS)
141          goto Cleanup;
142      // Unmarshal the commandSize indicator.
143      result = UINT32_Unmarshal(&commandSize, &buffer, &size);
144      if(result != TPM_RC_SUCCESS)
145          goto Cleanup;
146      // On a TPM that receives bytes on a port, the number of bytes that were
147      // received on that port is requestSize it must be identical to commandSize.
148      // In addition, commandSize must not be larger than MAX_COMMAND_SIZE allowed
149      // by the implementation. The check against MAX_COMMAND_SIZE may be redundant
150      // as the input processing (the function that receives the command bytes and
151      // places them in the input buffer) would likely have the input truncated when
152      // it reaches MAX_COMMAND_SIZE, and requestSize would not equal commandSize.
153      if(commandSize != requestSize || commandSize > MAX_COMMAND_SIZE)
154      {
155          result = TPM_RC_COMMAND_SIZE;
156          goto Cleanup;
157      }
158      // Unmarshal the command code.
159      result = TPM_CC_Unmarshal(&commandCode, &buffer, &size);
160      if(result != TPM_RC_SUCCESS)
161          goto Cleanup;
162      // Check to see if the command is implemented.
163      if(!CommandIsImplemented(commandCode))
164      {
165          result = TPM_RC_COMMAND_CODE;
166          goto Cleanup;
167      }
168 #if   FIELD_UPGRADE_IMPLEMENTED == YES
169    // If the TPM is in FUM, then the only allowed command is
170    // TPM_CC_FieldUpgradeData.
171    if(IsFieldUgradeMode() && (commandCode != TPM_CC_FieldUpgradeData))
172    {
173         result = TPM_RC_UPGRADE;
174         goto Cleanup;
175    }
176    else
177 #endif
178         // Excepting FUM, the TPM only accepts TPM2_Startup() after
179         // _TPM_Init. After getting a TPM2_Startup(), TPM2_Startup()
180         // is no longer allowed.
181         if((    !TPMIsStarted() && commandCode != TPM_CC_Startup)
182              || (TPMIsStarted() && commandCode == TPM_CC_Startup))
183         {
184              result = TPM_RC_INITIALIZE;
185              goto Cleanup;
186         }
187      // Start regular command process.
188      // Parse Handle buffer.
189      result = ParseHandleBuffer(commandCode, &buffer, &size, handles, &handleNum);
190      if(result != TPM_RC_SUCCESS)
191         goto Cleanup;
192    // Number of handles retrieved from handle area should be less than
193    // MAX_HANDLE_NUM.
194    pAssert(handleNum <= MAX_HANDLE_NUM);
195    // All handles in the handle area are required to reference TPM-resident
196    // entities.
197    for(i = 0; i < handleNum; i++)
198    {
199        result = EntityGetLoadStatus(&handles[i], commandCode);
200        if(result != TPM_RC_SUCCESS)
201        {
202            if(result == TPM_RC_REFERENCE_H0)
203                result = result + i;
204            else
205                result = RcSafeAddToResult(result, TPM_RC_H + g_rcIndex[i]);
206            goto Cleanup;
207        }
208    }
209    // Authorization session handling for the command.
210    if(tag == TPM_ST_SESSIONS)
211    {
212        BYTE        *sessionBufferStart;// address of the session area first byte
213                                        // in the input buffer
214         UINT32        authorizationSize;   // number of bytes in the session area
215         // Find out session buffer size.
216         result = UINT32_Unmarshal(&authorizationSize, &buffer, &size);
217         if(result != TPM_RC_SUCCESS)
218             goto Cleanup;
219         // Perform sanity check on the unmarshaled    value. If it is smaller than
220         // the smallest possible session or larger    than the remaining size of
221         // the command, then it is an error. NOTE:    This check could pass but the
222         // session size could still be wrong. That    will be determined after the
223         // sessions are unmarshaled.
224         if(    authorizationSize < 9
225             || authorizationSize > (UINT32) size)
226         {
227              result = TPM_RC_SIZE;
228              goto Cleanup;
229         }
230         // The sessions, if any, follows authorizationSize.
231         sessionBufferStart = buffer;
232         // The parameters follow the session area.
233         parmBufferStart = sessionBufferStart + authorizationSize;
234         // Any data left over after removing the authorization sessions is
235         // parameter data. If the command does not have parameters, then an
236         // error will be returned if the remaining size is not zero. This is
237         // checked later.
238         parmBufferSize = size - authorizationSize;
239         // The actions of ParseSessionBuffer() are described in the introduction.
240         result = ParseSessionBuffer(commandCode,
241                                     handleNum,
242                                     handles,
243                                     sessionBufferStart,
244                                     authorizationSize,
245                                     parmBufferStart,
246                                     parmBufferSize);
247          if(result != TPM_RC_SUCCESS)
248              goto Cleanup;
249    }
250    else
251    {
252        // Whatever remains in the input buffer is used for the parameters of the
253        // command.
254        parmBufferStart = buffer;
255        parmBufferSize = size;
256          // The command has no authorization sessions.
257          // If the command requires authorizations, then CheckAuthNoSession() will
258          // return an error.
259          result = CheckAuthNoSession(commandCode, handleNum, handles,
260                                       parmBufferStart, parmBufferSize);
261          if(result != TPM_RC_SUCCESS)
262              goto Cleanup;
263    }
264    // CommandDispatcher returns a response handle buffer and a response parameter
265    // buffer if it succeeds. It will also set the parameterSize field in the
266    // buffer if the tag is TPM_RC_SESSIONS.
267    result = CommandDispatcher(tag,
268                               commandCode,
269                               (INT32 *) &parmBufferSize,
270                               parmBufferStart,
271                               handles,
272                               &resHandleSize,
273                               &resParmSize);
274    if(result != TPM_RC_SUCCESS)
275        goto Cleanup;
276    // Build the session area at the end of the parameter area.
277    BuildResponseSession(tag,
278                         commandCode,
279                         resHandleSize,
280                         resParmSize,
281                         &resAuthSize);
282 Cleanup:
283    // This implementation loads an "evict" object to a transient object slot in
284    // RAM whenever an "evict" object handle is used in a command so that the
285    // access to any object is the same. These temporary objects need to be
286    // cleared from RAM whether the command succeeds or fails.
287    ObjectCleanupEvict();
288 #ifndef EMBEDDED_MODE
289 Fail:
290 #endif  // EMBEDDED_MODE  ^^^ not defined
291    // The response will contain at least a response header.
292    *responseSize = sizeof(TPM_ST) + sizeof(UINT32) + sizeof(TPM_RC);
293    // If the command completed successfully, then build the rest of the response.
294    if(result == TPM_RC_SUCCESS)
295    {
296        // Outgoing tag will be the same as the incoming tag.
297        resTag = tag;
298        // The overall response will include the handles, parameters,
299        // and authorizations.
300        *responseSize += resHandleSize + resParmSize + resAuthSize;
301          // Adding parameter size field.
302          if(tag == TPM_ST_SESSIONS)
303              *responseSize += sizeof(UINT32);
304          if(      g_clearOrderly == TRUE
305                && gp.orderlyState != SHUTDOWN_NONE)
306          {
307                 gp.orderlyState = SHUTDOWN_NONE;
308                 NvWriteReserved(NV_ORDERLY, &gp.orderlyState);
309                 g_updateNV = TRUE;
310          }
311      }
312      else
313      {
314          // The command failed.
315          // If this was a failure due to a bad command tag, then need to return
316          // a TPM 1.2 compatible response
317          if(result == TPM_RC_BAD_TAG)
318               resTag = TPM_ST_RSP_COMMAND;
319          else
320               // return 2.0 compatible response
321               resTag = TPM_ST_NO_SESSIONS;
322      }
323      // Try to commit all the writes to NV if any NV write happened during this
324      // command execution. This check should be made for both succeeded and failed
325      // commands, because a failed one may trigger a NV write in DA logic as well.
326      // This is the only place in the command execution path that may call the NV
327      // commit. If the NV commit fails, the TPM should be put in failure mode.
328      if(g_updateNV && !g_inFailureMode)
329      {
330          g_updateNV = FALSE;
331          if(!NvCommit())
332               FAIL(FATAL_ERROR_INTERNAL);
333      }
334      // Marshal the response header.
335      buffer = MemoryGetResponseBuffer(commandCode);
336      bufferSize = 10;
337      TPM_ST_Marshal(&resTag, &buffer, &bufferSize);
338      UINT32_Marshal((UINT32 *)responseSize, &buffer, &bufferSize);
339      pAssert(*responseSize <= MAX_RESPONSE_SIZE);
340      TPM_RC_Marshal(&result, &buffer, &bufferSize);
341      *response = MemoryGetResponseBuffer(commandCode);
342      // Clear unused bit in response buffer.
343      MemorySet(*response + *responseSize, 0, MAX_RESPONSE_SIZE - *responseSize);
344      return;
345 }
346