TSS_RESULT Tspi_TPM_SetStatus(TSS_HTPM hTPM, /* in */ TSS_FLAG statusFlag, /* in */ TSS_BOOL fTpmState) /* in */ { TPM_AUTH auth, *pAuth; TSS_RESULT result; TCPA_DIGEST hashDigest; TSS_HCONTEXT tspContext; TSS_HPOLICY hPolicy; TSS_HPOLICY hOperatorPolicy; Trspi_HashCtx hashCtx; UINT32 tpmVersion; if ((result = obj_tpm_get_tsp_context(hTPM, &tspContext))) return result; if ((result = obj_tpm_get_policy(hTPM, TSS_POLICY_USAGE, &hPolicy))) return result; switch (statusFlag) { case TSS_TPMSTATUS_DISABLEOWNERCLEAR: result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1); result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_DisableOwnerClear); if ((result |= Trspi_HashFinal(&hashCtx, hashDigest.digest))) return result; if ((result = secret_PerformAuth_OIAP(hTPM, TPM_ORD_DisableOwnerClear, hPolicy, FALSE, &hashDigest, &auth))) return result; if ((result = TCS_API(tspContext)->DisableOwnerClear(tspContext, &auth))) return result; result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1); result |= Trspi_Hash_UINT32(&hashCtx, result); result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_DisableOwnerClear); if ((result |= Trspi_HashFinal(&hashCtx, hashDigest.digest))) return result; if ((result = obj_policy_validate_auth_oiap(hPolicy, &hashDigest, &auth))) return result; break; case TSS_TPMSTATUS_DISABLEFORCECLEAR: result = TCS_API(tspContext)->DisableForceClear(tspContext); break; case TSS_TPMSTATUS_DISABLED: case TSS_TPMSTATUS_OWNERSETDISABLE: result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1); result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_OwnerSetDisable); result |= Trspi_Hash_BOOL(&hashCtx, fTpmState); if ((result |= Trspi_HashFinal(&hashCtx, hashDigest.digest))) return result; if ((result = secret_PerformAuth_OIAP(hTPM, TPM_ORD_OwnerSetDisable, hPolicy, FALSE, &hashDigest, &auth))) return result; if ((result = TCS_API(tspContext)->OwnerSetDisable(tspContext, fTpmState, &auth))) return result; result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1); result |= Trspi_Hash_UINT32(&hashCtx, result); result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_OwnerSetDisable); if ((result |= Trspi_HashFinal(&hashCtx, hashDigest.digest))) return result; if ((result = obj_policy_validate_auth_oiap(hPolicy, &hashDigest, &auth))) return result; break; case TSS_TPMSTATUS_PHYSICALDISABLE: if (fTpmState) result = TCS_API(tspContext)->PhysicalDisable(tspContext); else result = TCS_API(tspContext)->PhysicalEnable(tspContext); break; case TSS_TPMSTATUS_DEACTIVATED: case TSS_TPMSTATUS_PHYSICALSETDEACTIVATED: result = TCS_API(tspContext)->PhysicalSetDeactivated(tspContext, fTpmState); break; case TSS_TPMSTATUS_SETTEMPDEACTIVATED: if ((result = obj_context_get_tpm_version(tspContext, &tpmVersion))) return result; /* XXX Change 0,1,2 to #defines */ switch (tpmVersion) { case 0: case 1: result = TCS_API(tspContext)->SetTempDeactivated(tspContext); break; case 2: if ((result = obj_tpm_get_policy(hTPM, TSS_POLICY_OPERATOR, &hOperatorPolicy))) return result; if (hOperatorPolicy != NULL_HPOLICY) { result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1); result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_SetTempDeactivated); if ((result |= Trspi_HashFinal(&hashCtx, hashDigest.digest))) return result; pAuth = &auth; if ((result = secret_PerformAuth_OIAP(hTPM, TPM_ORD_SetTempDeactivated, hOperatorPolicy, FALSE, &hashDigest, pAuth))) return result; } else pAuth = NULL; if ((result = TCS_API(tspContext)->SetTempDeactivated2(tspContext, pAuth))) return result; if (pAuth) { result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1); result |= Trspi_Hash_UINT32(&hashCtx, result); result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_SetTempDeactivated); if ((result |= Trspi_HashFinal(&hashCtx, hashDigest.digest))) return result; if ((result = obj_policy_validate_auth_oiap(hOperatorPolicy, &hashDigest, pAuth))) return result; } break; default: return TSPERR(TSS_E_INTERNAL_ERROR); } break; case TSS_TPMSTATUS_SETOWNERINSTALL: result = TCS_API(tspContext)->SetOwnerInstall(tspContext, fTpmState); break; case TSS_TPMSTATUS_DISABLEPUBEKREAD: result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1); result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_DisablePubekRead); if ((result |= Trspi_HashFinal(&hashCtx, hashDigest.digest))) return result; if ((result = secret_PerformAuth_OIAP(hTPM, TPM_ORD_DisablePubekRead, hPolicy, FALSE, &hashDigest, &auth))) return result; if ((result = TCS_API(tspContext)->DisablePubekRead(tspContext, &auth))) return result; result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1); result |= Trspi_Hash_UINT32(&hashCtx, result); result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_DisablePubekRead); if ((result |= Trspi_HashFinal(&hashCtx, hashDigest.digest))) return result; if ((result = obj_policy_validate_auth_oiap(hPolicy, &hashDigest, &auth))) return result; break; case TSS_TPMSTATUS_ALLOWMAINTENANCE: /* Allow maintenance cannot be set to TRUE in the TPM */ if (fTpmState) return TSPERR(TSS_E_BAD_PARAMETER); /* The path to setting allow maintenance to FALSE is through * KillMaintenanceFeature */ return Tspi_TPM_KillMaintenanceFeature(hTPM); break; #ifdef TSS_BUILD_TSS12 case TSS_TPMSTATUS_DISABLEPUBSRKREAD: /* The logic of setting a 'disable' flag is reversed in the TPM, where setting this * flag to TRUE will enable the SRK read, while FALSE disables it. So we need to * flip the bool here. Sigh... */ fTpmState = fTpmState ? FALSE : TRUE; result = TSP_SetCapability(tspContext, hTPM, hPolicy, TPM_SET_PERM_FLAGS, TPM_PF_READSRKPUB, fTpmState); break; case TSS_TPMSTATUS_RESETLOCK: /* ignoring the bool here */ result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1); result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_ResetLockValue); if ((result |= Trspi_HashFinal(&hashCtx, hashDigest.digest))) return result; if ((result = secret_PerformAuth_OIAP(hTPM, TPM_ORD_ResetLockValue, hPolicy, FALSE, &hashDigest, &auth))) return result; if ((result = TCS_API(tspContext)->ResetLockValue(tspContext, &auth))) return result; result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1); result |= Trspi_Hash_UINT32(&hashCtx, result); result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_ResetLockValue); if ((result |= Trspi_HashFinal(&hashCtx, hashDigest.digest))) return result; if ((result = obj_policy_validate_auth_oiap(hPolicy, &hashDigest, &auth))) return result; break; #endif #ifndef TSS_SPEC_COMPLIANCE case TSS_TPMSTATUS_PHYSPRES_LIFETIMELOCK: /* set the lifetime lock bit */ result = TCS_API(tspContext)->PhysicalPresence(tspContext, TPM_PHYSICAL_PRESENCE_LIFETIME_LOCK); break; case TSS_TPMSTATUS_PHYSPRES_HWENABLE: /* HWENABLE, TRUE -> set the TPM_PHYSICAL_PRESENCE_HW_ENABLE bit * HWENABLE, FALSE -> set the TPM_PHYSICAL_PRESENCE_HW_DISABLE bit */ if (fTpmState) result = TCS_API(tspContext)->PhysicalPresence(tspContext, TPM_PHYSICAL_PRESENCE_HW_ENABLE); else result = TCS_API(tspContext)->PhysicalPresence(tspContext, TPM_PHYSICAL_PRESENCE_HW_DISABLE); break; case TSS_TPMSTATUS_PHYSPRES_CMDENABLE: /* CMDENABLE, TRUE -> set the TPM_PHYSICAL_PRESENCE_CMD_ENABLE bit * CMDENABLE, FALSE -> set the TPM_PHYSICAL_PRESENCE_CMD_DISABLE bit */ if (fTpmState) result = TCS_API(tspContext)->PhysicalPresence(tspContext, TPM_PHYSICAL_PRESENCE_CMD_ENABLE); else result = TCS_API(tspContext)->PhysicalPresence(tspContext, TPM_PHYSICAL_PRESENCE_CMD_DISABLE); break; case TSS_TPMSTATUS_PHYSPRES_LOCK: /* set the physical presence lock bit */ result = TCS_API(tspContext)->PhysicalPresence(tspContext, TPM_PHYSICAL_PRESENCE_LOCK); break; case TSS_TPMSTATUS_PHYSPRESENCE: /* set the physical presence state */ result = TCS_API(tspContext)->PhysicalPresence(tspContext, (fTpmState ? TPM_PHYSICAL_PRESENCE_PRESENT : TPM_PHYSICAL_PRESENCE_NOTPRESENT)); break; #endif default: return TSPERR(TSS_E_BAD_PARAMETER); break; } return result; }
int main_v1_1( void ) { char *function = "Tspi_TPM_KillMaintenanceFeature01"; TSS_HCONTEXT hContext; TSS_HTPM hTPM; TSS_HPOLICY hTPMPolicy; TSS_RESULT result; UINT32 exitCode = 0; print_begin_test( function ); // Create Context result = Tspi_Context_Create( &hContext ); if ( result != TSS_SUCCESS ) { print_error( "Tspi_Context_Create", result ); exit( result ); } // Connect to Context result = Tspi_Context_Connect( hContext, get_server(GLOBALSERVER) ); if ( result != TSS_SUCCESS ) { print_error( "Tspi_Context_Connect", result ); Tspi_Context_FreeMemory( hContext, NULL ); Tspi_Context_Close( hContext ); exit( result ); } // Retrieve TPM object of context result = Tspi_Context_GetTpmObject( hContext, &hTPM ); if ( result != TSS_SUCCESS ) { print_error( "Tspi_Context_GetTpmObject", result ); Tspi_Context_FreeMemory( hContext, NULL ); Tspi_Context_Close( hContext ); exit( result ); } //Insert the owner auth into the TPM's policy result = Tspi_GetPolicyObject(hTPM, TSS_POLICY_USAGE, &hTPMPolicy); if (result != TSS_SUCCESS) { print_error("Tspi_GetPolicyObject", result); Tspi_Context_FreeMemory( hContext, NULL ); Tspi_Context_Close( hContext ); exit(result); } result = Tspi_Policy_SetSecret(hTPMPolicy, TESTSUITE_OWNER_SECRET_MODE, TESTSUITE_OWNER_SECRET_LEN, TESTSUITE_OWNER_SECRET); if (result != TSS_SUCCESS) { print_error("Tspi_Policy_SetSecret", result); Tspi_Context_FreeMemory( hContext, NULL ); Tspi_Context_Close( hContext ); exit(result); } //Get random number result = Tspi_TPM_KillMaintenanceFeature( hTPM ); if ( result != TSS_SUCCESS && TSS_ERROR_CODE(result) != TCPA_E_INACTIVE) { if( !(checkNonAPI(result)) ) { print_error( function, result ); } else { print_error_nonapi( function, result ); } exitCode = result; } else { print_success( function, result ); } print_end_test( function ); Tspi_Context_FreeMemory( hContext, NULL ); Tspi_Context_Close( hContext ); exit( exitCode ); }