tpm2_protocol/data/

tpms.rs

// SPDX-License-Identifier: MIT OR Apache-2.0
// Copyright (c) 2025 Opinsys Oy
// Copyright (c) 2024-2025 Jarkko Sakkinen

use crate::{
    constant::TPM_GENERATED_VALUE,
    constant::TPM_PCR_SELECT_MAX,
    data::{
        Tpm2b, Tpm2bAuth, Tpm2bData, Tpm2bDigest, Tpm2bEccParameter, Tpm2bMaxNvBuffer, Tpm2bName,
        Tpm2bNonce, Tpm2bSensitiveData, TpmAlgId, TpmAt, TpmCap, TpmEccCurve, TpmPt, TpmRh, TpmSt,
        TpmaAlgorithm, TpmaLocality, TpmaNv, TpmaNvExp, TpmaSession, TpmiAlgHash, TpmiRhNvExpIndex,
        TpmiYesNo, TpmlAlgProperty, TpmlCca, TpmlEccCurve, TpmlHandle, TpmlPcrSelection,
        TpmlTaggedTpmProperty, TpmtEccScheme, TpmtKdfScheme, TpmtKeyedhashScheme, TpmtRsaScheme,
        TpmtSymDefObject, TpmuAttest, TpmuCapabilities,
    },
    tpm_struct, TpmError, TpmHandle, TpmMarshal, TpmResult, TpmSized, TpmUnmarshal, TpmWriter,
};
use core::{
    convert::TryFrom,
    fmt::{Debug, Formatter},
    mem::size_of,
    ops::Deref,
};

/// A fixed-capacity list for a PCR selection bitmap.
#[derive(Clone, Copy, PartialEq, Eq)]
pub struct TpmsPcrSelect {
    size: u8,
    data: [u8; TPM_PCR_SELECT_MAX as usize],
}

impl TpmsPcrSelect {
    /// Creates a new, empty `TpmsPcrSelect`.
    #[must_use]
    pub const fn new() -> Self {
        Self {
            size: 0,
            data: [0; TPM_PCR_SELECT_MAX as usize],
        }
    }
}

impl Default for TpmsPcrSelect {
    fn default() -> Self {
        Self::new()
    }
}

impl Deref for TpmsPcrSelect {
    type Target = [u8];

    fn deref(&self) -> &Self::Target {
        &self.data[..self.size as usize]
    }
}

impl TryFrom<&[u8]> for TpmsPcrSelect {
    type Error = TpmError;

    fn try_from(slice: &[u8]) -> Result<Self, Self::Error> {
        if slice.len() > TPM_PCR_SELECT_MAX as usize {
            return Err(TpmError::CapacityExceeded);
        }
        let mut pcr_select = Self::new();
        let len_u8 = u8::try_from(slice.len()).map_err(|_| TpmError::Malformed)?;
        pcr_select.size = len_u8;
        pcr_select.data[..slice.len()].copy_from_slice(slice);
        Ok(pcr_select)
    }
}

impl Debug for TpmsPcrSelect {
    fn fmt(&self, f: &mut Formatter<'_>) -> core::fmt::Result {
        write!(f, "TpmsPcrSelect(")?;
        for byte in self.iter() {
            write!(f, "{byte:02X}")?;
        }
        write!(f, ")")
    }
}

impl TpmSized for TpmsPcrSelect {
    const SIZE: usize = size_of::<u8>() + TPM_PCR_SELECT_MAX as usize;

    fn len(&self) -> usize {
        size_of::<u8>() + self.size as usize
    }
}

impl TpmMarshal for TpmsPcrSelect {
    fn marshal(&self, writer: &mut TpmWriter) -> TpmResult<()> {
        self.size.marshal(writer)?;
        writer.write_bytes(self)
    }
}

impl TpmUnmarshal for TpmsPcrSelect {
    fn unmarshal(buf: &[u8]) -> TpmResult<(Self, &[u8])> {
        let (size, remainder) = u8::unmarshal(buf)?;

        if size > TPM_PCR_SELECT_MAX {
            return Err(TpmError::CapacityExceeded);
        }
        if remainder.len() < size as usize {
            return Err(TpmError::Truncated);
        }

        let (pcr_bytes, final_remainder) = remainder.split_at(size as usize);
        let pcr_select = Self::try_from(pcr_bytes)?;
        Ok((pcr_select, final_remainder))
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Copy, Default)]
    pub struct TpmsAcOutput {
        pub tag: TpmAt,
        pub data: u32,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Default, Copy)]
    pub struct TpmsAlgProperty {
        pub alg: TpmAlgId,
        pub alg_properties: TpmaAlgorithm,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Copy, Default)]
    pub struct TpmsAuthCommand {
        pub session_handle: TpmHandle,
        pub nonce: Tpm2bNonce,
        pub session_attributes: TpmaSession,
        pub hmac: Tpm2bAuth,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Copy, Default)]
    pub struct TpmsAuthResponse {
        pub nonce: Tpm2bNonce,
        pub session_attributes: TpmaSession,
        pub hmac: Tpm2bAuth,
    }
}

#[derive(Debug, PartialEq, Eq, Clone)]
pub struct TpmsCapabilityData {
    pub capability: TpmCap,
    pub data: TpmuCapabilities,
}

impl TpmSized for TpmsCapabilityData {
    const SIZE: usize = size_of::<u32>() + TpmuCapabilities::SIZE;
    fn len(&self) -> usize {
        self.capability.len() + self.data.len()
    }
}

impl TpmMarshal for TpmsCapabilityData {
    fn marshal(&self, writer: &mut TpmWriter) -> TpmResult<()> {
        self.capability.marshal(writer)?;
        self.data.marshal(writer)
    }
}

impl TpmUnmarshal for TpmsCapabilityData {
    fn unmarshal(buf: &[u8]) -> TpmResult<(Self, &[u8])> {
        let (capability, buf) = TpmCap::unmarshal(buf)?;
        let (data, buf) = match capability {
            TpmCap::Algs => {
                let (algs, buf) = TpmlAlgProperty::unmarshal(buf)?;
                (TpmuCapabilities::Algs(algs), buf)
            }
            TpmCap::Handles => {
                let (handles, buf) = TpmlHandle::unmarshal(buf)?;
                (TpmuCapabilities::Handles(handles), buf)
            }
            TpmCap::Pcrs => {
                let (pcrs, buf) = TpmlPcrSelection::unmarshal(buf)?;
                (TpmuCapabilities::Pcrs(pcrs), buf)
            }
            TpmCap::Commands => {
                let (cmds, buf) = TpmlCca::unmarshal(buf)?;
                (TpmuCapabilities::Commands(cmds), buf)
            }
            TpmCap::TpmProperties => {
                let (props, buf) = TpmlTaggedTpmProperty::unmarshal(buf)?;
                (TpmuCapabilities::TpmProperties(props), buf)
            }
            TpmCap::EccCurves => {
                let (curves, buf) = TpmlEccCurve::unmarshal(buf)?;
                (TpmuCapabilities::EccCurves(curves), buf)
            }
        };
        Ok((Self { capability, data }, buf))
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Copy, Default)]
    pub struct TpmsClockInfo {
        pub clock: u64,
        pub reset_count: u32,
        pub restart_count: u32,
        pub safe: TpmiYesNo,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone)]
    pub struct TpmsContext {
        pub sequence: u64,
        pub saved_handle: TpmHandle,
        pub hierarchy: TpmRh,
        pub context_blob: Tpm2b,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Default)]
    pub struct TpmsCreationData {
        pub pcr_select: TpmlPcrSelection,
        pub pcr_digest: Tpm2bDigest,
        pub locality: TpmaLocality,
        pub parent_name_alg: TpmAlgId,
        pub parent_name: Tpm2bName,
        pub parent_qualified_name: Tpm2bName,
        pub outside_info: Tpm2bData,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Copy, Default)]
    pub struct TpmsEccPoint {
        pub x: Tpm2bEccParameter,
        pub y: Tpm2bEccParameter,
    }
}

tpm_struct! {
    #[derive(Debug, Default, Clone, Copy, PartialEq, Eq)]
    pub struct TpmsEmpty {}
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Default, Copy)]
    pub struct TpmsKeyedhashParms {
        pub scheme: TpmtKeyedhashScheme,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Default, Copy)]
    pub struct TpmsNvPublic {
        pub nv_index: TpmHandle,
        pub name_alg: TpmAlgId,
        pub attributes: TpmaNv,
        pub auth_policy: Tpm2bDigest,
        pub data_size: u16,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Copy, Default)]
    pub struct TpmsNvPublicExpAttr {
        pub nv_index: TpmiRhNvExpIndex,
        pub name_alg: TpmAlgId,
        pub attributes: TpmaNvExp,
        pub auth_policy: Tpm2bDigest,
        pub data_size: u16,
    }
}

#[derive(Debug, PartialEq, Eq, Clone, Copy, Default)]
pub struct TpmsPcrSelection {
    pub hash: TpmAlgId,
    pub pcr_select: TpmsPcrSelect,
}

impl TpmSized for TpmsPcrSelection {
    const SIZE: usize = TpmAlgId::SIZE + 1 + TPM_PCR_SELECT_MAX as usize;

    fn len(&self) -> usize {
        self.hash.len() + self.pcr_select.len()
    }
}

impl TpmMarshal for TpmsPcrSelection {
    fn marshal(&self, writer: &mut TpmWriter) -> TpmResult<()> {
        self.hash.marshal(writer)?;
        self.pcr_select.marshal(writer)
    }
}

impl TpmUnmarshal for TpmsPcrSelection {
    fn unmarshal(buf: &[u8]) -> TpmResult<(Self, &[u8])> {
        let (hash, buf) = TpmAlgId::unmarshal(buf)?;
        let (pcr_select, buf) = TpmsPcrSelect::unmarshal(buf)?;
        Ok((Self { hash, pcr_select }, buf))
    }
}

tpm_struct! {
    #[derive(Debug, Default, PartialEq, Eq, Clone)]
    pub struct TpmsSensitiveCreate {
        pub user_auth: Tpm2bAuth,
        pub data: Tpm2bSensitiveData,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Default, Copy)]
    pub struct TpmsIdObject {
        pub integrity_hmac: Tpm2bDigest,
        pub enc_identity: Tpm2bDigest,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Default, Copy)]
    pub struct TpmsSymcipherParms {
        pub sym: TpmtSymDefObject,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Copy)]
    pub struct TpmsTaggedProperty {
        pub property: TpmPt,
        pub value: u32,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Copy, Default)]
    pub struct TpmsTimeInfo {
        pub time: u64,
        pub clock_info: TpmsClockInfo,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Default, Copy)]
    pub struct TpmsSignatureRsa {
        pub hash: TpmAlgId,
        pub sig: crate::data::Tpm2bPublicKeyRsa,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Default, Copy)]
    pub struct TpmsSignatureEcc {
        pub hash: TpmAlgId,
        pub signature_r: Tpm2bEccParameter,
        pub signature_s: Tpm2bEccParameter,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Default)]
    pub struct TpmsTimeAttestInfo {
        pub time: TpmsTimeInfo,
        pub firmware_version: u64,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Default)]
    pub struct TpmsCertifyInfo {
        pub name: Tpm2bName,
        pub qualified_name: Tpm2bName,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Default)]
    pub struct TpmsQuoteInfo {
        pub pcr_select: TpmlPcrSelection,
        pub pcr_digest: Tpm2bDigest,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Default)]
    pub struct TpmsCommandAuditInfo {
        pub audit_counter: u64,
        pub digest_alg: TpmAlgId,
        pub audit_digest: Tpm2bDigest,
        pub command_digest: Tpm2bDigest,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Default, Copy)]
    pub struct TpmsSessionAuditInfo {
        pub exclusive_session: TpmiYesNo,
        pub session_digest: Tpm2bDigest,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Default)]
    pub struct TpmsCreationInfo {
        pub object_name: Tpm2bName,
        pub creation_hash: Tpm2bDigest,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Default)]
    pub struct TpmsNvCertifyInfo {
        pub index_name: Tpm2bName,
        pub offset: u16,
        pub nv_contents: Tpm2bMaxNvBuffer,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Default)]
    pub struct TpmsNvDigestCertifyInfo {
        pub index_name: Tpm2bName,
        pub nv_digest: Tpm2bDigest,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Copy, Default)]
    pub struct TpmsAlgorithmDetailEcc {
        pub curve_id: TpmEccCurve,
        pub key_size: u16,
        pub kdf: TpmtKdfScheme,
        pub sign: TpmtEccScheme,
        pub p: Tpm2bEccParameter,
        pub a: Tpm2bEccParameter,
        pub b: Tpm2bEccParameter,
        pub gx: Tpm2bEccParameter,
        pub gy: Tpm2bEccParameter,
        pub n: Tpm2bEccParameter,
        pub h: Tpm2bEccParameter,
    }
}

#[derive(Debug, PartialEq, Eq, Clone)]
pub struct TpmsAttest {
    pub magic: u32,
    pub attest_type: TpmSt,
    pub qualified_signer: Tpm2bName,
    pub extra_data: Tpm2bData,
    pub clock_info: TpmsClockInfo,
    pub firmware_version: u64,
    pub attested: TpmuAttest,
}

impl TpmSized for TpmsAttest {
    const SIZE: usize = size_of::<u32>()
        + TpmSt::SIZE
        + Tpm2bName::SIZE
        + Tpm2bData::SIZE
        + TpmsClockInfo::SIZE
        + size_of::<u64>()
        + TpmuAttest::SIZE;
    fn len(&self) -> usize {
        size_of::<u32>()
            + self.attest_type.len()
            + self.qualified_signer.len()
            + self.extra_data.len()
            + self.clock_info.len()
            + size_of::<u64>()
            + self.attested.len()
    }
}

impl TpmMarshal for TpmsAttest {
    fn marshal(&self, writer: &mut TpmWriter) -> TpmResult<()> {
        0xff54_4347_u32.marshal(writer)?;
        self.attest_type.marshal(writer)?;
        self.qualified_signer.marshal(writer)?;
        self.extra_data.marshal(writer)?;
        self.clock_info.marshal(writer)?;
        self.firmware_version.marshal(writer)?;
        self.attested.marshal(writer)
    }
}

impl TpmUnmarshal for TpmsAttest {
    fn unmarshal(buf: &[u8]) -> TpmResult<(Self, &[u8])> {
        let (magic, buf) = u32::unmarshal(buf)?;
        if magic != TPM_GENERATED_VALUE {
            return Err(TpmError::Malformed);
        }
        let (attest_type, buf) = TpmSt::unmarshal(buf)?;
        let (qualified_signer, buf) = Tpm2bName::unmarshal(buf)?;
        let (extra_data, buf) = Tpm2bData::unmarshal(buf)?;
        let (clock_info, buf) = TpmsClockInfo::unmarshal(buf)?;
        let (firmware_version, buf) = u64::unmarshal(buf)?;
        let (attested, buf) = match attest_type {
            TpmSt::AttestCertify => {
                let (val, buf) = TpmsCertifyInfo::unmarshal(buf)?;
                (TpmuAttest::Certify(val), buf)
            }
            TpmSt::AttestCreation => {
                let (val, buf) = TpmsCreationInfo::unmarshal(buf)?;
                (TpmuAttest::Creation(val), buf)
            }
            TpmSt::AttestQuote => {
                let (val, buf) = TpmsQuoteInfo::unmarshal(buf)?;
                (TpmuAttest::Quote(val), buf)
            }
            TpmSt::AttestCommandAudit => {
                let (val, buf) = TpmsCommandAuditInfo::unmarshal(buf)?;
                (TpmuAttest::CommandAudit(val), buf)
            }
            TpmSt::AttestSessionAudit => {
                let (val, buf) = TpmsSessionAuditInfo::unmarshal(buf)?;
                (TpmuAttest::SessionAudit(val), buf)
            }
            TpmSt::AttestTime => {
                let (val, buf) = TpmsTimeAttestInfo::unmarshal(buf)?;
                (TpmuAttest::Time(val), buf)
            }
            TpmSt::AttestNv => {
                let (val, buf) = TpmsNvCertifyInfo::unmarshal(buf)?;
                (TpmuAttest::Nv(val), buf)
            }
            TpmSt::AttestNvDigest => {
                let (val, buf) = TpmsNvDigestCertifyInfo::unmarshal(buf)?;
                (TpmuAttest::NvDigest(val), buf)
            }
            _ => return Err(TpmError::Malformed),
        };

        Ok((
            Self {
                magic,
                attest_type,
                qualified_signer,
                extra_data,
                clock_info,
                firmware_version,
                attested,
            },
            buf,
        ))
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Copy, Default)]
    pub struct TpmsSchemeHash {
        pub hash_alg: TpmiAlgHash,
    }
}

pub type TpmsSchemeHmac = TpmsSchemeHash;

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Copy, Default)]
    pub struct TpmsSchemeXor {
        pub hash_alg: TpmiAlgHash,
        pub kdf: TpmtKdfScheme,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Copy, Default)]
    pub struct TpmsRsaParms {
        pub symmetric: TpmtSymDefObject,
        pub scheme: TpmtRsaScheme,
        pub key_bits: u16,
        pub exponent: u32,
    }
}

tpm_struct! {
    #[derive(Debug, PartialEq, Eq, Clone, Copy, Default)]
    pub struct TpmsEccParms {
        pub symmetric: TpmtSymDefObject,
        pub scheme: TpmtEccScheme,
        pub curve_id: TpmEccCurve,
        pub kdf: TpmtKdfScheme,
    }
}