tpm: Add v2 Tcg methods related to PCR banks

nicholasbishop · nicholasbishop · commit 82011f894f0c · 2023-01-14T12:38:14.000-05:00
diff --git a/uefi-test-runner/src/proto/tcg.rs b/uefi-test-runner/src/proto/tcg.rs
@@ -197,6 +197,25 @@ pub fn test_tcg_v2(bt: &BootServices) {
     assert_eq!(capability.manufacturer_id, 0x4d4249);
     assert_eq!(capability.number_of_pcr_banks, 4);
     assert_eq!(capability.active_pcr_banks, expected_banks);
+
+    // Check the active PCR banks.
+    assert_eq!(
+        tcg.get_active_pcr_banks()
+            .expect("get_active_pcr_banks failed"),
+        expected_banks,
+    );
+
+    // Set the active PCR banks. This should succeed, but won't have any effect
+    // since we're not rebooting the system.
+    tcg.set_active_pcr_banks(HashAlgorithm::SHA256)
+        .expect("set_active_pcr_banks failed");
+
+    // Check that there was no attempt to change the active banks in the
+    // previous boot.
+    assert!(tcg
+        .get_result_of_set_active_pcr_banks()
+        .expect("get_result_of_set_active_pcr_banks failed")
+        .is_none());
 }
 
 pub fn test(bt: &BootServices) {
diff --git a/uefi/src/proto/tcg/v2.rs b/uefi/src/proto/tcg/v2.rs
@@ -190,4 +190,47 @@ impl Tcg {
         let mut capability = BootServiceCapability::default();
         unsafe { (self.get_capability)(self, &mut capability).into_with_val(|| capability) }
     }
+
+    /// Get a bitmap of the active PCR banks. Each bank corresponds to a hash
+    /// algorithm.
+    pub fn get_active_pcr_banks(&mut self) -> Result<HashAlgorithm> {
+        let mut active_pcr_banks = HashAlgorithm::empty();
+
+        let status = unsafe { (self.get_active_pcr_banks)(self, &mut active_pcr_banks) };
+
+        status.into_with_val(|| active_pcr_banks)
+    }
+
+    /// Set the active PCR banks. Each bank corresponds to a hash
+    /// algorithm. This change will not take effect until the system is
+    /// rebooted twice.
+    pub fn set_active_pcr_banks(&mut self, active_pcr_banks: HashAlgorithm) -> Result {
+        unsafe { (self.set_active_pcr_banks)(self, active_pcr_banks) }.into()
+    }
+
+    /// Get the stored result of calling [`Tcg::set_active_pcr_banks`] in a
+    /// previous boot.
+    ///
+    /// If there was no attempt to set the active PCR banks in a previous boot,
+    /// this returns `None`. Otherwise, it returns a numeric response code:
+    /// * `0x00000000`: Success
+    /// * `0x00000001..=0x00000FFF`: TPM error code
+    /// * `0xfffffff0`: The operation was canceled by the user or timed out
+    /// * `0xfffffff1`: Firmware error
+    pub fn get_result_of_set_active_pcr_banks(&mut self) -> Result<Option<u32>> {
+        let mut operation_present = 0;
+        let mut response = 0;
+
+        let status = unsafe {
+            (self.get_result_of_set_active_pcr_banks)(self, &mut operation_present, &mut response)
+        };
+
+        status.into_with_val(|| {
+            if operation_present == 0 {
+                None
+            } else {
+                Some(response)
+            }
+        })
+    }
 }
