AxlTpm — TPM 2.0 presence + capability

TPM 2.0 presence and capability via EFI_TCG2_PROTOCOL.

Header: <axl/axl-tpm.h>. Unlike the other platform readers there is nothing to enumerate — the TCG2 protocol is a singleton — so this is a presence check plus one typed capability struct. Scope is the boot-service capability fields a diagnostic/inventory view reports; measurement, the event log, and PCR extension are out of scope.

The protocol is located lazily and cached (like the CPU-arch / MP-services helpers). axl_tpm_present() reports whether the TCG2 protocol is published; axl_tpm_get_capability() calls GetCapability and projects EFI_TCG2_BOOT_SERVICE_CAPABILITY into AxlTpmCapability.

if (axl_tpm_present()) {
    AxlTpmCapability cap;
    if (axl_tpm_get_capability(&cap) == AXL_OK && cap.present) {
        axl_printf("TPM mfr=0x%08x banks=%u active=0x%x\n",
                   cap.manufacturer_id, cap.number_of_pcr_banks,
                   cap.active_pcr_banks);
    }
}

Two presence concepts: axl_tpm_present() is “the TCG2 protocol is published” (a stack is available to query); AxlTpmCapability.present is the firmware’s TPMPresentFlag (“a chip is installed and responding”). When the protocol is absent axl_tpm_get_capability returns AXL_ERR and the consumer reports the TPM as not present (the QEMU-default golden, {"tpm":{"present":false}}).

active_pcr_banks is a hash-algorithm bitmask (EFI_TCG2_BOOT_HASH_ALG_*, consumer decodes names); number_of_pcr_banks is a count. Both are valid only when the capability structure version is >= 1.1.

API Reference

TPM 2.0 presence and capability readout.

Reads the platform’s TPM 2.0 capability via the firmware’s TCG2 protocol (EFI_TCG2_PROTOCOL.GetCapability). Unlike the other platform readers there is nothing to enumerate — the TCG2 protocol is a singleton — so this is a presence check plus one typed capability struct.

if (axl_tpm_present()) {
    AxlTpmCapability cap;
    if (axl_tpm_get_capability(&cap) == AXL_OK) {
        // ... report manufacturer, banks, sizes ...
    }
}

Scope is the boot-service capability fields a diagnostic/inventory view reports. Measurement, the event log, and PCR extension are out of scope.

Functions

bool axl_tpm_present(void)

Report whether the firmware publishes the TCG2 protocol.

A cheap presence gate: true means a TPM 2.0 software stack is available to query (call axl_tpm_get_capability for the details). It does not by itself guarantee a physical TPM is responding — that is AxlTpmCapability.present (TPMPresentFlag). Result is cached after the first call.

Returns:

true if the TCG2 protocol is published, false otherwise.

int axl_tpm_get_capability(AxlTpmCapability *out)

Read the TPM 2.0 boot-service capability.

Parameters:
  • out – [out] populated on success

Returns:

AXL_OK on success, AXL_ERR if the TCG2 protocol is not published, the GetCapability call fails, or out is NULL. A present-but-wedged TPM (protocol published, GetCapability fails) returns the same AXL_ERR as an absent protocol, so the consumer reports the TPM as not present in both cases, exactly as it does when axl_tpm_present() == false.

struct AxlTpmCapability
#include <axl-tpm.h>

TPM 2.0 boot-service capability.

Typed projection of the firmware’s EFI_TCG2_BOOT_SERVICE_CAPABILITY. present is the firmware’s own TPMPresentFlag — a TPM chip is installed and responding — which is distinct from axl_tpm_present() reporting that the TCG2 protocol is published.

Note the two PCR fields are different kinds of value: number_of_pcr_banks is a count, active_pcr_banks is a hash-algorithm bitmask (not a count). Both are meaningful only when the structure version is >= 1.1; on older firmware they read 0 — and since a present TPM always has at least one bank, number_of_pcr_banks == 0 on a present TPM means the firmware predates struct ver 1.1, not a bankless TPM.

The event-log format flags (SupportedEventLogs) are omitted — the event log is measurement-domain (out of scope). The two hash-algorithm bitmasks below are the supported/active pair an inventory view reports.

Public Members

bool present

TPMPresentFlag: a TPM is installed and responding.

uint8_t structure_version_major

Capability structure version, major.

uint8_t structure_version_minor

Capability structure version, minor.

uint8_t protocol_version_major

TCG2 protocol version major.

uint8_t protocol_version_minor

TCG2 protocol version minor.

uint32_t manufacturer_id

TPM manufacturer ID (TCG vendor ID, 4 packed ASCII bytes).

uint32_t max_command_size

Maximum supported command buffer size in bytes.

uint32_t max_response_size

Maximum supported response buffer size in bytes.

uint32_t number_of_pcr_banks

Count of PCR banks the TPM supports, not a bitmask (structure version >= 1.1).

uint32_t supported_hash_algorithms

Hash algorithms the TCG2 stack supports, as an EFI_TCG2_BOOT_HASH_ALG_* bitmask (HashAlgorithmBitmap; a superset of active_pcr_banks; the consumer decodes names).

uint32_t active_pcr_banks

Active PCR-bank hash algorithms as an EFI_TCG2_BOOT_HASH_ALG_* bitmask, not a count (structure version >= 1.1; the consumer decodes names).
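The consumer-side handling this page leaves to the caller, worked through as an added example: the presence collapse from the overview (AXL_ERR from axl_tpm_get_capability, or a clear TPMPresentFlag, both reported as {"tpm":{"present":false}}), the structure-version rule for the two PCR fields, and decoding the EFI_TCG2_BOOT_HASH_ALG_* bitmasks into names. This is not AxlTpm library code. AxlTpmCapability is mirrored locally with the fields listed above so the file compiles without the axl headers or a firmware environment; the AXL_OK/AXL_ERR values are assumed (the page names them only); the EFI_TCG2_BOOT_HASH_ALG_* bit values are those of the TCG EFI Protocol Specification; the function names tpm_decode_hash_algs, tpm_bank_fields_valid and tpm_inventory_json are hypothetical; and every capability value is constructed, not captured from hardware.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AXL_OK  0      /* values assumed: the page names AXL_OK / AXL_ERR but not their values */
#define AXL_ERR (-1)

/* EFI_TCG2_BOOT_HASH_ALG_* bit values from the TCG EFI Protocol Specification. */
#define EFI_TCG2_BOOT_HASH_ALG_SHA1    0x00000001u
#define EFI_TCG2_BOOT_HASH_ALG_SHA256  0x00000002u
#define EFI_TCG2_BOOT_HASH_ALG_SHA384  0x00000004u
#define EFI_TCG2_BOOT_HASH_ALG_SHA512  0x00000008u
#define EFI_TCG2_BOOT_HASH_ALG_SM3_256 0x00000010u

/* Local mirror of AxlTpmCapability (fields as listed in the API reference) so the
 * example compiles without the axl headers or a firmware environment. */
typedef struct {
    bool     present;
    uint8_t  structure_version_major, structure_version_minor;
    uint8_t  protocol_version_major, protocol_version_minor;
    uint32_t manufacturer_id, max_command_size, max_response_size;
    uint32_t number_of_pcr_banks, supported_hash_algorithms, active_pcr_banks;
} AxlTpmCapability;

static const struct { uint32_t bit; const char *name; } k_hash_algs[] = {
    { EFI_TCG2_BOOT_HASH_ALG_SHA1, "SHA1" },     { EFI_TCG2_BOOT_HASH_ALG_SHA256, "SHA256" },
    { EFI_TCG2_BOOT_HASH_ALG_SHA384, "SHA384" }, { EFI_TCG2_BOOT_HASH_ALG_SHA512, "SHA512" },
    { EFI_TCG2_BOOT_HASH_ALG_SM3_256, "SM3_256" },
};

/* Decode an EFI_TCG2_BOOT_HASH_ALG_* bitmask into "SHA1,SHA256" form. Bits outside the
 * table are kept as unknown(0x..) so a new algorithm is never silently dropped. Returns popcount. */
unsigned tpm_decode_hash_algs(uint32_t mask, char *buf, size_t len)
{
    unsigned n = 0; char tmp[24];
    buf[0] = '\0';
    for (uint32_t m = mask; m; m &= m - 1) n++;                  /* popcount */
    for (size_t i = 0; i < sizeof k_hash_algs / sizeof k_hash_algs[0]; i++) {
        if (!(mask & k_hash_algs[i].bit)) continue;
        snprintf(tmp, sizeof tmp, "%s%s", buf[0] ? "," : "", k_hash_algs[i].name);
        strncat(buf, tmp, len - strlen(buf) - 1);                /* bounded append */
        mask &= ~k_hash_algs[i].bit;
    }
    if (mask) {                                                  /* bits the table lacks */
        snprintf(tmp, sizeof tmp, "%sunknown(0x%x)", buf[0] ? "," : "", (unsigned)mask);
        strncat(buf, tmp, len - strlen(buf) - 1);
    }
    return n;
}

/* number_of_pcr_banks / active_pcr_banks are defined only for capability structure
 * version >= 1.1; on older firmware both read 0, which must not be reported as a count. */
bool tpm_bank_fields_valid(const AxlTpmCapability *cap)
{
    return cap->structure_version_major > 1 ||
           (cap->structure_version_major == 1 && cap->structure_version_minor >= 1);
}

/* Render the inventory JSON. rc is the axl_tpm_get_capability() result: AXL_ERR
 * (protocol absent, or published but GetCapability failed) and a clear TPMPresentFlag
 * both collapse to the {"tpm":{"present":false}} golden. Returns the snprintf length. */
int tpm_inventory_json(int rc, const AxlTpmCapability *cap, char *out, size_t len)
{
    char supported[96], active[96];
    if (rc != AXL_OK || cap == NULL || !cap->present)
        return snprintf(out, len, "{\"tpm\":{\"present\":false}}");
    tpm_decode_hash_algs(cap->supported_hash_algorithms, supported, sizeof supported);
    unsigned mfr = cap->manufacturer_id;   /* printed as hex, like the page's own snippet */
    unsigned major = cap->structure_version_major, minor = cap->structure_version_minor;
    if (!tpm_bank_fields_valid(cap))   /* pre-1.1: report the bank fields as unknown, not 0 */
        return snprintf(out, len, "{\"tpm\":{\"present\":true,\"manufacturer_id\":\"0x%08x\","
            "\"struct_version\":\"%u.%u\",\"supported\":\"%s\",\"pcr_banks\":null,\"active\":null}}",
            mfr, major, minor, supported);
    tpm_decode_hash_algs(cap->active_pcr_banks, active, sizeof active);
    return snprintf(out, len, "{\"tpm\":{\"present\":true,\"manufacturer_id\":\"0x%08x\","
        "\"struct_version\":\"%u.%u\",\"supported\":\"%s\",\"pcr_banks\":%u,\"active\":\"%s\"}}",
        mfr, major, minor, supported, (unsigned)cap->number_of_pcr_banks, active);
}

/* Stand-alone demo over constructed capability values (not captured from hardware). */
int main(void)
{
    char json[256];
    AxlTpmCapability cap = { .present = true, .structure_version_major = 1, .structure_version_minor = 1,
        .manufacturer_id = 0x54455354u /* constructed: "TEST" */, .number_of_pcr_banks = 2,
        .supported_hash_algorithms = 0x7u, .active_pcr_banks = 0x3u };  /* SHA1|SHA256|SHA384; SHA1|SHA256 */
    tpm_inventory_json(AXL_ERR, NULL, json, sizeof json); puts(json);   /* QEMU default: no protocol */
    tpm_inventory_json(AXL_OK, &cap, json, sizeof json);  puts(json);
    cap.structure_version_minor = 0; cap.number_of_pcr_banks = cap.active_pcr_banks = 0;  /* pre-1.1 firmware */
    tpm_inventory_json(AXL_OK, &cap, json, sizeof json);  puts(json);
    return 0;
}
```

In a real consumer the capability comes from axl_tpm_get_capability(&cap) and rc is its return value; the three branches worth keeping are the ones shown: any AXL_ERR is indistinguishable from "no TPM" by design, a zeroed number_of_pcr_banks under structure version 1.0 is reported as unknown rather than as zero banks, and unrecognised bits in either bitmask are surfaced rather than dropped.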