xref: /linux/tools/testing/selftests/tpm2/tpm2.py (revision a1c3be890440a1769ed6f822376a3e3ab0d42994)
1# SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
2
3import hashlib
4import os
5import socket
6import struct
7import sys
8import unittest
9import fcntl
10import select
11
12TPM2_ST_NO_SESSIONS = 0x8001
13TPM2_ST_SESSIONS = 0x8002
14
15TPM2_CC_FIRST = 0x01FF
16
17TPM2_CC_CREATE_PRIMARY = 0x0131
18TPM2_CC_DICTIONARY_ATTACK_LOCK_RESET = 0x0139
19TPM2_CC_CREATE = 0x0153
20TPM2_CC_LOAD = 0x0157
21TPM2_CC_UNSEAL = 0x015E
22TPM2_CC_FLUSH_CONTEXT = 0x0165
23TPM2_CC_START_AUTH_SESSION = 0x0176
24TPM2_CC_GET_CAPABILITY	= 0x017A
25TPM2_CC_GET_RANDOM = 0x017B
26TPM2_CC_PCR_READ = 0x017E
27TPM2_CC_POLICY_PCR = 0x017F
28TPM2_CC_PCR_EXTEND = 0x0182
29TPM2_CC_POLICY_PASSWORD = 0x018C
30TPM2_CC_POLICY_GET_DIGEST = 0x0189
31
32TPM2_SE_POLICY = 0x01
33TPM2_SE_TRIAL = 0x03
34
35TPM2_ALG_RSA = 0x0001
36TPM2_ALG_SHA1 = 0x0004
37TPM2_ALG_AES = 0x0006
38TPM2_ALG_KEYEDHASH = 0x0008
39TPM2_ALG_SHA256 = 0x000B
40TPM2_ALG_NULL = 0x0010
41TPM2_ALG_CBC = 0x0042
42TPM2_ALG_CFB = 0x0043
43
44TPM2_RH_OWNER = 0x40000001
45TPM2_RH_NULL = 0x40000007
46TPM2_RH_LOCKOUT = 0x4000000A
47TPM2_RS_PW = 0x40000009
48
49TPM2_RC_SIZE            = 0x01D5
50TPM2_RC_AUTH_FAIL       = 0x098E
51TPM2_RC_POLICY_FAIL     = 0x099D
52TPM2_RC_COMMAND_CODE    = 0x0143
53
54TSS2_RC_LAYER_SHIFT = 16
55TSS2_RESMGR_TPM_RC_LAYER = (11 << TSS2_RC_LAYER_SHIFT)
56
57TPM2_CAP_HANDLES = 0x00000001
58TPM2_CAP_COMMANDS = 0x00000002
59TPM2_CAP_TPM_PROPERTIES = 0x00000006
60
61TPM2_PT_FIXED = 0x100
62TPM2_PT_TOTAL_COMMANDS = TPM2_PT_FIXED + 41
63
64HR_SHIFT = 24
65HR_LOADED_SESSION = 0x02000000
66HR_TRANSIENT = 0x80000000
67
68SHA1_DIGEST_SIZE = 20
69SHA256_DIGEST_SIZE = 32
70
71TPM2_VER0_ERRORS = {
72    0x000: "TPM_RC_SUCCESS",
73    0x030: "TPM_RC_BAD_TAG",
74}
75
76TPM2_VER1_ERRORS = {
77    0x000: "TPM_RC_FAILURE",
78    0x001: "TPM_RC_FAILURE",
79    0x003: "TPM_RC_SEQUENCE",
80    0x00B: "TPM_RC_PRIVATE",
81    0x019: "TPM_RC_HMAC",
82    0x020: "TPM_RC_DISABLED",
83    0x021: "TPM_RC_EXCLUSIVE",
84    0x024: "TPM_RC_AUTH_TYPE",
85    0x025: "TPM_RC_AUTH_MISSING",
86    0x026: "TPM_RC_POLICY",
87    0x027: "TPM_RC_PCR",
88    0x028: "TPM_RC_PCR_CHANGED",
89    0x02D: "TPM_RC_UPGRADE",
90    0x02E: "TPM_RC_TOO_MANY_CONTEXTS",
91    0x02F: "TPM_RC_AUTH_UNAVAILABLE",
92    0x030: "TPM_RC_REBOOT",
93    0x031: "TPM_RC_UNBALANCED",
94    0x042: "TPM_RC_COMMAND_SIZE",
95    0x043: "TPM_RC_COMMAND_CODE",
96    0x044: "TPM_RC_AUTHSIZE",
97    0x045: "TPM_RC_AUTH_CONTEXT",
98    0x046: "TPM_RC_NV_RANGE",
99    0x047: "TPM_RC_NV_SIZE",
100    0x048: "TPM_RC_NV_LOCKED",
101    0x049: "TPM_RC_NV_AUTHORIZATION",
102    0x04A: "TPM_RC_NV_UNINITIALIZED",
103    0x04B: "TPM_RC_NV_SPACE",
104    0x04C: "TPM_RC_NV_DEFINED",
105    0x050: "TPM_RC_BAD_CONTEXT",
106    0x051: "TPM_RC_CPHASH",
107    0x052: "TPM_RC_PARENT",
108    0x053: "TPM_RC_NEEDS_TEST",
109    0x054: "TPM_RC_NO_RESULT",
110    0x055: "TPM_RC_SENSITIVE",
111    0x07F: "RC_MAX_FM0",
112}
113
114TPM2_FMT1_ERRORS = {
115    0x001: "TPM_RC_ASYMMETRIC",
116    0x002: "TPM_RC_ATTRIBUTES",
117    0x003: "TPM_RC_HASH",
118    0x004: "TPM_RC_VALUE",
119    0x005: "TPM_RC_HIERARCHY",
120    0x007: "TPM_RC_KEY_SIZE",
121    0x008: "TPM_RC_MGF",
122    0x009: "TPM_RC_MODE",
123    0x00A: "TPM_RC_TYPE",
124    0x00B: "TPM_RC_HANDLE",
125    0x00C: "TPM_RC_KDF",
126    0x00D: "TPM_RC_RANGE",
127    0x00E: "TPM_RC_AUTH_FAIL",
128    0x00F: "TPM_RC_NONCE",
129    0x010: "TPM_RC_PP",
130    0x012: "TPM_RC_SCHEME",
131    0x015: "TPM_RC_SIZE",
132    0x016: "TPM_RC_SYMMETRIC",
133    0x017: "TPM_RC_TAG",
134    0x018: "TPM_RC_SELECTOR",
135    0x01A: "TPM_RC_INSUFFICIENT",
136    0x01B: "TPM_RC_SIGNATURE",
137    0x01C: "TPM_RC_KEY",
138    0x01D: "TPM_RC_POLICY_FAIL",
139    0x01F: "TPM_RC_INTEGRITY",
140    0x020: "TPM_RC_TICKET",
141    0x021: "TPM_RC_RESERVED_BITS",
142    0x022: "TPM_RC_BAD_AUTH",
143    0x023: "TPM_RC_EXPIRED",
144    0x024: "TPM_RC_POLICY_CC",
145    0x025: "TPM_RC_BINDING",
146    0x026: "TPM_RC_CURVE",
147    0x027: "TPM_RC_ECC_POINT",
148}
149
150TPM2_WARN_ERRORS = {
151    0x001: "TPM_RC_CONTEXT_GAP",
152    0x002: "TPM_RC_OBJECT_MEMORY",
153    0x003: "TPM_RC_SESSION_MEMORY",
154    0x004: "TPM_RC_MEMORY",
155    0x005: "TPM_RC_SESSION_HANDLES",
156    0x006: "TPM_RC_OBJECT_HANDLES",
157    0x007: "TPM_RC_LOCALITY",
158    0x008: "TPM_RC_YIELDED",
159    0x009: "TPM_RC_CANCELED",
160    0x00A: "TPM_RC_TESTING",
161    0x010: "TPM_RC_REFERENCE_H0",
162    0x011: "TPM_RC_REFERENCE_H1",
163    0x012: "TPM_RC_REFERENCE_H2",
164    0x013: "TPM_RC_REFERENCE_H3",
165    0x014: "TPM_RC_REFERENCE_H4",
166    0x015: "TPM_RC_REFERENCE_H5",
167    0x016: "TPM_RC_REFERENCE_H6",
168    0x018: "TPM_RC_REFERENCE_S0",
169    0x019: "TPM_RC_REFERENCE_S1",
170    0x01A: "TPM_RC_REFERENCE_S2",
171    0x01B: "TPM_RC_REFERENCE_S3",
172    0x01C: "TPM_RC_REFERENCE_S4",
173    0x01D: "TPM_RC_REFERENCE_S5",
174    0x01E: "TPM_RC_REFERENCE_S6",
175    0x020: "TPM_RC_NV_RATE",
176    0x021: "TPM_RC_LOCKOUT",
177    0x022: "TPM_RC_RETRY",
178    0x023: "TPM_RC_NV_UNAVAILABLE",
179    0x7F: "TPM_RC_NOT_USED",
180}
181
182RC_VER1 = 0x100
183RC_FMT1 = 0x080
184RC_WARN = 0x900
185
186ALG_DIGEST_SIZE_MAP = {
187    TPM2_ALG_SHA1: SHA1_DIGEST_SIZE,
188    TPM2_ALG_SHA256: SHA256_DIGEST_SIZE,
189}
190
191ALG_HASH_FUNCTION_MAP = {
192    TPM2_ALG_SHA1: hashlib.sha1,
193    TPM2_ALG_SHA256: hashlib.sha256
194}
195
196NAME_ALG_MAP = {
197    "sha1": TPM2_ALG_SHA1,
198    "sha256": TPM2_ALG_SHA256,
199}
200
201
202class UnknownAlgorithmIdError(Exception):
203    def __init__(self, alg):
204        self.alg = alg
205
206    def __str__(self):
207        return '0x%0x' % (alg)
208
209
210class UnknownAlgorithmNameError(Exception):
211    def __init__(self, name):
212        self.name = name
213
214    def __str__(self):
215        return name
216
217
218class UnknownPCRBankError(Exception):
219    def __init__(self, alg):
220        self.alg = alg
221
222    def __str__(self):
223        return '0x%0x' % (alg)
224
225
226class ProtocolError(Exception):
227    def __init__(self, cc, rc):
228        self.cc = cc
229        self.rc = rc
230
231        if (rc & RC_FMT1) == RC_FMT1:
232            self.name = TPM2_FMT1_ERRORS.get(rc & 0x3f, "TPM_RC_UNKNOWN")
233        elif (rc & RC_WARN) == RC_WARN:
234            self.name = TPM2_WARN_ERRORS.get(rc & 0x7f, "TPM_RC_UNKNOWN")
235        elif (rc & RC_VER1) == RC_VER1:
236            self.name = TPM2_VER1_ERRORS.get(rc & 0x7f, "TPM_RC_UNKNOWN")
237        else:
238            self.name = TPM2_VER0_ERRORS.get(rc & 0x7f, "TPM_RC_UNKNOWN")
239
240    def __str__(self):
241        if self.cc:
242            return '%s: cc=0x%08x, rc=0x%08x' % (self.name, self.cc, self.rc)
243        else:
244            return '%s: rc=0x%08x' % (self.name, self.rc)
245
246
247class AuthCommand(object):
248    """TPMS_AUTH_COMMAND"""
249
250    def __init__(self, session_handle=TPM2_RS_PW, nonce=bytes(),
251                 session_attributes=0, hmac=bytes()):
252        self.session_handle = session_handle
253        self.nonce = nonce
254        self.session_attributes = session_attributes
255        self.hmac = hmac
256
257    def __bytes__(self):
258        fmt = '>I H%us B H%us' % (len(self.nonce), len(self.hmac))
259        return struct.pack(fmt, self.session_handle, len(self.nonce),
260                           self.nonce, self.session_attributes, len(self.hmac),
261                           self.hmac)
262
263    def __len__(self):
264        fmt = '>I H%us B H%us' % (len(self.nonce), len(self.hmac))
265        return struct.calcsize(fmt)
266
267
268class SensitiveCreate(object):
269    """TPMS_SENSITIVE_CREATE"""
270
271    def __init__(self, user_auth=bytes(), data=bytes()):
272        self.user_auth = user_auth
273        self.data = data
274
275    def __bytes__(self):
276        fmt = '>H%us H%us' % (len(self.user_auth), len(self.data))
277        return struct.pack(fmt, len(self.user_auth), self.user_auth,
278                           len(self.data), self.data)
279
280    def __len__(self):
281        fmt = '>H%us H%us' % (len(self.user_auth), len(self.data))
282        return struct.calcsize(fmt)
283
284
285class Public(object):
286    """TPMT_PUBLIC"""
287
288    FIXED_TPM = (1 << 1)
289    FIXED_PARENT = (1 << 4)
290    SENSITIVE_DATA_ORIGIN = (1 << 5)
291    USER_WITH_AUTH = (1 << 6)
292    RESTRICTED = (1 << 16)
293    DECRYPT = (1 << 17)
294
295    def __fmt(self):
296        return '>HHIH%us%usH%us' % \
297            (len(self.auth_policy), len(self.parameters), len(self.unique))
298
299    def __init__(self, object_type, name_alg, object_attributes,
300                 auth_policy=bytes(), parameters=bytes(),
301                 unique=bytes()):
302        self.object_type = object_type
303        self.name_alg = name_alg
304        self.object_attributes = object_attributes
305        self.auth_policy = auth_policy
306        self.parameters = parameters
307        self.unique = unique
308
309    def __bytes__(self):
310        return struct.pack(self.__fmt(),
311                           self.object_type,
312                           self.name_alg,
313                           self.object_attributes,
314                           len(self.auth_policy),
315                           self.auth_policy,
316                           self.parameters,
317                           len(self.unique),
318                           self.unique)
319
320    def __len__(self):
321        return struct.calcsize(self.__fmt())
322
323
324def get_digest_size(alg):
325    ds = ALG_DIGEST_SIZE_MAP.get(alg)
326    if not ds:
327        raise UnknownAlgorithmIdError(alg)
328    return ds
329
330
331def get_hash_function(alg):
332    f = ALG_HASH_FUNCTION_MAP.get(alg)
333    if not f:
334        raise UnknownAlgorithmIdError(alg)
335    return f
336
337
338def get_algorithm(name):
339    alg = NAME_ALG_MAP.get(name)
340    if not alg:
341        raise UnknownAlgorithmNameError(name)
342    return alg
343
344
345def hex_dump(d):
346    d = [format(ord(x), '02x') for x in d]
347    d = [d[i: i + 16] for i in range(0, len(d), 16)]
348    d = [' '.join(x) for x in d]
349    d = os.linesep.join(d)
350
351    return d
352
353class Client:
354    FLAG_DEBUG = 0x01
355    FLAG_SPACE = 0x02
356    FLAG_NONBLOCK = 0x04
357    TPM_IOC_NEW_SPACE = 0xa200
358
359    def __init__(self, flags = 0):
360        self.flags = flags
361
362        if (self.flags & Client.FLAG_SPACE) == 0:
363            self.tpm = open('/dev/tpm0', 'r+b', buffering=0)
364        else:
365            self.tpm = open('/dev/tpmrm0', 'r+b', buffering=0)
366
367        if (self.flags & Client.FLAG_NONBLOCK):
368            flags = fcntl.fcntl(self.tpm, fcntl.F_GETFL)
369            flags |= os.O_NONBLOCK
370            fcntl.fcntl(self.tpm, fcntl.F_SETFL, flags)
371            self.tpm_poll = select.poll()
372
373    def close(self):
374        self.tpm.close()
375
376    def send_cmd(self, cmd):
377        self.tpm.write(cmd)
378
379        if (self.flags & Client.FLAG_NONBLOCK):
380            self.tpm_poll.register(self.tpm, select.POLLIN)
381            self.tpm_poll.poll(10000)
382
383        rsp = self.tpm.read()
384
385        if (self.flags & Client.FLAG_NONBLOCK):
386            self.tpm_poll.unregister(self.tpm)
387
388        if (self.flags & Client.FLAG_DEBUG) != 0:
389            sys.stderr.write('cmd' + os.linesep)
390            sys.stderr.write(hex_dump(cmd) + os.linesep)
391            sys.stderr.write('rsp' + os.linesep)
392            sys.stderr.write(hex_dump(rsp) + os.linesep)
393
394        rc = struct.unpack('>I', rsp[6:10])[0]
395        if rc != 0:
396            cc = struct.unpack('>I', cmd[6:10])[0]
397            raise ProtocolError(cc, rc)
398
399        return rsp
400
401    def read_pcr(self, i, bank_alg = TPM2_ALG_SHA1):
402        pcrsel_len = max((i >> 3) + 1, 3)
403        pcrsel = [0] * pcrsel_len
404        pcrsel[i >> 3] = 1 << (i & 7)
405        pcrsel = ''.join(map(chr, pcrsel)).encode()
406
407        fmt = '>HII IHB%us' % (pcrsel_len)
408        cmd = struct.pack(fmt,
409                          TPM2_ST_NO_SESSIONS,
410                          struct.calcsize(fmt),
411                          TPM2_CC_PCR_READ,
412                          1,
413                          bank_alg,
414                          pcrsel_len, pcrsel)
415
416        rsp = self.send_cmd(cmd)
417
418        pcr_update_cnt, pcr_select_cnt = struct.unpack('>II', rsp[10:18])
419        assert pcr_select_cnt == 1
420        rsp = rsp[18:]
421
422        alg2, pcrsel_len2 = struct.unpack('>HB', rsp[:3])
423        assert bank_alg == alg2 and pcrsel_len == pcrsel_len2
424        rsp = rsp[3 + pcrsel_len:]
425
426        digest_cnt = struct.unpack('>I', rsp[:4])[0]
427        if digest_cnt == 0:
428            return None
429        rsp = rsp[6:]
430
431        return rsp
432
433    def extend_pcr(self, i, dig, bank_alg = TPM2_ALG_SHA1):
434        ds = get_digest_size(bank_alg)
435        assert(ds == len(dig))
436
437        auth_cmd = AuthCommand()
438
439        fmt = '>HII I I%us IH%us' % (len(auth_cmd), ds)
440        cmd = struct.pack(
441            fmt,
442            TPM2_ST_SESSIONS,
443            struct.calcsize(fmt),
444            TPM2_CC_PCR_EXTEND,
445            i,
446            len(auth_cmd),
447            bytes(auth_cmd),
448            1, bank_alg, dig)
449
450        self.send_cmd(cmd)
451
452    def start_auth_session(self, session_type, name_alg = TPM2_ALG_SHA1):
453        fmt = '>HII IIH16sHBHH'
454        cmd = struct.pack(fmt,
455                          TPM2_ST_NO_SESSIONS,
456                          struct.calcsize(fmt),
457                          TPM2_CC_START_AUTH_SESSION,
458                          TPM2_RH_NULL,
459                          TPM2_RH_NULL,
460                          16,
461                          ('\0' * 16).encode(),
462                          0,
463                          session_type,
464                          TPM2_ALG_NULL,
465                          name_alg)
466
467        return struct.unpack('>I', self.send_cmd(cmd)[10:14])[0]
468
469    def __calc_pcr_digest(self, pcrs, bank_alg = TPM2_ALG_SHA1,
470                          digest_alg = TPM2_ALG_SHA1):
471        x = []
472        f = get_hash_function(digest_alg)
473
474        for i in pcrs:
475            pcr = self.read_pcr(i, bank_alg)
476            if pcr is None:
477                return None
478            x += pcr
479
480        return f(bytearray(x)).digest()
481
482    def policy_pcr(self, handle, pcrs, bank_alg = TPM2_ALG_SHA1,
483                   name_alg = TPM2_ALG_SHA1):
484        ds = get_digest_size(name_alg)
485        dig = self.__calc_pcr_digest(pcrs, bank_alg, name_alg)
486        if not dig:
487            raise UnknownPCRBankError(bank_alg)
488
489        pcrsel_len = max((max(pcrs) >> 3) + 1, 3)
490        pcrsel = [0] * pcrsel_len
491        for i in pcrs:
492            pcrsel[i >> 3] |= 1 << (i & 7)
493        pcrsel = ''.join(map(chr, pcrsel)).encode()
494
495        fmt = '>HII IH%usIHB3s' % ds
496        cmd = struct.pack(fmt,
497                          TPM2_ST_NO_SESSIONS,
498                          struct.calcsize(fmt),
499                          TPM2_CC_POLICY_PCR,
500                          handle,
501                          len(dig),
502                          bytes(dig),
503                          1,
504                          bank_alg,
505                          pcrsel_len, pcrsel)
506
507        self.send_cmd(cmd)
508
509    def policy_password(self, handle):
510        fmt = '>HII I'
511        cmd = struct.pack(fmt,
512                          TPM2_ST_NO_SESSIONS,
513                          struct.calcsize(fmt),
514                          TPM2_CC_POLICY_PASSWORD,
515                          handle)
516
517        self.send_cmd(cmd)
518
519    def get_policy_digest(self, handle):
520        fmt = '>HII I'
521        cmd = struct.pack(fmt,
522                          TPM2_ST_NO_SESSIONS,
523                          struct.calcsize(fmt),
524                          TPM2_CC_POLICY_GET_DIGEST,
525                          handle)
526
527        return self.send_cmd(cmd)[12:]
528
529    def flush_context(self, handle):
530        fmt = '>HIII'
531        cmd = struct.pack(fmt,
532                          TPM2_ST_NO_SESSIONS,
533                          struct.calcsize(fmt),
534                          TPM2_CC_FLUSH_CONTEXT,
535                          handle)
536
537        self.send_cmd(cmd)
538
539    def create_root_key(self, auth_value = bytes()):
540        attributes = \
541            Public.FIXED_TPM | \
542            Public.FIXED_PARENT | \
543            Public.SENSITIVE_DATA_ORIGIN | \
544            Public.USER_WITH_AUTH | \
545            Public.RESTRICTED | \
546            Public.DECRYPT
547
548        auth_cmd = AuthCommand()
549        sensitive = SensitiveCreate(user_auth=auth_value)
550
551        public_parms = struct.pack(
552            '>HHHHHI',
553            TPM2_ALG_AES,
554            128,
555            TPM2_ALG_CFB,
556            TPM2_ALG_NULL,
557            2048,
558            0)
559
560        public = Public(
561            object_type=TPM2_ALG_RSA,
562            name_alg=TPM2_ALG_SHA1,
563            object_attributes=attributes,
564            parameters=public_parms)
565
566        fmt = '>HIII I%us H%us H%us HI' % \
567            (len(auth_cmd), len(sensitive), len(public))
568        cmd = struct.pack(
569            fmt,
570            TPM2_ST_SESSIONS,
571            struct.calcsize(fmt),
572            TPM2_CC_CREATE_PRIMARY,
573            TPM2_RH_OWNER,
574            len(auth_cmd),
575            bytes(auth_cmd),
576            len(sensitive),
577            bytes(sensitive),
578            len(public),
579            bytes(public),
580            0, 0)
581
582        return struct.unpack('>I', self.send_cmd(cmd)[10:14])[0]
583
584    def seal(self, parent_key, data, auth_value, policy_dig,
585             name_alg = TPM2_ALG_SHA1):
586        ds = get_digest_size(name_alg)
587        assert(not policy_dig or ds == len(policy_dig))
588
589        attributes = 0
590        if not policy_dig:
591            attributes |= Public.USER_WITH_AUTH
592            policy_dig = bytes()
593
594        auth_cmd =  AuthCommand()
595        sensitive = SensitiveCreate(user_auth=auth_value, data=data)
596
597        public = Public(
598            object_type=TPM2_ALG_KEYEDHASH,
599            name_alg=name_alg,
600            object_attributes=attributes,
601            auth_policy=policy_dig,
602            parameters=struct.pack('>H', TPM2_ALG_NULL))
603
604        fmt = '>HIII I%us H%us H%us HI' % \
605            (len(auth_cmd), len(sensitive), len(public))
606        cmd = struct.pack(
607            fmt,
608            TPM2_ST_SESSIONS,
609            struct.calcsize(fmt),
610            TPM2_CC_CREATE,
611            parent_key,
612            len(auth_cmd),
613            bytes(auth_cmd),
614            len(sensitive),
615            bytes(sensitive),
616            len(public),
617            bytes(public),
618            0, 0)
619
620        rsp = self.send_cmd(cmd)
621
622        return rsp[14:]
623
624    def unseal(self, parent_key, blob, auth_value, policy_handle):
625        private_len = struct.unpack('>H', blob[0:2])[0]
626        public_start = private_len + 2
627        public_len = struct.unpack('>H', blob[public_start:public_start + 2])[0]
628        blob = blob[:private_len + public_len + 4]
629
630        auth_cmd = AuthCommand()
631
632        fmt = '>HII I I%us %us' % (len(auth_cmd), len(blob))
633        cmd = struct.pack(
634            fmt,
635            TPM2_ST_SESSIONS,
636            struct.calcsize(fmt),
637            TPM2_CC_LOAD,
638            parent_key,
639            len(auth_cmd),
640            bytes(auth_cmd),
641            blob)
642
643        data_handle = struct.unpack('>I', self.send_cmd(cmd)[10:14])[0]
644
645        if policy_handle:
646            auth_cmd = AuthCommand(session_handle=policy_handle, hmac=auth_value)
647        else:
648            auth_cmd = AuthCommand(hmac=auth_value)
649
650        fmt = '>HII I I%us' % (len(auth_cmd))
651        cmd = struct.pack(
652            fmt,
653            TPM2_ST_SESSIONS,
654            struct.calcsize(fmt),
655            TPM2_CC_UNSEAL,
656            data_handle,
657            len(auth_cmd),
658            bytes(auth_cmd))
659
660        try:
661            rsp = self.send_cmd(cmd)
662        finally:
663            self.flush_context(data_handle)
664
665        data_len = struct.unpack('>I', rsp[10:14])[0] - 2
666
667        return rsp[16:16 + data_len]
668
669    def reset_da_lock(self):
670        auth_cmd = AuthCommand()
671
672        fmt = '>HII I I%us' % (len(auth_cmd))
673        cmd = struct.pack(
674            fmt,
675            TPM2_ST_SESSIONS,
676            struct.calcsize(fmt),
677            TPM2_CC_DICTIONARY_ATTACK_LOCK_RESET,
678            TPM2_RH_LOCKOUT,
679            len(auth_cmd),
680            bytes(auth_cmd))
681
682        self.send_cmd(cmd)
683
684    def __get_cap_cnt(self, cap, pt, cnt):
685        handles = []
686        fmt = '>HII III'
687
688        cmd = struct.pack(fmt,
689                          TPM2_ST_NO_SESSIONS,
690                          struct.calcsize(fmt),
691                          TPM2_CC_GET_CAPABILITY,
692                          cap, pt, cnt)
693
694        rsp = self.send_cmd(cmd)[10:]
695        more_data, cap, cnt = struct.unpack('>BII', rsp[:9])
696        rsp = rsp[9:]
697
698        for i in range(0, cnt):
699            handle = struct.unpack('>I', rsp[:4])[0]
700            handles.append(handle)
701            rsp = rsp[4:]
702
703        return handles, more_data
704
705    def get_cap(self, cap, pt):
706        handles = []
707
708        more_data = True
709        while more_data:
710            next_handles, more_data = self.__get_cap_cnt(cap, pt, 1)
711            handles += next_handles
712            pt += 1
713
714        return handles
715