Diffstat (limited to 'roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests')
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/.cvsignore1
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/initkeys.bat147
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/initkeys.sh130
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/inittpm.bat79
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/inittpm.sh71
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testaes.bat143
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testaes.sh114
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testaes138.bat142
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testaes138.sh114
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testattest.bat580
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testattest.sh442
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testattest155.bat162
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testattest155.sh132
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testbind.bat658
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testbind.sh427
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeauth.bat179
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeauth.sh144
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeseed.bat208
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeseed.sh157
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testclocks.bat104
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testclocks.sh91
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcontext.bat237
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcontext.sh182
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcreateloaded.bat299
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcreateloaded.sh231
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcredential.bat504
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcredential.sh404
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testda.bat203
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testda.sh152
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testdup.bat786
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testdup.sh626
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testecc.bat324
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testecc.sh279
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testencsession.bat483
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testencsession.sh340
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testevict.bat125
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testevict.sh99
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testgetcap.bat158
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testgetcap.sh125
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhierarchy.bat369
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhierarchy.sh244
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhmac.bat331
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhmac.sh254
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhmacsession.bat111
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhmacsession.sh90
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testnv.bat963
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testnv.sh707
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testnvpin.bat1029
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testnvpin.sh739
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpcr.bat348
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpcr.sh300
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.bat2715
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.sh2031
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy138.bat600
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy138.sh477
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testprimary.bat224
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testprimary.sh175
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testrng.bat59
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testrng.sh54
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testrsa.bat432
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testrsa.sh350
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testsalt.bat433
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testsalt.sh347
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testshutdown.bat541
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testshutdown.sh396
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testsign.bat504
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testsign.sh402
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/teststorage.bat205
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/teststorage.sh164
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testunseal.bat765
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testunseal.sh619
-rw-r--r--roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testx509.bat426
-rwxr-xr-xroms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testx509.sh342
73 files changed, 27528 insertions, 0 deletions
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/.cvsignore b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/.cvsignore
new file mode 100644
index 000000000..8ea2fe2e2
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/.cvsignore
@@ -0,0 +1 @@
+testdevel.sh
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/initkeys.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/initkeys.bat
new file mode 100644
index 000000000..0f04aad82
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/initkeys.bat
@@ -0,0 +1,147 @@
+REM #############################################################################
+REM #
+REM TPM2 regression test #
+REM Written by Ken Goldman #
+REM IBM Thomas J. Watson Research Center #
+REM #
+REM (c) Copyright IBM Corporation 2015 - 2020 #
+REM #
+REM All rights reserved. #
+REM #
+REM Redistribution and use in source and binary forms, with or without #
+REM modification, are permitted provided that the following conditions are #
+REM met: #
+REM #
+REM Redistributions of source code must retain the above copyright notice, #
+REM this list of conditions and the following disclaimer. #
+REM #
+REM Redistributions in binary form must reproduce the above copyright #
+REM notice, this list of conditions and the following disclaimer in the #
+REM documentation and/or other materials provided with the distribution. #
+REM #
+REM Neither the names of the IBM Corporation nor the names of its #
+REM contributors may be used to endorse or promote products derived from #
+REM this software without specific prior written permission. #
+REM #
+REM THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo | set /p="1234567890123456" > msg.bin
+touch zero.bin
+
+REM try to undefine any NV index left over from a previous test. Do not check for errors.
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 -pwdp ppp > run.out
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000001 > run.out
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000002 > run.out
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000003 > run.out
+
+REM same for persistent objects
+%TPM_EXE_PATH%evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out
+
+echo ""
+echo "Initialize Regression Test Keys"
+echo ""
+
+echo "Create a platform primary storage key"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto -pol policies/zerosha256.bin -tk pritk.bin -ch prich.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create an RSA storage key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pol policies/policycccreate-auth.bin -opr storersa2048priv.bin -opu storersa2048pub.bin -tk storsatk.bin -ch storsach.bin -pwdp sto -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create an ECC storage key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -ecc nistp256 -st -kt f -kt p -opr storeeccpriv.bin -opu storeeccpub.bin -pwdp sto -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%B in (2048 3072) do (
+
+ echo "Create an unrestricted RSA %%B signing key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr signrsa%%Bpriv.bin -opu signrsa%%Bpub.bin -opem signrsa%%Bpub.pem -pwdp sto -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create an RSA decryption key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -den -kt f -kt p -opr derrsa%%Bpriv.bin -opu derrsa%%Bpub.bin -pwdp sto -pwdk dec > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Create an unrestricted ECC signing key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -ecc nistp256 -si -kt f -kt p -opr signeccpriv.bin -opu signeccpub.bin -opem signeccpub.pem -pwdp sto -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a restricted RSA signing key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -sir -kt f -kt p -opr signrsa2048rpriv.bin -opu signrsa2048rpub.bin -opem signrsa2048rpub.pem -pwdp sto -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a restricted ECC signing key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -ecc nistp256 -sir -kt f -kt p -opr signeccrpriv.bin -opu signeccrpub.bin -opem signeccrpub.pem -pwdp sto -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a not fixedTPM RSA signing key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -sir -opr signrsa2048nfpriv.bin -opu signrsa2048nfpub.bin -opem signrsa2048nfpub.pem -pwdp sto -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a not fixedTPM ECC signing key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -ecc nistp256 -sir -opr signeccnfpriv.bin -opu signeccnfpub.bin -opem signeccnfpub.pem -pwdp sto -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a symmetric cipher key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -des -kt f -kt p -opr despriv.bin -opu despub.bin -pwdp sto -pwdk aes > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a %%H unrestricted keyed hash key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -kh -kt f -kt p -opr khpriv%%H.bin -opu khpub%%H.bin -pwdp sto -pwdk khk -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a %%H restricted keyed hash key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -khr -kt f -kt p -opr khrpriv%%H.bin -opu khrpub%%H.bin -pwdp sto -pwdk khk -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+exit /B 0
+
+
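Review bot: The `for %%B in (2048 3072)` loop never passes the key size to `create`: both the signing-key command (`-si -kt f -kt p -opr signrsa%%Bpriv.bin …`) and the decryption-key command (`-den -kt f -kt p -opr derrsa%%Bpriv.bin …`) omit `-rsa %%B`, so the files named signrsa3072*/derrsa3072* hold whatever size the tool defaults to, and later tests that select a key by file name will exercise the wrong modulus size. Both lines should carry the loop variable, e.g. `%TPM_EXE_PATH%create -hp 80000000 -rsa %%B -si -kt f -kt p -opr signrsa%%Bpriv.bin -opu signrsa%%Bpub.bin -opem signrsa%%Bpub.pem -pwdp sto -pwdk sig > run.out` and the same `-rsa %%B` on the `-den` line. The initkeys.sh hunk has the same omission for its decryption key (`-den -kt f -kt p -opr derrsa${BITS}priv.bin`), where only the signing key passes `-rsa ${BITS}`. Separately, `echo ""` in a batch file prints the two quote characters literally; `echo.` is the idiom for a blank line.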
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/initkeys.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/initkeys.sh
new file mode 100755
index 000000000..fba615342
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/initkeys.sh
@@ -0,0 +1,130 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo -n "1234567890123456" > msg.bin
+touch zero.bin
+
+# try to undefine any NV index left over from a previous test. Do not check for errors.
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+${PREFIX}nvundefinespace -hi p -ha 01000000 -pwdp ppp > run.out
+${PREFIX}nvundefinespace -hi p -ha 01000001 > run.out
+${PREFIX}nvundefinespace -hi o -ha 01000002 > run.out
+${PREFIX}nvundefinespace -hi o -ha 01000003 > run.out
+# same for persistent objects
+${PREFIX}evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out
+
+echo ""
+echo "Initialize Regression Test Keys"
+echo ""
+
+# Create a platform primary RSA storage key
+initprimary
+
+echo "Create an RSA storage key under the primary key"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pol policies/policycccreate-auth.bin -opr storersa2048priv.bin -opu storersa2048pub.bin -tk storsatk.bin -ch storsach.bin -pwdp sto -pwdk sto > run.out
+checkSuccess $?
+
+echo "Create an ECC storage key under the primary key"
+${PREFIX}create -hp 80000000 -ecc nistp256 -st -kt f -kt p -opr storeeccpriv.bin -opu storeeccpub.bin -pwdp sto -pwdk sto > run.out
+checkSuccess $?
+
+for BITS in 2048 3072
+do
+
+ echo "Create an unrestricted RSA $BITS signing key under the primary key"
+ ${PREFIX}create -hp 80000000 -rsa ${BITS} -si -kt f -kt p -opr signrsa${BITS}priv.bin -opu signrsa${BITS}pub.bin -opem signrsa${BITS}pub.pem -pwdp sto -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Create an RSA $BITS decryption key under the primary key"
+ ${PREFIX}create -hp 80000000 -den -kt f -kt p -opr derrsa${BITS}priv.bin -opu derrsa${BITS}pub.bin -pwdp sto -pwdk dec > run.out
+ checkSuccess $?
+
+done
+
+echo "Create an unrestricted ECC signing key under the primary key"
+${PREFIX}create -hp 80000000 -ecc nistp256 -si -kt f -kt p -opr signeccpriv.bin -opu signeccpub.bin -opem signeccpub.pem -pwdp sto -pwdk sig > run.out
+checkSuccess $?
+
+echo "Create a restricted RSA signing key under the primary key"
+${PREFIX}create -hp 80000000 -rsa 2048 -sir -kt f -kt p -opr signrsa2048rpriv.bin -opu signrsa2048rpub.bin -opem signrsa2048rpub.pem -pwdp sto -pwdk sig > run.out
+checkSuccess $?
+
+echo "Create an restricted ECC signing key under the primary key"
+${PREFIX}create -hp 80000000 -ecc nistp256 -sir -kt f -kt p -opr signeccrpriv.bin -opu signeccrpub.bin -opem signeccrpub.pem -pwdp sto -pwdk sig > run.out
+checkSuccess $?
+
+echo "Create a not fixedTPM RSA signing key under the primary key"
+${PREFIX}create -hp 80000000 -sir -opr signrsa2048nfpriv.bin -opu signrsa2048nfpub.bin -opem signrsa2048nfpub.pem -pwdp sto -pwdk sig > run.out
+checkSuccess $?
+
+echo "Create a not fixedTPM ECC signing key under the primary key"
+${PREFIX}create -hp 80000000 -ecc nistp256 -sir -opr signeccnfpriv.bin -opu signeccnfpub.bin -opem signeccnfpub.pem -pwdp sto -pwdk sig > run.out
+checkSuccess $?
+
+echo "Create a symmetric cipher key under the primary key"
+${PREFIX}create -hp 80000000 -des -kt f -kt p -opr despriv.bin -opu despub.bin -pwdp sto -pwdk aes > run.out
+RC=$?
+checkWarning $RC "Symmetric cipher key may not support sign attribute"
+
+if [ $RC -ne 0 ]; then
+ echo "Create a rev 116 symmetric cipher key under the primary key"
+ ${PREFIX}create -hp 80000000 -des -116 -kt f -kt p -opr despriv.bin -opu despub.bin -pwdp sto -pwdk aes > run.out
+ checkSuccess $?
+fi
+
+for HALG in ${ITERATE_ALGS}
+
+do
+
+ echo "Create a ${HALG} unrestricted keyed hash key under the primary key"
+ ${PREFIX}create -hp 80000000 -kh -kt f -kt p -opr khpriv${HALG}.bin -opu khpub${HALG}.bin -pwdp sto -pwdk khk -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Create a ${HALG} restricted keyed hash key under the primary key"
+ ${PREFIX}create -hp 80000000 -khr -kt f -kt p -opr khrpriv${HALG}.bin -opu khrpub${HALG}.bin -pwdp sto -pwdk khk -halg ${HALG} > run.out
+ checkSuccess $?
+
+
+
+done
+
+exit ${WARN}
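Review bot: `initprimary`, `checkSuccess`, `checkWarning` and `WARN` are used throughout but never defined or sourced in this file, so if the script is executed directly (it is installed 0755 with a bash shebang) every check degrades to a "command not found" and execution simply continues past failed `create` calls, which defeats the purpose of the per-step checks. Presumably a driver script defines these helpers before running the test; a guard near the top would make that dependency explicit and fail fast instead: `type checkSuccess >/dev/null 2>&1 || { echo "initkeys.sh: run via the regression driver (checkSuccess undefined)" >&2; exit 1; }`. The leftover-cleanup block (`nvundefinespace`/`evictcontrol`) is documented as best-effort, but the key-creation steps that follow depend on those helpers and have no fallback.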
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/inittpm.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/inittpm.bat
new file mode 100644
index 000000000..bfd094213
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/inittpm.bat
@@ -0,0 +1,79 @@
+REM #############################################################################
+REM #
+REM TPM2 regression test #
+REM Written by Ken Goldman #
+REM IBM Thomas J. Watson Research Center #
+REM $Id: inittpm.bat 1276 2018-07-23 19:25:13Z kgoldman $ #
+REM #
+REM (c) Copyright IBM Corporation 2015, 2018 #
+REM #
+REM All rights reserved. #
+REM #
+REM Redistribution and use in source and binary forms, with or without #
+REM modification, are permitted provided that the following conditions are #
+REM met: #
+REM #
+REM Redistributions of source code must retain the above copyright notice, #
+REM this list of conditions and the following disclaimer. #
+REM #
+REM Redistributions in binary form must reproduce the above copyright #
+REM notice, this list of conditions and the following disclaimer in the #
+REM documentation and/or other materials provided with the distribution. #
+REM #
+REM Neither the names of the IBM Corporation nor the names of its #
+REM contributors may be used to endorse or promote products derived from #
+REM this software without specific prior written permission. #
+REM #
+REM THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo "Power cycle"
+%TPM_EXE_PATH%powerup -v > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Startup"
+%TPM_EXE_PATH%startup -c -v > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Test Result"
+%TPM_EXE_PATH%gettestresult > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Allocate PCRs for SHA-1, SHA-256, SHA-384 SHA-512 PCRs"
+%TPM_EXE_PATH%pcrallocate +sha1 +sha256 +sha384 +sha512 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Power cycle"
+%TPM_EXE_PATH%powerup -v > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Startup"
+%TPM_EXE_PATH%startup -c -v > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
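Review bot: The second `powerup`/`startup -c` pair after `pcrallocate` has no comment explaining why the TPM is cycled twice, which reads like an accidental duplicate of the first two steps. A PCR bank allocation only takes effect at the next TPM Reset, so the second cycle is what makes the SHA-1/256/384/512 banks available to the tests that follow; a line such as `REM pcrallocate takes effect only on the next TPM Reset, so power cycle again` before the second `echo "Power cycle"` would make that intent clear. The same comment belongs before the second power cycle in the inittpm.sh hunk.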
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/inittpm.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/inittpm.sh
new file mode 100755
index 000000000..eaefab4cc
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/inittpm.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: inittpm.sh 1277 2018-07-23 20:30:23Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Initialize TPM"
+echo ""
+
+echo "Power cycle"
+${PREFIX}powerup > run.out
+checkSuccess $?
+
+echo "Startup"
+${PREFIX}startup -c > run.out
+checkSuccess $?
+
+echo "Get Test Result"
+${PREFIX}gettestresult > run.out
+checkSuccess $?
+
+echo "Allocate initial SHA-1, SHA-256, SHA-384 SHA-512 PCRs"
+${PREFIX}pcrallocate +sha1 +sha256 +sha384 +sha512 > run.out
+checkSuccess $?
+
+echo "Power cycle"
+${PREFIX}powerup > run.out
+checkSuccess $?
+
+echo "Startup"
+${PREFIX}startup -c > run.out
+checkSuccess $?
+
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testaes.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testaes.bat
new file mode 100644
index 000000000..9220824f1
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testaes.bat
@@ -0,0 +1,143 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testaes.bat 1301 2018-08-15 21:46:19Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "AES symmetric key"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+
+ echo "Load the symmetric cipher key under the primary key %%~S"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr despriv.bin -ipu despub.bin -pwdp sto %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Encrypt using the symmetric cipher key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -hk 80000001 -if msg.bin -of enc.bin -pwdk aes %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Decrypt using the symmetric cipher key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aes %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ diff msg.bin dec.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Encrypt using the symmetric cipher key 0 length message %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -hk 80000001 -if zero.bin -of enc.bin -pwdk aes %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Decrypt using the symmetric cipher key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aes %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ diff zero.bin dec.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the symmetric cipher key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary symmetric cipher key %%~S"
+ %TPM_EXE_PATH%createprimary -des -pwdk aesp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Encrypt using the symmetric cipher primary key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -hk 80000001 -if msg.bin -of enc.bin -pwdk aesp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Decrypt using the symmetric cipher primary key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aesp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ diff msg.bin dec.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the symmetric cipher key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
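Review bot: Every failure path in the loop is a bare `exit /B 1`, which leaves the loaded key at 80000001 and the HMAC session at 02000000 resident in the TPM; because the rest of the suite hard-codes those handles, one failure here can cascade into unrelated failures in later tests unless the driver resets the TPM between scripts, which this file cannot assume. A single `:fail` label that flushes both handles before exiting, with each `exit /B 1` replaced by `goto fail`, keeps the TPM clean on the error path at no cost on the success path (the explicit `exit /B 0` before the label is required so normal completion does not fall into it). The `echo ""` lines also print the quote characters literally in a batch file; `echo.` prints an empty line.

```batch
REM … unchanged: header, startauthsession, the for %%S loop with each "exit /B 1" replaced by "goto fail", final flushcontext …
exit /B 0

:fail
REM best-effort cleanup so the next test does not inherit a stale key or session at these fixed handles
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
exit /B 1
```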
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testaes.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testaes.sh
new file mode 100755
index 000000000..dd0d5580b
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testaes.sh
@@ -0,0 +1,114 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testaes.sh 1301 2018-08-15 21:46:19Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "AES symmetric key"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "Load the symmetric cipher key under the primary key ${SESS}"
+ ${PREFIX}load -hp 80000000 -ipr despriv.bin -ipu despub.bin -pwdp sto ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Encrypt using the symmetric cipher key ${SESS}"
+ ${PREFIX}encryptdecrypt -hk 80000001 -if msg.bin -of enc.bin -pwdk aes ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Decrypt using the symmetric cipher key ${SESS}"
+ ${PREFIX}encryptdecrypt -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aes ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ diff msg.bin dec.bin > run.out
+ checkSuccess $?
+
+ echo "Encrypt using the symmetric cipher key 0 length message ${SESS}"
+ ${PREFIX}encryptdecrypt -hk 80000001 -if zero.bin -of enc.bin -pwdk aes ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Decrypt using the symmetric cipher key ${SESS}"
+ ${PREFIX}encryptdecrypt -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aes ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ diff zero.bin dec.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the symmetric cipher key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create a primary symmetric cipher key ${SESS}"
+ ${PREFIX}createprimary -des -pwdk aesp ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Encrypt using the symmetric cipher primary key ${SESS}"
+ ${PREFIX}encryptdecrypt -hk 80000001 -if msg.bin -of enc.bin -pwdk aesp ${SESS}> run.out
+ checkSuccess $?
+
+ echo "Decrypt using the symmetric cipher primary key ${SESS}"
+ ${PREFIX}encryptdecrypt -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aesp ${SESS}> run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ diff msg.bin dec.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the symmetric cipher key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
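Review bot: The round-trip checks (`diff msg.bin dec.bin` after each encrypt/decrypt pair) only show that the key decrypts its own output; nothing checks that enc.bin actually differs from msg.bin, so an encryptdecrypt that copied its input through unchanged would pass every step in this loop. After each encrypt of msg.bin I would add `! cmp -s msg.bin enc.bin` followed by `checkSuccess $?`, which fits the existing checkSuccess-on-status pattern (assuming, as the rest of the file does, that checkSuccess fails on non-zero). The zero-length case cannot be checked this way, since an empty plaintext may legitimately produce an empty ciphertext. The same gap exists in testaes138.sh and in the two .bat variants. As a point of style, the redirects on the primary-key encrypt and decrypt lines are written `${SESS}> run.out` while every other line has `${SESS} > run.out`; it works, but the inconsistency also appears in testaes138.sh.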
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testaes138.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testaes138.bat
new file mode 100644
index 000000000..a2d17b120
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testaes138.bat
@@ -0,0 +1,142 @@
+REM #################################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testaes.sh 714 2016-08-11 21:46:03Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015, 2016 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "AES symmetric key"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Load the symmetric cipher key under the primary key %%~S"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr despriv.bin -ipu despub.bin -pwdp sto %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Encrypt using the symmetric cipher key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -2 -hk 80000001 -if msg.bin -of enc.bin -pwdk aes %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Decrypt using the symmetric cipher key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -2 -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aes %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ diff msg.bin dec.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Encrypt using the symmetric cipher key 0 length message %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -2 -hk 80000001 -if zero.bin -of enc.bin -pwdk aes %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Decrypt using the symmetric cipher key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -2 -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aes %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ diff zero.bin dec.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the symmetric cipher key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary symmetric cipher key %%~S"
+ %TPM_EXE_PATH%createprimary -des -pwdk aesp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Encrypt using the symmetric cipher primary key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -2 -hk 80000001 -if msg.bin -of enc.bin -pwdk aesp %%~S> run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Decrypt using the symmetric cipher primary key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -2 -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aesp %%~S> run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ diff msg.bin dec.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the symmetric cipher key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM %TPM_EXE_PATH%getcapability -cap 1 -pr 80000000
+REM %TPM_EXE_PATH%getcapability -cap 1 -pr 02000000
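Review bot: The `-2` flag on every encryptdecrypt call is the only functional difference from testaes.bat, and nothing in the file says what it selects; the banner still carries the copied `$Id: testaes.sh 714 ...` line, so the file identifies itself as testaes.sh. I would add one line below the banner, e.g. `REM # Variant of testaes.bat: every encryptdecrypt call passes -2, presumably to exercise the rev 1.38 EncryptDecrypt2 path (the "138" in the file name) - confirm against the utility's usage text`, and replace the `$Id` line with one naming testaes138.bat. testaes138.sh has the same stale `$Id` and the same undocumented `-2`.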
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testaes138.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testaes138.sh
new file mode 100755
index 000000000..49eb6fed8
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testaes138.sh
@@ -0,0 +1,114 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testaes.sh 714 2016-08-11 21:46:03Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "AES symmetric key"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "Load the symmetric cipher key under the primary key ${SESS}"
+ ${PREFIX}load -hp 80000000 -ipr despriv.bin -ipu despub.bin -pwdp sto ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Encrypt using the symmetric cipher key ${SESS}"
+ ${PREFIX}encryptdecrypt -2 -hk 80000001 -if msg.bin -of enc.bin -pwdk aes ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Decrypt using the symmetric cipher key ${SESS}"
+ ${PREFIX}encryptdecrypt -2 -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aes ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ diff msg.bin dec.bin > run.out
+ checkSuccess $?
+
+ echo "Encrypt using the symmetric cipher key 0 length message ${SESS}"
+ ${PREFIX}encryptdecrypt -2 -hk 80000001 -if zero.bin -of enc.bin -pwdk aes ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Decrypt using the symmetric cipher key ${SESS}"
+ ${PREFIX}encryptdecrypt -2 -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aes ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ diff zero.bin dec.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the symmetric cipher key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create a primary symmetric cipher key ${SESS}"
+ ${PREFIX}createprimary -des -pwdk aesp ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Encrypt using the symmetric cipher primary key ${SESS}"
+ ${PREFIX}encryptdecrypt -2 -hk 80000001 -if msg.bin -of enc.bin -pwdk aesp ${SESS}> run.out
+ checkSuccess $?
+
+ echo "Decrypt using the symmetric cipher primary key ${SESS}"
+ ${PREFIX}encryptdecrypt -2 -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aesp ${SESS}> run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ diff msg.bin dec.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the symmetric cipher key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testattest.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testattest.bat
new file mode 100644
index 000000000..d019bb1f7
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testattest.bat
@@ -0,0 +1,580 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2018 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Attestation"
+echo ""
+
+echo "Load the RSA signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the ECC signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signeccpriv.bin -ipu signeccpub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Define Space"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read Public, unwritten Name"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if msg.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ for %%H in (%ITERATE_ALGS%) do (
+
+ for %%A in (rsa ecc) do (
+
+ IF "%%A" == "rsa" (
+ set K=80000001
+ )
+ IF "%%A" == "ecc" (
+ set K=80000002
+ )
+
+ echo "Signing Key Self Certify %%H %%A %%~S"
+ %TPM_EXE_PATH%certify -hk !K! -ho 80000001 -halg %%H -pwdk sig -pwdo sig %%~S -os sig.bin -oa tmp.bin -qd policies/aaa -salg %%A > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the %%A signature %%H"
+ %TPM_EXE_PATH%verifysignature -hk !K! -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Quote %%H %%A %%~S"
+ %TPM_EXE_PATH%quote -hp 0 -hk !K! -halg %%H -palg %%H -pwdk sig %%~S -os sig.bin -oa tmp.bin -qd policies/aaa -salg %%A > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the %%A signature %%H"
+ %TPM_EXE_PATH%verifysignature -hk !K! -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get Time %%H %%A %%~S"
+ %TPM_EXE_PATH%gettime -hk !K! -halg %%H -pwdk sig %%~S -os sig.bin -oa tmp.bin -qd policies/aaa -salg %%A > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the %%A signature %%H"
+ %TPM_EXE_PATH%verifysignature -hk !K! -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Certify %%H %%A %%~S"
+ %TPM_EXE_PATH%nvcertify -ha 01000000 -pwdn nnn -hk !K! -pwdk sig -halg %%H -sz 16 %%~S -os sig.bin -oa tmp.bin -salg %%A > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the %%A signature %%H"
+ %TPM_EXE_PATH%verifysignature -hk !K! -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Set command audit digest ${HALG}"
+ %TPM_EXE_PATH%setcommandcodeauditstatus -hi p -halg null -clr 00000144 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get command audit digest %%H %%A %%~S"
+ %TPM_EXE_PATH%getcommandauditdigest -hk !K! -halg %%H %%~S -pwdk sig -os sig.bin -oa tmp.bin -qd policies/aaa -salg %%A > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the %%A signature"
+ %TPM_EXE_PATH%verifysignature -hk !K! -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+ )
+)
+
+echo "Flush the RSA attestation key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the ECC attestation key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Attestation with an HMAC key"
+echo ""
+
+echo "Generate an HMAC key"
+%TPM_EXE_PATH%getrandom -by 32 -of tmphkey.bin -ns > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a %%H HMAC key"
+ %TPM_EXE_PATH%create -hp 80000000 -pwdp sto -kh -halg %%H -if tmphkey.bin -opu tmppub.bin -opr tmppriv.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the %%H HMAC key"
+ %TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Self Certify with an HMAC key %%H"
+ %TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -halg %%H -salg hmac -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using TPM"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using OpenSSL"
+ %TPM_EXE_PATH%verifysignature -halg %%H -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Quote with an HMAC key %%H"
+ %TPM_EXE_PATH%quote -hp 0 -hk 80000001 -halg %%H -salg hmac -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using TPM"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using OpenSSL"
+ %TPM_EXE_PATH%verifysignature -halg %%H -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Gettime signed with an HMAC key %%H"
+ %TPM_EXE_PATH%gettime -hk 80000001 -halg %%H -salg hmac -os sig.bin -oa tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using TPM"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using OpenSSL"
+ %TPM_EXE_PATH%verifysignature -halg %%H -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Certify with an HMAC key %%H"
+ %TPM_EXE_PATH%nvcertify -ha 01000000 -pwdn nnn -hk 80000001 -halg %%H -salg hmac -sz 16 -os sig.bin -oa tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using TPM"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using OpenSSL"
+ %TPM_EXE_PATH%verifysignature -halg %%H -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get command audit digest with an HMAC key %%H"
+ %TPM_EXE_PATH%getcommandauditdigest -hk 80000001 -halg %%H -salg hmac -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using TPM"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using OpenSSL"
+ %TPM_EXE_PATH%verifysignature -halg %%H -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the %%H HMAC key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "NV Undefine Space"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Audit"
+echo ""
+
+REM 80000001 signing key
+REM 02000000 hmac and audit session
+
+echo ""
+echo "Audit with one session"
+echo ""
+
+echo "Load the audit signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%B in ("" "-bi 80000001 -pwdb sig") do (
+
+ for %%H in (%ITERATE_ALGS%) do (
+
+
+ echo "Start an HMAC auth session %%H %%~B"
+ %TPM_EXE_PATH%startauthsession -se h -halg %%H %%~B > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest %%H"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -if policies/aaa -os sig.bin -pwdk sig -ipu signrsa2048pub.bin -se0 02000000 81 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest %%H"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -if policies/aaa -os sig.bin -pwdk sig -ipu signrsa2048pub.bin -se0 02000000 81 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get Session Audit Digest %%H"
+ %TPM_EXE_PATH%getsessionauditdigest -hs 02000000 -hk 80000001 -pwdk sig -halg %%H -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the session"
+ %TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM 80000001 signing key
+REM 02000000 hmac session
+REM 02000001 audit session
+
+echo ""
+echo "Audit with HMAC and audit sessions"
+echo ""
+
+echo "Load the audit signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Start an audit session %%H"
+ %TPM_EXE_PATH%startauthsession -se h -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest %%H"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -if policies/aaa -os sig.bin -pwdk sig -ipu signrsa2048pub.bin -se0 02000001 81 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get Session Audit Digest %%~S"
+ %TPM_EXE_PATH%getsessionauditdigest -hs 02000001 -hk 80000001 -pwdk sig -os sig.bin -oa tmp.bin %%~S -qd policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the session"
+ %TPM_EXE_PATH%flushcontext -ha 02000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Certify Creation"
+echo ""
+
+echo "Load the RSA signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Certify the creation data for the primary key 80000000"
+%TPM_EXE_PATH%certifycreation -ho 80000000 -hk 80000001 -pwdk sig -tk pritk.bin -ch prich.bin -os sig.bin -oa tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -if tmp.bin -is sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the RSA storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Certify the creation data for the storage key 80000002"
+%TPM_EXE_PATH%certifycreation -ho 80000002 -hk 80000001 -pwdk sig -tk storsatk.bin -ch storsach.bin -os sig.bin -oa tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -if tmp.bin -is sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the storage key 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Audit a PCR Read"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Start an audit session %%H"
+ %TPM_EXE_PATH%startauthsession -se h -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR 16 reset"
+ %TPM_EXE_PATH%pcrreset -ha 16 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ cp policies/zero%%H.bin tmpdigestr.bin
+
+ echo "PCR 16 read %%H"
+ %TPM_EXE_PATH%pcrread -ha 16 -halg %%H -se0 02000000 81 -ahalg %%H -iosad tmpdigestr.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get session audit digest"
+ %TPM_EXE_PATH%getsessionauditdigest -hs 02000000 -od tmpdigestg.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Check session audit digest"
+ diff tmpdigestr.bin tmpdigestg.bin
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Extend PCR 16"
+ %TPM_EXE_PATH%pcrextend -ha 16 -halg %%H -ic aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR 16 read %%H"
+ %TPM_EXE_PATH%pcrread -ha 16 -halg %%H -se0 02000000 81 -ahalg %%H -iosad tmpdigestr.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get session audit digest"
+ %TPM_EXE_PATH%getsessionauditdigest -hs 02000000 -od tmpdigestg.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Check session audit digest"
+ diff tmpdigestr.bin tmpdigestg.bin
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the audit session"
+ %TPM_EXE_PATH%flushcontext -ha 02000000
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+REM cleanup
+
+rm -f tmppriv.bin
+rm -f tmppub.bin
+rm -f tmpdigestr.bin
+rm -f tmpdigestg.bin
+rm -f sig.bin
+rm -f tmp.bin
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
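Review bot: The HMAC key material generated by `getrandom -by 32 -of tmphkey.bin` in the "Attestation with an HMAC key" section is never deleted: the cleanup block at the end removes tmppriv.bin, tmppub.bin, the digest files, sig.bin and tmp.bin but not tmphkey.bin, and since cleanup runs only on the success path, any earlier `exit /B 1` leaves every temporary file behind. I would add `rm -f tmphkey.bin` to the cleanup list; fully cleaning up on failure would need the exit points routed through a single label, which is a larger change. Two smaller points in the same hunk: the echo before setcommandcodeauditstatus reads `"Set command audit digest ${HALG}"`, which is leaked shell syntax that cmd prints literally and should be `"Set command audit digest %%H"`; and the two `diff tmpdigestr.bin tmpdigestg.bin` lines and the final `flushcontext -ha 02000000` in the "Audit a PCR Read" loop lack the `> run.out` redirect used by every other command, so their output lands on the console instead of in run.out.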
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testattest.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testattest.sh
new file mode 100755
index 000000000..7cc6747f8
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testattest.sh
@@ -0,0 +1,442 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Attestation"
+echo ""
+
+
+# 80000001 RSA signing key
+# 80000002 ECC signing key
+
+echo "Load the RSA signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Load the ECC signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signeccpriv.bin -ipu signeccpub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "NV Define Space"
+${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 > run.out
+checkSuccess $?
+
+echo "NV Read Public, unwritten Name"
+${PREFIX}nvreadpublic -ha 01000000 > run.out
+checkSuccess $?
+
+echo "NV write"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if msg.bin > run.out
+checkSuccess $?
+
+echo "Start an HMAC session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ for SALG in rsa ecc
+ do
+
+ if [ ${SALG} == rsa ]; then
+ HANDLE=80000001
+ else
+ HANDLE=80000002
+ fi
+
+ echo "Signing Key Self Certify ${HALG} ${SALG} ${SESS}"
+ ${PREFIX}certify -hk ${HANDLE} -ho 80000001 -halg ${HALG} -pwdk sig -pwdo sig ${SESS} -os sig.bin -oa tmp.bin -qd policies/aaa -salg ${SALG} > run.out
+ checkSuccess $?
+
+ echo "Verify the ${SALG} signature ${HALG}"
+ ${PREFIX}verifysignature -hk ${HANDLE} -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Quote ${HALG} ${SALG} ${SALG} ${SESS}"
+ ${PREFIX}quote -hp 0 -hk ${HANDLE} -halg ${HALG} -palg ${HALG} -pwdk sig ${SESS} -os sig.bin -oa tmp.bin -qd policies/aaa -salg ${SALG} > run.out
+ checkSuccess $?
+
+ echo "Verify the ${SALG} signature ${HALG}"
+ ${PREFIX}verifysignature -hk ${HANDLE} -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Get Time ${HALG} ${SALG} ${SESS}"
+ ${PREFIX}gettime -hk ${HANDLE} -halg ${HALG} -pwdk sig ${SESS} -os sig.bin -oa tmp.bin -qd policies/aaa -salg ${SALG} > run.out
+ checkSuccess $?
+
+ echo "Verify the ${SALG} signature ${HALG}"
+ ${PREFIX}verifysignature -hk ${HANDLE} -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "NV Certify ${HALG} ${SALG} ${SESS}"
+ ${PREFIX}nvcertify -ha 01000000 -pwdn nnn -hk ${HANDLE} -pwdk sig -halg ${HALG} -sz 16 ${SESS} -os sig.bin -oa tmp.bin -salg ${SALG} > run.out
+ checkSuccess $?
+
+ echo "Verify the ${SALG} signature ${HALG}"
+ ${PREFIX}verifysignature -hk ${HANDLE} -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Set command audit digest ${HALG}"
+ ${PREFIX}setcommandcodeauditstatus -hi p -halg null -clr 00000144 > run.out
+ checkSuccess $?
+
+ echo "Get command audit digest ${HALG} ${SALG} ${SESS}"
+ ${PREFIX}getcommandauditdigest -hk ${HANDLE} -halg ${HALG} ${SESS} -pwdk sig -os sig.bin -oa tmp.bin -qd policies/aaa -salg ${SALG} > run.out
+ checkSuccess $?
+
+ echo "Verify the ${SALG} signature ${HALG}"
+ ${PREFIX}verifysignature -hk ${HANDLE} -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ done
+ done
+done
+
+echo "Flush the RSA attestation key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the ECC attestation key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Attestation with an HMAC key"
+echo ""
+
+echo "Generate an HMAC key"
+${PREFIX}getrandom -by 32 -of tmphkey.bin -ns > run.out
+checkSuccess $?
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Create a ${HALG} HMAC key ${HMACKEY}"
+ ${PREFIX}create -hp 80000000 -pwdp sto -kh -halg ${HALG} -if tmphkey.bin -opu tmppub.bin -opr tmppriv.bin > run.out
+ checkSuccess $?
+
+ echo "Load the ${HALG} HMAC key"
+ ${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+ checkSuccess $?
+
+ echo "Signing Key Self Certify with an HMAC key ${HALG}"
+ ${PREFIX}certify -hk 80000001 -ho 80000001 -halg ${HALG} -salg hmac -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using TPM"
+ ${PREFIX}verifysignature -hk 80000001 -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using OpenSSL"
+ ${PREFIX}verifysignature -halg ${HALG} -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ checkSuccess $?
+
+ echo "Quote with an HMAC key ${HALG}"
+ ${PREFIX}quote -hp 0 -hk 80000001 -halg ${HALG} -salg hmac -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using TPM"
+ ${PREFIX}verifysignature -hk 80000001 -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using OpenSSL"
+ ${PREFIX}verifysignature -halg ${HALG} -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ checkSuccess $?
+
+ echo "Gettime signed with an HMAC key ${HALG}"
+ ${PREFIX}gettime -hk 80000001 -halg ${HALG} -salg hmac -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using TPM"
+ ${PREFIX}verifysignature -hk 80000001 -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using OpenSSL"
+ ${PREFIX}verifysignature -halg ${HALG} -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ checkSuccess $?
+
+ echo "NV Certify with an HMAC key ${HALG}"
+ ${PREFIX}nvcertify -ha 01000000 -pwdn nnn -hk 80000001 -halg ${HALG} -salg hmac -sz 16 -os sig.bin -oa tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using TPM"
+ ${PREFIX}verifysignature -hk 80000001 -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using OpenSSL"
+ ${PREFIX}verifysignature -halg ${HALG} -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ checkSuccess $?
+
+ echo "Get command audit digest with an HMAC key ${HALG}"
+ ${PREFIX}getcommandauditdigest -hk 80000001 -halg ${HALG} -salg hmac -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using TPM"
+ ${PREFIX}verifysignature -hk 80000001 -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using OpenSSL"
+ ${PREFIX}verifysignature -halg ${HALG} -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the ${HALG} HMAC key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo "NV Undefine Space"
+${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Audit"
+echo ""
+
+# 80000001 signing key
+# 02000000 hmac and audit session
+
+echo ""
+echo "Audit with one session"
+echo ""
+
+echo "Load the audit signing key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+for BIND in "" "-bi 80000001 -pwdb sig"
+do
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ echo "Start an HMAC auth session ${HALG} ${BIND}"
+ ${PREFIX}startauthsession -se h -halg ${HALG} ${BIND} > run.out
+ checkSuccess $?
+
+ echo "Sign a digest ${HALG}"
+ ${PREFIX}sign -hk 80000001 -halg ${HALG} -if policies/aaa -os sig.bin -pwdk sig -ipu signrsa2048pub.bin -se0 02000000 81 > run.out
+ checkSuccess $?
+
+ echo "Sign a digest ${HALG}"
+ ${PREFIX}sign -hk 80000001 -halg ${HALG} -if policies/aaa -os sig.bin -pwdk sig -se0 02000000 81 -ipu signrsa2048pub.bin > run.out
+ checkWarning $? "Interaction between bind and audit session response HMAC may not be fixed"
+
+ echo "Get Session Audit Digest ${HALG}"
+ ${PREFIX}getsessionauditdigest -hs 02000000 -hk 80000001 -pwdk sig -halg ${HALG} -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG}"
+ ${PREFIX}verifysignature -hk 80000001 -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the session"
+ ${PREFIX}flushcontext -ha 02000000 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# 80000001 signing key
+# 02000000 hmac session
+# 02000001 audit session
+
+echo ""
+echo "Audit with HMAC and audit sessions"
+echo ""
+
+echo "Load the audit signing key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ echo "Start an audit session ${HALG}"
+ ${PREFIX}startauthsession -se h -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Sign a digest ${HALG}"
+ ${PREFIX}sign -hk 80000001 -halg $HALG -if policies/aaa -os sig.bin -pwdk sig -ipu signrsa2048pub.bin -se0 02000001 81 > run.out
+ checkSuccess $?
+
+ echo "Get Session Audit Digest ${SESS}"
+ ${PREFIX}getsessionauditdigest -hs 02000001 -hk 80000001 -pwdk sig -os sig.bin -oa tmp.bin ${SESS} -qd policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Verify the signature"
+ ${PREFIX}verifysignature -hk 80000001 -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the session"
+ ${PREFIX}flushcontext -ha 02000001 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Certify Creation"
+echo ""
+
+echo "Load the RSA signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Certify the creation data for the primary key 80000000"
+${PREFIX}certifycreation -ho 80000000 -hk 80000001 -pwdk sig -tk pritk.bin -ch prich.bin -os sig.bin -oa tmp.bin > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000001 -if tmp.bin -is sig.bin > run.out
+checkSuccess $?
+
+echo "Load the RSA storage key under the primary key"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Certify the creation data for the storage key 80000002"
+${PREFIX}certifycreation -ho 80000002 -hk 80000001 -pwdk sig -tk storsatk.bin -ch storsach.bin -os sig.bin -oa tmp.bin > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000001 -if tmp.bin -is sig.bin > run.out
+checkSuccess $?
+
+echo "Flush the storage key 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the signing key 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Audit a PCR Read"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Start an audit session ${HALG}"
+ ${PREFIX}startauthsession -se h -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "PCR 16 reset"
+ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+
+ cp policies/zero${HALG}.bin tmpdigestr.bin
+
+ echo "PCR 16 read ${HALG}"
+ ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${HALG} -iosad tmpdigestr.bin > run.out
+ checkSuccess $?
+
+ echo "Get session audit digest"
+ ${PREFIX}getsessionauditdigest -hs 02000000 -od tmpdigestg.bin > run.out
+ checkSuccess $?
+
+ echo "Check session audit digest"
+ diff tmpdigestr.bin tmpdigestg.bin
+ checkSuccess $?
+
+ echo "Extend PCR 16"
+ ${PREFIX}pcrextend -ha 16 -halg ${HALG} -ic aaa > run.out
+ checkSuccess $?
+
+ echo "PCR 16 read ${HALG}"
+ ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${HALG} -iosad tmpdigestr.bin > run.out
+ checkSuccess $?
+
+ echo "Get session audit digest"
+ ${PREFIX}getsessionauditdigest -hs 02000000 -od tmpdigestg.bin > run.out
+ checkSuccess $?
+
+ echo "Check session audit digest"
+ diff tmpdigestr.bin tmpdigestg.bin
+ checkSuccess $?
+
+ echo "Flush the audit session"
+ ${PREFIX}flushcontext -ha 02000000
+ checkSuccess $?
+
+done
+
+# cleanup
+
+rm -f tmppriv.bin
+rm -f tmppub.bin
+rm -f tmpdigestr.bin
+rm -f tmpdigestg.bin
+rm -f sig.bin
+rm -f tmp.bin
+rm -f tmphkey.bin
+
+exit ${WARN}
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
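Review bot: The `${PREFIX}flushcontext -ha 02000000` in the "Audit a PCR Read" loop (the step just before the last `checkSuccess` of that `for HALG` loop) is the only TPM command in this file whose output is not sent to run.out, so its output reaches the console and the run log differs from every other step; make it `${PREFIX}flushcontext -ha 02000000 > run.out`. In the HMAC-key section, `echo "Create a ${HALG} HMAC key ${HMACKEY}"` expands `${HMACKEY}`, which is never assigned in this file, so the message prints an empty field (and would abort under `set -u`); drop the `${HMACKEY}`. The `[ ${SALG} == rsa ]` test relies on the bash-only `==` inside `[` with an unquoted operand; `[[ ${SALG} == rsa ]]` matches the `#!/bin/bash` shebang and stays valid if the variable is ever empty. `checkSuccess`, `checkWarning` and `WARN` (used by the closing `exit ${WARN}`) are not defined in this file, so I assume the harness that runs it provides them.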
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testattest155.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testattest155.bat
new file mode 100644
index 000000000..cc5874d2c
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testattest155.bat
@@ -0,0 +1,162 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2019 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Attestation - rev 155"
+echo ""
+
+rem # 80000001 RSA signing key
+rem # 80000002 ECC signing key
+
+echo "Load the RSA signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the ECC signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signeccpriv.bin -ipu signeccpub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Define Space"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read Public, unwritten Name"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if msg.bin -v > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ for %%H in (%ITERATE_ALGS%) do (
+
+ for %%A in (rsa ecc) do (
+
+ IF "%%A" == "rsa" (
+ set K=80000001
+ )
+ IF "%%A" == "ecc" (
+ set K=80000002
+ )
+
+ echo "NV Certify a digest %%H %%A %%~S"
+ %TPM_EXE_PATH%nvcertify -ha 01000000 -pwdn nnn -hk !K! -pwdk sig -halg %%H -sz 0 %%~S -os sig.bin -oa tmp.bin -salg %%A -od tmpdigest1.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the %%A signature %%H"
+ %TPM_EXE_PATH%verifysignature -hk !K! -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -of tmpdata.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Digest the hashed and certified NV data %%H"
+ %TPM_EXE_PATH%hash -halg %%H -if tmpdata.bin -oh tmpdigest2.bin
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Check the digest %%H results"
+ diff tmpdigest1.bin tmpdigest2.bin
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+ )
+)
+
+echo "Flush the RSA attestation key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the ECC attestation key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rem # cleanup
+
+rm tmpdigest1.bin
+rm tmpdata.bin
+rm tmpdigest2.bin
+
+exit /B 0
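Review bot: The `%TPM_EXE_PATH%hash -halg %%H -if tmpdata.bin -oh tmpdigest2.bin` step inside the innermost `for %%A` loop is the only TPM command in this file that does not redirect to run.out, so its output reaches the console while every other step is logged; append `> run.out` as on the neighbouring lines. The cleanup uses `rm tmpdigest1.bin` (and the two lines after it) without `-f`, unlike the `rm -f` in the companion testattest155.sh, so a missing file prints an error even though `exit /B 0` then reports success; `rm -f` keeps cleanup quiet and consistent with the rest of the suite. The `nvwrite -ha 01000000 -pwdn nnn -if msg.bin -v` line also differs from the .sh counterpart, which omits `-v`; if the verbose output is not wanted in run.out, drop it for parity.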
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testattest155.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testattest155.sh
new file mode 100755
index 000000000..1f974740e
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testattest155.sh
@@ -0,0 +1,132 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2019 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Attestation - rev 155"
+echo ""
+
+# 80000001 RSA signing key
+# 80000002 ECC signing key
+
+echo "Load the RSA signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Load the ECC signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signeccpriv.bin -ipu signeccpub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "NV Define Space"
+${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 > run.out
+checkSuccess $?
+
+echo "NV Read Public, unwritten Name"
+${PREFIX}nvreadpublic -ha 01000000 > run.out
+checkSuccess $?
+
+echo "NV write"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if msg.bin > run.out
+checkSuccess $?
+
+echo "Start an HMAC session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ for SALG in rsa ecc
+ do
+
+ if [ ${SALG} == rsa ]; then
+ HANDLE=80000001
+ else
+ HANDLE=80000002
+ fi
+
+ echo "NV Certify a digest ${HALG} ${SALG} ${SESS}"
+ ${PREFIX}nvcertify -ha 01000000 -pwdn nnn -hk ${HANDLE} -pwdk sig -halg ${HALG} -sz 0 ${SESS} -os sig.bin -oa tmp.bin -salg ${SALG} -od tmpdigest1.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the ${SALG} signature ${HALG}"
+ ${PREFIX}verifysignature -hk ${HANDLE} -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "NV read"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -of tmpdata.bin > run.out
+ checkSuccess $?
+
+ echo "Digest the hashed and certified NV data ${HALG}"
+ ${PREFIX}hash -halg ${HALG} -if tmpdata.bin -oh tmpdigest2.bin
+ checkSuccess $?
+
+ echo "Check the digest ${HALG} results"
+ diff tmpdigest1.bin tmpdigest2.bin
+ checkSuccess $?
+
+ done
+ done
+done
+
+echo "Flush the RSA attestation key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the ECC attestation key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space"
+${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+checkSuccess $?
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+# cleanup
+
+rm -f tmpdigest1.bin
+rm -f tmpdata.bin
+rm -f tmpdigest2.bin
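Review bot: The `${PREFIX}hash -halg ${HALG} -if tmpdata.bin -oh tmpdigest2.bin` step in the inner `for SALG` loop is the only TPM command here without `> run.out`, so its output goes to the console rather than the log; add the redirect as on the surrounding lines. Unlike testattest.sh in this same commit, this script has no explicit exit and ends on `rm -f tmpdigest2.bin`, so its process status is whatever the last rm returns; if the harness reads the exit status the way testattest.sh's `exit ${WARN}` suggests, an explicit final `exit ${WARN}` (or `exit 0` if no warnings are possible here) would make the result deterministic. The `[ ${SALG} == rsa ]` test uses the bash-only `==` inside `[` with an unquoted operand; `[[ ${SALG} == rsa ]]` matches the shebang and is robust if the variable is empty.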
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testbind.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testbind.bat
new file mode 100644
index 000000000..8bbad8374
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testbind.bat
@@ -0,0 +1,658 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testbind.bat 1278 2018-07-23 21:20:42Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+REM
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Bind session"
+echo ""
+
+echo ""
+echo "Bind session to Primary Key"
+echo ""
+
+echo "Bind session bound to primary key at 80000000"
+%TPM_EXE_PATH%startauthsession -se h -bi 80000000 -pwdb sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create storage key using that bind session, same object 80000000"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create storage key using that bind session, same object 80000000, wrong password does not matter"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp xxx -pwdk 222 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create second primary key with different password 000 and Name"
+%TPM_EXE_PATH%createprimary -hi o -pwdk 000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Bind session bound to second primary key at 80000001, correct password"
+%TPM_EXE_PATH%startauthsession -se h -bi 80000001 -pwdb 000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using that bind session, different object 80000000"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using that bind session, different object 80000000, wrong password - should fail"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp xxx -pwdk 222 -se0 02000000 1 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Bind session bound to primary key at 80000000, wrong password"
+%TPM_EXE_PATH%startauthsession -se h -bi 80000000 -pwdb xxx > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using that bind session, same object 80000000 - should fail"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+echo "Flush the failing session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the second primary key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "Bind session to Hierarchy"
+echo ""
+
+echo "Change platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Bind session bound to platform hierarchy"
+%TPM_EXE_PATH%startauthsession -se h -bi 4000000c -pwdb ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using that bind session, wrong password - should fail"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp xxx -pwdk 222 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using that bind session"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Bind session bound to platform hierarchy, wrong password"
+%TPM_EXE_PATH%startauthsession -se h -bi 4000000c -pwdb xxx > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using that bind session - should fail"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+echo "Change platform hierarchy auth back to null"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "Bind session to NV"
+echo ""
+
+echo "NV Undefine Space"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+
+echo "NV Define Space"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 3 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "NV Read Public, unwritten Name"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Bind session bound to unwritten NV index at 01000000"
+%TPM_EXE_PATH%startauthsession -se h -bi 01000000 -pwdb nnn > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "NV write HMAC using bind session to set written"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -ic 123 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Bind session bound to written NV index at 01000000"
+%TPM_EXE_PATH%startauthsession -se h -bi 01000000 -pwdb nnn > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "NV Write HMAC using bind session"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -ic 123 -se0 02000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "NV Read HMAC using bind session"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 3 -se0 02000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "NV Read HMAC using bind session, wrong password does not matter"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn xxx -sz 3 -se0 02000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using that bind session"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "NV Undefine Space"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "Encrypt with bind to same object"
+echo ""
+
+for %%M in (xor aes) do (
+
+ echo "Start an HMAC auth session with %%M encryption and bind to primary key at 80000000"
+ %TPM_EXE_PATH%startauthsession -se h -sym %%M -bi 80000000 -pwdb sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create storage key using bind session, same object, wrong password"
+ %TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp xxx -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create storage key using bind session, same object 80000000"
+ %TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdk 222 -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the key, with %%M encryption"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto -se0 02000000 61 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sealed object"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the %%M session"
+ %TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "Encrypt with bind to different object"
+echo ""
+
+for %%M in (xor aes) do (
+
+ echo "Start an HMAC auth session with %%M encryption and bind to platform auth"
+ %TPM_EXE_PATH%startauthsession -se h -sym %%M -bi 4000000c > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create storage key using bind session, different object, wrong password, should fail"
+ %TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp xxx -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Create storage key using bind session, different object"
+ %TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp sto -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the key, with %%M encryption"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto -se0 02000000 61 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sealed object"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the %%M session"
+ %TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "Encrypt with bind to different object, xor"
+echo ""
+
+echo "Start an HMAC auth session with xor encryption and bind to platform auth"
+%TPM_EXE_PATH%startauthsession -se h -sym xor -bi 4000000c > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using bind session, different object, wrong password, should fail"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp xxx -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using bind session, different object"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp sto -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the key, with xor encryption"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto -se0 02000000 61 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the sealed object"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the xor session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "Encrypt with bind to different object, aes"
+echo ""
+
+echo "Start an HMAC auth session with aes encryption and bind to platform auth"
+%TPM_EXE_PATH%startauthsession -se h -sym aes -bi 4000000c > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using bind session, different object, wrong password, should fail"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp xxx -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using bind session, different object"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp sto -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the key, with aes encryption"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto -se0 02000000 61 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the sealed object"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the aes session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "PolicyAuthValue and bind to different object, command encryption"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign, auth"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Start a policy session, bind to primary key"
+%TPM_EXE_PATH%startauthsession -se p -bi 80000000 -pwdb sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Policy authvalue"
+%TPM_EXE_PATH%policyauthvalue -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Sign a digest - policy, command encrypt"
+%TPM_EXE_PATH%sign -hk 80000001 -if policies/aaa -os sig.bin -ipu tmppub.bin -se0 03000000 21 -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "PolicyAuthValue and bind to same object, command encryption"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign, auth"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -bi 80000001 -pwdb sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Policy authvalue"
+%TPM_EXE_PATH%policyauthvalue -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Sign a digest - policy, command encrypt"
+%TPM_EXE_PATH%sign -hk 80000001 -if policies/aaa -os sig.bin -ipu tmppub.bin -se0 03000000 21 -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "PolicyAuthValue and bind to different object, response encryption"
+echo ""
+
+echo "Create a storage key under the primary key - policy command code - create, auth"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -opr tmpspriv.bin -opu tmpspub.bin -pwdp sto -pwdk sto -pol policies/policycccreate-auth.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmpspriv.bin -ipu tmpspub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Start a policy session, bind to primary key"
+%TPM_EXE_PATH%startauthsession -se p -bi 80000000 -pwdb sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Policy command code - create"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 153 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Policy authvalue"
+%TPM_EXE_PATH%policyauthvalue -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create a signing key with response encryption"
+%TPM_EXE_PATH%create -hp 80000001 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -se0 03000000 41 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the signing key to verify response encryption"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "PolicyAuthValue and bind to same object, response encryption"
+echo ""
+
+echo "Create a storage key under the primary key - policy command code - create, auth"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -opr tmpspriv.bin -opu tmpspub.bin -pwdp sto -pwdk sto -pol policies/policycccreate-auth.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmpspriv.bin -ipu tmpspub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Start a policy session, bind to storage key"
+%TPM_EXE_PATH%startauthsession -se p -bi 80000001 -pwdb sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Policy command code - create"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 153 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Policy authvalue"
+%TPM_EXE_PATH%policyauthvalue -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create a signing key with response encryption"
+%TPM_EXE_PATH%create -hp 80000001 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -se0 03000000 41 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the signing key to verify response encryption"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+exit /B 0
+
+REM # getcapability -cap 1 -pr 80000000
+REM # getcapability -cap 1 -pr 02000000
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testbind.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testbind.sh
new file mode 100755
index 000000000..6af2408d7
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testbind.sh
@@ -0,0 +1,427 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testbind.sh 1277 2018-07-23 20:30:23Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Bind session"
+echo ""
+
+echo ""
+echo "Bind session to Primary Key"
+echo ""
+
+echo "Bind session bound to primary key at 80000000"
+${PREFIX}startauthsession -se h -bi 80000000 -pwdb sto > run.out
+checkSuccess $?
+
+echo "Create storage key using that bind session, same object 80000000"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Create storage key using that bind session, same object 80000000, wrong password does not matter"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp xxx -pwdk 222 -se0 02000000 0 > run.out
+checkSuccess $?
+
+echo "Create second primary key with different password 000 and Name"
+${PREFIX}createprimary -hi o -pwdk 000 > run.out
+checkSuccess $?
+
+echo "Bind session bound to second primary key at 80000001, correct password"
+${PREFIX}startauthsession -se h -bi 80000001 -pwdb 000 > run.out
+checkSuccess $?
+
+echo "Create storage key using that bind session, different object 80000000"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Create storage key using that bind session, different object 80000000, wrong password - should fail"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp xxx -pwdk 222 -se0 02000000 1 > run.out
+checkFailure $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "Bind session bound to primary key at 80000000, wrong password"
+${PREFIX}startauthsession -se h -bi 80000000 -pwdb xxx > run.out
+checkSuccess $?
+
+echo "Create storage key using that bind session, same object 80000000 - should fail"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 0 > run.out
+checkFailure $?
+
+echo "Flush the failing session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "Flush the second primary key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Bind session to Hierarchy"
+echo ""
+
+echo "Change platform hierarchy auth"
+${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
+checkSuccess $?
+
+echo "Bind session bound to platform hierarchy"
+${PREFIX}startauthsession -se h -bi 4000000c -pwdb ppp > run.out
+checkSuccess $?
+
+echo "Create storage key using that bind session, wrong password - should fail"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp xxx -pwdk 222 -se0 02000000 0 > run.out
+checkFailure $?
+
+echo "Create storage key using that bind session"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 0 > run.out
+checkSuccess $?
+
+echo "Bind session bound to platform hierarchy, wrong password"
+${PREFIX}startauthsession -se h -bi 4000000c -pwdb xxx > run.out
+checkSuccess $?
+
+echo "Create storage key using that bind session - should fail"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 0 > run.out
+checkFailure $?
+
+echo "Change platform hierarchy auth back to null"
+${PREFIX}hierarchychangeauth -hi p -pwda ppp > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Bind session to NV"
+echo ""
+
+echo "NV Undefine Space"
+${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+
+echo "NV Define Space"
+${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 3 > run.out
+checkSuccess $?
+
+echo "NV Read Public, unwritten Name"
+${PREFIX}nvreadpublic -ha 01000000 > run.out
+checkSuccess $?
+
+echo "Bind session bound to unwritten NV index at 01000000"
+${PREFIX}startauthsession -se h -bi 01000000 -pwdb nnn > run.out
+checkSuccess $?
+
+echo "NV write HMAC using bind session to set written"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -ic 123 -se0 02000000 0 > run.out
+checkSuccess $?
+
+echo "Bind session bound to written NV index at 01000000"
+${PREFIX}startauthsession -se h -bi 01000000 -pwdb nnn > run.out
+checkSuccess $?
+
+echo "NV Write HMAC using bind session"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -ic 123 -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "NV Read HMAC using bind session"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 3 -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "NV Read HMAC using bind session, wrong password does not matter"
+${PREFIX}nvread -ha 01000000 -pwdn xxx -sz 3 -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Create storage key using that bind session"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 0 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space"
+${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Encrypt with bind to same object"
+echo ""
+
+for MODE0 in xor aes
+
+do
+
+ echo "Start an HMAC auth session with $MODE0 encryption and bind to primary key at 80000000"
+ ${PREFIX}startauthsession -se h -sym $MODE0 -bi 80000000 -pwdb sto > run.out
+ checkSuccess $?
+
+ echo "Create storage key using bind session, same object, wrong password"
+ ${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp xxx -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+ checkSuccess $?
+
+ echo "Create storage key using bind session, same object 80000000"
+ ${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdk 222 -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+ checkSuccess $?
+
+ echo "Load the key, with $MODE0 encryption"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto -se0 02000000 61 > run.out
+ checkSuccess $?
+
+ echo "Flush the sealed object"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the $MODE0 session"
+ ${PREFIX}flushcontext -ha 02000000 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Encrypt with bind to different object"
+echo ""
+
+for MODE0 in xor aes
+
+do
+
+ echo "Start an HMAC auth session with $MODE0 encryption and bind to platform auth"
+ ${PREFIX}startauthsession -se h -sym $MODE0 -bi 4000000c > run.out
+ checkSuccess $?
+
+ echo "Create storage key using bind session, different object, wrong password, should fail"
+ ${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp xxx -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+ checkFailure $?
+
+ echo "Create storage key using bind session, different object"
+ ${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp sto -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+ checkSuccess $?
+
+ echo "Load the key, with $MODE0 encryption"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto -se0 02000000 61 > run.out
+ checkSuccess $?
+
+ echo "Flush the sealed object"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the $MODE0 session"
+ ${PREFIX}flushcontext -ha 02000000 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "PolicyAuthValue and bind to different object, command encryption"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign, auth"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session, bind to primary key"
+${PREFIX}startauthsession -se p -bi 80000000 -pwdb sto > run.out
+checkSuccess $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Policy authvalue"
+${PREFIX}policyauthvalue -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, command encrypt"
+${PREFIX}sign -hk 80000001 -if policies/aaa -os sig.bin -ipu tmppub.bin -se0 03000000 21 -pwdk sig > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000001 -if policies/aaa -is sig.bin > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "PolicyAuthValue and bind to same object, command encryption"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign, auth"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -bi 80000001 -pwdb sig > run.out
+checkSuccess $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Policy authvalue"
+${PREFIX}policyauthvalue -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, command encrypt"
+${PREFIX}sign -hk 80000001 -if policies/aaa -os sig.bin -ipu tmppub.bin -se0 03000000 21 -pwdk sig > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000001 -if policies/aaa -is sig.bin > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "PolicyAuthValue and bind to different object, response encryption"
+echo ""
+
+#intermediate policy digest length 32
+# 54 a0 de 17 1d 03 c6 9b 17 b3 61 22 33 a5 e8 b2
+# d8 ee e0 87 f9 c6 ea 85 8c 9c 2e 51 05 52 8b 14
+# policy
+# 4b 50 04 f7 3f 2e f8 c0 96 c9 18 d0 bc 18 0e 6b
+# 49 0c 8a ed 14 bb 8f 86 fc 5a 54 ef 0c d3 90 44
+
+echo "Create a storage key under the primary key - policy command code - create, auth"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -opr tmpspriv.bin -opu tmpspub.bin -pwdp sto -pwdk sto -pol policies/policycccreate-auth.bin > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmpspriv.bin -ipu tmpspub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session, bind to primary key"
+${PREFIX}startauthsession -se p -bi 80000000 -pwdb sto > run.out
+checkSuccess $?
+
+echo "Policy command code - create"
+${PREFIX}policycommandcode -ha 03000000 -cc 153 > run.out
+checkSuccess $?
+
+echo "Policy authvalue"
+${PREFIX}policyauthvalue -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Create a signing key with response encryption"
+${PREFIX}create -hp 80000001 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -se0 03000000 41 > run.out
+checkSuccess $?
+
+echo "Load the signing key to verify response encryption"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "PolicyAuthValue and bind to same object, response encryption"
+echo ""
+
+echo "Create a storage key under the primary key - policy command code - create, auth"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -opr tmpspriv.bin -opu tmpspub.bin -pwdp sto -pwdk sto -pol policies/policycccreate-auth.bin > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmpspriv.bin -ipu tmpspub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session, bind to storage key"
+${PREFIX}startauthsession -se p -bi 80000001 -pwdb sto > run.out
+checkSuccess $?
+
+echo "Policy command code - create"
+${PREFIX}policycommandcode -ha 03000000 -cc 153 > run.out
+checkSuccess $?
+
+echo "Policy authvalue"
+${PREFIX}policyauthvalue -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Create a signing key with response encryption"
+${PREFIX}create -hp 80000001 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -se0 03000000 41 > run.out
+checkSuccess $?
+
+echo "Load the signing key to verify response encryption"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
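Review bot: The two steps labelled "wrong password does not matter" (the create under 80000000 with `-pwdp xxx` right after binding to 80000000, and the nvread with `-pwdn xxx` after binding to 01000000) expect success with no explanation, which to a reader unfamiliar with session binding looks like an authorization bypass rather than the property under test; a comment before the first one would settle it, e.g. `# Session bound to the very entity being authorized: the HMAC key is built from the bind auth alone, so the per-command password is not checked (TPM 2.0 session binding)` — that is my reading of the spec and worth confirming against the TSS code. The `nvundefinespace` at the top of the "Bind session to NV" section is the only command without a check and deserves `# cleanup from an earlier aborted run; failure is expected if the index is absent` so nobody "fixes" it by adding checkSuccess. If checkSuccess/checkFailure abort the script (their definitions are not in this file), any failure between `hierarchychangeauth -pwdn ppp` and the `-pwda ppp` restore leaves the platform auth set to ppp, which the later `startauthsession -bi 4000000c` with no -pwdb would not survive; a trap that restores it, or a note in the harness, would cover that. The "Flush the sealed object" echoes in both encryption loops describe a storage key loaded by the preceding `load`, not a sealed object.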
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeauth.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeauth.bat
new file mode 100644
index 000000000..9bff8418c
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeauth.bat
@@ -0,0 +1,179 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Object Change Auth"
+echo ""
+
+for %%B in ("" "-bi 80000001 -pwdb sig") do (
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Load the signing key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start an HMAC session %%~B"
+ %TPM_EXE_PATH%startauthsession -se h %%~B > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Object change auth, change password to xxx %%~S"
+ %TPM_EXE_PATH%objectchangeauth -ho 80000001 -pwdo sig -pwdn xxx -hp 80000000 -opr tmppriv.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key with the changed auth %%~S"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu signrsa2048pub.bin -pwdp sto %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest with the original key %%~S"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest with the changed key"
+ %TPM_EXE_PATH%sign -hk 80000002 -halg sha1 -if policies/aaa -os sig.bin -pwdk xxx > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the auth session"
+ %TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+)
+
+echo ""
+echo "Object Change Auth with password from file"
+echo ""
+
+echo "Load the decryption key under the primary key 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr derrsa2048priv.bin -ipu derrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Generate a random password"
+%TPM_EXE_PATH%getrandom -by 16 -ns -nz -of tmppwd.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Object change auth, change password"
+%TPM_EXE_PATH%objectchangeauth -hp 80000000 -ho 80000001 -pwdo dec -ipwdn tmppwd.bin -opr tmppriv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the decryption key with the changed auth 800000002"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipr tmppriv.bin -ipu derrsa2048pub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Encrypt the message"
+%TPM_EXE_PATH%rsaencrypt -hk 80000002 -id policies/aaa -oe tmpenc.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Decrypt the message"
+%TPM_EXE_PATH%rsadecrypt -hk 80000002 -ipwdk tmppwd.bin -ie tmpenc.bin -od tmpdec.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Compare the result"
+tail --bytes=3 tmpdec.bin > tmp.bin
+diff policies/aaa tmp.bin
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the keypair 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the keypair 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM cleanup
+
+rm tmppwd.bin
+rm tmpenc.bin
+rm tmpdec.bin
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+
+REM flushcontext -ha 80000001
+REM flushcontext -ha 80000002
+REM flushcontext -ha 02000000
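Review bot: The cleanup block removes tmppwd.bin, tmpenc.bin and tmpdec.bin but not the tmp.bin written by the `tail --bytes=3` step, and because every earlier check does `exit /B 1`, a failure anywhere after `getrandom` leaves tmppwd.bin — the freshly generated auth value — on disk beside the tmppriv.bin blob it protects; harmless on a simulator, but worth a `REM NOTE: on failure tmppwd.bin/tmppriv.bin are left behind` or a cleanup label reached via goto so the residue is deliberate rather than accidental. Adding `rm tmp.bin` to the cleanup is a one-line fix for the leftover file. Separately, `tail`, `diff` and `rm` are GNU/Unix tools rather than cmd.exe builtins, so this .bat presumably expects coreutils and diffutils on PATH; a `REM requires GNU tail/diff/rm (coreutils, diffutils) on PATH` near the top would explain a `'tail' is not recognized` failure that otherwise only surfaces at the compare step.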
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeauth.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeauth.sh
new file mode 100755
index 000000000..303b31893
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeauth.sh
@@ -0,0 +1,144 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Object Change Auth"
+echo ""
+
+for BIND in "" "-bi 80000001 -pwdb sig"
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Load the signing key under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Start an HMAC session ${BIND}"
+ ${PREFIX}startauthsession -se h ${BIND} > run.out
+ checkSuccess $?
+
+ echo "Object change auth, change password to xxx ${SESS}"
+ ${PREFIX}objectchangeauth -ho 80000001 -pwdo sig -pwdn xxx -hp 80000000 -opr tmppriv.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Load the signing key with the changed auth ${SESS}"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu signrsa2048pub.bin -pwdp sto ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Sign a digest with the original key ${SESS}"
+ ${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Sign a digest with the changed key"
+ ${PREFIX}sign -hk 80000002 -halg sha1 -if policies/aaa -os sig.bin -pwdk xxx > run.out
+ checkSuccess $?
+
+ echo "Flush the key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Flush the auth session"
+ ${PREFIX}flushcontext -ha 02000000 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo ""
+echo "Object Change Auth with password from file"
+echo ""
+
+echo "Load the decryption key under the primary key 80000001"
+${PREFIX}load -hp 80000000 -ipr derrsa2048priv.bin -ipu derrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Generate a random password"
+RANDOM_PASSWORD=`${PREFIX}getrandom -by 16 -ns -nz -of tmppwd.bin`
+echo " INFO: Random password ${RANDOM_PASSWORD}"
+
+echo "Object change auth, change password to ${RANDOM_PASSWORD}"
+${PREFIX}objectchangeauth -hp 80000000 -ho 80000001 -pwdo dec -ipwdn tmppwd.bin -opr tmppriv.bin > run.out
+checkSuccess $?
+
+echo "Load the decryption key with the changed auth 800000002"
+${PREFIX}load -hp 80000000 -pwdp sto -ipr tmppriv.bin -ipu derrsa2048pub.bin > run.out
+checkSuccess $?
+
+echo "Encrypt the message"
+${PREFIX}rsaencrypt -hk 80000002 -id policies/aaa -oe tmpenc.bin > run.out
+checkSuccess $?
+
+echo "Decrypt the message"
+${PREFIX}rsadecrypt -hk 80000002 -ipwdk tmppwd.bin -ie tmpenc.bin -od tmpdec.bin > run.out
+checkSuccess $?
+
+echo "Compare the result"
+tail -c 3 tmpdec.bin > tmp.bin
+diff policies/aaa tmp.bin
+checkSuccess $?
+
+echo "Flush the keypair 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the keypair 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+# cleanup
+
+rm -f tmppwd.bin
+rm -f tmpenc.bin
+rm -f tmpdec.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+
+# ${PREFIX}flushcontext -ha 80000001
+# ${PREFIX}flushcontext -ha 80000002
+# ${PREFIX}flushcontext -ha 02000000
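Review bot: The getrandom call on the `RANDOM_PASSWORD=` line is the only TPM command in this script whose status is not checked, so a failure to write tmppwd.bin is only caught indirectly when objectchangeauth later cannot read the file; the .bat counterpart does check it. Split the capture from the check, `RANDOM_PASSWORD=$(${PREFIX}getrandom -by 16 -ns -nz -of tmppwd.bin)` followed by `checkSuccess $?`, which also replaces the backtick form. The two echo lines after it print the generated password into the test log, which nothing in the test needs; the .bat version redirects that output to run.out instead. The message "Load the decryption key with the changed auth 800000002" has one digit too many and should read 80000002, and the cleanup block removes tmppwd/tmpenc/tmpdec but leaves tmppriv.bin and tmp.bin behind.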
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeseed.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeseed.bat
new file mode 100644
index 000000000..22d5e79bf
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeseed.bat
@@ -0,0 +1,208 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testchangeseed.bat 1278 2018-07-23 21:20:42Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015-2018 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Change PPS"
+echo ""
+
+echo "Flush the primary key"
+%TPM_EXE_PATH%flushcontext -ha 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change STO, no password"
+%TPM_EXE_PATH%changepps > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Set platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change PPS, bad password"
+%TPM_EXE_PATH%changepps > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Change PPS, good password"
+%TPM_EXE_PATH%changepps -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary key - platform hierarchy"
+%TPM_EXE_PATH%createprimary -hi p -pwdk 111 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a storage key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp 111 -pwdk 222 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change PPS - flushes primary key"
+%TPM_EXE_PATH%changepps > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key under the flushed primary key, should fail"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Create a different primary key - new PPS"
+%TPM_EXE_PATH%createprimary -hi p -pwdk 111 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key under the new primary key, should fail"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+
+echo ""
+echo "Change EPS"
+echo ""
+
+echo "Flush the primary key"
+%TPM_EXE_PATH%flushcontext -ha 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change EPS, no password"
+%TPM_EXE_PATH%changeeps > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary key - endorsement hierarchy"
+%TPM_EXE_PATH%createprimary -hi e -pwdk 111 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a storage key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp 111 -pwdk 222 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change EPS, no password"
+%TPM_EXE_PATH%changeeps > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key under the flushed primary key, should fail"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Create a different primary key - new EPS"
+%TPM_EXE_PATH%createprimary -hi e -pwdk 111 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key under the new primary key, should fail"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Create a storage key under the new primary key"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp 111 -pwdk 222 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key under the new primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+
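Review bot: The message before the first changepps call says "Change STO, no password" while the command changes the PPS; the .sh counterpart labels the same step "Change PPS, no password", so it should read `echo "Change PPS, no password"`. At the end of the EPS section only the storage key at 80000001 is flushed, so the endorsement-hierarchy primary created with `-pwdk 111` is still loaded at 80000000 when the script exits; whether the harness recreates the primary key with the password the other tests use (sto) before the next script runs is not visible here, so it is worth confirming or adding a final `%TPM_EXE_PATH%flushcontext -ha 80000000 > run.out` with its ERRORLEVEL check. tmppriv.bin and tmppub.bin are also left behind, unlike the cleanup in testchangeauth.bat. The same leftover-primary and missing-cleanup points apply to testchangeseed.sh below.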
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeseed.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeseed.sh
new file mode 100755
index 000000000..22ec2dcce
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeseed.sh
@@ -0,0 +1,157 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testchangeseed.sh 1277 2018-07-23 20:30:23Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Change PPS"
+echo ""
+
+echo "Flush the primary key"
+${PREFIX}flushcontext -ha 80000000 > run.out
+checkSuccess $?
+
+echo "Change PPS, no password"
+${PREFIX}changepps > run.out
+checkSuccess $?
+
+echo "Set platform hierarchy auth"
+${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
+checkSuccess $?
+
+echo "Change PPS, bad password"
+${PREFIX}changepps > run.out
+checkFailure $?
+
+echo "Change PPS, good password"
+${PREFIX}changepps -pwda ppp > run.out
+checkSuccess $?
+
+echo "Clear platform hierarchy auth"
+${PREFIX}hierarchychangeauth -hi p -pwda ppp > run.out
+checkSuccess $?
+
+echo "Create a primary key - platform hierarchy"
+${PREFIX}createprimary -hi p -pwdk 111 > run.out
+checkSuccess $?
+
+echo "Create a storage key under the primary key"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp 111 -pwdk 222 > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+checkSuccess $?
+
+echo "Change PPS - flushes primary key"
+${PREFIX}changepps > run.out
+checkSuccess $?
+
+echo "Load the storage key under the flushed primary key, should fail"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+checkFailure $?
+
+echo "Create a different primary key - new PPS"
+${PREFIX}createprimary -hi p -pwdk 111 > run.out
+checkSuccess $?
+
+echo "Load the storage key under the new primary key, should fail"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+checkFailure $?
+
+# getcapability -cap 1 -pr 80000000
+# getcapability -cap 1 -pr 02000000
+
+echo ""
+echo "Change EPS"
+echo ""
+
+echo "Flush the primary key"
+${PREFIX}flushcontext -ha 80000000 > run.out
+checkSuccess $?
+
+echo "Change EPS, no password"
+${PREFIX}changeeps > run.out
+checkSuccess $?
+
+echo "Create a primary key - endorsement hierarchy"
+${PREFIX}createprimary -hi e -pwdk 111 > run.out
+checkSuccess $?
+
+echo "Create a storage key under the primary key"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp 111 -pwdk 222 > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+checkSuccess $?
+
+echo "Change EPS, no password"
+${PREFIX}changeeps > run.out
+checkSuccess $?
+
+echo "Load the storage key under the flushed primary key, should fail"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+checkFailure $?
+
+echo "Create a different primary key - new EPS"
+${PREFIX}createprimary -hi e -pwdk 111 > run.out
+checkSuccess $?
+
+echo "Load the storage key under the new primary key, should fail"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+checkFailure $?
+
+echo "Create a storage key under the new primary key"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp 111 -pwdk 222 > run.out
+checkSuccess $?
+
+echo "Load the storage key under the new primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# getcapability -cap 1 -pr 80000000
+# getcapability -cap 1 -pr 02000000
+
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testclocks.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testclocks.bat
new file mode 100644
index 000000000..b9aa750fb
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testclocks.bat
@@ -0,0 +1,104 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testclocks.bat 1292 2018-08-01 17:27:24Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2018 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Clocks"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Read Clock"
+ %TPM_EXE_PATH%readclock -oclock tmpclk.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Clock set, time 0 %%~S - should fail"
+ %TPM_EXE_PATH%clockset -iclock tmpclk.bin %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Clock set, time plus 20 sec %%~S"
+ %TPM_EXE_PATH%clockset -iclock tmpclk.bin -addsec 20 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ for %%A in (-3 0 3) do (
+
+ echo "Clock rate adjust %%A %%~S"
+ %TPM_EXE_PATH%clockrateadjust -adj %%A %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+
+ for %%A in (-4 4) do (
+
+ echo "Clock rate adjust %%A %%~S - should fail"
+ %TPM_EXE_PATH%clockrateadjust -adj %%A %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rm -f tmpclk.bin
+
+exit /B 0
+
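Review bot: The echo before the first clockset in the loop says "time 0", but the command replays the value just read by readclock, i.e. the current time, which is the case the test expects the TPM to reject; the .sh counterpart labels it "current time". Change it to `echo "Clock set, current time %%~S - should fail"` so a failing run is not misread as a set-to-zero test. The cleanup uses `rm -f tmpclk.bin`, which only works on Windows when a Unix-style rm is on PATH; the sibling .bat files rely on the same convention, so this is consistent, but a one-line REM stating that requirement would help whoever runs these outside that environment.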
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testclocks.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testclocks.sh
new file mode 100755
index 000000000..4f58a7ec8
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testclocks.sh
@@ -0,0 +1,91 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testclocks.sh 1115 2017-12-13 23:35:20Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015, 2016 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Clocks"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "Read Clock"
+ ${PREFIX}readclock -oclock tmpclk.bin > run.out
+ checkSuccess $?
+
+ echo "Clock set, current time ${SESS} - should fail"
+ ${PREFIX}clockset -iclock tmpclk.bin ${SESS} > run.out
+ checkFailure $?
+
+ echo "Clock set, time plus 20 sec ${SESS}"
+ ${PREFIX}clockset -iclock tmpclk.bin -addsec 20 ${SESS} > run.out
+ checkSuccess $?
+
+ for ADJ in -3 0 3
+ do
+
+ echo "Clock rate adjust ${ADJ} ${SESS}"
+ ${PREFIX}clockrateadjust -adj ${ADJ} ${SESS} > run.out
+ checkSuccess $?
+
+ done
+
+ for ADJ in -4 4
+ do
+
+ echo "Clock rate adjust ${ADJ} ${SESS} - should fail"
+ ${PREFIX}clockrateadjust -adj ${ADJ} ${SESS} > run.out
+ checkFailure $?
+
+ done
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+rm -f tmpclk.bin
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcontext.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcontext.bat
new file mode 100644
index 000000000..8b672b6d9
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcontext.bat
@@ -0,0 +1,237 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Basic Context"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto -se0 02000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha256 -if msg.bin -is sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Save context for the key"
+%TPM_EXE_PATH%contextsave -ha 80000001 -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign to verify that the original key is not flushed"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the original key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign with original key - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Load context"
+%TPM_EXE_PATH%contextload -if tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign with the loaded context"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Save context for the session"
+%TPM_EXE_PATH%contextsave -ha 02000000 -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign with the saved session context - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Load context for the session"
+%TPM_EXE_PATH%contextload -if tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign with the saved session context"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the loaded context"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Context Public Key for Salt"
+echo ""
+
+echo "Load the storage key at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Save context for the storage key at 80000001"
+%TPM_EXE_PATH%contextsave -ha 80000001 -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load context at 80000002"
+%TPM_EXE_PATH%contextload -if tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the original key at 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC auth session at 02000000 using the storage key 80000002 salt"
+%TPM_EXE_PATH%startauthsession -se h -hs 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key at 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the salt key at 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Context Primary Key"
+echo ""
+
+echo "Save context for the primary key at 80000000"
+%TPM_EXE_PATH%contextsave -ha 80000000 -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load context primary key at 80000001"
+%TPM_EXE_PATH%contextload -if tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key at 80000002 under the primary key at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key at 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary key at 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
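Review bot: The load in the "Context Primary Key" section passes `-hp 80000000` although its echo says the signing key is loaded under the primary key at 80000001, which is the handle the preceding contextload is described as producing; as written the step loads under the original primary and never exercises the restored primary-key context. If the restored context is what should be tested, the line should be `%TPM_EXE_PATH%load -hp 80000001 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out`; otherwise the echo should name 80000000. The 80000001 handle is inferred from the messages and from the earlier "Load context at 80000002" step, since contextload output is not visible here. tmp.bin, which holds the saved key and session contexts, and sig.bin are not removed at the end, unlike the cleanup in the sibling scripts.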
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcontext.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcontext.sh
new file mode 100755
index 000000000..f640d77d0
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcontext.sh
@@ -0,0 +1,182 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Context"
+echo ""
+
+echo ""
+echo "Basic Context"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000001 -halg sha256 -if msg.bin -is sig.bin > run.out
+checkSuccess $?
+
+echo "Save context for the key"
+${PREFIX}contextsave -ha 80000001 -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Sign to verify that the original key is not flushed"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Flush the original key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Sign with original key - should fail"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+checkFailure $?
+
+echo "Load context"
+${PREFIX}contextload -if tmp.bin > run.out
+checkSuccess $?
+
+echo "Sign with the loaded context"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Save context for the session"
+${PREFIX}contextsave -ha 02000000 -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Sign with the saved session context - should fail"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+checkFailure $?
+
+echo "Load context for the session"
+${PREFIX}contextload -if tmp.bin > run.out
+checkSuccess $?
+
+echo "Sign with the saved session context"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Flush the loaded context"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Context Public Key for Salt"
+echo ""
+
+echo "Load the storage key at 80000001"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Save context for the storage key at 80000001"
+${PREFIX}contextsave -ha 80000001 -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Load context at 80000002"
+${PREFIX}contextload -if tmp.bin > run.out
+checkSuccess $?
+
+echo "Flush the original key at 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Start an HMAC auth session at 02000000 using the storage key 80000002 salt"
+${PREFIX}startauthsession -se h -hs 80000002 > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key at 80000001"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the signing key at 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the salt key at 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo ""
+echo "Context Primary Key"
+echo ""
+
+echo "Save context for the primary key at 80000000"
+${PREFIX}contextsave -ha 80000000 -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Load context primary key at 80000001"
+${PREFIX}contextload -if tmp.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key at 80000002 under the primary key at 80000001"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Flush the signing key at 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the primary key at 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
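Review bot: The load that follows `echo "Load the signing key at 80000002 under the primary key at 80000001"` passes `-hp 80000000`, so the primary-key context just restored at 80000001 is never used as a parent and the "Context Primary Key" section does not exercise what its label claims; either the echo text or the handle is wrong. If the intent is to load under the restored primary, the line should read `${PREFIX}load -hp 80000001 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out`; the same mismatch appears at the corresponding load in testcontext.bat above. The script also leaves `tmp.bin`, a saved key/session context blob, in the working directory, whereas testcreateloaded.sh in this series cleans up its artifacts; a trailing `rm -f tmp.bin` would match. A short header comment stating that `PREFIX`, `checkSuccess` and `checkFailure` are supplied by the calling harness would help, since none of them is defined here.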
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcreateloaded.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcreateloaded.bat
new file mode 100644
index 000000000..b03400a9f
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcreateloaded.bat
@@ -0,0 +1,299 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2019 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "CreateLoaded"
+echo ""
+
+echo ""
+echo "CreateLoaded Primary Key, Hierarchy Parent"
+echo ""
+
+for %%H in ("40000001" "4000000c" "4000000b") do (
+
+ echo "CreateLoaded primary key, parent %%~H"
+ %TPM_EXE_PATH%createloaded -hp %%~H -st -kt f -kt p -pwdk ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a storage key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000001 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the storage key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the storage key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the primary storage key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the storage key under the primary key - should fail"
+ %TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "CreateLoaded recreate owner primary key"
+ %TPM_EXE_PATH%createloaded -hp %%~H -st -kt f -kt p -pwdk ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the storage key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the storage key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the primary storage key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "CreateLoaded Child Key, Primary Parent"
+echo ""
+
+echo "CreateLoaded child storage key at 80000001, parent 80000000"
+%TPM_EXE_PATH%createloaded -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk ppp -opu tmpppub.bin -opr tmpppriv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key under the child storage key 80000001"
+%TPM_EXE_PATH%create -hp 80000001 -si -opr tmppriv.bin -opu tmppub.bin -pwdp ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key at 80000002 under the child storage key 80000001"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the child storage key 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the child signing key 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Reload the createloaded child storage key at 80000001, parent 80000000"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmpppriv.bin -ipu tmpppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Reload the child signing key at 80000002 under the child storage key 80000001"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the child storage key 80000002 "
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the child signing key 80000001 "
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "CreateLoaded Primary Derived Key, Hierarchy Parent"
+echo ""
+
+for %%H in ("e" "o" "p") do (
+
+ echo "Create a primary %%~H derivation parent 80000001"
+ %TPM_EXE_PATH%createprimary -hi %%~H -dp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a derived key 80000002"
+ %TPM_EXE_PATH%createloaded -hp 80000001 -der -ecc bnp256 -den -kt f -kt p -opu tmppub.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the derived key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a derived key 80000002"
+ %TPM_EXE_PATH%createloaded -hp 80000001 -der -ecc bnp256 -den -kt f -kt p -opu tmppub1.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the derived key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify that the two derived keys are the same"
+ diff tmppub.bin tmppub1.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the derivation parent"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "CreateLoaded Child Derived Key, Primary Parent"
+echo ""
+
+echo "Create a derivation parent under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -dp -opr tmpdppriv.bin -opu tmpdppub.bin -pwdp sto -pwdk dp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the derivation parent to 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmpdppriv.bin -ipu tmpdppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create an EC signing key under the derivation parent key"
+%TPM_EXE_PATH%createloaded -hp 80000001 -der -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -opem tmppub.pem -pwdp dp -ecc nistp256 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -salg ecc -if policies/aaa -os sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the ECC signature using the TPM"
+%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -ecc -if policies/aaa -is sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature using PEM"
+%TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg sha256 -if policies/aaa -is sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create another EC signing key 80000002 under the derivation parent key"
+%TPM_EXE_PATH%createloaded -hp 80000001 -der -si -kt f -kt p -opr tmppriv1.bin -opu tmppub1.bin -opem tmppub1.pem -pwdp dp -ecc nistp256 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify that the two derived keys are the same"
+diff tmppub.bin tmppub1.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the derivation parent"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rm -f tmpdppriv.bin
+rm -f tmpdppub.bin
+rm -f tmpppriv.bin
+rm -f tmpppub.bin
+rm -f tmppub.pem
+rm -f tmppriv1.bin
+rm -f tmppub1.bin
+rm -f tmppub1.pem
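Review bot: The script ends on the `rm -f` cleanup lines with no explicit `exit /B 0`, unlike testcontext.bat in this series, so the error level a caller observes after `call` is whatever the last `rm -f` returns rather than the test outcome; adding `exit /B 0` after the cleanup makes the success path explicit. The cleanup list also omits `tmppriv.bin`, which the .sh counterpart removes, while both leave `tmppub.bin` behind — presumably deliberate if it is shared with other tests, but a one-line comment saying so would help. This .bat additionally depends on `rm` and `diff` being on PATH, which cmd does not provide; a comment naming the expected tool environment would save the next maintainer a surprise.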
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcreateloaded.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcreateloaded.sh
new file mode 100755
index 000000000..99d3753d3
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcreateloaded.sh
@@ -0,0 +1,231 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "CreateLoaded"
+echo ""
+
+echo ""
+echo "CreateLoaded Primary Key, Hierarchy Parent"
+echo ""
+
+for HIER in "40000001" "4000000c" "4000000b"
+do
+
+ echo "CreateLoaded primary key, parent ${HIER}"
+ ${PREFIX}createloaded -hp ${HIER} -st -kt f -kt p -pwdk ppp > run.out
+ checkSuccess $?
+
+ echo "Create a storage key under the primary key"
+ ${PREFIX}create -hp 80000001 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp ppp > run.out
+ checkSuccess $?
+
+ echo "Load the storage key under the primary key"
+ ${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+ checkSuccess $?
+
+ echo "Flush the storage key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Flush the primary storage key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Load the storage key under the primary key - should fail"
+ ${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+ checkFailure $?
+
+ echo "CreateLoaded recreate owner primary key"
+ ${PREFIX}createloaded -hp ${HIER} -st -kt f -kt p -pwdk ppp > run.out
+ checkSuccess $?
+
+ echo "Load the storage key under the primary key"
+ ${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+ checkSuccess $?
+
+ echo "Flush the storage key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Flush the primary storage key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "CreateLoaded Child Key, Primary Parent"
+echo ""
+
+echo "CreateLoaded child storage key at 80000001, parent 80000000"
+${PREFIX}createloaded -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk ppp -opu tmpppub.bin -opr tmpppriv.bin > run.out
+checkSuccess $?
+
+echo "Create a signing key under the child storage key 80000001"
+${PREFIX}create -hp 80000001 -si -opr tmppriv.bin -opu tmppub.bin -pwdp ppp > run.out
+checkSuccess $?
+
+echo "Load the signing key at 80000002 under the child storage key 80000001"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+checkSuccess $?
+
+echo "Flush the child storage key 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the child signing key 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Reload the createloaded child storage key at 80000001, parent 80000000"
+${PREFIX}load -hp 80000000 -ipr tmpppriv.bin -ipu tmpppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Reload the child signing key at 80000002 under the child storage key 80000001"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+checkSuccess $?
+
+echo "Flush the child storage key 80000002 "
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the child signing key 80000001 "
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "CreateLoaded Primary Derived Key, Hierarchy Parent"
+echo ""
+
+for HIER in "e" "o" "p"
+do
+
+ echo "Create a primary ${HIER} derivation parent 80000001"
+ ${PREFIX}createprimary -hi ${HIER} -dp > run.out
+ checkSuccess $?
+
+ echo "Create a derived key 80000002"
+ ${PREFIX}createloaded -hp 80000001 -der -ecc bnp256 -den -kt f -kt p -opu tmppub.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the derived key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Create a derived key 80000002"
+ ${PREFIX}createloaded -hp 80000001 -der -ecc bnp256 -den -kt f -kt p -opu tmppub1.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the derived key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Verify that the two derived keys are the same"
+ diff tmppub.bin tmppub1.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the derivation parent"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "CreateLoaded Child Derived Key, Primary Parent"
+echo ""
+
+echo "Create a derivation parent under the primary key"
+${PREFIX}create -hp 80000000 -dp -opr tmpdppriv.bin -opu tmpdppub.bin -pwdp sto -pwdk dp > run.out
+checkSuccess $?
+
+echo "Load the derivation parent to 80000001"
+${PREFIX}load -hp 80000000 -ipr tmpdppriv.bin -ipu tmpdppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Create an EC signing key 80000002 under the derivation parent key"
+${PREFIX}createloaded -hp 80000001 -der -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -opem tmppub.pem -pwdp dp -ecc nistp256 > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000002 -halg sha256 -salg ecc -if policies/aaa -os sig.bin > run.out
+checkSuccess $?
+
+echo "Verify the ECC signature using the TPM"
+${PREFIX}verifysignature -hk 80000002 -halg sha256 -ecc -if policies/aaa -is sig.bin > run.out
+checkSuccess $?
+
+echo "Verify the signature using PEM"
+${PREFIX}verifysignature -ipem tmppub.pem -halg sha256 -if policies/aaa -is sig.bin > run.out
+checkSuccess $?
+
+echo "Flush the signing key 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Create another EC signing key 80000002 under the derivation parent key"
+${PREFIX}createloaded -hp 80000001 -der -si -kt f -kt p -opr tmppriv1.bin -opu tmppub1.bin -opem tmppub1.pem -pwdp dp -ecc nistp256 > run.out
+checkSuccess $?
+
+echo "Verify that the two derived keys are the same"
+diff tmppub.bin tmppub1.bin > run.out
+checkSuccess $?
+
+echo "Flush the signing key 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the derivation parent"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+rm -f tmpppriv.bin
+rm -f tmpppub.bin
+rm -f tmpppub1.bin
+rm -f tmpppub.pem
+rm -f tmppub.pem
+rm -f tmppub1.pem
+rm -f tmppriv.bin
+rm -f tmppriv1.bin
+rm -f tmppub1.bin
+rm -f tmpdppriv.bin
+rm -f tmpdppub.bin
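Review bot: The cleanup block at the end removes `tmpppub1.bin` and `tmpppub.pem`, which nothing in this script writes, and does not remove `tmppub.bin`, which the derivation sections do write, so the list appears copied rather than derived from the files created above. Collapsing it to one call with exactly the artifacts produced here, `rm -f tmpppriv.bin tmpppub.bin tmppriv.bin tmppub.bin tmppriv1.bin tmppub1.bin tmppub.pem tmppub1.pem tmpdppriv.bin tmpdppub.bin`, keeps the working directory clean between runs — assuming `tmppub.bin` is not shared with later tests, which cannot be told from this file. `${HIER}` is unquoted in both loops; harmless with these fixed literals, but `"${HIER}"` is the safer habit.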
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcredential.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcredential.bat
new file mode 100644
index 000000000..c65e9659a
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcredential.bat
@@ -0,0 +1,504 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+REM
+REM # primary key 80000000
+REM # storage key 80000001
+REM # signing key 80000002test
+REM # policy session 03000000
+REM # e5 87 c1 1a b5 0f 9d 87 30 f7 21 e3 fe a4 2b 46
+REM # c0 45 5b 24 6f 96 ae e8 5d 18 eb 3b e6 4d 66 6a
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Credential"
+echo ""
+
+echo "Use a random number as the credential input"
+%TPM_EXE_PATH%getrandom -by 32 -of tmpcredin.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key under the primary key, 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a restricted signing key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -sir -kt f -kt p -opr tmprpriv.bin -opu tmprpub.bin -pwdp sto -pwdk sig -pol policies/policyccactivate.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key, 80000002"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmprpriv.bin -ipu tmprpub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Encrypt the credential using makecredential"
+%TPM_EXE_PATH%makecredential -ha 80000001 -icred tmpcredin.bin -in h80000002.bin -ocred tmpcredenc.bin -os tmpsecret.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code - activatecredential"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 00000147 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Activate credential"
+%TPM_EXE_PATH%activatecredential -ha 80000002 -hk 80000001 -icred tmpcredenc.bin -is tmpsecret.bin -pwdk sto -ocred tmpcreddec.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Check the decrypted result"
+diff tmpcredin.bin tmpcreddec.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "EK Certificate"
+echo ""
+
+echo "Set platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%A in (rsa ecc) do (
+
+ echo "Create an %%A EK certificate"
+ %TPM_EXE_PATH%createekcert -alg %%A -cakey cakey.pem -capwd rrrr -pwdp ppp -of tmp.der > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the %%A EK certificate"
+ %TPM_EXE_PATH%createek -alg %%A -ce > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the %%A template - should fail"
+ %TPM_EXE_PATH%createek -alg %%A -te > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Read the %%A nonce - should fail"
+ %TPM_EXE_PATH%createek -alg %%A -no > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "CreatePrimary and validate the %%A EK against the EK certificate"
+ %TPM_EXE_PATH%createek -alg %%A -cp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Validate the %%A EK certificate against the root"
+ %TPM_EXE_PATH%createek -alg %%A -root certificates/rootcerts.windows.txt > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Clear platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "EK Policies using optional policy in NV"
+echo ""
+
+REM # Section B.8.2 Computing PolicyA - the standard IWG PolicySecret with endorsement auth
+REM # policyiwgek.txt
+REM # 000001514000000B
+REM # (blank line for policyRef)
+REM #
+REM # policymaker -if policies/policyiwgek.txt -ns -halg sha256 -of policies/policyiwgeksha256.bin
+REM # policymaker -if policies/policyiwgek.txt -ns -halg sha384 -of policies/policyiwgeksha384.bin
+REM # policymaker -if policies/policyiwgek.txt -ns -halg sha512 -of policies/policyiwgeksha512.bin
+REM
+REM # 837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa
+REM # 8bbf2266537c171cb56e403c4dc1d4b64f432611dc386e6f532050c3278c930e143e8bb1133824ccb431053871c6db53
+REM # 1e3b76502c8a1425aa0b7b3fc646a1b0fae063b03b5368f9c4cddecaff0891dd682bac1a85d4d832b781ea451915de5fc5bf0dc4a1917cd42fa041e3f998e0ee
+REM
+REM # Section B.8.3 Computing Policy Index Names - attributes 220F1008
+REM
+REM # For test, put PolicySecret + platform auth in NV Index. This is NOT the IWG standard, just for test.
+REM
+REM # for prepending the hash algorithm identifier to make the TPMT_HA structure
+REM # printf "%b" '\x00\x0b' > policies/sha256.bin
+REM # printf "%b" '\x00\x0c' > policies/sha384.bin
+REM # printf "%b" '\x00\x0d' > policies/sha512.bin
+REM
+REM # policymaker -if policies/policysecretp.txt -halg sha256 -pr -of policies/policysecretpsha256.bin -pr
+REM # policymaker -if policies/policysecretp.txt -halg sha384 -pr -of policies/policysecretpsha384.bin -pr
+REM # policymaker -if policies/policysecretp.txt -halg sha512 -pr -of policies/policysecretpsha512.bin -pr
+REM
+REM # prepend the algorithm identifiers
+REM # cat policies/sha256.bin policies/policysecretpsha256.bin >! policies/policysecretpsha256ha.bin
+REM # cat policies/sha384.bin policies/policysecretpsha384.bin >! policies/policysecretpsha384ha.bin
+REM # cat policies/sha512.bin policies/policysecretpsha512.bin >! policies/policysecretpsha512ha.bin
+REM
+REM # NV Index Name calculation
+REM
+
+set HALG=sha256 sha384 sha512
+set IDX=01c07f01 01c07f02 01c07f03
+set SIZ=34 50 66
+REM # algorithms from Algorithm Registry
+set HBIN=000b 000c 000d
+REM # Name from Table 14: Policy Index Names
+set NVNAME=000b0c9d717e9c3fe69fda41769450bb145957f8b3610e084dbf65591a5d11ecd83f 000cdb62fca346612c976732ff4e8621fb4e858be82586486504f7d02e621f8d7d61ae32cfc60c4d120609ed6768afcf090c 000d1c47c0bbcbd3cf7d7cae6987d31937c171015dde3b7f0d3c869bca1f7e8a223b9acfadb49b7c9cf14d450f41e9327de34d9291eece2c58ab1dc10e9059cce560
+)
+
+set j=0
+for %%h in (!HALG!) do set /A j+=1 & set HALG[!j!]=%%h
+set j=0
+for %%i in (!IDX!) do set /A j+=1 & set IDX[!j!]=%%i
+set j=0
+for %%z in (!SIZ!) do set /A j+=1 & set SIZ[!j!]=%%z
+set j=0
+for %%b in (!HBIN!) do set /A j+=1 & set HBIN[!j!]=%%b
+set j=0
+for %%n in (!NVNAME!) do set /A j+=1 & set NVNAME[!j!]=%%n
+set L=!j!
+
+for /L %%j in (1,1,!L!) do (
+
+ echo "Undefine optional !HALG[%%j]! NV index !IDX[%%j]!"
+ %TPM_EXE_PATH%nvundefinespace -ha !IDX[%%j]! -hi o > run.out
+
+ echo "Define optional !HALG[%%j]! NV index !IDX[%%j]! size !SIZ[%%j]! with PolicySecret for TPM_RH_ENDORSEMENT"
+ %TPM_EXE_PATH%nvdefinespace -ha !IDX[%%j]! -nalg !HALG[%%j]! -hi o -pol policies/policyiwgek!HALG[%%j]!.bin -sz !SIZ[%%j]! +at wa +at or +at ppr +at ar -at aw > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a !HALG[%%j]! policy session"
+ %TPM_EXE_PATH%startauthsession -se p -halg !HALG[%%j]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Satisfy the policy"
+ %TPM_EXE_PATH%policysecret -hs 03000000 -ha 4000000B > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get the session digest for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Write the !HALG[%%j]! index !IDX[%%j]! to set the written bit before reading the Name"
+ %TPM_EXE_PATH%nvwrite -ha !IDX[%%j]! -if policies/policysecretp!HALG[%%j]!ha.bin -se0 03000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the !HALG[%%j]! Name"
+ %TPM_EXE_PATH%nvreadpublic -ha !IDX[%%j]! -ns > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the !HALG[%%j]! !HBIN[%%j]! Name"
+ grep !HBIN[%%j]! run.out > tmp.txt
+ grep -v nvreadpublic tmp.txt > tmpactual.txt
+ echo !NVNAME[%%j]! > tmpexpect.txt
+ diff -w tmpactual.txt tmpexpect.txt > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+REM # B.8.4 Computing PolicyC - TPM_CC_PolicyAuthorizeNV || nvIndex->Name)
+REM
+REM # policyiwgekcsha256.txt
+REM # 00000192000b0c9d717e9c3fe69fda41769450bb145957f8b3610e084dbf65591a5d11ecd83f
+REM
+REM # policyiwgekcsha384.txt
+REM # 00000192000cdb62fca346612c976732ff4e8621fb4e858be82586486504f7d02e621f8d7d61ae32cfc60c4d120609ed6768afcf090c
+REM
+REM # policyiwgekcsha512.txt
+REM # 00000192000d1c47c0bbcbd3cf7d7cae6987d31937c171015dde3b7f0d3c869bca1f7e8a223b9acfadb49b7c9cf14d450f41e9327de34d9291eece2c58ab1dc10e9059cce560
+REM
+REM # policymaker -if policies/policyiwgekcsha256.txt -ns -halg sha256 -pr -of policies/policyiwgekcsha256.bin
+REM # 3767e2edd43ff45a3a7e1eaefcef78643dca964632e7aad82c673a30d8633fde
+REM
+REM # policymaker -if policies/policyiwgekcsha384.txt -ns -halg sha384 -pr -of policies/policyiwgekcsha384.bin
+REM # d6032ce61f2fb3c240eb3cf6a33237ef2b6a16f4293c22b455e261cffd217ad5b4947c2d73e63005eed2dc2b3593d165
+REM
+REM # policymaker -if policies/policyiwgekcsha512.txt -ns -halg sha512 -pr -of policies/policyiwgekcsha512.bin
+REM # 589ee1e146544716e8deafe6db247b01b81e9f9c7dd16b814aa159138749105fba5388dd1dea702f35240c184933121e2c61b8f50d3ef91393a49a38c3f73fc8
+REM
+REM # B.8.5 Computing PolicyB - TPM_CC_PolicyOR || digests
+REM
+REM # policyiwgekbsha256.txt
+REM # 00000171
+REM # 837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa
+REM # 3767e2edd43ff45a3a7e1eaefcef78643dca964632e7aad82c673a30d8633fde
+REM # policymaker -if policies/policyiwgekbsha256.txt -halg sha256 -pr -of policies/policyiwgekbsha256.bin
+REM # ca 3d 0a 99 a2 b9 39 06 f7 a3 34 24 14 ef cf b3
+REM # a3 85 d4 4c d1 fd 45 90 89 d1 9b 50 71 c0 b7 a0
+REM
+REM # policyiwgekbsha384.txt
+REM # 00000171
+REM # 8bbf2266537c171cb56e403c4dc1d4b64f432611dc386e6f532050c3278c930e143e8bb1133824ccb431053871c6db53
+REM # d6032ce61f2fb3c240eb3cf6a33237ef2b6a16f4293c22b455e261cffd217ad5b4947c2d73e63005eed2dc2b3593d165
+REM # policymaker -if policies/policyiwgekbsha384.txt -halg sha384 -pr -of policies/policyiwgekbsha384.bin
+REM # b2 6e 7d 28 d1 1a 50 bc 53 d8 82 bc f5 fd 3a 1a
+REM # 07 41 48 bb 35 d3 b4 e4 cb 1c 0a d9 bd e4 19 ca
+REM # cb 47 ba 09 69 96 46 15 0f 9f c0 00 f3 f8 0e 12
+REM
+REM # policyiwgekbsha512.txt
+REM # 00000171
+REM # 1e3b76502c8a1425aa0b7b3fc646a1b0fae063b03b5368f9c4cddecaff0891dd682bac1a85d4d832b781ea451915de5fc5bf0dc4a1917cd42fa041e3f998e0ee
+REM # 589ee1e146544716e8deafe6db247b01b81e9f9c7dd16b814aa159138749105fba5388dd1dea702f35240c184933121e2c61b8f50d3ef91393a49a38c3f73fc8
+REM # policymaker -if policies/policyiwgekbsha512.txt -halg sha512 -pr -of policies/policyiwgekbsha512.bin
+REM # b8 22 1c a6 9e 85 50 a4 91 4d e3 fa a6 a1 8c 07
+REM # 2c c0 12 08 07 3a 92 8d 5d 66 d5 9e f7 9e 49 a4
+REM # 29 c4 1a 6b 26 95 71 d5 7e db 25 fb db 18 38 42
+REM # 56 08 b4 13 cd 61 6a 5f 6d b5 b6 07 1a f9 9b ea
+
+echo ""
+echo "Test the EK policies"
+echo ""
+
+REM # Change endorsement and platform hierarchy passwords for testing
+
+echo "Change endorsement hierarchy password"
+%TPM_EXE_PATH%hierarchychangeauth -hi e -pwdn eee
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change platform hierarchy password"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for /L %%j in (1,1,!L!) do (
+
+ echo "Create an RSA primary key !HALG[%%j]! 80000001"
+ %TPM_EXE_PATH%createprimary -si -nalg !HALG[%%j]! -pwdk kkk -pol policies/policyiwgekb!HALG[%%j]!.bin -rsa 2048 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session !HALG[%%j]! 03000000"
+ %TPM_EXE_PATH%startauthsession -se p -halg !HALG[%%j]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Satisfy Policy A - Policy Secret with PWAP session and endorsement hierarchy auth"
+ %TPM_EXE_PATH%policysecret -ha 4000000b -hs 03000000 -pwde eee > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get the session digest for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy OR !HALG[%%j]!"
+ %TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyiwgek!HALG[%%j]!.bin -if policies/policyiwgekc!HALG[%%j]!.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get the !HALG[%%j]! session digest for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy A"
+ %TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy restart !HALG[%%j]! 03000000"
+ %TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Satisfy NV Index Policy - Policy Secret with PWAP session and platform hierarchy auth"
+ %TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get the !HALG[%%j]! session digest for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Satisfy Policy C - Policy Authorize NV"
+ %TPM_EXE_PATH%policyauthorizenv -ha !IDX[%%j]! -hs 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get the !HALG[%%j]! session digest for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy OR !HALG[%%j]!"
+ %TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyiwgek!HALG[%%j]!.bin -if policies/policyiwgekc!HALG[%%j]!.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get the !HALG[%%j]! session digest for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy A"
+ %TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the policy session !HALG[%%j]! 03000000"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the primary key !HALG[%%j]! 80000001"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "Cleanup"
+echo ""
+
+echo "Reset endorsement hierarchy password"
+%TPM_EXE_PATH%hierarchychangeauth -hi e -pwda eee
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Reset platform hierarchy password"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+set L=!j!
+
+for /L %%j in (1,1,!L!) do (
+
+ echo "Undefine optional !HALG[%%j]! NV index !IDX[%%j]!"
+ %TPM_EXE_PATH%nvundefinespace -ha !IDX[%%j]! -hi o > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+rm run.out
+rm sig.bin
+rm tmp.der
+rm tmpcreddec.bin
+rm tmpcredenc.bin
+rm tmpcredin.bin
+rm tmprpriv.bin
+rm tmprpub.bin
+rm tmpsecret.bin
+rm tmp.txt
+rm tmpactual.txt
+rm tmpexpect.txt
+
+
+REM %TPM_EXE_PATH%getcapability -cap 1 -pr 80000000
+REM %TPM_EXE_PATH%getcapability -cap 1 -pr 02000000
+
+exit /B 0
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcredential.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcredential.sh
new file mode 100755
index 000000000..447e0530a
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testcredential.sh
@@ -0,0 +1,404 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# primary key 80000000
+# storage key 80000001
+# signing key 80000002
+# policy session 03000000
+# e5 87 c1 1a b5 0f 9d 87 30 f7 21 e3 fe a4 2b 46
+# c0 45 5b 24 6f 96 ae e8 5d 18 eb 3b e6 4d 66 6a
+
+echo ""
+echo "Make and Activate Credential"
+echo ""
+
+echo "Use a random number as the credential input"
+${PREFIX}getrandom -by 32 -of tmpcredin.bin > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key, 80000001"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Create a restricted signing key under the primary key"
+${PREFIX}create -hp 80000000 -sir -kt f -kt p -opr tmprpriv.bin -opu tmprpub.bin -pwdp sto -pwdk sig -pol policies/policyccactivate.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key, 80000002"
+${PREFIX}load -hp 80000000 -ipr tmprpriv.bin -ipu tmprpub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Encrypt the credential using makecredential"
+${PREFIX}makecredential -ha 80000001 -icred tmpcredin.bin -in h80000002.bin -ocred tmpcredenc.bin -os tmpsecret.bin > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy command code - activatecredential"
+${PREFIX}policycommandcode -ha 03000000 -cc 00000147 > run.out
+checkSuccess $?
+
+echo "Activate credential"
+${PREFIX}activatecredential -ha 80000002 -hk 80000001 -icred tmpcredenc.bin -is tmpsecret.bin -pwdk sto -ocred tmpcreddec.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Check the decrypted result"
+diff tmpcredin.bin tmpcreddec.bin > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo ""
+echo "EK Certificate"
+echo ""
+
+# The mbedtls port does not support EC certificate creation yet */
+
+if [ ${CRYPTOLIBRARY} == "openssl" ]; then
+
+ echo "Set platform hierarchy auth"
+ ${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
+ checkSuccess $?
+
+ for ALG in "rsa" "ecc"
+ do
+
+ echo "Create an ${ALG} EK certificate"
+ ${PREFIX}createekcert -alg ${ALG} -cakey cakey.pem -capwd rrrr -pwdp ppp -of tmp.der > run.out
+ checkSuccess $?
+
+ echo "Read the ${ALG} EK certificate"
+ ${PREFIX}createek -alg ${ALG} -ce > run.out
+ checkSuccess $?
+
+ echo "Read the ${ALG} template - should fail"
+ ${PREFIX}createek -alg ${ALG} -te > run.out
+ checkFailure $?
+
+ echo "Read the ${ALG} nonce - should fail"
+ ${PREFIX}createek -alg ${ALG} -no > run.out
+ checkFailure $?
+
+ echo "CreatePrimary and validate the ${ALG} EK against the EK certificate"
+ ${PREFIX}createek -alg ${ALG} -cp > run.out
+ checkSuccess $?
+
+ echo "Validate the ${ALG} EK certificate against the root"
+ ${PREFIX}createek -alg ${ALG} -root certificates/rootcerts.txt > run.out
+ checkSuccess $?
+
+ done
+
+ echo "Clear platform hierarchy auth"
+ ${PREFIX}hierarchychangeauth -hi p -pwda ppp > run.out
+ checkSuccess $?
+
+# openssl vs mbedtls
+fi
+
+echo ""
+echo "EK Policies using optional policy in NV"
+echo ""
+
+# Section B.8.2 Computing PolicyA - the standard IWG PolicySecret with endorsement auth
+# policyiwgek.txt
+# 000001514000000B
+# (blank line for policyRef)
+#
+# policymaker -if policies/policyiwgek.txt -ns -halg sha256 -of policies/policyiwgeksha256.bin
+# policymaker -if policies/policyiwgek.txt -ns -halg sha384 -of policies/policyiwgeksha384.bin
+# policymaker -if policies/policyiwgek.txt -ns -halg sha512 -of policies/policyiwgeksha512.bin
+
+# 837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa
+# 8bbf2266537c171cb56e403c4dc1d4b64f432611dc386e6f532050c3278c930e143e8bb1133824ccb431053871c6db53
+# 1e3b76502c8a1425aa0b7b3fc646a1b0fae063b03b5368f9c4cddecaff0891dd682bac1a85d4d832b781ea451915de5fc5bf0dc4a1917cd42fa041e3f998e0ee
+
+# Section B.8.3 Computing Policy Index Names - attributes 220F1008
+
+# For test, put PolicySecret + platform auth in NV Index. This is NOT the IWG standard, just for test.
+
+# for prepending the hash algorithm identifier to make the TPMT_HA structure
+# printf "%b" '\x00\x0b' > policies/sha256.bin
+# printf "%b" '\x00\x0c' > policies/sha384.bin
+# printf "%b" '\x00\x0d' > policies/sha512.bin
+
+# policymaker -if policies/policysecretp.txt -halg sha256 -pr -of policies/policysecretpsha256.bin -pr
+# policymaker -if policies/policysecretp.txt -halg sha384 -pr -of policies/policysecretpsha384.bin -pr
+# policymaker -if policies/policysecretp.txt -halg sha512 -pr -of policies/policysecretpsha512.bin -pr
+
+# prepend the algorithm identifiers
+# cat policies/sha256.bin policies/policysecretpsha256.bin >! policies/policysecretpsha256ha.bin
+# cat policies/sha384.bin policies/policysecretpsha384.bin >! policies/policysecretpsha384ha.bin
+# cat policies/sha512.bin policies/policysecretpsha512.bin >! policies/policysecretpsha512ha.bin
+
+# NV Index Name calculation
+
+HALG=(sha256 sha384 sha512)
+IDX=(01c07f01 01c07f02 01c07f03)
+SIZ=(34 50 66)
+# algorithms from Algorithm Registry
+HBIN=(000b 000c 000d)
+# Name from Table 14: Policy Index Names
+NVNAME=(
+ 000b0c9d717e9c3fe69fda41769450bb145957f8b3610e084dbf65591a5d11ecd83f
+ 000cdb62fca346612c976732ff4e8621fb4e858be82586486504f7d02e621f8d7d61ae32cfc60c4d120609ed6768afcf090c
+ 000d1c47c0bbcbd3cf7d7cae6987d31937c171015dde3b7f0d3c869bca1f7e8a223b9acfadb49b7c9cf14d450f41e9327de34d9291eece2c58ab1dc10e9059cce560
+)
+
+for ((i = 0 ; i < 3; i++))
+do
+
+ echo "Undefine optional ${HALG[i]} NV index ${IDX[i]}"
+ ${PREFIX}nvundefinespace -ha ${IDX[i]} -hi o > run.out
+ echo " INFO:"
+
+ echo "Define optional ${HALG[i]} NV index ${IDX[i]} with PolicySecret for TPM_RH_ENDORSEMENT"
+ ${PREFIX}nvdefinespace -ha ${IDX[i]} -nalg ${HALG[i]} -hi o -pol policies/policyiwgek${HALG[i]}.bin -sz ${SIZ[i]} +at wa +at or +at ppr +at ar -at aw > run.out
+ checkSuccess $?
+
+ echo "Start a ${HALG[i]} policy session"
+ ${PREFIX}startauthsession -se p -halg ${HALG[i]} > run.out
+ checkSuccess $?
+
+ echo "Satisfy the policy"
+ ${PREFIX}policysecret -hs 03000000 -ha 4000000B > run.out
+ checkSuccess $?
+
+ echo "Get the session digest for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Write the ${HALG[i]} ${IDX[i]} index to set the written bit before reading the Name"
+ ${PREFIX}nvwrite -ha ${IDX[i]} -if policies/policysecretp${HALG[i]}ha.bin -se0 03000000 0 > run.out
+ checkSuccess $?
+
+ echo "Read the ${HALG[i]} Name"
+ ${PREFIX}nvreadpublic -ha ${IDX[i]} -ns > run.out
+ checkSuccess $?
+
+ echo "Verify the ${HALG[i]} Name"
+ ACTUAL=`grep ${HBIN[i]} run.out |grep -v nvreadpublic`
+ diff <(echo "${ACTUAL}" ) <(echo "${NVNAME[i]}" )
+ checkSuccess $?
+
+done
+
+# B.8.4 Computing PolicyC - TPM_CC_PolicyAuthorizeNV || nvIndex->Name)
+
+# policyiwgekcsha256.txt
+# 00000192000b0c9d717e9c3fe69fda41769450bb145957f8b3610e084dbf65591a5d11ecd83f
+
+# policyiwgekcsha384.txt
+# 00000192000cdb62fca346612c976732ff4e8621fb4e858be82586486504f7d02e621f8d7d61ae32cfc60c4d120609ed6768afcf090c
+
+# policyiwgekcsha512.txt
+# 00000192000d1c47c0bbcbd3cf7d7cae6987d31937c171015dde3b7f0d3c869bca1f7e8a223b9acfadb49b7c9cf14d450f41e9327de34d9291eece2c58ab1dc10e9059cce560
+
+# policymaker -if policies/policyiwgekcsha256.txt -ns -halg sha256 -pr -of policies/policyiwgekcsha256.bin
+# 3767e2edd43ff45a3a7e1eaefcef78643dca964632e7aad82c673a30d8633fde
+
+# policymaker -if policies/policyiwgekcsha384.txt -ns -halg sha384 -pr -of policies/policyiwgekcsha384.bin
+# d6032ce61f2fb3c240eb3cf6a33237ef2b6a16f4293c22b455e261cffd217ad5b4947c2d73e63005eed2dc2b3593d165
+
+# policymaker -if policies/policyiwgekcsha512.txt -ns -halg sha512 -pr -of policies/policyiwgekcsha512.bin
+# 589ee1e146544716e8deafe6db247b01b81e9f9c7dd16b814aa159138749105fba5388dd1dea702f35240c184933121e2c61b8f50d3ef91393a49a38c3f73fc8
+
+# B.8.5 Computing PolicyB - TPM_CC_PolicyOR || digests
+
+# policyiwgekbsha256.txt
+# 00000171
+# 837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa
+# 3767e2edd43ff45a3a7e1eaefcef78643dca964632e7aad82c673a30d8633fde
+# policymaker -if policies/policyiwgekbsha256.txt -halg sha256 -pr -of policies/policyiwgekbsha256.bin
+ # ca 3d 0a 99 a2 b9 39 06 f7 a3 34 24 14 ef cf b3
+ # a3 85 d4 4c d1 fd 45 90 89 d1 9b 50 71 c0 b7 a0
+
+# policyiwgekbsha384.txt
+# 00000171
+# 8bbf2266537c171cb56e403c4dc1d4b64f432611dc386e6f532050c3278c930e143e8bb1133824ccb431053871c6db53
+# d6032ce61f2fb3c240eb3cf6a33237ef2b6a16f4293c22b455e261cffd217ad5b4947c2d73e63005eed2dc2b3593d165
+# policymaker -if policies/policyiwgekbsha384.txt -halg sha384 -pr -of policies/policyiwgekbsha384.bin
+ # b2 6e 7d 28 d1 1a 50 bc 53 d8 82 bc f5 fd 3a 1a
+ # 07 41 48 bb 35 d3 b4 e4 cb 1c 0a d9 bd e4 19 ca
+ # cb 47 ba 09 69 96 46 15 0f 9f c0 00 f3 f8 0e 12
+
+# policyiwgekbsha512.txt
+# 00000171
+# 1e3b76502c8a1425aa0b7b3fc646a1b0fae063b03b5368f9c4cddecaff0891dd682bac1a85d4d832b781ea451915de5fc5bf0dc4a1917cd42fa041e3f998e0ee
+# 589ee1e146544716e8deafe6db247b01b81e9f9c7dd16b814aa159138749105fba5388dd1dea702f35240c184933121e2c61b8f50d3ef91393a49a38c3f73fc8
+# policymaker -if policies/policyiwgekbsha512.txt -halg sha512 -pr -of policies/policyiwgekbsha512.bin
+ # b8 22 1c a6 9e 85 50 a4 91 4d e3 fa a6 a1 8c 07
+ # 2c c0 12 08 07 3a 92 8d 5d 66 d5 9e f7 9e 49 a4
+ # 29 c4 1a 6b 26 95 71 d5 7e db 25 fb db 18 38 42
+ # 56 08 b4 13 cd 61 6a 5f 6d b5 b6 07 1a f9 9b ea
+
+echo ""
+echo "Test the EK policies"
+echo ""
+
+# test message to be signed
+echo -n "1234567890123456" > msg.bin
+
+# Change endorsement and platform hierarchy passwords for testing
+
+echo "Change endorsement hierarchy password"
+${PREFIX}hierarchychangeauth -hi e -pwdn eee
+checkSuccess $?
+
+echo "Change platform hierarchy password"
+${PREFIX}hierarchychangeauth -hi p -pwdn ppp
+checkSuccess $?
+
+for ((i = 0 ; i < 3; i++))
+do
+
+ echo "Create an RSA primary key ${HALG[i]} 80000001"
+ ${PREFIX}createprimary -si -nalg ${HALG[i]} -pwdk kkk -pol policies/policyiwgekb${HALG[i]}.bin -rsa 2048 > run.out
+ checkSuccess $?
+
+ echo "Start a policy session ${HALG[i]} 03000000"
+ ${PREFIX}startauthsession -se p -halg ${HALG[i]} > run.out
+ checkSuccess $?
+
+ echo "Satisfy Policy A - Policy Secret with PWAP session and endorsement hierarchy auth"
+ ${PREFIX}policysecret -ha 4000000b -hs 03000000 -pwde eee > run.out
+ checkSuccess $?
+
+ echo "Get the session digest for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Policy OR ${HALG[i]}"
+ ${PREFIX}policyor -ha 03000000 -if policies/policyiwgek${HALG[i]}.bin -if policies/policyiwgekc${HALG[i]}.bin > run.out
+ checkSuccess $?
+
+ echo "Get the ${HALG[i]} session digest for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy A"
+ ${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Policy restart ${HALG[i]} 03000000"
+ ${PREFIX}policyrestart -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Satisfy NV Index Policy - Policy Secret with PWAP session and platform hierarchy auth"
+ ${PREFIX}policysecret -ha 4000000c -hs 03000000 -pwde ppp > run.out
+ checkSuccess $?
+
+ echo "Get the ${HALG[i]} session digest for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Satisfy Policy C - Policy Authorize NV"
+ ${PREFIX}policyauthorizenv -ha ${IDX[i]} -hs 03000000 > run.out
+ checkSuccess $?
+
+ echo "Get the ${HALG[i]} session digest for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Policy OR ${HALG[i]}"
+ ${PREFIX}policyor -ha 03000000 -if policies/policyiwgek${HALG[i]}.bin -if policies/policyiwgekc${HALG[i]}.bin > run.out
+ checkSuccess $?
+
+ echo "Get the ${HALG[i]} session digest for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy A"
+ ${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Flush the policy session ${HALG[i]} 03000000"
+ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Flush the primary key ${HALG[i]} 80000001"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Cleanup"
+echo ""
+
+echo "Reset endorsement hierarchy password"
+${PREFIX}hierarchychangeauth -hi e -pwda eee
+checkSuccess $?
+
+echo "Reset platform hierarchy password"
+${PREFIX}hierarchychangeauth -hi p -pwda ppp
+checkSuccess $?
+
+for ((i = 0 ; i < 3; i++))
+do
+
+ echo "Undefine optional ${HALG[i]} NV index ${IDX[i]}"
+ ${PREFIX}nvundefinespace -ha ${IDX[i]} -hi o > run.out
+ checkSuccess $?
+
+done
+
+rm -f run.out
+rm -f sig.bin
+rm -f tmprpub.bin
+rm -f tmprpriv.bin
+rm -f tmpcredin.bin
+rm -f tmpcredenc.bin
+rm -f tmpcreddec.bin
+rm -f tmpsecret.bin
+rm -f tmp.der
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
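Review bot: The openssl/mbedtls branch test `if [ ${CRYPTOLIBRARY} == "openssl" ]; then` expands the variable unquoted, so an unset or empty CRYPTOLIBRARY turns the command into `[ == "openssl" ]` and the EK-certificate section is skipped with a syntax error rather than a clear decision; `==` inside single brackets is also a bashism under `[`. Since the file is `#!/bin/bash`, write it as `if [[ "${CRYPTOLIBRARY}" == "openssl" ]]; then`. In the NV Name check, `ACTUAL=\`grep ${HBIN[i]} run.out |grep -v nvreadpublic\`` uses backticks and an unquoted pattern; prefer `ACTUAL=$(grep -- "${HBIN[i]}" run.out | grep -v nvreadpublic)` so the grep pattern cannot be word-split or treated as an option. Note also that once the endorsement and platform hierarchy auths are set to eee/ppp, a failing step presumably exits via checkSuccess before the reset at the end, leaving the TPM with non-empty hierarchy auths for any later test in the run — worth a comment on the "Change endorsement and platform hierarchy passwords for testing" block stating that a mid-test failure requires a manual reset.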
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testda.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testda.bat
new file mode 100644
index 000000000..f991bfe98
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testda.bat
@@ -0,0 +1,203 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testda.bat 1278 2018-07-23 21:20:42Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "DA Logic"
+echo ""
+
+echo "Create an signing key with DA protection"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -da > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Set DA recovery time to 0, disables DA"
+%TPM_EXE_PATH%dictionaryattackparameters -nrt 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with bad password - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk xxx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with good password, no lockout"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Set DA recovery time to 120 sec, enables DA"
+%TPM_EXE_PATH%dictionaryattackparameters -nrt 120 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with bad password - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk xxx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with good password, lockout - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Reset DA lock"
+%TPM_EXE_PATH%dictionaryattacklockreset > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with good password"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Set DA recovery time to 120 sec, enables DA, max tries 2"
+%TPM_EXE_PATH%dictionaryattackparameters -nrt 120 -nmt 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with bad password - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk xxx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with good password, no lockout yet"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with bad password - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk xxx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with good password, lockout - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Reset DA lock"
+%TPM_EXE_PATH%dictionaryattacklockreset > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with good password, no lockout"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Set DA recovery time to 0, disables DA"
+%TPM_EXE_PATH%dictionaryattackparameters -nrt 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Lockout Auth"
+echo ""
+
+echo "Change lockout auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi l -pwdn lll > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Reset DA lock with good password"
+%TPM_EXE_PATH%dictionaryattacklockreset -pwd lll > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Set DA recovery time to 0 with good password"
+%TPM_EXE_PATH%dictionaryattackparameters -nrt 0 -pwd lll > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear lockout auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi l -pwda lll > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Set DA recovery time to 0"
+%TPM_EXE_PATH%dictionaryattackparameters -nrt 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Reset DA lock"
+%TPM_EXE_PATH%dictionaryattacklockreset > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
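Review bot: Every failure path in this script is a bare `exit /B 1`, so if any step between "Set DA recovery time to 120 sec, enables DA" and the final "Set DA recovery time to 0" fails, the TPM is left with DA enabled (and, after "Change lockout auth", with the lockout password set to lll); the cleanup that disables DA and clears the lockout auth only runs on the all-success path, so subsequent tests in the same run inherit a lockout-prone TPM. Consider routing the failure exits through a single cleanup label that issues `dictionaryattackparameters -nrt 0` and `hierarchychangeauth -hi l -pwda lll` before exiting non-zero, or at least document in a REM comment near "Lockout Auth" that a mid-test failure requires a manual `dictionaryattacklockreset`. The two "good password, lockout - should fail" steps also appear to depend on the TPM's current `maxTries` value, which this script only sets explicitly at the `-nmt 2` step; a REM stating the assumed prior state would make the expected lockout behaviour reproducible. Minor: the echo string "Create an signing key with DA protection" should read "Create a signing key with DA protection".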
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testda.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testda.sh
new file mode 100755
index 000000000..7cfa9a3b7
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testda.sh
@@ -0,0 +1,152 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testda.sh 1277 2018-07-23 20:30:23Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "DA Logic"
+echo ""
+
+echo "Create an signing key with DA protection"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -da > run.out
+checkSuccess $?
+
+echo "Load the signing key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Set DA recovery time to 0, disables DA"
+${PREFIX}dictionaryattackparameters -nrt 0 > run.out
+checkSuccess $?
+
+echo "Sign a digest with bad password - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk xxx > run.out
+checkFailure $?
+
+echo "Sign a digest with good password, no lockout"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Set DA recovery time to 120 sec, enables DA"
+${PREFIX}dictionaryattackparameters -nrt 120 > run.out
+checkSuccess $?
+
+echo "Sign a digest with bad password - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk xxx > run.out
+checkFailure $?
+
+echo "Sign a digest with good password, lockout - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+echo "Reset DA lock"
+${PREFIX}dictionaryattacklockreset > run.out
+checkSuccess $?
+
+echo "Sign a digest with good password"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Set DA recovery time to 120 sec, enables DA, max tries 2"
+${PREFIX}dictionaryattackparameters -nrt 120 -nmt 2 > run.out
+checkSuccess $?
+
+echo "Sign a digest with bad password - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk xxx > run.out
+checkFailure $?
+
+echo "Sign a digest with good password, no lockout yet"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Sign a digest with bad password - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk xxx > run.out
+checkFailure $?
+
+echo "Sign a digest with good password, lockout - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+echo "Reset DA lock"
+${PREFIX}dictionaryattacklockreset > run.out
+checkSuccess $?
+
+echo "Sign a digest with good password, no lockout"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Set DA recovery time to 0, disables DA"
+${PREFIX}dictionaryattackparameters -nrt 0 > run.out
+checkSuccess $?
+
+echo ""
+echo "Lockout Auth"
+echo ""
+
+echo "Change lockout auth"
+${PREFIX}hierarchychangeauth -hi l -pwdn lll > run.out
+checkSuccess $?
+
+echo "Reset DA lock with good password"
+${PREFIX}dictionaryattacklockreset -pwd lll > run.out
+checkSuccess $?
+
+echo "Set DA recovery time to 0 with good password"
+${PREFIX}dictionaryattackparameters -nrt 0 -pwd lll > run.out
+checkSuccess $?
+
+echo "Clear lockout auth"
+${PREFIX}hierarchychangeauth -hi l -pwda lll > run.out
+checkSuccess $?
+
+echo "Set DA recovery time to 0"
+${PREFIX}dictionaryattackparameters -nrt 0 > run.out
+checkSuccess $?
+
+echo "Reset DA lock"
+${PREFIX}dictionaryattacklockreset > run.out
+checkSuccess $?
+
+echo "Flush signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
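Review bot: Nothing restores the dictionary-attack state if a check aborts the script between the first `dictionaryattackparameters -nrt 120` and the final `-nrt 0` / `dictionaryattacklockreset` pair, and the lockout hierarchy auth set by `hierarchychangeauth -hi l -pwdn lll` is likewise only cleared on the success path. If `checkSuccess`/`checkFailure` exit on a mismatch (they are not defined in this file, so I am inferring from their use), a failure mid-way leaves the TPM locked out for up to 120 s and the lockout auth non-empty, which would cascade into whatever regression test runs next. A header comment listing the recovery steps (`${PREFIX}dictionaryattacklockreset`, `${PREFIX}dictionaryattackparameters -nrt 0`, and `${PREFIX}hierarchychangeauth -hi l -pwda lll` if the lockout auth had been changed), or an EXIT trap that performs them, would make a failed run recoverable. The file also uses `PREFIX`, `checkSuccess` and `checkFailure` without defining them; a line such as `# Requires PREFIX, checkSuccess and checkFailure to be provided by the calling test driver` at the top would document that dependency.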
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testdup.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testdup.bat
new file mode 100644
index 000000000..a748bc497
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testdup.bat
@@ -0,0 +1,786 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+REM 80000001 K1 storage key
+REM 80000002 K2 signing key to be duplicated
+REM 80000002 K2 duplicated
+REM 03000000 policy session
+
+REM policy
+REM be f5 6b 8c 1c c8 4e 11 ed d7 17 52 8d 2c d9 93
+REM 56 bd 2b bf 8f 01 52 09 c3 f8 4a ee ab a8 e8 a2
+
+REM used for the name in rewrap
+
+echo ""
+echo "Duplication"
+echo ""
+
+echo ""
+echo "Duplicate Child Key"
+echo ""
+
+REM # primary key 80000000
+REM # target storage key K1 80000001
+REM # originally under primary key
+REM # duplicate to K1
+REM # import to K1
+REM # signing key K2 80000002
+
+set SALG=rsa ecc
+set SKEY=rsa2048 ecc
+
+set i=0
+for %%a in (!SALG!) do set /A i+=1 & set SALG[!i!]=%%a
+set i=0
+for %%b in (!SKEY!) do set /A i+=1 & set SKEY[!i!]=%%b
+set L=!i!
+
+for /L %%i in (1,1,!L!) do (
+
+ for %%E in ("" "-salg aes -ik tmprnd.bin") do (
+
+ for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a signing key K2 under the primary key, with policy"
+ %TPM_EXE_PATH%create -hp 80000000 -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccduplicate.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the !SALG[%%i]! storage key K1"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr store!SKEY[%%i]!priv.bin -ipu store!SKEY[%%i]!pub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key K2"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest, %%H"
+ %TPM_EXE_PATH%sign -hk 80000002 -halg %%H -if policies/aaa -os sig.bin -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature, %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000002 -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code, duplicate"
+ %TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14b > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get policy digest"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get random AES encryption key"
+ %TPM_EXE_PATH%getrandom -by 16 -of tmprnd.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Duplicate K2 under !SALG[%%i]! K1, %%~E"
+ %TPM_EXE_PATH%duplicate -ho 80000002 -pwdo sig -hp 80000001 -od tmpdup.bin -oss tmpss.bin %%~E -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the original K2 to free object slot for import"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Import K2 under !SALG[%%i]! K1, %%~E"
+ %TPM_EXE_PATH%import -hp 80000001 -pwdp sto -ipu tmppub.bin -id tmpdup.bin -iss tmpss.bin %%~E -opr tmppriv.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign under K2, %%H - should fail"
+ %TPM_EXE_PATH%sign -hk 80000002 -halg %%H -if policies/aaa -os sig.bin -pwdk sig > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Load the duplicated signing key K2"
+ %TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign using duplicated K2, %%H"
+ %TPM_EXE_PATH%sign -hk 80000002 -halg %%H -if policies/aaa -os sig.bin -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature, %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000002 -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the duplicated K2"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the parent K1"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the session"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+ )
+)
+
+echo ""
+echo "Duplicate Primary Key"
+echo ""
+
+echo "Create a platform primary signing key K2 80000001"
+%TPM_EXE_PATH%createprimary -hi p -si -kt nf -kt np -pol policies/policyccduplicate.bin -opu tmppub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000001 -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code, duplicate"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14b > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Duplicate K2 under storage key"
+%TPM_EXE_PATH%duplicate -ho 80000001 -hp 80000000 -od tmpdup.bin -oss tmpss.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Import K2 under storage key"
+%TPM_EXE_PATH%import -hp 80000000 -pwdp sto -ipu tmppub.bin -id tmpdup.bin -iss tmpss.bin -opr tmppriv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the duplicated signing key K2 80000002"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000002 -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary key 8000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the duplicated key 80000002 "
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the session 03000000 "
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Import PEM RSA signing key under RSA and ECC storage key"
+echo ""
+
+echo "generate the signing key with openssl"
+openssl genrsa -out tmpprivkey.pem -aes256 -passout pass:rrrr 2048
+
+echo "load the ECC storage key"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipr storeeccpriv.bin -ipu storeeccpub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+ for %%H in (%ITERATE_ALGS%) do (
+ for %%P in (80000000 80000001) do (
+
+ echo "Import the signing key under the parent key %%P %%H"
+ %TPM_EXE_PATH%importpem -hp %%P -pwdp sto -ipem tmpprivkey.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the TPM signing key"
+ %TPM_EXE_PATH%load -hp %%P -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign the message %%H %%~S"
+ %TPM_EXE_PATH%sign -hk 80000002 -pwdk rrrr -if policies/aaa -os tmpsig.bin -halg %%H %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000002 -if policies/aaa -is tmpsig.bin -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+ )
+)
+
+echo ""
+echo "Import PEM EC signing key under RSA and ECC storage key"
+echo ""
+
+echo "generate the signing key with openssl"
+openssl ecparam -name prime256v1 -genkey -noout | openssl pkey -aes256 -passout pass:rrrr -text > tmpecprivkey.pem
+
+for %%S in ("" "-se0 02000000 1") do (
+ for %%H in (%ITERATE_ALGS%) do (
+ for %%P in (80000000 80000001) do (
+
+ echo "Import the signing key under the parent key %%P %%H"
+ %TPM_EXE_PATH%importpem -hp %%P -pwdp sto -ipem tmpecprivkey.pem -ecc -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the TPM signing key"
+ %TPM_EXE_PATH%load -hp %%P -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign the message %%H %%~S"
+ %TPM_EXE_PATH%sign -hk 80000002 -salg ecc -pwdk rrrr -if policies/aaa -os tmpsig.bin -halg %%H %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1test
+ )
+
+ echo "Verify the signature %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000002 -ecc -if policies/aaa -is tmpsig.bin -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+ )
+)
+
+echo "Flush the ECC storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Rewrap"
+echo ""
+
+REM duplicate object O1 to K1 (the outer wrapper, knows inner wrapper)
+REM rewrap O1 from K1 to K2 (does not know inner wrapper)
+REM import O1 to K2 (knows inner wrapper)
+
+REM 03000000 policy session for duplicate
+
+REM at TPM 1, duplicate object to K1 outer wrapper, AES wrapper
+
+echo "Create a storage key K2"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -opr tmpk2priv.bin -opu tmpk2pub.bin -pwdp sto -pwdk k2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key K1 80000001 public key "
+%TPM_EXE_PATH%loadexternal -hi p -ipu storersa2048pub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key O1 with policy"
+%TPM_EXE_PATH%create -hp 80000000 -si -opr tmpsignpriv.bin -opu tmpsignpub.bin -pwdp sto -pwdk sig -pol policies/policyccduplicate.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key O1 80000002 under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmpsignpriv.bin -ipu tmpsignpub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Save the signing key O1 name"
+cp h80000002.bin tmpo1name.bin
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code, duplicate"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14b > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get random AES encryption key"
+%TPM_EXE_PATH%getrandom -by 16 -of tmprnd.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Duplicate O1 80000002 under K1 80000001 outer wrapper, using AES inner wrapper"
+%TPM_EXE_PATH%duplicate -ho 80000002 -pwdo sig -hp 80000001 -ik tmprnd.bin -od tmpdup.bin -oss tmpss.bin -salg aes -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush signing key O1 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush storage key K1 80000001 public key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM at TPM 2
+
+echo "Load storage key K1 80000001 public and private key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load storage key K2 80000002 public key"
+%TPM_EXE_PATH%loadexternal -hi p -ipu tmpk2pub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Rewrap O1 from K1 80000001 to K2 80000002 "
+%TPM_EXE_PATH%rewrap -ho 80000001 -hn 80000002 -pwdo sto -id tmpdup.bin -in tmpo1name.bin -iss tmpss.bin -od tmpdup.bin -oss tmpss.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush old key K1 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush new key K2 80000002 public key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM at TPM 3
+
+echo "Load storage key K2 80000001 public key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmpk2priv.bin -ipu tmpk2pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Import rewraped O1 to K2"
+%TPM_EXE_PATH%import -hp 80000001 -pwdp k2 -ipu tmpsignpub.bin -id tmpdup.bin -iss tmpss.bin -salg aes -ik tmprnd.bin -opr tmpsignpriv3.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the imported signing key O1 80000002 under K2 80000001"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmpsignpriv3.bin -ipu tmpsignpub.bin -pwdp k2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign using duplicated K2"
+%TPM_EXE_PATH%sign -hk 80000002 -if policies/aaa -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000002 -if policies/aaa -is sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush storage key K2 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush signing key O1 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Duplicate Primary Sealed AES from Source to Target EK"
+echo ""
+
+REM # source creates AES key, sends to target
+
+REM # Real code would send the target EK X509 certificate. The target could
+REM # defer recreating the EK until later.
+
+REM # Target
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Target: Provision a target !SALG[%%i]! EK certificate"
+ %TPM_EXE_PATH%createekcert -alg !SALG[%%i]! -cakey cakey.pem -capwd rrrr > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Recreate the !SALG[%%i]! EK at 80000001"
+ %TPM_EXE_PATH%createek -alg !SALG[%%i]! -cp -noflush > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Convert the EK public key to PEM format for transmission to source"
+ %TPM_EXE_PATH%readpublic -ho 80000001 -opem tmpekpub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Flush the EK"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+REM # Here, target would send the EK PEM public key to the source
+
+REM # The real source would
+REM #
+REM # 1 - walk the EK X509 certificate chain. I have to add that sample code to createEK or make a new utility.
+REM # 2 - use openssl to convert the X509 EK certificate the the PEM public key file
+REM #
+REM # for now, the source trusts the target EK PEM public key
+
+REM # Source
+
+ echo "Source: Create an AES 256 bit key"
+ %TPM_EXE_PATH%getrandom -by 32 -ns -of tmpaeskeysrc.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Source: Create primary duplicable sealed AES key 80000001"
+ %TPM_EXE_PATH%createprimary -bl -kt nf -kt np -if tmpaeskeysrc.bin -pol policies/policyccduplicate.bin -opu tmpsdbpub.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Source: Load the target !SALG[%%i]! EK public key as a storage key 80000002"
+ %TPM_EXE_PATH%loadexternal -!SALG[%%i]! -st -ipem tmpekpub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Source: Start a policy session, duplicate needs a policy 03000000"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Source: Policy command code, duplicate"
+ %TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14b > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Source: Read policy digest, for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Source: Wrap the sealed AES key with the target EK public key"
+ %TPM_EXE_PATH%duplicate -ho 80000001 -hp 80000002 -od tmpsdbdup.bin -oss tmpss.bin -se0 03000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Source: Flush the sealed AES key 80000001"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Source: Flush the EK public key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+REM # Transmit the sealed AEK key wrapped with the target EK back to the target
+REM # tmpsdbdup.bin private part wrapped in EK public key, via symmetric seed
+REM # tmpsdbpub.bin public part
+REM # tmpss.bin symmetric seed, encrypted with EK public key
+
+REM # Target
+
+REM # NOTE This assumes that the endorsement hierarchy password is Empty.
+REM # This may be a bad assumption if an attacker can get access and
+REM # change it.
+
+ echo "Target: Recreate the -!SALG[%%i]! EK at 80000001"
+ %TPM_EXE_PATH%createek -alg !SALG[%%i]! -cp -noflush > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Start a policy session, EK use needs a policy"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Policy Secret with PWAP session and (Empty) endorsement auth"
+ %TPM_EXE_PATH%policysecret -ha 4000000b -hs 03000000 -pwde "" > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Read policy digest for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Import the sealed AES key under the EK storage key"
+ %TPM_EXE_PATH%import -hp 80000001 -ipu tmpsdbpub.bin -id tmpsdbdup.bin -iss tmpss.bin -opr tmpsdbpriv.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Restart the policy session"
+ %TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Policy Secret with PWAP session and (Empty) endorsement auth"
+ %TPM_EXE_PATH%policysecret -ha 4000000b -hs 03000000 -pwde "" > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Read policy digest for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Load the sealed AES key under the EK storage key"
+ %TPM_EXE_PATH%load -hp 80000001 -ipu tmpsdbpub.bin -ipr tmpsdbpriv.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Unseal the AES key"
+ %TPM_EXE_PATH%unseal -ha 80000002 -of tmpaeskeytgt.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+REM # A real target would not have access to tmpaeskeysrc.bin for the compare
+
+ echo "Target: Verify the unsealed result, same at source, for debug"
+ diff tmpaeskeytgt.bin tmpaeskeysrc.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the EK"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sealed AES key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the policy session"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+REM cleanup
+
+echo "Undefine the RSA EK certificate index"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01c00002
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Undefine the ECC EK certificate index"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01c0000a
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rm -f tmpo1name.bin
+rm -f tmpsignpriv.bin
+rm -f tmpsignpub.bin
+rm -f tmprnd.bin
+rm -f tmpdup.bin
+rm -f tmpss.bin
+rm -f tmpsignpriv3.bin
+rm -f tmpsig.bin
+rm -f tmpk2priv.bin
+rm -f tmpk2pub.bin
+rm -f tmposs.bin
+rm -f tmpprivkey.pem
+rm -f tmpecprivkey.pem
+rm -f tmppub.bin
+rm -f tmppriv.bin
+rm -f tmpekpub.pem
+rm -f tmpaeskeysrc.bin
+rm -f tmpsdbpub.bin
+rm -f tmpsdbdup.bin
+rm -f tmpss.bin
+rm -f tmpsdbpriv.bin
+rm -f tmpaeskeytgt.bin
+
+exit /B 0
+
+REM flushcontext -ha 80000001
+REM flushcontext -ha 80000002
+REM flushcontext -ha 03000000
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 03000000
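Review bot: `exit /B 1test` in the failure branch after `%TPM_EXE_PATH%sign -hk 80000002 -salg ecc ...` inside the EC importpem loop has a stray `test` suffix; the exit-code argument is no longer numeric, so whether a non-zero status propagates depends on cmd's parsing, and it should read `exit /B 1`. The two `openssl` key-generation commands (`openssl genrsa ...` and `openssl ecparam ... | openssl pkey ...`) have no `IF !ERRORLEVEL! NEQ 0` check, unlike every TPM command in the file, so an openssl failure only surfaces later as a confusing importpem error. In the Rewrap section the flushcontext labels and handles are swapped (`"Flush old key K1 80000001"` flushes 80000002 and `"Flush new key K2 80000002 public key"` flushes 80000001, and likewise for the K2/O1 pair at TPM 3); the net effect is identical because both handles are flushed, but the log is misleading when one of them fails. The script also shells out to `cp`, `rm -f` and `diff`, which are not cmd builtins; if a POSIX toolset on PATH is a deliberate requirement of these .bat tests, a `REM` near the top stating it would save the next reader a puzzle.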
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testdup.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testdup.sh
new file mode 100755
index 000000000..d2343803a
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testdup.sh
@@ -0,0 +1,626 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# 80000001 K1 storage key
+# 80000002 K2 signing key to be duplicated
+# 80000002 K2 duplicated
+# 03000000 policy session
+
+# policy
+# be f5 6b 8c 1c c8 4e 11 ed d7 17 52 8d 2c d9 93
+# 56 bd 2b bf 8f 01 52 09 c3 f8 4a ee ab a8 e8 a2
+
+# used for the name in rewrap
+
+if [ -z $TPM_DATA_DIR ]; then
+ TPM_DATA_DIR=.
+fi
+
+echo ""
+echo "Duplication"
+echo ""
+
+echo ""
+echo "Duplicate Child Key"
+echo ""
+
+# primary key 80000000
+# target storage key K1 80000001
+# originally under primary key
+# duplicate to K1
+# import to K1
+# signing key K2 80000002
+
+SALG=(rsa ecc)
+SKEY=(rsa2048 ecc)
+
+for ((i = 0 ; i < 2 ; i++))
+do
+ for ENC in "" "-salg aes -ik tmprnd.bin"
+ do
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ echo "Create a signing key K2 under the primary key, with policy"
+ ${PREFIX}create -hp 80000000 -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccduplicate.bin > run.out
+ checkSuccess $?
+
+ echo "Load the ${SALG[i]} storage key K1 80000001"
+ ${PREFIX}load -hp 80000000 -ipr store${SKEY[i]}priv.bin -ipu store${SKEY[i]}pub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Load the signing key K2 80000002"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Sign a digest, $HALG"
+ ${PREFIX}sign -hk 80000002 -halg $HALG -if policies/aaa -os tmpsig.bin -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Verify the signature, $HALG"
+ ${PREFIX}verifysignature -hk 80000002 -halg $HALG -if policies/aaa -is tmpsig.bin > run.out
+ checkSuccess $?
+
+ echo "Start a policy session"
+ ${PREFIX}startauthsession -se p > run.out
+ checkSuccess $?
+
+ echo "Policy command code, duplicate"
+ ${PREFIX}policycommandcode -ha 03000000 -cc 14b > run.out
+ checkSuccess $?
+
+ echo "Get policy digest"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Get random AES encryption key"
+ ${PREFIX}getrandom -by 16 -of tmprnd.bin > run.out
+ checkSuccess $?
+
+ echo "Duplicate K2 under ${SALG[i]} K1, ${ENC}"
+ ${PREFIX}duplicate -ho 80000002 -pwdo sig -hp 80000001 -od tmpdup.bin -oss tmpss.bin ${ENC} -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Flush the original K2 to free object slot for import"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Import K2 under ${SALG[i]} K1, ${ENC}"
+ ${PREFIX}import -hp 80000001 -pwdp sto -ipu tmppub.bin -id tmpdup.bin -iss tmpss.bin ${ENC} -opr tmppriv.bin > run.out
+ checkSuccess $?
+
+ echo "Sign under K2, $HALG - should fail"
+ ${PREFIX}sign -hk 80000002 -halg $HALG -if policies/aaa -os tmpsig.bin -pwdk sig > run.out
+ checkFailure $?
+
+ echo "Load the duplicated signing key K2"
+ ${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Sign using duplicated K2, $HALG"
+ ${PREFIX}sign -hk 80000002 -halg $HALG -if policies/aaa -os tmpsig.bin -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Verify the signature, $HALG"
+ ${PREFIX}verifysignature -hk 80000002 -halg $HALG -if policies/aaa -is tmpsig.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the duplicated K2"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Flush the parent K1"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the session"
+ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+ done
+ done
+done
+
+echo ""
+echo "Duplicate Primary Key"
+echo ""
+
+echo "Create a platform primary signing key K2 80000001"
+${PREFIX}createprimary -hi p -si -kt nf -kt np -pol policies/policyccduplicate.bin -opu tmppub.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000001 -if policies/aaa > run.out
+checkSuccess $?
+
+echo "Start a policy session 03000000"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy command code, duplicate"
+${PREFIX}policycommandcode -ha 03000000 -cc 14b > run.out
+checkSuccess $?
+
+echo "Duplicate K2 under storage key"
+${PREFIX}duplicate -ho 80000001 -hp 80000000 -od tmpdup.bin -oss tmpss.bin -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Import K2 under storage key"
+${PREFIX}import -hp 80000000 -pwdp sto -ipu tmppub.bin -id tmpdup.bin -iss tmpss.bin -opr tmppriv.bin > run.out
+checkSuccess $?
+
+echo "Load the duplicated signing key K2 80000002"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000002 -if policies/aaa > run.out
+checkSuccess $?
+
+echo "Flush the primary key 8000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the duplicated key 80000002 "
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the session 03000000 "
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Import PEM RSA signing key under RSA and ECC storage key"
+echo ""
+
+echo "generate the signing key with openssl"
+openssl genrsa -out tmpprivkey.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1
+
+echo "load the ECC storage key"
+${PREFIX}load -hp 80000000 -pwdp sto -ipr storeeccpriv.bin -ipu storeeccpub.bin > run.out
+checkSuccess $?
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ for PARENT in 80000000 80000001
+ do
+
+ echo "Import the signing key under the parent key ${PARENT} ${HALG}"
+ ${PREFIX}importpem -hp ${PARENT} -pwdp sto -ipem tmpprivkey.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Load the TPM signing key"
+ ${PREFIX}load -hp ${PARENT} -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+ checkSuccess $?
+
+ echo "Sign the message ${HALG} ${SESS}"
+ ${PREFIX}sign -hk 80000002 -pwdk rrrr -if policies/aaa -os tmpsig.bin -halg ${HALG} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG}"
+ ${PREFIX}verifysignature -hk 80000002 -if policies/aaa -is tmpsig.bin -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ done
+ done
+done
+
+echo ""
+echo "Import PEM EC signing key under RSA and ECC storage key"
+echo ""
+
+# mbedtls appears to only support the legacy PEM format
+# -----BEGIN EC PRIVATE KEY-----
+# and not the PKCS8 format
+# -----BEGIN ENCRYPTED PRIVATE KEY-----
+#
+
+echo "generate the signing key with openssl"
+if [ ${CRYPTOLIBRARY} == "openssl" ]; then
+ openssl ecparam -name prime256v1 -genkey -noout | openssl pkey -aes256 -passout pass:rrrr -text > tmpecprivkey.pem 2>&1
+
+elif [ ${CRYPTOLIBRARY} == "mbedtls" ]; then
+# plaintext key pair, legacy plaintext -----BEGIN PRIVATE KEY-----
+ openssl ecparam -name prime256v1 -genkey -noout | openssl pkey -text -out tmpecprivkeydec.pem > run.out 2>&1
+# encrypt key pair, legacy encrypted -----BEGIN EC PRIVATE KEY-----
+ openssl ec -aes128 -passout pass:rrrr -in tmpecprivkeydec.pem -out tmpecprivkey.pem > run.out 2>&1
+
+else
+ echo "Error: crypto library ${CRYPTOLIBRARY} not supported"
+ exit 255
+fi
+
+for SESS in "" "-se0 02000000 1"
+do
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ for PARENT in 80000000 80000001
+ do
+
+ echo "Import the signing key under the parent key ${PARENT} ${HALG}"
+ ${PREFIX}importpem -hp ${PARENT} -pwdp sto -ipem tmpecprivkey.pem -ecc -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Load the TPM signing key"
+ ${PREFIX}load -hp ${PARENT} -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+ checkSuccess $?
+
+ echo "Sign the message ${HALG} ${SESS}"
+ ${PREFIX}sign -hk 80000002 -salg ecc -pwdk rrrr -if policies/aaa -os tmpsig.bin -halg ${HALG} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG}"
+ ${PREFIX}verifysignature -hk 80000002 -ecc -if policies/aaa -is tmpsig.bin -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ done
+ done
+done
+
+echo "Flush the ECC storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Rewrap"
+echo ""
+
+# duplicate object O1 to K1 (the outer wrapper, knows inner wrapper)
+# rewrap O1 from K1 to K2 (does not know inner wrapper)
+# import O1 to K2 (knows inner wrapper)
+
+# 03000000 policy session for duplicate
+
+# at TPM 1, duplicate object to K1 outer wrapper, AES wrapper
+
+echo "Create a storage key K2"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -opr tmpk2priv.bin -opu tmpk2pub.bin -pwdp sto -pwdk k2 > run.out
+checkSuccess $?
+
+echo "Load the storage key K1 80000001 public key "
+${PREFIX}loadexternal -hi p -ipu storersa2048pub.bin > run.out
+checkSuccess $?
+
+echo "Create a signing key O1 with policy"
+${PREFIX}create -hp 80000000 -si -opr tmpsignpriv.bin -opu tmpsignpub.bin -pwdp sto -pwdk sig -pol policies/policyccduplicate.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key O1 80000002 under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmpsignpriv.bin -ipu tmpsignpub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Save the signing key O1 name"
+cp ${TPM_DATA_DIR}/h80000002.bin tmpo1name.bin
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy command code, duplicate"
+${PREFIX}policycommandcode -ha 03000000 -cc 14b > run.out
+checkSuccess $?
+
+echo "Get random AES encryption key"
+${PREFIX}getrandom -by 16 -of tmprnd.bin > run.out
+checkSuccess $?
+
+echo "Duplicate O1 80000002 under K1 80000001 outer wrapper, using AES inner wrapper"
+${PREFIX}duplicate -ho 80000002 -pwdo sig -hp 80000001 -ik tmprnd.bin -od tmpdup.bin -oss tmpss.bin -salg aes -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Flush signing key O1 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush storage key K1 80000001 public key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+# at TPM 2
+
+echo "Load storage key K1 80000001 public and private key"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Load storage key K2 80000002 public key"
+${PREFIX}loadexternal -hi p -ipu tmpk2pub.bin > run.out
+checkSuccess $?
+
+echo "Rewrap O1 from K1 80000001 to K2 80000002 "
+${PREFIX}rewrap -ho 80000001 -hn 80000002 -pwdo sto -id tmpdup.bin -in tmpo1name.bin -iss tmpss.bin -od tmpdup.bin -oss tmpss.bin > run.out
+checkSuccess $?
+
+echo "Flush old key K1 80000001"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush new key K2 80000002 public key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# at TPM 3
+
+echo "Load storage key K2 80000001 public key"
+${PREFIX}load -hp 80000000 -ipr tmpk2priv.bin -ipu tmpk2pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Import rewraped O1 to K2"
+${PREFIX}import -hp 80000001 -pwdp k2 -ipu tmpsignpub.bin -id tmpdup.bin -iss tmpss.bin -salg aes -ik tmprnd.bin -opr tmpsignpriv3.bin > run.out
+checkSuccess $?
+
+echo "Load the imported signing key O1 80000002 under K2 80000001"
+${PREFIX}load -hp 80000001 -ipr tmpsignpriv3.bin -ipu tmpsignpub.bin -pwdp k2 > run.out
+checkSuccess $?
+
+echo "Sign using duplicated K2"
+${PREFIX}sign -hk 80000002 -if policies/aaa -os tmpsig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000002 -if policies/aaa -is tmpsig.bin > run.out
+checkSuccess $?
+
+echo "Flush storage key K2 80000001"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush signing key O1 80000002"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Duplicate Primary Sealed AES from Source to Target EK"
+echo ""
+
+# source creates AES key, sends to target
+
+# Real code would send the target EK X509 certificate. The target could
+# defer recreating the EK until later.
+
+# Target
+
+# The mbedtls port does not support EC certificate creation yet */
+
+if [ ${CRYPTOLIBRARY} == "openssl" ]; then
+ for ((i = 0 ; i < 2 ; i++))
+ do
+
+ echo "Target: Provision a target ${SALG[i]} EK certificate"
+ ${PREFIX}createekcert -alg ${SALG[i]} -cakey cakey.pem -capwd rrrr > run.out
+ checkSuccess $?
+
+ echo "Target: Recreate the ${SALG[i]} EK at 80000001"
+ ${PREFIX}createek -alg ${SALG[i]} -cp -noflush > run.out
+ checkSuccess $?
+
+ echo "Target: Convert the EK public key to PEM format for transmission to source"
+ ${PREFIX}readpublic -ho 80000001 -opem tmpekpub.pem > run.out
+ checkSuccess $?
+
+ echo "Target: Flush the EK"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+# Here, target would send the EK PEM public key to the source
+
+# The real source would
+#
+# 1 - walk the EK X509 certificate chain. I have to add that sample code to createEK or make a new utility.
+# 2 - use openssl to convert the X509 EK certificate the the PEM public key file
+#
+# for now, the source trusts the target EK PEM public key
+
+# Source
+
+ echo "Source: Create an AES 256 bit key"
+ ${PREFIX}getrandom -by 32 -ns -of tmpaeskeysrc.bin > run.out
+ checkSuccess $?
+
+ echo "Source: Create primary duplicable sealed AES key 80000001"
+ ${PREFIX}createprimary -bl -kt nf -kt np -if tmpaeskeysrc.bin -pol policies/policyccduplicate.bin -opu tmpsdbpub.bin > run.out
+ checkSuccess $?
+
+ echo "Source: Load the target ${SALG[i]} EK public key as a storage key 80000002"
+ ${PREFIX}loadexternal -${SALG[i]} -st -ipem tmpekpub.pem > run.out
+ checkSuccess $?
+
+ echo "Source: Start a policy session, duplicate needs a policy 03000000"
+ ${PREFIX}startauthsession -se p > run.out
+ checkSuccess $?
+
+ echo "Source: Policy command code, duplicate"
+ ${PREFIX}policycommandcode -ha 03000000 -cc 14b > run.out
+ checkSuccess $?
+
+ echo "Source: Read policy digest, for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Source: Wrap the sealed AES key with the target EK public key"
+ ${PREFIX}duplicate -ho 80000001 -hp 80000002 -od tmpsdbdup.bin -oss tmpss.bin -se0 03000000 0 > run.out
+ checkSuccess $?
+
+ echo "Source: Flush the sealed AES key 80000001"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Source: Flush the EK public key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+# Transmit the sealed AEK key wrapped with the target EK back to the target
+# tmpsdbdup.bin private part wrapped in EK public key, via symmetric seed
+# tmpsdbpub.bin public part
+# tmpss.bin symmetric seed, encrypted with EK public key
+
+# Target
+
+# NOTE This assumes that the endorsement hierarchy password is Empty.
+# This may be a bad assumption if an attacker can get access and
+# change it.
+
+ echo "Target: Recreate the -${SALG[i]} EK at 80000001"
+ ${PREFIX}createek -alg ${SALG[i]} -cp -noflush > run.out
+ checkSuccess $?
+
+ echo "Target: Start a policy session, EK use needs a policy"
+ ${PREFIX}startauthsession -se p > run.out
+ checkSuccess $?
+
+ echo "Target: Policy Secret with PWAP session and (Empty) endorsement auth"
+ ${PREFIX}policysecret -ha 4000000b -hs 03000000 -pwde "" > run.out
+ checkSuccess $?
+
+ echo "Target: Read policy digest for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Target: Import the sealed AES key under the EK storage key"
+ ${PREFIX}import -hp 80000001 -ipu tmpsdbpub.bin -id tmpsdbdup.bin -iss tmpss.bin -opr tmpsdbpriv.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Target: Restart the policy session"
+ ${PREFIX}policyrestart -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Target: Policy Secret with PWAP session and (Empty) endorsement auth"
+ ${PREFIX}policysecret -ha 4000000b -hs 03000000 -pwde "" > run.out
+ checkSuccess $?
+
+ echo "Target: Read policy digest for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Target: Load the sealed AES key under the EK storage key"
+ ${PREFIX}load -hp 80000001 -ipu tmpsdbpub.bin -ipr tmpsdbpriv.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Target: Unseal the AES key"
+ ${PREFIX}unseal -ha 80000002 -of tmpaeskeytgt.bin > run.out
+ checkSuccess $?
+
+# A real target would not have access to tmpaeskeysrc.bin for the compare
+
+ echo "Target: Verify the unsealed result, same at source, for debug"
+ diff tmpaeskeytgt.bin tmpaeskeysrc.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the EK"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the sealed AES key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Flush the policy session"
+ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+ done
+
+# cleanup
+
+echo "Undefine the RSA EK certificate index"
+${PREFIX}nvundefinespace -hi p -ha 01c00002
+checkSuccess $?
+
+echo "Undefine the ECC EK certificate index"
+${PREFIX}nvundefinespace -hi p -ha 01c0000a
+checkSuccess $?
+
+fi
+
+rm -f tmpo1name.bin
+rm -f tmpsignpriv.bin
+rm -f tmpsignpub.bin
+rm -f tmprnd.bin
+rm -f tmpdup.bin
+rm -f tmpss.bin
+rm -f tmpsignpriv3.bin
+rm -f tmpsig.bin
+rm -f tmpk2priv.bin
+rm -f tmpk2pub.bin
+rm -f tmposs.bin
+rm -f tmpprivkey.pem
+rm -f tmpecprivkey.pem
+rm -f tmpecprivkeydec.pem
+rm -f tmppub.bin
+rm -f tmppriv.bin
+rm -f tmpekpub.pem
+rm -f tmpaeskeysrc.bin
+rm -f tmpsdbpub.bin
+rm -f tmpsdbdup.bin
+rm -f tmpss.bin
+rm -f tmpsdbpriv.bin
+rm -f tmpaeskeytgt.bin
+
+# ${PREFIX}flushcontext -ha 80000001
+# ${PREFIX}flushcontext -ha 80000002
+# ${PREFIX}flushcontext -ha 03000000
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 03000000
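Review bot: The openssl key-generation steps at L7706, L7760, L7764 and L7766 are the only commands in this script whose status is not checked, so a failed or unsupported `genrsa`/`ecparam`/`ec` invocation is masked until the later importpem reports a confusing "bad PEM" failure; each should be followed by `checkSuccess $?` (for the pipelines, `$?` reflects the final `openssl pkey` stage, which is the one that writes the file). The tests at L7544 and L7759 expand `$TPM_DATA_DIR` and `${CRYPTOLIBRARY}` unquoted, so an unset CRYPTOLIBRARY makes `[ == "openssl" ]` a syntax error instead of reaching the `exit 255` branch; write `if [ -z "${TPM_DATA_DIR}" ]; then` and `if [ "${CRYPTOLIBRARY}" == "openssl" ]; then`. The progress labels at L7886/L7890 and L7916/L7920 are swapped relative to the handles actually flushed (the "K1 80000001" message flushes 80000002 and vice versa), and L7689 prints "8000001" with a digit missing, which misleads anyone reading run.out after a failure. `rm -f tmpss.bin` appears twice in the cleanup (L8092, L8107); one can go.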
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testecc.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testecc.bat
new file mode 100644
index 000000000..5de54d60d
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testecc.bat
@@ -0,0 +1,324 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2019. #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "ECC Ephemeral"
+echo ""
+
+echo ""
+echo "ECC Parameters and Ephemeral"
+echo ""
+
+for %%C in (bnp256 nistp256 nistp384) do (
+
+ echo "ECC Parameters for curve %%C"
+ %TPM_EXE_PATH%eccparameters -cv %%C > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ for %%A in (-si -sir) do (
+
+ echo "Create %%A for curve %%C"
+ %TPM_EXE_PATH%create -hp 80000000 -pwdp sto %%A -ecc %%C > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+
+ echo "EC Ephemeral for curve %%C"
+ %TPM_EXE_PATH%ecephemeral -ecc %%C > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo ""
+echo "ECC Commit"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%K in ("-dau" "-dar") do (
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Create a %%~K ECDAA signing key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -ecc bnp256 %%~K -nalg sha256 -halg sha256 -kt f -kt p -opr tmprpriv.bin -opu tmprpub.bin -pwdp sto -pwdk siga > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key 80000001 under the primary key 80000000"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmprpriv.bin -ipu tmprpub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM %TPM_EXE_PATH%getcapability -cap 1 -pr 80000001
+
+ REM The trick with commit is first use - empty ECC point and no s2 and y2 parameters
+ REM which means no P1, no s2 and no y2.
+ REM and output the result and get the efile.bin
+ REM feed back the point in efile.bin as the new p1 because it is on the curve.
+
+ REM There is no test case for s2 and y2. To construct a y2 requires using Cipolla's algorithm.
+ REM example of normal command
+ REM %TPM_EXE_PATH%commit -hk 80000001 -pt p1.bin -s2 s2.bin -y2 y2_a.bin -Kf kfile.bin -Lf lfile.bin -Ef efile.bin -pwdk siga > run.out
+
+ echo "Create new point E, based on point-multiply of TPM's commit random scalar and Generator point %%~S"
+ %TPM_EXE_PATH%commit -hk 80000001 -Ef efile.bin -pwdk siga %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM copy efile as new p1 - for hash operation
+ cp efile.bin p1.bin
+
+ REM We have a point on the curve - in efile.bin. Use E as P1 and feed it back in
+
+ REM All this does is simulate the commit that the FIDO alliance wants to
+ REM use in its TPM Join operation.
+
+ echo "Create new point E, based on point-multiply of TPM's commit random scalar and input point %%~S"
+ %TPM_EXE_PATH%commit -hk 80000001 -pt p1.bin -Ef efile.bin -cf counterfile.bin -pwdk siga %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ cat efile.bin p1.bin tmprpub.bin > hashinput.bin
+
+ echo "Hash the E, P1, and Q to create the ticket to use in signing"
+ %TPM_EXE_PATH%hash -hi p -halg sha256 -if hashinput.bin -oh outhash.bin -tk tfile.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign the hash of the points made from commit"
+ %TPM_EXE_PATH%sign -hk 80000001 -pwdk siga -salg ecc -scheme ecdaa -cf counterfile.bin -if hashinput.bin -os sig.bin -tk tfile.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+)
+
+REM save old counterfile for off nominal error check
+cp counterfile.bin counterfileold.bin
+
+
+for %%K in ("-dau" "-dar") do (
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Create a %%~K ECDAA signing primary key"
+ %TPM_EXE_PATH%createprimary -ecc bnp256 %%~K -nalg sha256 -halg sha256 -kt f -kt p -opu tmprpub.bin -pwdk siga > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM %TPM_EXE_PATH%getcapability -cap 1 -pr 80000001
+
+ REM The trick with commit is first use - empty ECC point and no s2 and y2 parameters
+ REM which means no P1, no s2 and no y2.
+ REM and output the result and get the efile.bin
+ REM feed back the point in efile.bin as the new p1 because it is on the curve.
+
+ REM There is no test case for s2 and y2. To construct a y2 requires using Cipolla's algorithm.
+ REM example of normal command
+ REM %TPM_EXE_PATH%commit -hk 80000001 -pt p1.bin -s2 s2.bin -y2 y2_a.bin -Kf kfile.bin -Lf lfile.bin -Ef efile.bin -cf counterfile.bin -pwdk siga > run.out
+
+ echo "Create new point E, based on point-multiply of TPM's commit random scalar and Generator point %%~S"
+ %TPM_EXE_PATH%commit -hk 80000001 -Ef efile.bin -cf counterfile.bin -pwdk siga %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM copy efile as new p1 - for hash operation
+ cp efile.bin p1.bin
+
+ REM We have a point on the curve - in efile.bin. Use E as P1 and feed it back in
+
+ REM All this does is simulate the commit that the FIDO alliance wants to
+ REM use in its TPM Join operation.
+
+ echo "Create new point E, based on point-multiply of TPM's commit random scalar and input point %%~S"
+ %TPM_EXE_PATH%commit -hk 80000001 -pt efile.bin -Ef efile.bin -pwdk siga %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ cat efile.bin p1.bin tmprpub.bin > hashinput.bin
+
+ echo "Hash the E, P1, and Q to create the ticket to use in signing"
+ %TPM_EXE_PATH%hash -hi p -halg sha256 -if hashinput.bin -oh outhash.bin -tk tfile.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Check error case bad counter"
+ %TPM_EXE_PATH%sign -hk 80000001 -pwdk siga -salg ecc -scheme ecdaa -cf counterfileold.bin -if hashinput.bin -os sig.bin -tk tfile.bin > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Sign the hash of the points made from commit"
+ %TPM_EXE_PATH%sign -hk 80000001 -pwdk siga -salg ecc -scheme ecdaa -cf counterfile.bin -if hashinput.bin -os sig.bin -tk tfile.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "ECC zgen2phase"
+echo ""
+
+echo "ECC Parameters for curve nistp256"
+%TPM_EXE_PATH%eccparameters -cv nistp256 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM This is just a script for a B "remote" side to create a static key
+REM pair and ephemeral for use in demonstrating (on the local side) a
+REM two-phase operation involving ecephemeral and zgen2phase
+
+echo "Create decryption key for curve nistp256"
+%TPM_EXE_PATH%create -hp 80000000 -pwdp sto -den -ecc nistp256 -opu QsBpub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "EC Ephemeral for curve nistp256"
+%TPM_EXE_PATH%ecephemeral -ecc nistp256 -oq QeBpt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM local side
+REM
+REM scp or cp the QsBpub.bin and QeBpt.bin from the B side over to the
+REM A side. This assumes QsBpub is a TPM2B_PUBLIC from a create command
+REM on B side. QeBpt is already in TPM2B_ECC_POINT form since it was
+REM created by ecephemeral on B side QsBpub.bin is presumed in a form
+REM produced by a create commamnd using another TPM
+
+echo "Create decryption key for curve nistp256"
+%TPM_EXE_PATH%create -hp 80000000 -pwdp sto -den -ecc nistp256 -opr QsApriv.bin -opu QsApub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the decryption key under the primary key, 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr QsApriv.bin -ipu QsApub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "EC Ephemeral for curve nistp256"
+%TPM_EXE_PATH%ecephemeral -ecc nistp256 -oq QeApt.bin -cf counter.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Convert public raw to TPM2B_ECC_POINT"
+%TPM_EXE_PATH%tpmpublic2eccpoint -ipu QsBpub.bin -pt QsBpt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Execute zgen2phase for curve nistp256"
+%TPM_EXE_PATH%zgen2phase -hk 80000001 -scheme ecdh -qsb QsBpt.bin -qeb QeBpt.bin -cf counter.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rm -rf efile.bin
+rm -rf tmprpub.bin
+rm -rf tmprpriv.bin
+rm -rf counterfile.bin
+rm -rf counterfileold.bin
+rm -rf p1.bin
+rm -rf hashinput.bin
+rm -rf outhash.bin
+rm -rf sig.bin
+rm -rf tfile.bin
+
+rm -rf QsBpub.bin
+rm -rf QeBpt.bin
+rm -rf QsApriv.bin
+rm -rf QsApub.bin
+rm -rf QeApt.bin
+rm -rf counter.bin
+rm -rf QsBpt.bin
+
+REM %TPM_EXE_PATH%getcapability -cap 1 -pr 80000000
+REM %TPM_EXE_PATH%getcapability -cap 1 -pr 02000000
+exit /B 0
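Review bot: The cleanup at L8425–L8442 uses `rm -rf` to delete plain regular files, where the recursive flag buys nothing and would silently remove a whole tree if one of these names ever resolved to a directory; the sibling testdup.bat uses `rm -f` for the same purpose, so `rm -f efile.bin` etc. is both safer and consistent. At L8315 the second commit reads its input point from efile.bin and writes its output to the same efile.bin (`-pt efile.bin -Ef efile.bin`), whereas the equivalent step in the first loop at L8249 reads from the p1.bin copy; unless the commit utility is known to read the whole input before opening the output, this looks like an accidental divergence and `-pt p1.bin` would match L8249. The first loop passes `-cf counterfile.bin` on the second commit (L8249) while the second loop passes it on the first commit (L8301) and omits it on the second; if that asymmetry is intentional for the bad-counter check at L8329, a `REM` line saying so would help the next reader.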
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testecc.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testecc.sh
new file mode 100755
index 000000000..9ece33e29
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testecc.sh
@@ -0,0 +1,279 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testecc.sh 1277 2018-07-23 20:30:23Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "ECC Ephemeral"
+echo ""
+
+echo ""
+echo "ECC Parameters and Ephemeral"
+echo ""
+
+for CURVE in "bnp256" "nistp256" "nistp384"
+do
+
+ echo "ECC Parameters for curve ${CURVE}"
+ ${PREFIX}eccparameters -cv ${CURVE} > run.out
+ checkSuccess $?
+
+ for ATTR in "-si" "-sir"
+ do
+
+ echo "Create ${ATTR} for curve ${CURVE}"
+ ${PREFIX}create -hp 80000000 -pwdp sto ${ATTR} -ecc ${CURVE} > run.out
+ checkSuccess $?
+
+ done
+
+ echo "EC Ephemeral for curve ${CURVE}"
+ ${PREFIX}ecephemeral -ecc ${CURVE} > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "ECC Commit"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for KEYTYPE in "-dau" "-dar"
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Create a $KEYTYPE ECDAA signing key under the primary key"
+ ${PREFIX}create -hp 80000000 -ecc bnp256 $KEYTYPE -nalg sha256 -halg sha256 -kt f -kt p -opr tmprpriv.bin -opu tmprpub.bin -pwdp sto -pwdk siga > run.out
+ checkSuccess $?
+
+ echo "Load the signing key 80000001 under the primary key 80000000"
+ ${PREFIX}load -hp 80000000 -ipr tmprpriv.bin -ipu tmprpub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ #${PREFIX}getcapability -cap 1 -pr 80000001
+
+ # The trick with commit is first use - empty ECC point and no s2 and y2 parameters
+ # which means no P1, no s2 and no y2.
+ # and output the result and get the efile.bin
+ # feed back the point in efile.bin as the new p1 because it is on the curve.
+
+ # There is no test case for s2 and y2. To construct a y2 requires using Cipolla's algorithm.
+ # example of normal command
+ # ${PREFIX}commit -hk 80000001 -pt p1.bin -s2 s2.bin -y2 y2_a.bin -Kf kfile.bin -Lf lfile.bin -Ef efile.bin -cf counterfile.bin -pwdk siga > run.out
+ # checkSuccess $?
+
+ echo "Create new point E, based on point-multiply of TPM's commit random scalar and Generator point ${SESS}"
+ ${PREFIX}commit -hk 80000001 -Ef efile.bin -pwdk siga ${SESS} > run.out
+ checkSuccess $?
+
+ # copy efile as new p1 - for hash operation
+ cp efile.bin p1.bin
+
+ # We have a point on the curve - in efile.bin. Use E as P1 and feed it back in
+
+ # All this does is simulate the commit that the FIDO alliance wants to
+ # use in its TPM Join operation.
+
+ echo "Create new point E, based on point-multiply of TPM's commit random scalar and input point ${SESS}"
+ ${PREFIX}commit -hk 80000001 -pt p1.bin -Ef efile.bin -cf counterfile.bin -pwdk siga ${SESS} > run.out
+ checkSuccess $?
+
+ cat efile.bin p1.bin tmprpub.bin > hashinput.bin
+
+ echo "Hash the E, P1, and Q to create the ticket to use in signing"
+ ${PREFIX}hash -hi p -halg sha256 -if hashinput.bin -oh outhash.bin -tk tfile.bin > run.out
+ checkSuccess $?
+
+ echo "Sign the hash of the points made from commit"
+ ${PREFIX}sign -hk 80000001 -pwdk siga -salg ecc -scheme ecdaa -cf counterfile.bin -if hashinput.bin -os sig.bin -tk tfile.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ done
+done
+
+# save old counterfile for off nominal error check
+cp counterfile.bin counterfileold.bin
+
+for KEYTYPE in "-dau" "-dar"
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Create a $KEYTYPE ECDAA signing primary key"
+ ${PREFIX}createprimary -ecc bnp256 $KEYTYPE -nalg sha256 -halg sha256 -kt f -kt p -opu tmprpub.bin -pwdk siga > run.out
+ checkSuccess $?
+
+ #${PREFIX}getcapability -cap 1 -pr 80000001
+
+ # The trick with commit is first use - empty ECC point and no s2 and y2 parameters
+ # which means no P1, no s2 and no y2.
+ # and output the result and get the efile.bin
+ # feed back the point in efile.bin as the new p1 because it is on the curve.
+
+ # There is no test case for s2 and y2. To construct a y2 requires using Cipolla's algorithm.
+ # example of normal command
+ # ${PREFIX}commit -hk 80000001 -pt p1.bin -s2 s2.bin -y2 y2_a.bin -Kf kfile.bin -Lf lfile.bin -Ef efile.bin -cf counterfile.bin -pwdk siga > run.out
+ # checkSuccess $?
+
+ echo "Create new point E, based on point-multiply of TPM's commit random scalar and Generator point ${SESS}"
+ ${PREFIX}commit -hk 80000001 -Ef efile.bin -pwdk siga ${SESS} > run.out
+ checkSuccess $?
+
+ # copy efile as new p1 - for hash operation
+ cp efile.bin p1.bin
+
+ # We have a point on the curve - in efile.bin. Use E as P1 and feed it back in
+
+ # All this does is simulate the commit that the FIDO alliance wants to
+ # use in its TPM Join operation.
+
+ echo "Create new point E, based on point-multiply of TPM's commit random scalar and input point ${SESS}"
+ ${PREFIX}commit -hk 80000001 -pt p1.bin -Ef efile.bin -cf counterfile.bin -pwdk siga ${SESS} > run.out
+ checkSuccess $?
+
+ cat efile.bin p1.bin tmprpub.bin > hashinput.bin
+
+ echo "Hash the E, P1, and Q to create the ticket to use in signing"
+ ${PREFIX}hash -hi p -halg sha256 -if hashinput.bin -oh outhash.bin -tk tfile.bin > run.out
+ checkSuccess $?
+
+ echo "Check error case bad counter"
+ ${PREFIX}sign -hk 80000001 -pwdk siga -ecdaa -cf counterfileold.bin -if hashinput.bin -os sig.bin -tk tfile.bin > run.out
+ checkFailure $?
+
+ echo "Sign the hash of the points made from commit"
+ ${PREFIX}sign -hk 80000001 -pwdk siga -salg ecc -scheme ecdaa -cf counterfile.bin -if hashinput.bin -os sig.bin -tk tfile.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "ECC zgen2phase"
+echo ""
+
+echo "ECC Parameters for curve nistp256"
+${PREFIX}eccparameters -cv nistp256 > run.out
+checkSuccess $?
+
+# This is just a script for a B "remote" side to create a static key
+# pair and ephemeral for use in demonstrating (on the local side) a
+# two-phase operation involving ecephemeral and zgen2phase
+
+echo "Create decryption key for curve nistp256"
+${PREFIX}create -hp 80000000 -pwdp sto -den -ecc nistp256 -opu QsBpub.bin > run.out
+checkSuccess $?
+
+echo "EC Ephemeral for curve nistp256"
+${PREFIX}ecephemeral -ecc nistp256 -oq QeBpt.bin > run.out
+checkSuccess $?
+
+# local side
+
+# scp or cp the QsBpub.bin and QeBpt.bin from the B side over to the
+# A side. This assumes QsBpub is a TPM2B_PUBLIC from a create command
+# on B side. QeBpt is already in TPM2B_ECC_POINT form since it was
+# created by ecephemeral on B side QsBpub.bin is presumed in a form
+# produced by a create commamnd using another TPM
+
+echo "Create decryption key for curve nistp256"
+${PREFIX}create -hp 80000000 -pwdp sto -den -ecc nistp256 -opr QsApriv.bin -opu QsApub.bin > run.out
+checkSuccess $?
+
+echo "Load the decryption key under the primary key, 80000001"
+${PREFIX}load -hp 80000000 -ipr QsApriv.bin -ipu QsApub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "EC Ephemeral for curve nistp256"
+${PREFIX}ecephemeral -ecc nistp256 -oq QeApt.bin -cf counter.bin > run.out
+checkSuccess $?
+
+echo "Convert public raw to TPM2B_ECC_POINT"
+${PREFIX}tpmpublic2eccpoint -ipu QsBpub.bin -pt QsBpt.bin > run.out
+checkSuccess $?
+
+echo "Execute zgen2phase for curve ${CURVE}"
+${PREFIX}zgen2phase -hk 80000001 -scheme ecdh -qsb QsBpt.bin -qeb QeBpt.bin -cf counter.bin > run.out
+checkSuccess $?
+
+echo "Flush the key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+rm -rf efile.bin
+rm -rf tmprpub.bin
+rm -rf tmprpriv.bin
+rm -rf counterfile.bin
+rm -rf counterfileold.bin
+rm -rf p1.bin
+rm -rf hashinput.bin
+rm -rf outhash.bin
+rm -rf sig.bin
+rm -rf tfile.bin
+
+rm -rf QsBpub.bin
+rm -rf QeBpt.bin
+rm -rf QsApriv.bin
+rm -rf QsApub.bin
+rm -rf QeApt.bin
+rm -rf counter.bin
+rm -rf QsBpt.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
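Review bot: The progress message at the zgen2phase step prints `${CURVE}`, which is a stale loop variable left over from the earlier `for CURVE in ...` loop (its last value is nistp384), while the key created, loaded and used for this step is nistp256; the line should read `echo "Execute zgen2phase for curve nistp256"`, as the .bat counterpart already does. Separately, the "Check error case bad counter" negative test invokes `sign` with a bare `-ecdaa` flag, while the positive case two commands later spells it `-salg ecc -scheme ecdaa`; if `-ecdaa` is not an accepted option, checkFailure is satisfied by a usage error rather than by the TPM rejecting the stale counter, so the negative case should use the same option spelling as the positive one so that it fails only for the intended reason. The comment block before the local-side steps also has a typo, `commamnd`.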
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testencsession.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testencsession.bat
new file mode 100644
index 000000000..1e6b15021
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testencsession.bat
@@ -0,0 +1,483 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+set TWOAUTH0=01 01 01 01 21 21 41 41 61
+set TWOAUTH1=01 21 41 61 01 41 01 21 01
+
+set THREEAUTH0=01 01 01 01 01 21 41
+set THREEAUTH1=01 01 01 21 41 01 01
+set THREEAUTH2=21 41 61 41 21 41 21
+
+echo ""
+echo "Parameter Encryption"
+echo ""
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%M in (xor aes) do (
+
+ for %%N in (xor aes) do (
+
+ for %%P in (xor aes) do (
+
+
+ echo "Start an HMAC auth session with %%M encryption"
+ %TPM_EXE_PATH%startauthsession -se h -sym %%M > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start an HMAC auth session with %%N encryption"
+ %TPM_EXE_PATH%startauthsession -se h -sym %%N > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start an HMAC auth session with %%P encryption"
+ %TPM_EXE_PATH%startauthsession -se h -sym %%P > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM one auth
+
+ for %%A in (21 41 61) do (
+
+ echo "Signing Key Self Certify, one auth %%A"
+ %TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin ^
+ -se0 02000000 %%A > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+
+ REM two auth
+
+ set i=0
+ for %%a in (!TWOAUTH0!) do set /A i+=1 & set TWOAUTH0[!i!]=%%a
+ set i=0
+ for %%b in (!TWOAUTH1!) do set /A i+=1 & set TWOAUTH1[!i!]=%%b
+ set L=!i!
+
+ for /L %%i in (1,1,!L!) do (
+
+ echo "Signing Key Self Certify, two auth !TWOAUTH0[%%i]! !TWOAUTH1[%%i]!"
+ %TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin ^
+ -se0 02000000 !TWOAUTH0[%%i]! -se1 02000001 !TWOAUTH1[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+
+ REM three auth, first 01
+
+ set i=0
+ for %%a in (!THREEAUTH0!) do set /A i+=1 & set THREEAUTH0[!i!]=%%a
+ set i=0
+ for %%b in (!THREEAUTH1!) do set /A i+=1 & set THREEAUTH1[!i!]=%%b
+ set i=0
+ for %%c in (!THREEAUTH2!) do set /A i+=1 & set THREEAUTH2[!i!]=%%c
+ set L=!i!
+
+ for /L %%i in (1,1,!L!) do (
+
+ echo "Signing Key Self Certify, three auth !THREEAUTH0[%%i]! !THREEAUTH1[%%i]! !THREEAUTH2[%%i]!"
+ %TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin ^
+ -se0 02000000 !THREEAUTH0[%%i]! -se1 02000001 !THREEAUTH1[%%i]! -se2 02000002 !THREEAUTH2[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+
+ echo "Flush the sessions"
+ %TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sessions"
+ %TPM_EXE_PATH%flushcontext -ha 02000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sessions"
+ %TPM_EXE_PATH%flushcontext -ha 02000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+ )
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key, policy command code certify"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policycccertify.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Salt encrypt and decrypt HMAC sessions"
+echo ""
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an auth session"
+%TPM_EXE_PATH%startauthsession -se h -hs 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an auth session"
+%TPM_EXE_PATH%startauthsession -se h -hs 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an encrypt session"
+%TPM_EXE_PATH%startauthsession -se h -hs 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+set i=0
+for %%a in (!THREEAUTH0!) do set /A i+=1 & set THREEAUTH0[!i!]=%%a
+set i=0
+for %%b in (!THREEAUTH1!) do set /A i+=1 & set THREEAUTH1[!i!]=%%b
+set i=0
+for %%c in (!THREEAUTH2!) do set /A i+=1 & set THREEAUTH2[!i!]=%%c
+set L=!i!
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Signing Key Self Certify, three auth, salted parameter encryption !THREEAUTH0[%%i]! !THREEAUTH1[%%i]! !THREEAUTH2[%%i]!"
+ %TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin ^
+ -se0 02000000 !THREEAUTH0[%%i]! -se1 02000001 !THREEAUTH1[%%i]! -se2 02000002 !THREEAUTH2[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo "Flush the sessions"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sessions"
+%TPM_EXE_PATH%flushcontext -ha 02000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sessions"
+%TPM_EXE_PATH%flushcontext -ha 02000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Bind encrypt and decrypt HMAC sessions"
+echo ""
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an auth session"
+%TPM_EXE_PATH%startauthsession -se h -bi 80000001 -pwdb sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an auth session"
+%TPM_EXE_PATH%startauthsession -se h -bi 80000001 -pwdb sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an encrypt session"
+%TPM_EXE_PATH%startauthsession -se h -bi 80000001 -pwdb sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+set i=0
+for %%a in (!THREEAUTH0!) do set /A i+=1 & set THREEAUTH0[!i!]=%%a
+set i=0
+for %%b in (!THREEAUTH1!) do set /A i+=1 & set THREEAUTH1[!i!]=%%b
+set i=0
+for %%c in (!THREEAUTH2!) do set /A i+=1 & set THREEAUTH2[!i!]=%%c
+set L=!i!
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Signing Key Self Certify, three auth, bind parameter encryption !THREEAUTH0[%%i]! !THREEAUTH1[%%i]! !THREEAUTH2[%%i]!"
+ %TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin ^
+ -se0 02000000 !THREEAUTH0[%%i]! -se1 02000001 !THREEAUTH1[%%i]! -se2 02000002 !THREEAUTH2[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo "Flush the sessions"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sessions"
+%TPM_EXE_PATH%flushcontext -ha 02000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sessions"
+%TPM_EXE_PATH%flushcontext -ha 02000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+
+REM # policycccertify.txt 0000016c00000148
+REM # policymaker -if policies/policycccertify.txt -of policies/policycccertify.bin -v -pr
+REM # 04 8e 9a 3a ce 08 58 3f 79 f3 44 ff 78 5b be a9
+REM # f0 7a c7 fa 33 25 b3 d4 9a 21 dd 51 94 c6 58 50
+
+echo ""
+echo "Salt encrypt and decrypt policy sessions"
+echo ""
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an auth session"
+%TPM_EXE_PATH%startauthsession -se h -hs 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -hs 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an encrypt session"
+%TPM_EXE_PATH%startauthsession -se h -hs 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+set i=0
+for %%a in (!THREEAUTH0!) do set /A i+=1 & set THREEAUTH0[!i!]=%%a
+set i=0
+for %%b in (!THREEAUTH1!) do set /A i+=1 & set THREEAUTH1[!i!]=%%b
+set i=0
+for %%c in (!THREEAUTH2!) do set /A i+=1 & set THREEAUTH2[!i!]=%%c
+set L=!i!
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Policy restart"
+ %TPM_EXE_PATH%policyrestart -ha 03000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code - certify"
+ %TPM_EXE_PATH%policycommandcode -ha 03000001 -cc 148 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Self Certify, three auth, salted parameter encryption !THREEAUTH0[%%i]! !THREEAUTH1[%%i]! !THREEAUTH2[%%i]!"
+ %TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdo sig -pwdk sig -qd policies/aaa -os sig.bin -oa tmp.bin ^
+ -se0 02000000 !THREEAUTH0[%%i]! -se1 03000001 !THREEAUTH1[%%i]! -se2 02000002 !THREEAUTH2[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo "Flush the sessions"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sessions "
+%TPM_EXE_PATH%flushcontext -ha 03000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sessions "
+%TPM_EXE_PATH%flushcontext -ha 02000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Bind encrypt and decrypt policy sessions"
+echo ""
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an auth session"
+%TPM_EXE_PATH%startauthsession -se h -bi 80000001 -pwdb sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -bi 80000001 -pwdb sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an encrypt session"
+%TPM_EXE_PATH%startauthsession -se h -bi 80000001 -pwdb sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+set i=0
+for %%a in (!THREEAUTH0!) do set /A i+=1 & set THREEAUTH0[!i!]=%%a
+set i=0
+for %%b in (!THREEAUTH1!) do set /A i+=1 & set THREEAUTH1[!i!]=%%b
+set i=0
+for %%c in (!THREEAUTH2!) do set /A i+=1 & set THREEAUTH2[!i!]=%%c
+set L=!i!
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Policy restart"
+ %TPM_EXE_PATH%policyrestart -ha 03000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code - certify"
+ %TPM_EXE_PATH%policycommandcode -ha 03000001 -cc 148 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Self Certify, three auth, bind parameter encryption !THREEAUTH0[%%i]! !THREEAUTH1[%%i]! !THREEAUTH2[%%i]!"
+ %TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdo sig -pwdk xxx -qd policies/aaa -os sig.bin -oa tmp.bin ^
+ -se0 02000000 !THREEAUTH0[%%i]! -se1 03000001 !THREEAUTH1[%%i]! -se2 02000002 !THREEAUTH2[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo "Flush the sessions"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sessions "
+%TPM_EXE_PATH%flushcontext -ha 03000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sessions "
+%TPM_EXE_PATH%flushcontext -ha 02000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
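Review bot: In the "Bind encrypt and decrypt policy sessions" loop the certify call passes `-pwdk xxx` for the signing key, whereas the otherwise identical salted policy-session loop passes `-pwdk sig`, and nothing in the file says why; the same asymmetry appears in testencsession.sh. If this is deliberate — presumably the signing key is authorized by the policy session 03000001, whose policycommandcode term does not involve the key's authValue, so a wrong password is expected to be ignored — a comment such as `REM -pwdk is deliberately wrong: the policy session authorizes the key without its authValue` above the loop would make the intent visible and stop a future reader from "fixing" it. If it is not deliberate, it should be `-pwdk sig` for consistency with the salted case.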
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testencsession.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testencsession.sh
new file mode 100755
index 000000000..160d9f223
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testencsession.sh
@@ -0,0 +1,340 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+TWOAUTH0=(01 01 01 01 21 21 41 41 61)
+TWOAUTH1=(01 21 41 61 01 41 01 21 01)
+
+THREEAUTH0=(01 01 01 01 01 21 41)
+THREEAUTH1=(01 01 01 21 41 01 01)
+THREEAUTH2=(21 41 61 41 21 41 21)
+
+echo ""
+echo "Parameter Encryption - Basic"
+echo ""
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+for MODE0 in xor aes
+do
+
+ for MODE1 in xor aes
+ do
+
+ for MODE2 in xor aes
+ do
+
+ echo "Start an HMAC auth session with $MODE0 encryption"
+ ${PREFIX}startauthsession -se h -sym $MODE0 > run.out
+ checkSuccess $?
+
+ echo "Start an HMAC auth session with $MODE1 encryption"
+ ${PREFIX}startauthsession -se h -sym $MODE1 > run.out
+ checkSuccess $?
+
+ echo "Start an HMAC auth session with $MODE2 encryption"
+ ${PREFIX}startauthsession -se h -sym $MODE2 > run.out
+ checkSuccess $?
+
+ # one auth
+
+ for AUTH0 in 21 41 61
+ do
+
+ echo "Signing Key Self Certify, one auth $AUTH0"
+ ${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin -se0 02000000 $AUTH0 > run.out
+ checkSuccess $?
+
+ done
+
+ # two auth
+
+ for ((i = 0 ; i < 9; i++))
+ do
+
+ echo "Signing Key Self Certify, two auth ${TWOAUTH0[i]} ${TWOAUTH1[i]}"
+ ${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin -se0 02000000 ${TWOAUTH0[i]} -se1 02000001 ${TWOAUTH1[i]} > run.out
+ checkSuccess $?
+
+ done
+
+ # three auth
+
+ for ((i = 0 ; i < 7; i++))
+ do
+
+ echo "Signing Key Self Certify, three auth ${THREEAUTH0[i]} ${THREEAUTH1[i]} ${THREEAUTH2[i]}"
+ ${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin -se0 02000000 ${THREEAUTH0[i]} -se1 02000001 ${THREEAUTH1[i]} -se2 02000002 ${THREEAUTH2[i]} > run.out
+ checkSuccess $?
+
+ done
+
+ echo "Flush the sessions"
+ ${PREFIX}flushcontext -ha 02000000 > run.out
+ checkSuccess $?
+
+ echo "Flush the sessions"
+ ${PREFIX}flushcontext -ha 02000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the sessions"
+ ${PREFIX}flushcontext -ha 02000002 > run.out
+ checkSuccess $?
+ done
+ done
+done
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Create a signing key, policy command code certify"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policycccertify.bin > run.out
+checkSuccess $?
+
+echo ""
+echo "Salt encrypt and decrypt HMAC sessions"
+echo ""
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start an auth session"
+${PREFIX}startauthsession -se h -hs 80000000 > run.out
+checkSuccess $?
+
+echo "Start an auth session"
+${PREFIX}startauthsession -se h -hs 80000000 > run.out
+checkSuccess $?
+
+echo "Start an encrypt session"
+${PREFIX}startauthsession -se h -hs 80000000 > run.out
+checkSuccess $?
+
+for ((i = 0 ; i < 7 ; i++))
+do
+
+ echo "Signing Key Self Certify, three auth, salted parameter encryption ${THREEAUTH0[i]} ${THREEAUTH1[i]} ${THREEAUTH2[i]}"
+ ${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin -se0 02000000 ${THREEAUTH0[i]} -se1 02000001 ${THREEAUTH1[i]} -se2 02000002 ${THREEAUTH2[i]} > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000001 > run.out
+checkSuccess $?
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000002 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Bind encrypt and decrypt HMAC sessions"
+echo ""
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start an auth session"
+${PREFIX}startauthsession -se h -bi 80000001 -pwdb sig > run.out
+checkSuccess $?
+
+echo "Start an auth session"
+${PREFIX}startauthsession -se h -bi 80000001 -pwdb sig > run.out
+checkSuccess $?
+
+echo "Start an encrypt session"
+${PREFIX}startauthsession -se h -bi 80000001 -pwdb sig > run.out
+checkSuccess $?
+
+for ((i = 0 ; i < 7 ; i++))
+do
+
+ echo "Signing Key Self Certify, three auth, bind parameter encryption ${THREEAUTH0[i]} ${THREEAUTH1[i]} ${THREEAUTH2[i]}"
+ ${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin -se0 02000000 ${THREEAUTH0[i]} -se1 02000001 ${THREEAUTH1[i]} -se2 02000002 ${THREEAUTH2[i]} > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000001 > run.out
+checkSuccess $?
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000002 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+
+# policycccertify.txt 0000016c00000148
+# policymaker -if policies/policycccertify.txt -of policies/policycccertify.bin -v -pr
+# 04 8e 9a 3a ce 08 58 3f 79 f3 44 ff 78 5b be a9
+# f0 7a c7 fa 33 25 b3 d4 9a 21 dd 51 94 c6 58 50
+
+echo ""
+echo "Salt encrypt and decrypt policy sessions"
+echo ""
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start an auth session"
+${PREFIX}startauthsession -se h -hs 80000000 > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -hs 80000000 > run.out
+checkSuccess $?
+
+echo "Start an encrypt session"
+${PREFIX}startauthsession -se h -hs 80000000 > run.out
+checkSuccess $?
+
+for ((i = 0 ; i < 7 ; i++))
+do
+
+ echo "Policy restart"
+ ${PREFIX}policyrestart -ha 03000001 > run.out
+ checkSuccess $?
+
+ echo "Policy command code - certify"
+ ${PREFIX}policycommandcode -ha 03000001 -cc 148 > run.out
+ checkSuccess $?
+
+ echo "Signing Key Self Certify, three auth, salted parameter encryption ${THREEAUTH0[i]} ${THREEAUTH1[i]} ${THREEAUTH2[i]}"
+ ${PREFIX}certify -hk 80000001 -ho 80000001 -pwdo sig -pwdk sig -qd policies/aaa -os sig.bin -oa tmp.bin -se0 02000000 ${THREEAUTH0[i]} -se1 03000001 ${THREEAUTH1[i]} -se2 02000002 ${THREEAUTH2[i]} > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 03000001 > run.out
+checkSuccess $?
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000002 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Bind encrypt and decrypt policy sessions"
+echo ""
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start an auth session"
+${PREFIX}startauthsession -se h -bi 80000001 -pwdb sig > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -bi 80000001 -pwdb sig > run.out
+checkSuccess $?
+
+echo "Start an encrypt session"
+${PREFIX}startauthsession -se h -bi 80000001 -pwdb sig > run.out
+checkSuccess $?
+
+for ((i = 0 ; i < 7 ; i++))
+do
+
+ echo "Policy restart"
+ ${PREFIX}policyrestart -ha 03000001 > run.out
+ checkSuccess $?
+
+ echo "Policy command code - certify"
+ ${PREFIX}policycommandcode -ha 03000001 -cc 148 > run.out
+ checkSuccess $?
+
+ echo "Signing Key Self Certify, three auth, bind parameter encryption ${THREEAUTH0[i]} ${THREEAUTH1[i]} ${THREEAUTH2[i]}"
+ ${PREFIX}certify -hk 80000001 -ho 80000001 -pwdo sig -pwdk xxx -qd policies/aaa -os sig.bin -oa tmp.bin -se0 02000000 ${THREEAUTH0[i]} -se1 03000001 ${THREEAUTH1[i]} -se2 02000002 ${THREEAUTH2[i]} > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 03000001 > run.out
+checkSuccess $?
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000002 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+
+
+# getcapability -cap 1 -pr 80000000
+# getcapability -cap 1 -pr 02000000
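Review bot: The two- and three-auth loops hard-code their bounds (`i < 9`, `i < 7`) instead of deriving them from the arrays declared at the top, so editing TWOAUTH0/TWOAUTH1 or the THREEAUTH arrays without also touching all six loops would either skip cases or expand empty elements into the certify command line, leaving a dangling `-se0 02000000` with no attribute argument that fails for the wrong reason. Use `for ((i = 0 ; i < ${#TWOAUTH0[@]}; i++))` and `for ((i = 0 ; i < ${#THREEAUTH0[@]}; i++))` so the bound follows the data. The three "Flush the sessions" messages per block are also identical; naming the handle in each (`echo "Flush the session 02000001"`) would make run.out easier to correlate with a failure.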
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testevict.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testevict.bat
new file mode 100644
index 000000000..d81a61598
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testevict.bat
@@ -0,0 +1,125 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testevict.bat 1278 2018-07-23 21:20:42Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Evict Control"
+echo ""
+
+echo "Create an unrestricted signing key"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Make the signing key persistent"
+%TPM_EXE_PATH%evictcontrol -ho 80000001 -hp 81800000 -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with the transient key"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with the persistent key"
+%TPM_EXE_PATH%sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the transient key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the persistent key - should fail"
+%TPM_EXE_PATH%flushcontext -ha 81800000 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with the transient key- should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with the persistent key"
+%TPM_EXE_PATH%sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the persistent key"
+%TPM_EXE_PATH%evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with the persistent key - should fail"
+%TPM_EXE_PATH%sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with the transient key - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ echo TP1 failed
+ exit /B 1
+)
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 81000000
+REM getcapability -cap 1 -pr 02000000
+REM getcapability -cap 1 -pr 01000000
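Review bot: The negative checks on the flush of 81800000 and on the sign calls against the flushed/evicted handles (`IF !ERRORLEVEL! EQU 0`) accept any non-zero exit, so a transport error, an unset `TPM_EXE_PATH`, or a key that was never loaded also satisfies the "should fail" assertion. The utilities appear to write their result to run.out, so those steps would be stronger with a `findstr` of run.out for the expected TPM return code (I cannot confirm the exact code string from this hunk). Only the last step prints a diagnostic (`echo TP1 failed`); printing the step name on every `exit /B 1` path would make a failing run locatable without re-running it.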
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testevict.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testevict.sh
new file mode 100755
index 000000000..761eaa8c9
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testevict.sh
@@ -0,0 +1,99 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testevict.sh 1277 2018-07-23 20:30:23Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Evict Control"
+echo ""
+
+echo "Create an unrestricted signing key"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig > run.out
+checkSuccess $?
+
+echo "Load the signing key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Make the signing key persistent"
+${PREFIX}evictcontrol -ho 80000001 -hp 81800000 -hi p > run.out
+checkSuccess $?
+
+echo "Sign a digest with the transient key"
+${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Sign a digest with the persistent key"
+${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Flush the transient key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the persistent key - should fail"
+${PREFIX}flushcontext -ha 81800000 > run.out
+checkFailure $?
+
+echo "Sign a digest with the transient key- should fail"
+${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+echo "Sign a digest with the persistent key"
+${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Flush the persistent key"
+${PREFIX}evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out
+checkSuccess $?
+
+echo "Sign a digest with the persistent key - should fail"
+${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+echo "Sign a digest with the transient key - should fail"
+${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 81000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+# ${PREFIX}getcapability -cap 1 -pr 01000000
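Review bot: The persistent handle defined by `evictcontrol -ho 80000001 -hp 81800000 -hi p` is only removed by the second evictcontrol near the end, so if any intermediate checkSuccess aborts the run (I assume it exits; its definition is outside this hunk) the handle stays defined in the TPM and the next run presumably fails at the first evictcontrol instead of at the real problem. A best-effort `${PREFIX}evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out 2>&1` before the "Make the signing key persistent" step, with its status ignored, would make the test self-healing. The `checkFailure` steps likewise accept any non-zero status; grepping run.out for the expected return code would tighten them.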
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testgetcap.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testgetcap.bat
new file mode 100644
index 000000000..d454cdab3
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testgetcap.bat
@@ -0,0 +1,158 @@
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+setlocal enableDelayedExpansion
+
+# used for the name in policy authorize
+
+echo ""
+echo "Get Capability"
+echo ""
+
+echo "Get Capability TPM_CAP_ALGS"
+%TPM_EXE_PATH%getcapability -cap 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Get Capability TPM_CAP_HANDLES"
+echo ""
+
+echo "TPM_HT_PCR"
+%TPM_EXE_PATH%getcapability -cap 1 -pr 00000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "TPM_HT_NV_INDEX"
+%TPM_EXE_PATH%getcapability -cap 1 -pr 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "TPM_HT_LOADED_SESSION"
+%TPM_EXE_PATH%getcapability -cap 1 -pr 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "TPM_HT_SAVED_SESSION"
+%TPM_EXE_PATH%getcapability -cap 1 -pr 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "TPM_HT_PERMANENT"
+%TPM_EXE_PATH%getcapability -cap 1 -pr 40000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "TPM_HT_TRANSIENT"
+%TPM_EXE_PATH%getcapability -cap 1 -pr 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "TPM_HT_PERSISTENT"
+%TPM_EXE_PATH%getcapability -cap 1 -pr 81000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Capability TPM_CAP_COMMANDS"
+%TPM_EXE_PATH%getcapability -cap 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Capability TPM_CAP_PP_COMMANDS"
+%TPM_EXE_PATH%getcapability -cap 3 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Capability TPM_CAP_AUDIT_COMMANDS"
+%TPM_EXE_PATH%getcapability -cap 4 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Capability TPM_CAP_PCRS"
+%TPM_EXE_PATH%getcapability -cap 5 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Get Capability TPM_CAP_TPM_PROPERTIES"
+echo ""
+
+echo "Get Capability TPM_CAP_TPM_PROPERTIES 100"
+%TPM_EXE_PATH%getcapability -cap 6 -pr 100 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Capability TPM_CAP_TPM_PROPERTIES 200"
+%TPM_EXE_PATH%getcapability -cap 6 -pr 200 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Capability TPM_CAP_PCR_PROPERTIES "
+%TPM_EXE_PATH%getcapability -cap 7 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Capability TPM_CAP_ECC_CURVES"
+%TPM_EXE_PATH%getcapability -cap 8 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Capability TPM_CAP_AUTH_POLICIES"
+%TPM_EXE_PATH%getcapability -cap 9 -pr 40000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
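Review bot: The header block and the stray `# used for the name in policy authorize` line use `#` as the comment marker, which cmd.exe does not recognise; each of those lines is executed as a command and prints a "not recognized" error before `setlocal` runs, unlike the sibling .bat files in this series that use `REM #`. The stray comment also looks copied from another test, since nothing here involves policy authorize, so drop it and convert the header to `REM # ...`. `echo ""` prints the literal quotes under cmd (`echo.` prints a blank line), though the sibling scripts share that habit so it may be intentional for log parity.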
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testgetcap.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testgetcap.sh
new file mode 100755
index 000000000..f8994d51f
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testgetcap.sh
@@ -0,0 +1,125 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Get Capability"
+echo ""
+
+echo "Get Capability TPM_CAP_ALGS"
+${PREFIX}getcapability -cap 0 > run.out
+checkSuccess $?
+
+echo ""
+echo "Get Capability TPM_CAP_HANDLES"
+echo ""
+
+echo "TPM_HT_PCR"
+${PREFIX}getcapability -cap 1 -pr 00000000 > run.out
+checkSuccess $?
+
+echo "TPM_HT_NV_INDEX"
+${PREFIX}getcapability -cap 1 -pr 01000000 > run.out
+checkSuccess $?
+
+echo "TPM_HT_LOADED_SESSION"
+${PREFIX}getcapability -cap 1 -pr 02000000 > run.out
+checkSuccess $?
+
+echo "TPM_HT_SAVED_SESSION"
+${PREFIX}getcapability -cap 1 -pr 03000000 > run.out
+checkSuccess $?
+
+echo "TPM_HT_PERMANENT"
+${PREFIX}getcapability -cap 1 -pr 40000000 > run.out
+checkSuccess $?
+
+echo "TPM_HT_TRANSIENT"
+${PREFIX}getcapability -cap 1 -pr 80000000 > run.out
+checkSuccess $?
+
+echo "TPM_HT_PERSISTENT"
+${PREFIX}getcapability -cap 1 -pr 81000000 > run.out
+checkSuccess $?
+
+echo "Get Capability TPM_CAP_COMMANDS"
+${PREFIX}getcapability -cap 2 > run.out
+checkSuccess $?
+
+echo "Get Capability TPM_CAP_PP_COMMANDS"
+${PREFIX}getcapability -cap 3 > run.out
+checkSuccess $?
+
+echo "Get Capability TPM_CAP_AUDIT_COMMANDS"
+${PREFIX}getcapability -cap 4 > run.out
+checkSuccess $?
+
+echo "Get Capability TPM_CAP_PCRS"
+${PREFIX}getcapability -cap 5 > run.out
+checkSuccess $?
+
+echo ""
+echo "Get Capability TPM_CAP_TPM_PROPERTIES"
+echo ""
+
+echo "Get Capability TPM_CAP_TPM_PROPERTIES 100"
+${PREFIX}getcapability -cap 6 -pr 100 > run.out
+checkSuccess $?
+
+echo "Get Capability TPM_CAP_TPM_PROPERTIES 200"
+${PREFIX}getcapability -cap 6 -pr 200 > run.out
+checkSuccess $?
+
+echo "Get Capability TPM_CAP_PCR_PROPERTIES "
+${PREFIX}getcapability -cap 7 > run.out
+checkSuccess $?
+
+echo "Get Capability TPM_CAP_ECC_CURVES"
+${PREFIX}getcapability -cap 8 > run.out
+checkSuccess $?
+
+echo "Get Capability TPM_CAP_AUTH_POLICIES"
+${PREFIX}getcapability -cap 9 -pr 40000000 > run.out
+checkSuccess $?
+
+
+
+
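Review bot: Every step only checks getcapability's exit status and never inspects run.out, so a TPM that returns an empty algorithm, command or PCR list still passes this test. Since later tests presumably depend on specific capabilities (the persistent-handle and session ranges queried here, for instance), consider grepping run.out after the queries whose contents matter, e.g. `grep -q TPM_ALG_ run.out` after `getcapability -cap 0` — I can't confirm the utility's output format from this hunk, so adjust the pattern to what it prints. The four trailing blank lines can be dropped.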
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhierarchy.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhierarchy.bat
new file mode 100644
index 000000000..fa3e65566
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhierarchy.bat
@@ -0,0 +1,369 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testhierarchy.bat 507 2016-03-08 22:35:47Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Hierarchy Change Auth"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Generate a random authorization value"
+%TPM_EXE_PATH%getrandom -by 32 -nz -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Change platform hierarchy auth %%~S"
+ %TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary storage key - should fail"
+ %TPM_EXE_PATH%createprimary -hi p -pwdk 111 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary storage key"
+ %TPM_EXE_PATH%createprimary -hi p -pwdk 111 -pwdp ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the primary key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Change platform hierarchy auth back to null %%~S"
+ %TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary storage key"
+ %TPM_EXE_PATH%createprimary -pwdk 111 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the primary key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Change platform hierarchy auth, new auth from file %%~S"
+ %TPM_EXE_PATH%hierarchychangeauth -hi p -pwdni tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary storage key - should fail"
+ %TPM_EXE_PATH%createprimary -hi p -pwdk 111 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary storage key, auth from file"
+ %TPM_EXE_PATH%createprimary -hi p -pwdk 111 -pwdpi tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the primary key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Change platform hierarchy auth back to null, auth from file %%~S"
+ %TPM_EXE_PATH%hierarchychangeauth -hi p -pwdai tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary storage key"
+ %TPM_EXE_PATH%createprimary -pwdk 111 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the primary key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Hierarchy Change Auth with bind"
+echo ""
+
+echo "Change platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary storage key - should fail"
+%TPM_EXE_PATH%createprimary -hi p -pwdk 111 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Create a primary storage key"
+%TPM_EXE_PATH%createprimary -hi p -pwdk 111 -pwdp ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC auth session, bind to platform hierarchy"
+%TPM_EXE_PATH%startauthsession -se h -bi 4000000c -pwdb ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change platform hierarchy auth back to null"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp -se0 02000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary storage key"
+%TPM_EXE_PATH%createprimary -pwdk 111 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Hierarchy Control"
+echo ""
+
+echo "Enable the owner hierarchy"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he o > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change the platform hierarchy password"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Enable the owner hierarchy - no platform hierarchy password, should fail"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he o > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Enable the owner hierarchy using platform hierarchy password"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he o -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary key in the owner hierarchy - bad password, should fail"
+%TPM_EXE_PATH%createprimary -hi o -pwdp xxx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Create a primary key in the owner hierarchy"
+%TPM_EXE_PATH%createprimary -hi o > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Disable the owner hierarchy using platform hierarchy password"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he o -pwda ppp -state 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary key in the owner hierarchy, disabled, should fail"
+%TPM_EXE_PATH%createprimary -hi o > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Enable the owner hierarchy using platform hierarchy password"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he o -pwda ppp -state 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary key in the owner hierarchy"
+%TPM_EXE_PATH%createprimary -hi o > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Remove the platform hierarchy password"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary key in the owner hierarchy"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Clear"
+echo ""
+
+echo "Set storage hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi o -pwdn ooo > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary key - storage hierarchy"
+%TPM_EXE_PATH%createprimary -hi o -pwdp ooo > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read the public part"
+%TPM_EXE_PATH%readpublic -ho 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "ClearControl disable"
+%TPM_EXE_PATH%clearcontrol -hi p -state 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear - should fail"
+%TPM_EXE_PATH%clear -hi p > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "ClearControl enable"
+%TPM_EXE_PATH%clearcontrol -hi p -state 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear"
+%TPM_EXE_PATH%clear -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read the public part - should fail"
+%TPM_EXE_PATH%readpublic -ho 80000001 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Create a primary key - old owner password should fail"
+%TPM_EXE_PATH%createprimary -hi o -pwdp ooo > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Create a primary key"
+%TPM_EXE_PATH%createprimary -hi o > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM cleanup
+rm -f tmp.bin
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
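Review bot: The cleanup step `rm -f tmp.bin` is a Unix command; under cmd.exe it fails unless a POSIX toolset happens to be on PATH, leaving the 32-byte random value used as platform hierarchy auth on disk. Use the native `if exist tmp.bin del /q tmp.bin` instead. Note that cleanup is unreachable on failing paths because every check does `exit /B 1` directly; that is probably desirable here, since an abort between the `-pwdni tmp.bin` and `-pwdai tmp.bin` steps leaves the platform auth set to the file's contents and tmp.bin is then needed to reset it without a TPM restart — a `REM` comment next to the getrandom step saying so would help whoever recovers such a run.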
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhierarchy.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhierarchy.sh
new file mode 100755
index 000000000..a3b170662
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhierarchy.sh
@@ -0,0 +1,244 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testhierarchy.sh 990 2017-04-19 13:31:24Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015, 2016 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Hierarchy Change Auth"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Generate a random authorization value"
+${PREFIX}getrandom -by 32 -nz -of tmp.bin > run.out
+checkSuccess $?
+
+AUTH=("" "-pwda ppp " "" "-pwdai tmp.bin ")
+NEWAUTH=("-pwdn ppp " "" "-pwdni tmp.bin " "")
+CPAUTH=("-pwdp ppp " "" "-pwdpi tmp.bin " "")
+
+for ((i = 0 ; i < 4 ; i+=2))
+do
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Change platform hierarchy auth ${AUTH[i]} ${NEWAUTH[i]} ${SESS}"
+ ${PREFIX}hierarchychangeauth -hi p ${AUTH[i]} ${NEWAUTH[i]} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Create a primary storage key - should fail"
+ ${PREFIX}createprimary -hi p -pwdk 111 > run.out
+ checkFailure $?
+
+ echo "Create a primary storage key ${CPAUTH[i]}"
+ ${PREFIX}createprimary -hi p -pwdk 111 ${CPAUTH[i]} > run.out
+ checkSuccess $?
+
+ echo "Flush the primary key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Change platform hierarchy auth back to null ${AUTH[i+1]} ${NEWAUTH[i+1]} ${SESS}"
+ ${PREFIX}hierarchychangeauth -hi p ${AUTH[i+1]} ${NEWAUTH[i+1]} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Create a primary storage key"
+ ${PREFIX}createprimary -pwdk 111 > run.out
+ checkSuccess $?
+
+ echo "Flush the primary key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Hierarchy Change Auth with bind"
+echo ""
+
+echo "Change platform hierarchy auth"
+${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
+checkSuccess $?
+
+echo "Create a primary storage key - should fail"
+${PREFIX}createprimary -hi p -pwdk 111 > run.out
+checkFailure $?
+
+echo "Create a primary storage key"
+${PREFIX}createprimary -hi p -pwdk 111 -pwdp ppp > run.out
+checkSuccess $?
+
+echo "Flush the primary key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Start an HMAC auth session, bind to platform hierarchy"
+${PREFIX}startauthsession -se h -bi 4000000c -pwdb ppp > run.out
+checkSuccess $?
+
+echo "Change platform hierarchy auth back to null"
+${PREFIX}hierarchychangeauth -hi p -pwda ppp -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Create a primary storage key"
+${PREFIX}createprimary -pwdk 111 > run.out
+checkSuccess $?
+
+echo "Flush the primary key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Hierarchy Control"
+echo ""
+
+echo "Enable the owner hierarchy"
+${PREFIX}hierarchycontrol -hi p -he o > run.out
+checkSuccess $?
+
+echo "Change the platform hierarchy password"
+${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
+checkSuccess $?
+
+echo "Enable the owner hierarchy - no platform hierarchy password, should fail"
+${PREFIX}hierarchycontrol -hi p -he o > run.out
+checkFailure $?
+
+echo "Enable the owner hierarchy using platform hierarchy password"
+${PREFIX}hierarchycontrol -hi p -he o -pwda ppp > run.out
+checkSuccess $?
+
+echo "Create a primary key in the owner hierarchy - bad password, should fail"
+${PREFIX}createprimary -hi o -pwdp xxx > run.out
+checkFailure $?
+
+echo "Create a primary key in the owner hierarchy"
+${PREFIX}createprimary -hi o > run.out
+checkSuccess $?
+
+echo "Disable the owner hierarchy using platform hierarchy password"
+${PREFIX}hierarchycontrol -hi p -he o -pwda ppp -state 0 > run.out
+checkSuccess $?
+
+echo "Create a primary key in the owner hierarchy, disabled, should fail"
+${PREFIX}createprimary -hi o > run.out
+checkFailure $?
+
+echo "Enable the owner hierarchy using platform hierarchy password"
+${PREFIX}hierarchycontrol -hi p -he o -pwda ppp -state 1 > run.out
+checkSuccess $?
+
+echo "Create a primary key in the owner hierarchy"
+${PREFIX}createprimary -hi o > run.out
+checkSuccess $?
+
+echo "Remove the platform hierarchy password"
+${PREFIX}hierarchychangeauth -hi p -pwda ppp > run.out
+checkSuccess $?
+
+echo "Flush the primary key in the owner hierarchy"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Clear"
+echo ""
+
+echo "Set storage hierarchy auth"
+${PREFIX}hierarchychangeauth -hi o -pwdn ooo > run.out
+checkSuccess $?
+
+echo "Create a primary key - storage hierarchy"
+${PREFIX}createprimary -hi o -pwdp ooo > run.out
+checkSuccess $?
+
+echo "Read the public part"
+${PREFIX}readpublic -ho 80000001 > run.out
+checkSuccess $?
+
+echo "ClearControl disable"
+${PREFIX}clearcontrol -hi p -state 1 > run.out
+checkSuccess $?
+
+echo "Clear - should fail"
+${PREFIX}clear -hi p > run.out
+checkFailure $?
+
+echo "ClearControl enable"
+${PREFIX}clearcontrol -hi p -state 0 > run.out
+checkSuccess $?
+
+echo "Clear"
+${PREFIX}clear -hi p > run.out
+checkSuccess $?
+
+echo "Read the public part - should fail"
+${PREFIX}readpublic -ho 80000001 > run.out
+checkFailure $?
+
+echo "Create a primary key - old owner password should fail"
+${PREFIX}createprimary -hi o -pwdp ooo > run.out
+checkFailure $?
+
+echo "Create a primary key"
+${PREFIX}createprimary -hi o > run.out
+checkSuccess $?
+
+echo "Flush the primary key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# getcapability -cap 1 -pr 80000000
+# getcapability -cap 1 -pr 02000000
+
+# cleanup
+rm -f tmp.bin
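Review bot: `clear -hi p` near the end flushes all objects in the storage hierarchy and changes the storage primary seed, so the primary key at 80000000 that the other tests load against (e.g. `load -hp 80000000` in testevict.sh) no longer exists afterwards and any tmppriv.bin/tmppub.bin written before this point can no longer be loaded; if the harness runs further scripts after this one without re-creating the primary they will fail — I can't see the runner order from this hunk, so please confirm. A comment above the Clear section stating this side effect would save the next maintainer a debugging session, e.g. `# NOTE: TPM2_Clear flushes 80000000 and invalidates keys created under the old storage seed; re-create the primary before any later test`. `rm -f tmp.bin` only runs on a fully successful pass (checkSuccess presumably exits), which is fine since tmp.bin is needed to reset the platform auth if the run aborts mid-loop.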
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhmac.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhmac.bat
new file mode 100644
index 000000000..3bbcc9bf7
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhmac.bat
@@ -0,0 +1,331 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2018 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Keyed hash HMAC key"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM session 02000000
+REM loaded HMAC key 80000001
+REM primary HMAC key 80000001
+REM sequence object 80000002
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Load the %%H keyed hash key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr khpriv%%H.bin -ipu khpub%%H.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H using the keyed hash key, message from file %%~S"
+ %TPM_EXE_PATH%hmac -hk 80000001 -if msg.bin -os sig.bin -pwdk khk -halg %%H %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H start using the keyed hash key %%~S"
+ %TPM_EXE_PATH%hmacstart -hk 80000001 -pwdk khk -pwda aaa %%~S -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H sequence update %%~S"
+ %TPM_EXE_PATH%sequenceupdate -hs 80000002 -pwds aaa -if msg.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H sequence complete %%~S"
+ %TPM_EXE_PATH%sequencecomplete -hs 80000002 -pwds aaa -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the HMAC %%H using the two methods"
+ diff sig.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H using the keyed hash key, message from command line %%~S"
+ %TPM_EXE_PATH%hmac -hk 80000001 -ic 1234567890123456 -os sig.bin -pwdk khk -halg %%H %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the HMAC %%H using the two methods"
+ diff sig.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the %%H HMAC key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create primary HMAC key - %%H"
+ %TPM_EXE_PATH%createprimary -kh -halg %%H -pwdk khp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H using the keyed hash primary key %%~S"
+ %TPM_EXE_PATH%hmac -hk 80000001 -if msg.bin -os sig.bin -pwdk khp -halg %%H %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H start using the keyed hash primary key %%~S"
+ %TPM_EXE_PATH%hmacstart -hk 80000001 -pwdk khp -pwda aaa %%~S -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H sequence update %%~S"
+ %TPM_EXE_PATH%sequenceupdate -hs 80000002 -pwds aaa -if msg.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H sequence complete %%~S"
+ %TPM_EXE_PATH%sequencecomplete -hs 80000002 -pwds aaa -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the HMAC %%H using the two methods"
+ diff sig.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the %%H primary HMAC key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+)
+
+echo ""
+echo "Hash"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Hash %%H in one call, data from file"
+ %TPM_EXE_PATH%hash -hi p -halg %%H -if policies/aaa -oh tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the hash %%H"
+ diff tmp.bin policies/%%Haaa.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Hash %%H in one cal, data on command linel"
+ %TPM_EXE_PATH%hash -hi p -halg %%H -ic aaa -oh tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the hash %%H"
+ diff tmp.bin policies/%%Haaa.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Hash %%H sequence start"
+ %TPM_EXE_PATH%hashsequencestart -halg %%H -pwda aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Hash %%H sequence update %%~S"
+ %TPM_EXE_PATH%sequenceupdate -hs 80000001 -pwds aaa -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Hash %%H sequence complete %%~S"
+ %TPM_EXE_PATH%sequencecomplete -hi p -hs 80000001 -pwds aaa -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the %%H hash"
+ diff tmp.bin policies/%%Haaa.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+
+echo ""
+echo "Sign with ticket"
+echo ""
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048rpriv.bin -ipu signrsa2048rpub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Hash and create ticket"
+%TPM_EXE_PATH%hash -hi p -halg sha256 -if msg.bin -oh sig.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with a restricted signing key and no ticket - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with a restricted signing key and ticket"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -tk tkt.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Hash and create null ticket, msg with TPM_GENERATED"
+%TPM_EXE_PATH%hash -hi p -halg sha256 -if policies/msgtpmgen.bin -oh sig.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with a restricted signing key and ticket - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -tk tkt.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Hash sequence start"
+%TPM_EXE_PATH%hashsequencestart -halg sha256 -pwda aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Hash sequence update "
+%TPM_EXE_PATH%sequenceupdate -hs 80000002 -pwds aaa -if msg.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Hash sequence complete"
+%TPM_EXE_PATH%sequencecomplete -hi p -hs 80000002 -pwds aaa -of tmp.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with a restricted signing key and no ticket - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with a restricted signing key and ticket"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -tk tkt.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Hash sequence start"
+%TPM_EXE_PATH%hashsequencestart -halg sha256 -pwda aaa -halg sha256 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Hash sequence update, msg with TPM_GENERATED"
+%TPM_EXE_PATH%sequenceupdate -hs 80000002 -pwds aaa -if policies/msgtpmgen.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Hash sequence complete"
+%TPM_EXE_PATH%sequencecomplete -hi p -hs 80000002 -pwds aaa -of tmp.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with a restricted signing key and ticket - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -tk tkt.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+
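Review bot: The progress message on the `echo "Hash %%H in one cal, data on command linel"` line carries two typos that the companion testhmac.sh already spells correctly; it should read `echo "Hash %%H in one call, data on command line"`. The second `Hash sequence start` step passes the hash option twice (`hashsequencestart -halg sha256 -pwda aaa -halg sha256`); the same duplicated `-halg sha256` appears in testhmac.sh, and dropping the repeat in both keeps the two scripts in step. The `message from command line` step computes an HMAC over the value given by `-ic 1234567890123456` and then diffs it against the sequence result computed over msg.bin, so that check can only pass when msg.bin holds exactly the bytes the `-ic` argument supplies; a `REM msg.bin must contain the same bytes as the -ic 1234567890123456 message below` next to the handle comments would make this fixture dependency visible (testhmac.sh has the same dependency). Unlike testhmac.sh, this script reaches `exit /B 0` without removing tmp.bin, sig.bin or tkt.bin, so if no later test consumes them a `del tmp.bin sig.bin tkt.bin` before the exit would keep the test self-contained.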
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhmac.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhmac.sh
new file mode 100755
index 000000000..6d1f1cc0f
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhmac.sh
@@ -0,0 +1,254 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Keyed hash HMAC key"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+# session 02000000
+# loaded HMAC key 80000001
+# primary HMAC key 80000001
+# sequence object 80000002
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Load the ${HALG} keyed hash key under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr khpriv${HALG}.bin -ipu khpub${HALG}.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} using the keyed hash key, message from file ${SESS}"
+ ${PREFIX}hmac -hk 80000001 -if msg.bin -os sig.bin -pwdk khk -halg ${HALG} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} start using the keyed hash key ${SESS}"
+ ${PREFIX}hmacstart -hk 80000001 -pwdk khk -pwda aaa ${SESS} -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} sequence update ${SESS}"
+ ${PREFIX}sequenceupdate -hs 80000002 -pwds aaa -if msg.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} sequence complete ${SESS}"
+ ${PREFIX}sequencecomplete -hs 80000002 -pwds aaa -of tmp.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the HMAC ${HALG} using the two methods"
+ diff sig.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} using the keyed hash key, message from command line ${SESS}"
+ ${PREFIX}hmac -hk 80000001 -ic 1234567890123456 -os sig.bin -pwdk khk -halg ${HALG} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the HMAC ${HALG} using the two methods"
+ diff sig.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the ${HALG} HMAC key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create primary HMAC key - $HALG"
+ ${PREFIX}createprimary -kh -halg ${HALG} -pwdk khp > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} using the keyed hash primary key ${SESS}"
+ ${PREFIX}hmac -hk 80000001 -if msg.bin -os sig.bin -pwdk khp -halg ${HALG} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} start using the keyed hash primary key ${SESS}"
+ ${PREFIX}hmacstart -hk 80000001 -pwdk khp -pwda aaa ${SESS} -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} sequence update ${SESS}"
+ ${PREFIX}sequenceupdate -hs 80000002 -pwds aaa -if msg.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} sequence complete ${SESS}"
+ ${PREFIX}sequencecomplete -hs 80000002 -pwds aaa -of tmp.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the HMAC ${HALG} using the two methods"
+ diff sig.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the ${HALG} primary HMAC key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo ""
+echo "Hash"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Hash ${HALG} in one call, data from file"
+ ${PREFIX}hash -hi p -halg ${HALG} -if policies/aaa -oh tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the hash ${HALG}"
+ diff tmp.bin policies/${HALG}aaa.bin > run.out
+ checkSuccess $?
+
+ echo "Hash ${HALG} in one call, data on command line"
+ ${PREFIX}hash -hi p -halg ${HALG} -ic aaa -oh tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the hash ${HALG}"
+ diff tmp.bin policies/${HALG}aaa.bin > run.out
+ checkSuccess $?
+
+ echo "Hash ${HALG} sequence start"
+ ${PREFIX}hashsequencestart -halg ${HALG} -pwda aaa > run.out
+ checkSuccess $?
+
+ echo "Hash ${HALG} sequence update ${SESS}"
+ ${PREFIX}sequenceupdate -hs 80000001 -pwds aaa -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Hash ${HALG} sequence complete ${SESS}"
+ ${PREFIX}sequencecomplete -hi p -hs 80000001 -pwds aaa -of tmp.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the ${HALG} hash"
+ diff tmp.bin policies/${HALG}aaa.bin > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+
+echo ""
+echo "Sign with ticket"
+echo ""
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048rpriv.bin -ipu signrsa2048rpub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Hash and create ticket"
+${PREFIX}hash -hi p -halg sha256 -if msg.bin -oh sig.bin -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest with a restricted signing key and no ticket - should fail"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+echo "Sign a digest with a restricted signing key and ticket"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -tk tkt.bin -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Hash and create null ticket, msg with TPM_GENERATED"
+${PREFIX}hash -hi p -halg sha256 -if policies/msgtpmgen.bin -oh sig.bin -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest with a restricted signing key and ticket - should fail"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -tk tkt.bin -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+echo "Hash sequence start"
+${PREFIX}hashsequencestart -halg sha256 -pwda aaa > run.out
+checkSuccess $?
+
+echo "Hash sequence update "
+${PREFIX}sequenceupdate -hs 80000002 -pwds aaa -if msg.bin > run.out
+checkSuccess $?
+
+echo "Hash sequence complete"
+${PREFIX}sequencecomplete -hi p -hs 80000002 -pwds aaa -of tmp.bin -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest with a restricted signing key and no ticket - should fail"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+echo "Sign a digest with a restricted signing key and ticket"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -tk tkt.bin -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Hash sequence start"
+${PREFIX}hashsequencestart -halg sha256 -pwda aaa -halg sha256 > run.out
+checkSuccess $?
+
+echo "Hash sequence update, msg with TPM_GENERATED"
+${PREFIX}sequenceupdate -hs 80000002 -pwds aaa -if policies/msgtpmgen.bin > run.out
+checkSuccess $?
+
+echo "Hash sequence complete"
+${PREFIX}sequencecomplete -hi p -hs 80000002 -pwds aaa -of tmp.bin -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest with a restricted signing key and ticket - should fail"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -tk tkt.bin -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+rm -f tmp.bin
+rm -f tmp1.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+
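Review bot: `${SESS}` is expanded unquoted on every command inside the two loops (for example `${PREFIX}hmac -hk 80000001 -if msg.bin -os sig.bin -pwdk khk -halg ${HALG} ${SESS} > run.out`), which is deliberate here because the value `"-se0 02000000 1"` has to split into three separate arguments, but ShellCheck reports it as SC2086 and a later maintainer may "fix" it by quoting and silently break the session variant of every step. Mark the intent once above the outer loop with `# shellcheck disable=SC2086 — SESS is intentionally word-split into separate arguments`, or keep the session options in an array and expand `"${SESS[@]}"`. The script also depends on `PREFIX`, `ITERATE_ALGS`, `checkSuccess` and `checkFailure` being provided by whatever invokes it, since none of them is defined here, and a short header comment listing those requirements would tell a reader that it is not meant to run standalone; the same applies to testhmacsession.sh. The cleanup at the end removes tmp1.bin, which nothing in this file creates, while sig.bin and tkt.bin written by the hash and sign steps are left behind; if no later test consumes them, `rm -f tmp.bin sig.bin tkt.bin` is the cleanup that matches what this script produces.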
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhmacsession.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhmacsession.bat
new file mode 100644
index 000000000..01bcc9c60
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhmacsession.bat
@@ -0,0 +1,111 @@
+REM #############################################################################
+REM #
+REM TPM2 regression test #
+REM Written by Ken Goldman #
+REM IBM Thomas J. Watson Research Center #
+REM $Id: testhmacsession.bat 1278 2018-07-23 21:20:42Z kgoldman $ #
+REM #
+REM (c) Copyright IBM Corporation 2015, 2017 #
+REM #
+REM All rights reserved. #
+REM #
+REM Redistribution and use in source and binary forms, with or without #
+REM modification, are permitted provided that the following conditions are #
+REM met: #
+REM #
+REM Redistributions of source code must retain the above copyright notice, #
+REM this list of conditions and the following disclaimer. #
+REM #
+REM Redistributions in binary form must reproduce the above copyright #
+REM notice, this list of conditions and the following disclaimer in the #
+REM documentation and/or other materials provided with the distribution. #
+REM #
+REM Neither the names of the IBM Corporation nor the names of its #
+REM contributors may be used to endorse or promote products derived from #
+REM this software without specific prior written permission. #
+REM #
+REM THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "HMAC Session"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a storage key under the primary key - continue true"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk sto -se0 02000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a storage key under the primary key - continue false"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk sto -se0 02000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a storage key under the primary key - should fail"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk sto -se0 02000000 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo ""
+echo "User with Auth Clear"
+echo ""
+
+echo "Create a signing key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -uwa -opr tmppriv.bin -opu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - should fail with HMAC session"
+%TPM_EXE_PATH%sign -hk 80000001 -if policies/aaa -se0 02000000 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the session, not flushed on failure"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0 \ No newline at end of file
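Review bot: The key blobs written by `create -hp 80000000 -si -kt f -kt p -uwa -opr tmppriv.bin -opu tmppub.bin -pwdp sto` are never removed, so an aborted run leaves the private blob on disk and a later test that reuses those file names could load this key instead of its own; a `del tmppriv.bin tmppub.bin` before `exit /B 0` keeps the test self-contained, and the companion testhmacsession.sh has the same gap. The second `Start an HMAC auth session` appears to rely on the new session landing at handle 02000000 again, which holds only because the `continue false` create flushed the first session; a `REM the continue-false create above flushed the first session, so this one is 02000000 again` would make that ordering dependency explicit in both scripts. Likewise the `should fail with HMAC session` step is the whole point of the "User with Auth Clear" section, and a one-line comment stating that the key was created with `-uwa` so an HMAC session is expected to be rejected would help a reader who did not trace back to the create line.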
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhmacsession.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhmacsession.sh
new file mode 100755
index 000000000..377158909
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testhmacsession.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testhmacsession.sh 1277 2018-07-23 20:30:23Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "HMAC Session"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Create a storage key under the primary key - continue true"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk sto -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Create a storage key under the primary key - continue false"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk sto -se0 02000000 0 > run.out
+checkSuccess $?
+
+echo "Create a storage key under the primary key - should fail"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk sto -se0 02000000 0 > run.out
+checkFailure $?
+
+echo ""
+echo "User with Auth Clear"
+echo ""
+
+echo "Create a signing key under the primary key"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -uwa -opr tmppriv.bin -opu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Sign a digest - should fail with HMAC session"
+${PREFIX}sign -hk 80000001 -if policies/aaa -se0 02000000 0 > run.out
+checkFailure $?
+
+echo "Flush the session, not flushed on failure"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testnv.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testnv.bat
new file mode 100644
index 000000000..f272214db
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testnv.bat
@@ -0,0 +1,963 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testnv.bat 1301 2018-08-15 21:46:19Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2018 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "NV"
+echo ""
+
+echo ""
+echo "NV Ordinary Index"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+set NALG=%ITERATE_ALGS%
+set BADNALG=%BAD_ITERATE_ALGS%
+
+set i=0
+for %%N in (!NALG!) do set /A i+=1 & set NALG[!i!]=%%N
+set i=0
+for %%B in (!BADNALG!) do set /A i+=1 & set BADNALG[!i!]=%%B
+set L=!i!
+
+for /L %%i in (1,1,!L!) do (
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "NV Define Space !NALG[%%i]!"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 -nalg !NALG[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public, unwritten Name bad Name algorithm !BADNALG[%%i]! - should fail"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 -nalg !BADNALG[%%i]! > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV read - should fail before write %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV write %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 3 -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the read data"
+ diff policies/aaa tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read, invalid offset - should fail %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 -off 1 -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV read, invalid size - should fail %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 17 -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space again should fail"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV Define Space out of range - should fail"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 02000000 -pwdn nnn -sz 16 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV Set Bits Index"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "NV Define Space"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -ty b > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read - should fail before write %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Set bits 0, 16, 32, 48 %%~S"
+ %TPM_EXE_PATH%nvsetbits -ha 01000000 -pwdn nnn -bit 0 -bit 16 -bit 32 -bit 48 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the set bits %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the read data"
+ diff policies/bits48321601.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV Counter Index"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "NV Define Space"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -ty c > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public, unwritten Name"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the count - should fail before write %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Increment the count %%~S"
+ %TPM_EXE_PATH%nvincrement -ha 01000000 -pwdn nnn %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the count %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+REM FIXME need some way to verify the count
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV Extend Index"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ set SZ=20 32 48 64
+ set HALG=%ITERATE_ALGS%
+
+ set i=0
+ for %%a in (!SZ!) do set /A i+=1 & set SZ[!i!]=%%a
+ set i=0
+ for %%b in (!HALG!) do set /A i+=1 & set HALG[!i!]=%%b
+ set L=!i!
+
+ for /L %%i in (1,1,!L!) do (
+
+ echo "NV Define Space !HALG[%%i]!"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -ty e -nalg !HALG[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public !HALG[%%i]!"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 -nalg !HALG[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read, unwritten Name - should fail before write %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 32 -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV extend %%~S"
+ %TPM_EXE_PATH%nvextend -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read size !SZ[%%i]!} %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz !SZ[%%i]! -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the read data !HALG[%%i]!"
+ diff policies/!HALG[%%i]!extaaa.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+REM getcapability -cap 1 -pr 01000000
+
+echo ""
+echo "NV Owner auth"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Set owner auth %%~S"
+ %TPM_EXE_PATH%hierarchychangeauth -hi o -pwdn ooo %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Define an NV index with owner auth %%~S"
+ %TPM_EXE_PATH%nvdefinespace -hi o -hia o -ha 01000000 -pwdp ooo %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read public, get Name, not written"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write with NV password %%~S - should fail"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn %%~S> run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV write with owner password %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -hia o -pwdn ooo %%~S> run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read with NV password %%~S - should fail"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV read with owner password %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -hia o -pwdn ooo %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine authorizing index %%~S"
+ %TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 -pwdp ooo %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Clear owner auth %%~S"
+ %TPM_EXE_PATH%hierarchychangeauth -hi o -pwda ooo %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+REM getcapability -cap 1 -pr 01000000
+
+echo ""
+echo "NV Platform auth"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Set platform auth %%~S"
+ %TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp %%~S> run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Define an NV index with platform auth %%~S"
+ %TPM_EXE_PATH%nvdefinespace -hi p -hia p -ha 01000000 -pwdp ppp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read public, get Name, not written"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write with NV password %%~S - should fail"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV write with platform password %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -pwdn ppp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read with NV password %%~S - should fail"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV write with platform password %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -hia p -pwdn ppp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine authorizing index %%~S"
+ %TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 -pwdp ppp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Clear platform auth %%~S"
+ %TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Write Lock"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "NV Define Space with write define"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 +at wd > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public, unwritten Name"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Write lock %%~S"
+ %TPM_EXE_PATH%nvwritelock -ha 01000000 -pwdn nnn %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write %%~S - should fail"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV read %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Read Lock"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "NV Define Space with read stclear"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 +at rst > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public, unwritten Name"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read lock %%~S"
+ %TPM_EXE_PATH%nvreadlock -ha 01000000 -pwdn nnn %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read %%~S - should fail"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Global Lock"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "NV Define Space 01000000 with global lock"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 +at gl > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Define Space 01000001 with global lock"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000001 -pwdn nnn -sz 16 +at gl > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write 01000000 %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write 01000001 %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV global lock"
+ %TPM_EXE_PATH%nvglobalwritelock -hia p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public, 01000000, locked"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public, 01000001, locked"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write 01000000 %%~S - should fail"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV write 01000001 %%~S - should fail"
+ %TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV read 01000000 %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read 01000001 %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000001 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space 01000000"
+ %TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space 01000001"
+ %TPM_EXE_PATH%nvundefinespace -hi p -ha 01000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV Change Authorization"
+echo ""
+
+REM policy is policycommandcode + policyauthvalue
+REM aa 83 a5 98 d9 3a 56 c9 ca 6f ea 7c 3f fc 4e 10
+REM 63 57 ff 6d 93 e1 1a 9b 4a c2 b6 aa e1 2b a0 de
+
+echo "NV Define Space with POLICY_DELETE and no policy - should fail"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 +at pold > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "NV Define Space 0100000"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 -pol policies/policyccnvchangeauth-auth.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public, unwritten Name"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code"
+ %TPM_EXE_PATH%policycommandcode -ha 03000001 -cc 0000013b > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy authvalue"
+ %TPM_EXE_PATH%policyauthvalue -ha 03000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Change authorization"
+ %TPM_EXE_PATH%nvchangeauth -ha 01000000 -pwdo nnn -pwdn xxx -se0 03000001 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write %%~S, old auth - should fail"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV read %%~S, old auth - should fail"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 3 %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV write %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn xxx -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn xxx -sz 3 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the auth session"
+ %TPM_EXE_PATH%flushcontext -ha 03000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV Change Authorization with bind"
+echo ""
+
+echo "NV Define Space 0100000"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 -pol policies/policyccnvchangeauth-auth.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC session, bind to NV index"
+%TPM_EXE_PATH%startauthsession -se h -bi 01000000 -pwdb nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code"
+%TPM_EXE_PATH%policycommandcode -ha 03000001 -cc 0000013b > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy authvalue"
+%TPM_EXE_PATH%policyauthvalue -ha 03000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Change authorization"
+%TPM_EXE_PATH%nvchangeauth -ha 01000000 -pwdo nnn -pwdn xxx -se0 03000001 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 03000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV Undefine space special"
+echo ""
+
+REM policy is policy command code + policy password
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%P in (policyauthvalue policypassword) do (
+
+ echo "NV Define Space 0100000"
+ %TPM_EXE_PATH%nvdefinespace -hi p -ha 01000000 -pwdn nnn -sz 16 +at pold -pol policies/policyccundefinespacespecial-auth.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Undefine space special - should fail"
+ %TPM_EXE_PATH%nvundefinespacespecial -ha 01000000 -pwdn nnn > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Undefine space special - should fail"
+ %TPM_EXE_PATH%nvundefinespacespecial -ha 01000000 -se0 03000000 1 -pwdn nnn > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code, NV undefine space special"
+ %TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 11f > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Undefine space special - should fail"
+ %TPM_EXE_PATH%nvundefinespacespecial -ha 01000000 -se0 03000000 1 -pwdn nnn > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Policy %%P"
+ %TPM_EXE_PATH%%%P -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Undefine space special"
+ %TPM_EXE_PATH%nvundefinespacespecial -ha 01000000 -se0 03000000 1 -pwdn nnn > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+REM getcapability -cap 1 -pr 01000000
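Review bot: In the "NV Platform auth" loop the step labelled `echo "NV write with platform password %%~S"` actually runs `nvread -ha 01000000 -hia p -pwdn ppp`, so a failure there is logged as a write failure and would be misdiagnosed; the label should be `echo "NV read with platform password %%~S"` (the testnv.sh hunk later in this commit carries the same label on its nvread). Two smaller label slips make run.out harder to match against the commands: the stray `}` in `echo "NV read size !SZ[%%i]!} %%~S"` in the extend loop, and `echo "NV Define Space 0100000"` (three occurrences, in the change-authorization, bind and undefine-special sections) where the handle being defined is 01000000. The "NV Counter Index" section still only reads the count and leaves the `REM FIXME need some way to verify the count`; reading the index into two separate files around a second `nvincrement` and requiring `diff` to report a difference would turn that FIXME into a real check using only the tools the script already relies on.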
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testnv.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testnv.sh
new file mode 100755
index 000000000..b941f2eba
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testnv.sh
@@ -0,0 +1,707 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testnv.sh 1301 2018-08-15 21:46:19Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "NV"
+echo ""
+
+echo ""
+echo "NV Ordinary Index"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+NALG=(${ITERATE_ALGS})
+BADNALG=(${BAD_ITERATE_ALGS})
+
+for ((i = 0 ; i < 4; i++))
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "NV Define Space ${NALG[$i]}"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 -nalg ${NALG[$i]} > run.out
+ checkSuccess $?
+
+ echo "NV Read Public, unwritten Name bad Name algorithm ${BADNALG[$i]} - should fail"
+ ${PREFIX}nvreadpublic -ha 01000000 -nalg ${BADNALG[$i]} > run.out
+ checkFailure $?
+
+ echo "NV read - should fail before write ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV write ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 3 -of tmp.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the read data"
+ diff policies/aaa tmp.bin > run.out
+ checkSuccess $?
+
+ echo "NV read, invalid offset - should fail ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 -off 1 -of tmp.bin ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV read, invalid size - should fail ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 17 -of tmp.bin ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV Undefine Space"
+ ${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space again should fail"
+${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+checkFailure $?
+
+echo "NV Define Space out of range - should fail"
+${PREFIX}nvdefinespace -hi o -ha 02000000 -pwdn nnn -sz 16 > run.out
+checkFailure $?
+
+echo ""
+echo "NV Set Bits Index"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "NV Define Space"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -ty b > run.out
+ checkSuccess $?
+
+ echo "NV read - should fail before write ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkFailure $?
+
+ echo "Set bits 0, 16, 32, 48 ${SESS}"
+ ${PREFIX}nvsetbits -ha 01000000 -pwdn nnn -bit 0 -bit 16 -bit 32 -bit 48 ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Read the set bits ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 -of tmp.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the read data"
+ diff policies/bits48321601.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "NV Undefine Space"
+ ${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "NV Counter Index"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "NV Define Space"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -ty c > run.out
+ checkSuccess $?
+
+ echo "NV Read Public, unwritten Name"
+ ${PREFIX}nvreadpublic -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "Read the count - should fail before write ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 -of tmp.bin ${SESS} > run.out
+ checkFailure $?
+
+ echo "Increment the count ${SESS}"
+ ${PREFIX}nvincrement -ha 01000000 -pwdn nnn ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Read the count ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 -of tmp.bin ${SESS} > run.out
+ checkSuccess $?
+
+# FIXME need some way to verify the count
+
+ echo "NV Undefine Space"
+ ${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+# The test data was created using policymaker with a text file 616161
+# (three a's). pcrexted cannot be used because it zero extends the
+# input to the hash size
+
+echo ""
+echo "NV Extend Index"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ SZ=(20 32 48 64)
+ HALG=(${ITERATE_ALGS})
+
+ for ((i = 0 ; i < 4; i++))
+ do
+
+ echo "NV Define Space ${HALG[$i]}"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -ty e -nalg ${HALG[$i]} > run.out
+ checkSuccess $?
+
+ echo "NV Read Public ${HALG[$i]}"
+ ${PREFIX}nvreadpublic -ha 01000000 -nalg ${HALG[$i]} > run.out
+ checkSuccess $?
+
+ echo "NV read, unwritten Name - should fail before write ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 32 -of tmp.bin ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV extend ${SESS}"
+ ${PREFIX}nvextend -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read size ${SZ[$i]} ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz ${SZ[$i]} -of tmp.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the read data ${HALG[$i]}"
+ diff policies/${HALG[$i]}extaaa.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "NV Undefine Space"
+ ${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+# getcapability -cap 1 -pr 80000000
+# getcapability -cap 1 -pr 02000000
+# getcapability -cap 1 -pr 01000000
+
+echo ""
+echo "NV Owner auth"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "Set owner auth ${SESS}"
+ ${PREFIX}hierarchychangeauth -hi o -pwdn ooo ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Define an NV index with owner auth ${SESS}"
+ ${PREFIX}nvdefinespace -hi o -hia o -ha 01000000 -pwdp ooo ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV Read public, get Name, not written"
+ ${PREFIX}nvreadpublic -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "NV write with NV password ${SESS} - should fail"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn ${SESS}> run.out
+ checkFailure $?
+
+ echo "NV write with owner password ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -hia o -pwdn ooo ${SESS}> run.out
+ checkSuccess $?
+
+ echo "NV read with NV password ${SESS} - should fail"
+ ${PREFIX}nvread -ha 01000000 ${SESS} -pwdn nnn > run.out
+ checkFailure $?
+
+ echo "NV read with owner password ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -hia o -pwdn ooo ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV Undefine authorizing index ${SESS}"
+ ${PREFIX}nvundefinespace -hi o -ha 01000000 -pwdp ooo ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Clear owner auth ${SESS}"
+ ${PREFIX}hierarchychangeauth -hi o -pwda ooo ${SESS} > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+# getcapability -cap 1 -pr 80000000
+# getcapability -cap 1 -pr 02000000
+# getcapability -cap 1 -pr 01000000
+
+echo ""
+echo "NV Platform auth"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "Set platform auth ${SESS}"
+ ${PREFIX}hierarchychangeauth -hi p -pwdn ppp ${SESS}> run.out
+ checkSuccess $?
+
+ echo "Define an NV index with platform auth ${SESS}"
+ ${PREFIX}nvdefinespace -hi p -hia p -ha 01000000 -pwdp ppp ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV Read public, get Name, not written"
+ ${PREFIX}nvreadpublic -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "NV write with NV password ${SESS} - should fail"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV write with platform password ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -hia p -pwdn ppp ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read with NV password ${SESS} - should fail"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV write with platform password ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -hia p -pwdn ppp ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV Undefine authorizing index ${SESS}"
+ ${PREFIX}nvundefinespace -hi p -ha 01000000 -pwdp ppp ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Clear platform auth ${SESS}"
+ ${PREFIX}hierarchychangeauth -hi p -pwda ppp ${SESS} > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Write Lock"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "NV Define Space with write define"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 +at wd > run.out
+ checkSuccess $?
+
+ echo "NV Read Public, unwritten Name"
+ ${PREFIX}nvreadpublic -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "NV write ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Write lock ${SESS}"
+ ${PREFIX}nvwritelock -ha 01000000 -pwdn nnn ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV write ${SESS} - should fail"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV read ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV Undefine Space"
+ ${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Read Lock"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "NV Define Space with read stclear"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 +at rst > run.out
+ checkSuccess $?
+
+ echo "NV Read Public, unwritten Name"
+ ${PREFIX}nvreadpublic -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "NV write ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Read lock ${SESS}"
+ ${PREFIX}nvreadlock -ha 01000000 -pwdn nnn ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV write ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read ${SESS} - should fail"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV Undefine Space"
+ ${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Global Lock"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "NV Define Space 01000000 with global lock"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 +at gl > run.out
+ checkSuccess $?
+
+ echo "NV Define Space 01000001 with global lock"
+ ${PREFIX}nvdefinespace -hi o -ha 01000001 -pwdn nnn -sz 16 +at gl > run.out
+ checkSuccess $?
+
+ echo "NV write 01000000 ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV write 01000001 ${SESS}"
+ ${PREFIX}nvwrite -ha 01000001 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV global lock"
+ ${PREFIX}nvglobalwritelock -hia p > run.out
+ checkSuccess $?
+
+ echo "NV Read Public, 01000000, locked"
+ ${PREFIX}nvreadpublic -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "NV Read Public, 01000001, locked"
+ ${PREFIX}nvreadpublic -ha 01000001 > run.out
+ checkSuccess $?
+
+ echo "NV write 01000000 ${SESS} - should fail"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV write 01000001 ${SESS} - should fail"
+ ${PREFIX}nvwrite -ha 01000001 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV read 01000000 ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read 01000001 ${SESS}"
+ ${PREFIX}nvread -ha 01000001 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV Undefine Space 01000000"
+ ${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "NV Undefine Space 01000001"
+ ${PREFIX}nvundefinespace -hi p -ha 01000001 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+# policy is policycommandcode + policyauthvalue
+# aa 83 a5 98 d9 3a 56 c9 ca 6f ea 7c 3f fc 4e 10
+# 63 57 ff 6d 93 e1 1a 9b 4a c2 b6 aa e1 2b a0 de
+
+echo "NV Define Space with POLICY_DELETE and no policy - should fail"
+${PREFIX}nvdefinespace -hi o -ha 01000000 +at pold > run.out
+checkFailure $?
+
+echo ""
+echo "NV Change Authorization"
+echo ""
+
+echo "Start an HMAC session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "NV Define Space 0100000"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 -pol policies/policyccnvchangeauth-auth.bin > run.out
+ checkSuccess $?
+
+ echo "NV Read Public, unwritten Name"
+ ${PREFIX}nvreadpublic -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "NV write ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Start a policy session"
+ ${PREFIX}startauthsession -se p > run.out
+ checkSuccess $?
+
+ echo "Policy command code"
+ ${PREFIX}policycommandcode -ha 03000001 -cc 0000013b > run.out
+ checkSuccess $?
+
+ echo "Policy authvalue"
+ ${PREFIX}policyauthvalue -ha 03000001 > run.out
+ checkSuccess $?
+
+ echo "NV Change authorization"
+ ${PREFIX}nvchangeauth -ha 01000000 -pwdo nnn -pwdn xxx -se0 03000001 1 > run.out
+ checkSuccess $?
+
+ echo "NV write ${SESS}, old auth - should fail"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV read ${SESS}, old auth - should fail"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 3 ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV write ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn xxx -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn xxx -sz 3 ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV Undefine Space"
+ ${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "Flush the auth session"
+ ${PREFIX}flushcontext -ha 03000001 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "NV Change Authorization with bind"
+echo ""
+
+echo "NV Define Space 0100000"
+${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 -pol policies/policyccnvchangeauth-auth.bin > run.out
+checkSuccess $?
+
+echo "Start an HMAC session, bind to NV index"
+${PREFIX}startauthsession -se h -bi 01000000 -pwdb nnn > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy command code"
+${PREFIX}policycommandcode -ha 03000001 -cc 0000013b > run.out
+checkSuccess $?
+
+echo "Policy authvalue"
+${PREFIX}policyauthvalue -ha 03000001 > run.out
+checkSuccess $?
+
+echo "NV Change authorization"
+${PREFIX}nvchangeauth -ha 01000000 -pwdo nnn -pwdn xxx -se0 03000001 1 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space"
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+checkSuccess $?
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 03000001 > run.out
+checkSuccess $?
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "NV Undefine space special"
+echo ""
+
+# policy is policy command code + policy password
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+for POL in "policyauthvalue" "policypassword"
+do
+
+ echo "NV Define Space 0100000"
+ ${PREFIX}nvdefinespace -hi p -ha 01000000 -pwdn nnn -sz 16 +at pold -pol policies/policyccundefinespacespecial-auth.bin > run.out
+ checkSuccess $?
+
+ echo "Undefine space special - should fail"
+ ${PREFIX}nvundefinespacespecial -ha 01000000 -pwdn nnn > run.out
+ checkFailure $?
+
+ echo "Undefine space special - should fail"
+ ${PREFIX}nvundefinespacespecial -ha 01000000 -se0 03000000 1 -pwdn nnn > run.out
+ checkFailure $?
+
+ echo "Policy command code, NV undefine space special"
+ ${PREFIX}policycommandcode -ha 03000000 -cc 11f > run.out
+ checkSuccess $?
+
+ echo "Undefine space special - should fail"
+ ${PREFIX}nvundefinespacespecial -ha 01000000 -se0 03000000 1 -pwdn nnn > run.out
+ checkFailure $?
+
+ echo "Policy ${POL}"
+ ${PREFIX}${POL} -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Undefine space special"
+ ${PREFIX}nvundefinespacespecial -ha 01000000 -se0 03000000 1 -pwdn nnn > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+# ${PREFIX}getcapability -cap 1 -pr 01000000
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testnvpin.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testnvpin.bat
new file mode 100644
index 000000000..a113434c4
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testnvpin.bat
@@ -0,0 +1,1029 @@
+REM #################################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2016 - 2019 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #################################################################################
+
+setlocal enableDelayedExpansion
+
+REM # PIN Pass index name is
+REM
+REM # 00 0b da 1c bd 54 bb 81 54 6c 1c 76 30 dd d4 09
+REM # 50 3a 0d 6d 03 05 16 1b 15 88 d6 6b c8 fa 17 da
+REM # ad 81
+REM
+REM # Policy Secret using PIN Pass index is
+REM
+REM # 56 e4 c7 26 d7 d7 dd 3c bd 4c ae 11 c0 1b 2e 83
+REM # 3c 37 33 3c fb c3 b9 c3 5f 05 ab 53 23 0c df 7d
+REM
+REM # PIN Fail index name is
+REM
+REM # 00 0b 86 11 40 4a e8 0c 0a 84 e5 b8 97 05 98 f0
+REM # b5 60 2d 14 21 19 bf 44 9d e5 f9 61 84 bc 4c 01
+REM # c4 be
+REM
+REM # Policy Secret using PIN Fail index is
+REM
+REM # 9d 56 8f da 52 27 30 dc be a8 ad 59 bc a5 0c 1c
+REM # 16 02 95 03 a0 0b d3 d8 20 a8 b2 d8 5b c5 12 df
+REM
+REM
+REM # 01000000 is PIN pass or PIN fail index
+REM # 01000001 is ordinary index with PIN pass policy
+REM # 01000002 is ordinary index with PIN fail policy
+
+
+echo ""
+echo "NV PIN Index"
+echo ""
+
+echo "NV Define Space, 01000001, ordinary index, with policysecret for pin pass index 01000000"
+%TPM_EXE_PATH%nvdefinespace -ha 01000001 -hi o -pwdn ppi -ty o -hia p -sz 1 -pol policies/policysecretnvpp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write to set written bit"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -hia p -ic 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Define Space, 01000002, ordinary index, with policysecret for pin fail index 01000000"
+%TPM_EXE_PATH%nvdefinespace -ha 01000002 -hi o -pwdn pfi -ty o -hia p -sz 1 -pol policies/policysecretnvpf.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write to set written bit"
+%TPM_EXE_PATH%nvwrite -ha 01000002 -hia p -ic 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Pass Index"
+echo ""
+
+echo "Set phEnableNV"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he n > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Define Space, 01000000, pin pass, read/write stclear, policy secret using platform auth"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty p +at wst +at rst -hia p -pol policies/policysecretp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, not written - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform write, 1 use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform read does not affect count"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia p -sz 8 -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform read does not affect count, should succeed"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia p -sz 8 -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, platform auth"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy write, 1 use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -id 0 1 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, platform auth"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy read should not increment pin count"
+%TPM_EXE_PATH%nvread -ha 01000000 -id 0 1 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write, 1 use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Index read should increment pin count"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 -id 1 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Index read, no uses - should fail"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform read, no uses"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia p -sz 8 -id 1 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Pass Index in Policy Secret"
+echo ""
+
+echo "Policy Secret with PWAP session, bad password - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, bad password does not consume pinCount - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, should consume pin couunt"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Get Digest, 50 b9 63 d6 ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read ordinary index using PIN pass policy secret"
+%TPM_EXE_PATH%nvread -ha 01000001 -sz 1 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write, 01000000, 1 use, 1 / 2"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 1 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write, 0 uses, 0 / 0"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform write, 1 use. 1 / 1, already used"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 1 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform write, 0 uses. 2 / 1, already used"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 2 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Pass Index with Write Lock"
+echo ""
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Write lock, 01000000"
+%TPM_EXE_PATH%nvwritelock -ha 01000000 -hia p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform write, 01000000, locked - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Reboot"
+%TPM_EXE_PATH%powerup > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Startup"
+%TPM_EXE_PATH%startup > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Pass Index with Read Lock"
+echo ""
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read lock, 01000000"
+%TPM_EXE_PATH%nvreadlock -ha 01000000 -hia p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform read, locked - should fail"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia p -sz 8 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, read locked"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Pass Index with phEnableNV clear"
+echo ""
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear phEnableNV"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he n -state 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, phEnableNV disabled - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Set phEnableNV"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he n -state 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Cleanup NV PIN Pass"
+echo ""
+
+echo "NV Undefine Space, 01000000 "
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the policy session, 03000000 "
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Fail Index"
+echo ""
+
+echo "NV Define Space, 01000000, pin fail, read/write stclear, policy secret using platform auth"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty f +at wst +at rst -hia p -pol policies/policysecretp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, not written - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform write, 1 failure, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform read"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia p -sz 8 -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform read with bad password - should fail"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia p -sz 8 -pwdn xxx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, platform auth"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy write, 01000000, platform auth"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -id 0 1 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, platform auth"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy read, 01000000"
+%TPM_EXE_PATH%nvread -ha 01000000 -sz 8 -id 0 1 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write, 01000000, 0/ 1 failure"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Index read, 01000000, correct password"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Index read, 01000000, bad password - should fail"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nn -sz 8 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Index read, 01000000, correct password - should fail because tries used"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform write, 01000000, 0 / 1 failure"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Index read, 01000000"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Fail Index in Policy Secret"
+echo ""
+
+echo "Platform write, 2 failures, 0 / 2"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, good password"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, bad password uses pinCount - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, good password, resets pinCount"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, bad password uses pinCount - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, bad password uses pinCount - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, good password - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform write, 1 failure use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, good password, resets pinCount"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write, 0 failures, 1 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 1 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, good password, resets pinCount"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Fail Index with Write Lock"
+echo ""
+
+echo "Platform write, 01000000, 1 fail, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Write lock, 01000000"
+%TPM_EXE_PATH%nvwritelock -ha 01000000 -hia p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write, 01000000, locked - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Reboot"
+%TPM_EXE_PATH%powerup > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Startup"
+%TPM_EXE_PATH%startup > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write, 01000000, unlocked, 1 failure, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Fail Index with Read Lock"
+echo ""
+
+echo "Platform write, 01000000, 1 failure, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read lock 01000000"
+%TPM_EXE_PATH%nvreadlock -ha 01000000 -hia p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform read, locked - should fail"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia p -sz 8 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, read locked"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Fail Index with phEnableNV clear"
+echo ""
+
+echo "Platform write, 01000000, 1 failure, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear phEnableNV"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he n -state 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, phEnableNV disabled - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Set phEnableNV"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he n -state 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Cleanup"
+echo ""
+
+echo "NV Undefine Space 01000000"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space 01000001"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space 01000002"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Recreate the primary key"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto -pol policies/zerosha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN define space"
+echo ""
+
+echo "NV Define Space, 01000000, no write auth - should fail"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty p -hia p -at ppw > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV Define Space, 01000000, no read auth - should fail"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty p -hia p -at ppr -at ar> run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV Define Space, 01000000, PIN Pass, auth write - should fail"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty p -hia p +at aw > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV Define Space, 01000000, PIN Fail, auth write - should fail"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty f -hia p +at aw > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV Define Space, 01000000, PIN Fail, noDA clear - should fail"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty f -hia p -at da > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+rem #
+rem # Additional test for pinCount update when NV auth is not used. This
+rem # tests for a bug fix
+rem #
+
+rem #
+rem # policy calculation
+rem #
+
+echo "Create the policy digest that will be used for the NvIndex write term"
+%TPM_EXE_PATH%startauthsession -se t > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "policycommandcode TPM_CC_NV_Write"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 137 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get the policycommandcode write term"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 -of tmppw.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Restart the trial policy session"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "policycommandcode TPM_CC_NV_Read"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14e > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get the policycommandcode read term"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 -of tmppr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Restart the trial policy session"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Trial Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get the policyor result"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 -of tmpor.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the trial policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rem #
+rem # Test PIN fail
+rem #
+
+rem # Write the PIN fail index
+
+echo "Creating the NvIndex as PIN Fail, remove authwrite, authread, add ownerread"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -ty f -pwdn pass -pol tmpor.bin -at aw -at ar +at or > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start policy sesion"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "policycommandcode TPM_CC_NV_Write"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 137 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Writing count 0, limit 2"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -id 0 2 -se0 03000000 01 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rem # test the PIN fail index
+
+echo "Using with PolicySecret, first failure case, increments count"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde pas > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "policycommandcode TPM_CC_NV_Read"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14e > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read the index, should be 1 2"
+%TPM_EXE_PATH%nvread -ha 01000000 -id 1 2 -se0 03000000 01 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Using with PolicySecret, second failure case"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde pas > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Read the index, owner auth, should be 2 2"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia o -id 2 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rem # cleanup
+
+echo "Undefine the PIN fail index"
+%TPM_EXE_PATH%nvundefinespace -ha 01000000 -hi o > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rem #
+rem # Test PIN pass
+rem #
+
+rem # Write the PIN pass index
+
+echo "Creating the NvIndex as PIN Pass, remove authwrite, authread, add ownerread"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -ty p -pwdn pass -pol tmpor.bin -at aw -at ar +at or > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "policycommandcode TPM_CC_NV_Write"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 137 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Writing count 0, limit 2"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -id 0 2 -se0 03000000 01 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rem # test the PIN pass index
+
+echo "policycommandcode TPM_CC_NV_Read"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14e > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read the index, should be 0 2"
+%TPM_EXE_PATH%nvread -ha 01000000 -id 0 2 -se0 03000000 01 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read the index, owner auth, should be 0 2"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia o -id 0 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Using with PolicySecret, success, increments count"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde pass > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Restart the policy session"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "policycommandcode TPM_CC_NV_Read"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14e > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read the index, should be 1 2"
+%TPM_EXE_PATH%nvread -ha 01000000 -id 1 2 -se0 03000000 00 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read the index, owner auth, should be 1 2"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia o -id 1 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rem # cleanup
+
+echo "Undefine the PIN fail index"
+%TPM_EXE_PATH%nvundefinespace -ha 01000000 -hi o > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rm -r tmppw.bin
+rm -r tmppr.bin
+rm -r tmpor.bin
+
+rem # %TPM_EXE_PATH%getcapability -cap 1 -pr 80000000
+rem # %TPM_EXE_PATH%getcapability -cap 1 -pr 02000000
+rem # %TPM_EXE_PATH%getcapability -cap 1 -pr 03000000
+rem # %TPM_EXE_PATH%getcapability -cap 1 -pr 01000000
+
+exit /B 0
+
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testnvpin.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testnvpin.sh
new file mode 100755
index 000000000..89d14a7de
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testnvpin.sh
@@ -0,0 +1,739 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2016 - 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# PIN Pass index name is
+
+# 00 0b da 1c bd 54 bb 81 54 6c 1c 76 30 dd d4 09
+# 50 3a 0d 6d 03 05 16 1b 15 88 d6 6b c8 fa 17 da
+# ad 81
+
+# Policy Secret using PIN Pass index is
+
+# 56 e4 c7 26 d7 d7 dd 3c bd 4c ae 11 c0 1b 2e 83
+# 3c 37 33 3c fb c3 b9 c3 5f 05 ab 53 23 0c df 7d
+
+# PIN Fail index name is
+
+# 00 0b 86 11 40 4a e8 0c 0a 84 e5 b8 97 05 98 f0
+# b5 60 2d 14 21 19 bf 44 9d e5 f9 61 84 bc 4c 01
+# c4 be
+
+# Policy Secret using PIN Fail index is
+
+# 9d 56 8f da 52 27 30 dc be a8 ad 59 bc a5 0c 1c
+# 16 02 95 03 a0 0b d3 d8 20 a8 b2 d8 5b c5 12 df
+
+# 01000000 is PIN pass or PIN fail index
+# 01000001 is ordinary index with PIN pass policy
+# 01000002 is ordinary index with PIN fail policy
+
+
+echo ""
+echo "NV PIN Index"
+echo ""
+
+echo "NV Define Space, 01000001, ordinary index, with policysecret for pin pass index 01000000"
+${PREFIX}nvdefinespace -ha 01000001 -hi o -pwdn ppi -ty o -hia p -sz 1 -pol policies/policysecretnvpp.bin > run.out
+checkSuccess $?
+
+echo "Platform write to set written bit"
+${PREFIX}nvwrite -ha 01000001 -hia p -ic 0 > run.out
+checkSuccess $?
+
+echo "NV Define Space, 01000002, ordinary index, with policysecret for pin fail index 01000000"
+${PREFIX}nvdefinespace -ha 01000002 -hi o -pwdn pfi -ty o -hia p -sz 1 -pol policies/policysecretnvpf.bin > run.out
+checkSuccess $?
+
+echo "Platform write to set written bit"
+${PREFIX}nvwrite -ha 01000002 -hia p -ic 0 > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo ""
+echo "NV PIN Pass Index"
+echo ""
+
+echo "Set phEnableNV"
+${PREFIX}hierarchycontrol -hi p -he n > run.out
+checkSuccess $?
+
+echo "NV Define Space, 01000000, pin pass, read/write stclear, policy secret using platform auth"
+${PREFIX}nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty p +at wst +at rst -hia p -pol policies/policysecretp.bin > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, not written - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Platform write, 1 use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Platform read does not affect count"
+${PREFIX}nvread -ha 01000000 -hia p -sz 8 -id 0 1 > run.out
+checkSuccess $?
+
+echo "Platform read does not affect count, should succeed"
+${PREFIX}nvread -ha 01000000 -hia p -sz 8 -id 0 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, platform auth"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 > run.out
+checkSuccess $?
+
+echo "Policy write, 1 use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -id 0 1 -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, platform auth"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 > run.out
+checkSuccess $?
+
+echo "Policy read should not increment pin count"
+${PREFIX}nvread -ha 01000000 -id 0 1 -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Platform write, 1 use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Index read should increment pin count"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 -id 1 1 > run.out
+checkSuccess $?
+
+echo "Index read, no uses - should fail"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+checkFailure $?
+
+echo "Platform read, no uses"
+${PREFIX}nvread -ha 01000000 -hia p -sz 8 -id 1 1 > run.out
+checkSuccess $?
+
+echo ""
+echo "NV PIN Pass Index in Policy Secret"
+echo ""
+
+echo "Policy Secret with PWAP session, bad password - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+checkFailure $?
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, bad password does not consume pinCount - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session, should consume pin couunt"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Policy Get Digest, 50 b9 63 d6 ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Read ordinary index using PIN pass policy secret"
+${PREFIX}nvread -ha 01000001 -sz 1 -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Platform write, 01000000, 1 use, 1 / 2"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 1 2 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo "Platform write, 0 uses, 0 / 0"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 0 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Platform write, 1 use. 1 / 1, already used"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 1 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Platform write, 0 uses. 2 / 1, already used"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 2 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo ""
+echo "NV PIN Pass Index with Write Lock"
+echo ""
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Write lock, 01000000"
+${PREFIX}nvwritelock -ha 01000000 -hia p > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Platform write, 01000000, locked - should fail"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkFailure $?
+
+echo "Reboot"
+${PREFIX}powerup > run.out
+checkSuccess $?
+
+echo "Startup"
+${PREFIX}startup > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo ""
+echo "NV PIN Pass Index with Read Lock"
+echo ""
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Read lock, 01000000"
+${PREFIX}nvreadlock -ha 01000000 -hia p > run.out
+checkSuccess $?
+
+echo "Platform read, locked - should fail"
+${PREFIX}nvread -ha 01000000 -hia p -sz 8 > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session, read locked"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo ""
+echo "NV PIN Pass Index with phEnableNV clear"
+echo ""
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Clear phEnableNV"
+${PREFIX}hierarchycontrol -hi p -he n -state 0 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, phEnableNV disabled - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Set phEnableNV"
+${PREFIX}hierarchycontrol -hi p -he n -state 1 > run.out
+checkSuccess $?
+
+echo ""
+echo "Cleanup NV PIN Pass"
+echo ""
+
+echo "NV Undefine Space, 01000000 "
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+checkSuccess $?
+
+echo "Flush the policy session, 03000000 "
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "NV PIN Fail Index"
+echo ""
+
+echo "NV Define Space, 01000000, pin fail, read/write stclear, policy secret using platform auth"
+${PREFIX}nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty f +at wst +at rst -hia p -pol policies/policysecretp.bin > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, not written - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Platform write, 1 failure, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Platform read"
+${PREFIX}nvread -ha 01000000 -hia p -sz 8 -id 0 1 > run.out
+checkSuccess $?
+
+echo "Platform read with bad password - should fail"
+${PREFIX}nvread -ha 01000000 -hia p -sz 8 -pwdn xxx > run.out
+checkFailure $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, platform auth"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 > run.out
+checkSuccess $?
+
+echo "Policy write, 01000000, platform auth"
+${PREFIX}nvwrite -ha 01000000 -id 0 1 -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, platform auth"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 > run.out
+checkSuccess $?
+
+echo "Policy read, 01000000"
+${PREFIX}nvread -ha 01000000 -sz 8 -id 0 1 -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Platform write, 01000000, 0 / 1 failure"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Index read, 01000000, correct password"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 -id 0 1 > run.out
+checkSuccess $?
+
+echo "Index read, 01000000, bad password - should fail"
+${PREFIX}nvread -ha 01000000 -pwdn nn -sz 8 > run.out
+checkFailure $?
+
+echo "Index read, 01000000, correct password - fail because tries used"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+checkFailure $?
+
+echo "Platform write, 01000000, 0 / 1 failure"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Index read, 01000000"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 -id 0 1 > run.out
+checkSuccess $?
+
+echo ""
+echo "NV PIN Fail Index in Policy Secret"
+echo ""
+
+echo "Platform write, 2 failures, 0 / 2"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 2 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, good password"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, bad password uses pinCount - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session, good password, resets pinCount"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, bad password uses pinCount - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session, bad password uses pinCount - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session, good password - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Platform write, 1 failure use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, good password, resets pinCount"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo "Platform write, 0 failures, 1 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 1 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, good password, resets pinCount"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo ""
+echo "NV PIN Fail Index with Write Lock"
+echo ""
+
+echo "Platform write, 01000000, 1 fail, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Write lock, 01000000"
+${PREFIX}nvwritelock -ha 01000000 -hia p > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo "Platform write, 01000000, locked - should fail"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkFailure $?
+
+echo "Reboot"
+${PREFIX}powerup > run.out
+checkSuccess $?
+
+echo "Startup"
+${PREFIX}startup > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Platform write, 01000000, unlocked, 1 failure, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo ""
+echo "NV PIN Fail Index with Read Lock"
+echo ""
+
+echo "Platform write, 01000000, 1 failure, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Read lock 01000000"
+${PREFIX}nvreadlock -ha 01000000 -hia p > run.out
+checkSuccess $?
+
+echo "Platform read, locked - should fail"
+${PREFIX}nvread -ha 01000000 -hia p -sz 8 > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session, read locked"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo ""
+echo "NV PIN Fail Index with phEnableNV clear"
+echo ""
+
+echo "Platform write, 01000000, 1 failure, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Clear phEnableNV"
+${PREFIX}hierarchycontrol -hi p -he n -state 0 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, phEnableNV disabled - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Set phEnableNV"
+${PREFIX}hierarchycontrol -hi p -he n -state 1 > run.out
+checkSuccess $?
+
+echo ""
+echo "Cleanup"
+echo ""
+
+echo "NV Undefine Space 01000000"
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space 01000001"
+${PREFIX}nvundefinespace -hi o -ha 01000001 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space 01000002"
+${PREFIX}nvundefinespace -hi o -ha 01000002 > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 03000000 > run.out > run.out
+checkSuccess $?
+
+# Recreate the primary key
+initprimary
+checkSuccess $?
+
+echo ""
+echo "NV PIN define space"
+echo ""
+
+echo "NV Define Space, 01000000, no write auth - should fail"
+${PREFIX}nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty p -hia p -at ppw > run.out
+checkFailure $?
+
+echo "NV Define Space, 01000000, no read auth - should fail"
+${PREFIX}nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty p -hia p -at ppr -at ar> run.out
+checkFailure $?
+
+echo "NV Define Space, 01000000, PIN Pass, auth write - should fail"
+${PREFIX}nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty p -hia p +at aw > run.out
+checkFailure $?
+
+echo "NV Define Space, 01000000, PIN Fail, auth write - should fail"
+${PREFIX}nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty f -hia p +at aw > run.out
+checkFailure $?
+
+echo "NV Define Space, 01000000, PIN Fail, noDA clear - should fail"
+${PREFIX}nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty f -hia p -at da > run.out
+checkFailure $?
+
+#
+# Additional test for pinCount update when NV auth is not used. This
+# tests for a bug fix
+#
+
+#
+# policy calculation
+#
+
+echo "Create the policy digest that will be used for the NvIndex write term"
+${PREFIX}startauthsession -se t > run.out
+checkSuccess $?
+
+echo "policycommandcode TPM_CC_NV_Write"
+${PREFIX}policycommandcode -ha 03000000 -cc 137 > run.out
+checkSuccess $?
+
+echo "Get the policycommandcode write term"
+${PREFIX}policygetdigest -ha 03000000 -of tmppw.bin > run.out
+checkSuccess $?
+
+echo "Restart the trial policy session"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "policycommandcode TPM_CC_NV_Read"
+${PREFIX}policycommandcode -ha 03000000 -cc 14e > run.out
+checkSuccess $?
+
+echo "Get the policycommandcode read term"
+${PREFIX}policygetdigest -ha 03000000 -of tmppr.bin > run.out
+checkSuccess $?
+
+echo "Restart the trial policy session"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Trial Policy OR"
+${PREFIX}policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+checkSuccess $?
+
+echo "Get the policyor result"
+${PREFIX}policygetdigest -ha 03000000 -of tmpor.bin > run.out
+checkSuccess $?
+
+echo "Flush the trial policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+#
+# Test PIN fail
+#
+
+# Write the PIN fail index
+
+echo "Creating the NvIndex as PIN Fail, remove authwrite, authread, add ownerread"
+${PREFIX}nvdefinespace -hi o -ha 01000000 -ty f -pwdn pass -pol tmpor.bin -at aw -at ar +at or > run.out
+checkSuccess $?
+
+echo "Start policy sesion"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "policycommandcode TPM_CC_NV_Write"
+${PREFIX}policycommandcode -ha 03000000 -cc 137 > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+checkSuccess $?
+
+echo "Writing count 0, limit 2"
+${PREFIX}nvwrite -ha 01000000 -id 0 2 -se0 03000000 01 > run.out
+checkSuccess $?
+
+# test the PIN fail index
+
+echo "Using with PolicySecret, first failure case, increments count"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde pas > run.out
+checkFailure $?
+
+echo "policycommandcode TPM_CC_NV_Read"
+${PREFIX}policycommandcode -ha 03000000 -cc 14e > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+checkSuccess $?
+
+echo "Read the index, should be 1 2"
+${PREFIX}nvread -ha 01000000 -id 1 2 -se0 03000000 01 > run.out
+checkSuccess $?
+
+echo "Using with PolicySecret, second failure case"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde pas > run.out
+checkFailure $?
+
+echo "Read the index, owner auth, should be 2 2"
+${PREFIX}nvread -ha 01000000 -hia o -id 2 2 > run.out
+checkSuccess $?
+
+# cleanup
+
+echo "Undefine the PIN fail index"
+${PREFIX}nvundefinespace -ha 01000000 -hi o > run.out
+checkSuccess $?
+
+#
+# Test PIN pass
+#
+
+# Write the PIN pass index
+
+echo "Creating the NvIndex as PIN Pass, remove authwrite, authread, add ownerread"
+${PREFIX}nvdefinespace -hi o -ha 01000000 -ty p -pwdn pass -pol tmpor.bin -at aw -at ar +at or > run.out
+checkSuccess $?
+
+echo "policycommandcode TPM_CC_NV_Write"
+${PREFIX}policycommandcode -ha 03000000 -cc 137 > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+checkSuccess $?
+
+echo "Writing count 0, limit 2"
+${PREFIX}nvwrite -ha 01000000 -id 0 2 -se0 03000000 01 > run.out
+checkSuccess $?
+
+# test the PIN pass index
+
+echo "policycommandcode TPM_CC_NV_Read"
+${PREFIX}policycommandcode -ha 03000000 -cc 14e > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+checkSuccess $?
+
+echo "Read the index, should be 0 2"
+${PREFIX}nvread -ha 01000000 -id 0 2 -se0 03000000 01 > run.out
+checkSuccess $?
+
+echo "Read the index, owner auth, should be 0 2"
+${PREFIX}nvread -ha 01000000 -hia o -id 0 2 > run.out
+checkSuccess $?
+
+echo "Using with PolicySecret, success, increments count"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde pass > run.out
+checkSuccess $?
+
+echo "Restart the policy session"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "policycommandcode TPM_CC_NV_Read"
+${PREFIX}policycommandcode -ha 03000000 -cc 14e > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+checkSuccess $?
+
+echo "Read the index, should be 1 2"
+${PREFIX}nvread -ha 01000000 -id 1 2 -se0 03000000 00 > run.out
+checkSuccess $?
+
+echo "Read the index, owner auth, should be 1 2"
+${PREFIX}nvread -ha 01000000 -hia o -id 1 2 > run.out
+checkSuccess $?
+
+# cleanup
+
+echo "Undefine the PIN fail index"
+${PREFIX}nvundefinespace -ha 01000000 -hi o > run.out
+checkSuccess $?
+
+rm -r tmppw.bin
+rm -r tmppr.bin
+rm -r tmpor.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+# ${PREFIX}getcapability -cap 1 -pr 03000000
+# ${PREFIX}getcapability -cap 1 -pr 01000000
+
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpcr.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpcr.bat
new file mode 100644
index 000000000..e840fc2db
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpcr.bat
@@ -0,0 +1,348 @@
+REM #############################################################################
+REM #
+REM TPM2 regression test #
+REM Written by Ken Goldman #
+REM IBM Thomas J. Watson Research Center #
+REM #
+REM (c) Copyright IBM Corporation 2015 - 2019 #
+REM #
+REM All rights reserved. #
+REM #
+REM Redistribution and use in source and binary forms, with or without #
+REM modification, are permitted provided that the following conditions are #
+REM met: #
+REM #
+REM Redistributions of source code must retain the above copyright notice, #
+REM this list of conditions and the following disclaimer. #
+REM #
+REM Redistributions in binary form must reproduce the above copyright #
+REM notice, this list of conditions and the following disclaimer in the #
+REM documentation and/or other materials provided with the distribution. #
+REM #
+REM Neither the names of the IBM Corporation nor the names of its #
+REM contributors may be used to endorse or promote products derived from #
+REM this software without specific prior written permission. #
+REM #
+REM THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+REM #
+REM # for pcrextend
+REM #
+REM
+REM # extend of aaa + 0 pad to digest length using pcrextend, use resettable PCR 16
+REM
+REM # sha1extaaa0.bin
+REM # 1d 47 f6 8a ce d5 15 f7 79 73 71 b5 54 e3 2d 47
+REM # 98 1a a0 a0
+REM
+REM # sha256extaaa0.bin
+REM # c2 11 97 64 d1 16 13 bf 07 b7 e2 04 c3 5f 93 73
+REM # 2b 4a e3 36 b4 35 4e bc 16 e8 d0 c3 96 3e be bb
+REM
+REM # sha384extaaa0.bin
+REM # 29 29 63 e3 1c 34 c2 72 bd ea 27 15 40 94 af 92
+REM # 50 ad 97 d9 e7 44 6b 83 6d 3a 73 7c 90 ca 47 df
+REM # 2c 39 90 21 ce dd 00 85 3e f0 84 97 c5 a4 23 84
+REM
+REM # sha512extaaa0.bin
+REM # 7f e1 e4 cf 01 52 93 13 6b f1 30 18 30 39 b6 a6
+REM # 46 ea 00 8b 75 af d0 f8 46 6a 9b fe 53 1a f8 ad
+REM # a8 67 a6 58 28 cf ce 48 60 77 52 9e 54 f1 83 0a
+REM # a4 9a b7 80 56 2b ae a4 9c 67 a8 73 34 ff e7 78
+REM
+REM #
+REM # for pcrevent
+REM #
+REM
+REM # first hash using hash -ic aaa -ns
+REM # then extend using policymaker
+REM
+REM # sha1 of aaa
+REM # 7e240de74fb1ed08fa08d38063f6a6a91462a815
+REM # extend
+REM # ab 53 c7 ec 3f fe fe 21 9e 9d 89 da f1 8e 16 55
+REM # 3e 23 8e a6
+REM
+REM # sha256 of aaa
+REM # 9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0
+REM # extend
+REM # df 81 1e 9d 19 a0 d3 3d e6 7b b1 c7 26 a6 20 5c
+REM # d0 a2 eb 0f 61 b7 c9 ee 91 66 eb cf dc 17 db ab
+REM
+REM # sha384 of aaa
+REM # 8e07e5bdd64aa37536c1f257a6b44963cc327b7d7dcb2cb47a22073d33414462bfa184487cf372ce0a19dfc83f8336d8
+REM # extend of that
+REM # 61 bc 70 39 e2 94 87 c2 17 b0 b1 46 10 5d 64 e6
+REM # ad 32 a6 d5 c2 5b 45 01 a7 4b bc a7 7f cc 24 25
+REM # 36 ca 1a 40 f9 36 44 f0 d8 b0 98 ea a6 50 97 4d
+REM
+REM # sha512 of aaa
+REM # d6f644b19812e97b5d871658d6d3400ecd4787faeb9b8990c1e7608288664be77257104a58d033bcf1a0e0945ff06468ebe53e2dff36e248424c7273117dac09
+REM # extend of that (using policymaker)
+REM # cb 7f be b3 1c 29 61 24 4c 9c 47 80 84 0d b4 3a
+REM # 76 3f ba 96 ef c1 d9 52 f4 e3 e0 2c 06 8a 31 8a
+REM # e5 3f a0 a7 a1 74 e8 23 e3 07 1a cd c6 52 6f b6
+REM # 77 6d 07 0f 36 47 27 4d a6 29 db c9 10 a7 6c 2a
+REM
+REM # all these variables are related
+REM
+REM # bank algorithm test pattern is
+
+set BANKS=^
+ "sha1" ^
+ "sha256" ^
+ "sha384" ^
+ "sha512" ^
+ "sha1 sha256" ^
+ "sha1 sha384" ^
+ "sha1 sha512" ^
+ "sha256 sha384" ^
+ "sha256 sha512" ^
+ "sha384 sha512" ^
+ "sha1 sha256 sha384" ^
+ "sha1 sha256 sha512" ^
+ "sha1 sha384 sha512" ^
+ "sha256 sha384 sha512" ^
+ "sha1 sha256 sha384 sha512"
+
+REM # bank extend algorithm test pattern is
+
+set EXTEND=^
+ "-halg sha1" ^
+ "-halg sha256" ^
+ "-halg sha384" ^
+ "-halg sha512" ^
+ "-halg sha1 -halg sha256" ^
+ "-halg sha1 -halg sha384" ^
+ "-halg sha1 -halg sha512" ^
+ "-halg sha256 -halg sha384" ^
+ "-halg sha256 -halg sha512" ^
+ "-halg sha384 -halg sha512" ^
+ "-halg sha1 -halg sha256 -halg sha384" ^
+ "-halg sha1 -halg sha256 -halg sha512" ^
+ "-halg sha1 -halg sha384 -halg sha512" ^
+ "-halg sha256 -halg sha384 -halg sha512" ^
+ "-halg sha1 -halg sha256 -halg sha384 -halg sha512"
+
+REM # bank event file test pattern is
+
+set EVENT=^
+ "-of1 tmpsha1.bin" ^
+ "-of2 tmpsha256.bin" ^
+ "-of3 tmpsha384.bin" ^
+ "-of5 tmpsha512.bin" ^
+ "-of1 tmpsha1.bin -of2 tmpsha256.bin" ^
+ "-of1 tmpsha1.bin -of3 tmpsha384.bin" ^
+ "-of1 tmpsha1.bin -of5 tmpsha512.bin" ^
+ "-of2 tmpsha256.bin -of3 tmpsha384.bin" ^
+ "-of2 tmpsha256.bin -of5 tmpsha512.bin" ^
+ "-of3 tmpsha384.bin -of5 tmpsha512.bin" ^
+ "-of1 tmpsha1.bin -of2 tmpsha256.bin -of3 tmpsha384.bin" ^
+ "-of1 tmpsha1.bin -of2 tmpsha256.bin -of5 tmpsha512.bin" ^
+ "-of1 tmpsha1.bin -of3 tmpsha384.bin -of5 tmpsha512.bin" ^
+ "-of2 tmpsha256.bin -of3 tmpsha384.bin -of5 tmpsha512.bin" ^
+ "-of1 tmpsha1.bin -of2 tmpsha256.bin -of3 tmpsha384.bin -of5 tmpsha512.bin"
+)
+
+REM # assuming starts with starts with sha1 sha256 sha384 sha512
+
+set ALLOC=^
+ "-sha256 -sha384 -sha512" ^
+ "-sha1 +sha256" ^
+ "-sha256 +sha384" ^
+ "-sha384 +sha512" ^
+ "+sha1 +sha256 -sha512" ^
+ "-sha256 +sha384" ^
+ "-sha384 +sha512" ^
+ "-sha1 +sha256 +sha384 -sha512" ^
+ "-sha384 +sha512" ^
+ "-sha256 +sha384" ^
+ "+sha1 +sha256 -sha512" ^
+ "-sha384 +sha512" ^
+ "-sha256 +sha384" ^
+ "-sha1 +sha256" ^
+ "+sha1"
+)
+
+REM i is iterator over PCR bank allocation patterns
+set i=0
+for %%a in (!BANKS!) do set /A i+=1 & set BANKS[!i!]=%%~a
+set i=0
+for %%a in (!EXTEND!) do set /A i+=1 & set EXTEND[!i!]=%%~a
+set i=0
+for %%a in (!EVENT!) do set /A i+=1 & set EVENT[!i!]=%%~a
+set i=0
+for %%a in (!ALLOC!) do set /A i+=1 & set ALLOC[!i!]=%%~a
+set L=!i!
+
+for /L %%i in (1,1,!L!) do (
+
+ echo ""
+ echo "pcrallocate !BANKS[%%i]!"
+ echo ""
+ %TPM_EXE_PATH%pcrallocate !ALLOC[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "powerup"
+ %TPM_EXE_PATH%powerup > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "startup"
+ %TPM_EXE_PATH%startup > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "display PCR banks"
+ %TPM_EXE_PATH%getcapability -cap 5 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo ""
+ echo "PCR Extend"
+ echo ""
+
+ echo "PCR Reset"
+ %TPM_EXE_PATH%pcrreset -ha 16 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR Extend !EXTEND[%%i]!"
+ %TPM_EXE_PATH%pcrextend -ha 16 !EXTEND[%%i]! -if policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ for %%H in (!BANKS[%%i]!) do (
+
+ echo "PCR Read %%H"
+ %TPM_EXE_PATH%pcrread -ha 16 -halg %%H -of tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the read data %%H"
+ diff policies/%%Hextaaa0.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+
+ echo ""
+ echo "PCR Event"
+ echo ""
+
+ echo "PCR Reset"
+ %TPM_EXE_PATH%pcrreset -ha 16 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR Event !EVENT[%%i]!"
+ %TPM_EXE_PATH%pcrevent -ha 16 -if policies/aaa !EVENT[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ for %%H in (!BANKS[%%i]!) do (
+
+ echo "Verify Digest %%H"
+ diff policies/%%Haaa.bin tmp%%H.bin > run.out > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR Read %%H"
+ %TPM_EXE_PATH%pcrread -ha 16 -halg %%H -of tmp%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify Digest %%H"
+ diff policies/%%Hexthaaa.bin tmp%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+
+ echo ""
+ echo "Event Sequence Complete"
+ echo ""
+
+ echo "PCR Reset"
+ %TPM_EXE_PATH%pcrreset -ha 16 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Event sequence start, alg null"
+ %TPM_EXE_PATH%hashsequencestart -halg null -pwda aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Event Sequence Complete"
+ %TPM_EXE_PATH%eventsequencecomplete -hs 80000000 -pwds aaa -ha 16 -if policies/aaa !EVENT[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ for %%H in (!BANKS[%%i]!) do (
+
+ echo "Verify Digest %%H"
+ diff policies/%%Haaa.bin tmp%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR Read %%H"
+ %TPM_EXE_PATH%pcrread -ha 16 -halg %%H -of tmp%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify Digest %%H"
+ diff policies/%%Hexthaaa.bin tmp%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+
+)
+
+echo "PCR Reset"
+%TPM_EXE_PATH%pcrreset -ha 16 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # recreate the primary key that was flushed on the powerup
+
+echo "Create a platform primary storage key"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto -pol policies/zerosha256.bin -tk pritk.bin -ch prich.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
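Review bot: The lone `)` lines that follow the EVENT and ALLOC continuations (the lines after `"-of1 tmpsha1.bin -of2 tmpsha256.bin -of3 tmpsha384.bin -of5 tmpsha512.bin"` and after `"+sha1"`) close no opening parenthesis; BANKS and EXTEND carry no such line, so they read like a remnant of the bash array syntax in testpcr.sh and should be deleted rather than relying on cmd.exe to ignore a stray `)` at top level. The first digest check inside the PCR Event loop also redirects twice, `diff policies/%%Haaa.bin tmp%%H.bin > run.out > run.out`; drop the duplicate so the line matches the other diff checks. The trailing `createprimary -hi p -pwdk sto -pol policies/zerosha256.bin -tk pritk.bin -ch prich.bin` duplicates what the shell version delegates to `initprimary`, so a future change to the primary key's auth or policy has to be made in both places; a comment such as `REM keep in sync with initprimary in the shell regtests` would at least flag that coupling.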
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpcr.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpcr.sh
new file mode 100755
index 000000000..ef8fa2c20
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpcr.sh
@@ -0,0 +1,300 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+#
+# for pcrextend
+#
+
+# extend of aaa + 0 pad to digest length using pcrextend, use resettable PCR 16
+
+# sha1extaaa0.bin
+# 1d 47 f6 8a ce d5 15 f7 79 73 71 b5 54 e3 2d 47
+# 98 1a a0 a0
+
+# sha256extaaa0.bin
+# c2 11 97 64 d1 16 13 bf 07 b7 e2 04 c3 5f 93 73
+# 2b 4a e3 36 b4 35 4e bc 16 e8 d0 c3 96 3e be bb
+
+# sha384extaaa0.bin
+# 29 29 63 e3 1c 34 c2 72 bd ea 27 15 40 94 af 92
+# 50 ad 97 d9 e7 44 6b 83 6d 3a 73 7c 90 ca 47 df
+# 2c 39 90 21 ce dd 00 85 3e f0 84 97 c5 a4 23 84
+
+# sha512extaaa0.bin
+# 7f e1 e4 cf 01 52 93 13 6b f1 30 18 30 39 b6 a6
+# 46 ea 00 8b 75 af d0 f8 46 6a 9b fe 53 1a f8 ad
+# a8 67 a6 58 28 cf ce 48 60 77 52 9e 54 f1 83 0a
+# a4 9a b7 80 56 2b ae a4 9c 67 a8 73 34 ff e7 78
+
+#
+# for pcrevent
+#
+
+# first hash using hash -ic aaa -ns
+# then extend using policymaker
+
+# sha1 of aaa
+# 7e240de74fb1ed08fa08d38063f6a6a91462a815
+# extend
+# ab 53 c7 ec 3f fe fe 21 9e 9d 89 da f1 8e 16 55
+# 3e 23 8e a6
+
+# sha256 of aaa
+# 9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0
+# extend
+# df 81 1e 9d 19 a0 d3 3d e6 7b b1 c7 26 a6 20 5c
+# d0 a2 eb 0f 61 b7 c9 ee 91 66 eb cf dc 17 db ab
+
+# sha384 of aaa
+# 8e07e5bdd64aa37536c1f257a6b44963cc327b7d7dcb2cb47a22073d33414462bfa184487cf372ce0a19dfc83f8336d8
+# extend of that
+# 61 bc 70 39 e2 94 87 c2 17 b0 b1 46 10 5d 64 e6
+# ad 32 a6 d5 c2 5b 45 01 a7 4b bc a7 7f cc 24 25
+# 36 ca 1a 40 f9 36 44 f0 d8 b0 98 ea a6 50 97 4d
+
+# sha512 of aaa
+# d6f644b19812e97b5d871658d6d3400ecd4787faeb9b8990c1e7608288664be77257104a58d033bcf1a0e0945ff06468ebe53e2dff36e248424c7273117dac09
+# extend of that (using policymaker)
+# cb 7f be b3 1c 29 61 24 4c 9c 47 80 84 0d b4 3a
+# 76 3f ba 96 ef c1 d9 52 f4 e3 e0 2c 06 8a 31 8a
+# e5 3f a0 a7 a1 74 e8 23 e3 07 1a cd c6 52 6f b6
+# 77 6d 07 0f 36 47 27 4d a6 29 db c9 10 a7 6c 2a
+
+# all these variables are related
+
+# bank algorithm test pattern is
+
+BANKS=( \
+ "sha1" \
+ "sha256" \
+ "sha384" \
+ "sha512" \
+ "sha1 sha256" \
+ "sha1 sha384" \
+ "sha1 sha512" \
+ "sha256 sha384" \
+ "sha256 sha512" \
+ "sha384 sha512" \
+ "sha1 sha256 sha384" \
+ "sha1 sha256 sha512" \
+ "sha1 sha384 sha512" \
+ "sha256 sha384 sha512" \
+ "sha1 sha256 sha384 sha512"
+)
+
+# bank extend algorithm test pattern is
+
+EXTEND=( \
+ "-halg sha1" \
+ "-halg sha256" \
+ "-halg sha384" \
+ "-halg sha512" \
+ "-halg sha1 -halg sha256" \
+ "-halg sha1 -halg sha384" \
+ "-halg sha1 -halg sha512" \
+ "-halg sha256 -halg sha384" \
+ "-halg sha256 -halg sha512" \
+ "-halg sha384 -halg sha512" \
+ "-halg sha1 -halg sha256 -halg sha384"
+ "-halg sha1 -halg sha256 -halg sha512" \
+ "-halg sha1 -halg sha384 -halg sha512" \
+ "-halg sha256 -halg sha384 -halg sha512" \
+ "-halg sha1 -halg sha256 -halg sha384 -halg sha512" \
+)
+
+# bank event file test pattern is
+
+EVENT=( \
+ "-of1 tmpsha1.bin" \
+ "-of2 tmpsha256.bin" \
+ "-of3 tmpsha384.bin" \
+ "-of5 tmpsha512.bin" \
+ "-of1 tmpsha1.bin -of2 tmpsha256.bin" \
+ "-of1 tmpsha1.bin -of3 tmpsha384.bin" \
+ "-of1 tmpsha1.bin -of5 tmpsha512.bin" \
+ "-of2 tmpsha256.bin -of3 tmpsha384.bin" \
+ "-of2 tmpsha256.bin -of5 tmpsha512.bin" \
+ "-of3 tmpsha384.bin -of5 tmpsha512.bin" \
+ "-of1 tmpsha1.bin -of2 tmpsha256.bin -of3 tmpsha384.bin" \
+ "-of1 tmpsha1.bin -of2 tmpsha256.bin -of5 tmpsha512.bin" \
+ "-of1 tmpsha1.bin -of3 tmpsha384.bin -of5 tmpsha512.bin" \
+ "-of2 tmpsha256.bin -of3 tmpsha384.bin -of5 tmpsha512.bin" \
+ "-of1 tmpsha1.bin -of2 tmpsha256.bin -of3 tmpsha384.bin -of5 tmpsha512.bin"
+)
+
+# assuming starts with starts with sha1 sha256 sha384 sha512
+
+ALLOC=( \
+ "-sha256 -sha384 -sha512" \
+ "-sha1 +sha256" \
+ "-sha256 +sha384" \
+ "-sha384 +sha512" \
+ "+sha1 +sha256 -sha512" \
+ "-sha256 +sha384" \
+ "-sha384 +sha512" \
+ "-sha1 +sha256 +sha384 -sha512" \
+ "-sha384 +sha512" \
+ "-sha256 +sha384" \
+ "+sha1 +sha256 -sha512" \
+ "-sha384 +sha512" \
+ "-sha256 +sha384" \
+ "-sha1 +sha256" \
+ "+sha1"
+)
+
+# i is iterator over PCR bank allocation patterns
+for ((i = 0 ; i < 15 ; i++))
+do
+ echo ""
+ echo "pcrallocate ${BANKS[i]}"
+ echo ""
+ ${PREFIX}pcrallocate ${ALLOC[i]} > run.out
+ checkSuccess $?
+
+ echo "powerup"
+ ${PREFIX}powerup > run.out
+ checkSuccess $?
+
+ echo "startup"
+ ${PREFIX}startup > run.out
+ checkSuccess $?
+
+ echo "display PCR banks"
+ ${PREFIX}getcapability -cap 5 > run.out
+ checkSuccess $?
+
+ echo ""
+ echo "PCR Extend"
+ echo ""
+
+ echo "PCR Reset banks ${BANKS[i]}"
+ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+
+ echo "PCR Extend ${EXTEND[i]}"
+ ${PREFIX}pcrextend -ha 16 ${EXTEND[i]} -if policies/aaa > run.out
+ checkSuccess $?
+
+ for HALG in ${BANKS[i]}
+ do
+
+ echo "PCR Read ${HALG}"
+ ${PREFIX}pcrread -ha 16 -halg ${HALG} -of tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the read data ${HALG}"
+ diff policies/${HALG}extaaa0.bin tmp.bin > run.out
+ checkSuccess $?
+
+ done
+
+ echo ""
+ echo "PCR Event"
+ echo ""
+
+ echo "PCR Reset"
+ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+
+ echo "PCR Event ${EVENT[i]}"
+ ${PREFIX}pcrevent -ha 16 -if policies/aaa ${EVENT[i]} > run.out
+ checkSuccess $?
+
+ for HALG in ${BANKS[i]}
+ do
+
+ echo "Verify Digest ${HALG}"
+ diff policies/${HALG}aaa.bin tmp${HALG}.bin > run.out
+ checkSuccess $?
+
+ echo "PCR Read ${HALG}"
+ ${PREFIX}pcrread -ha 16 -halg ${HALG} -of tmp${HALG}.bin > run.out
+ checkSuccess $?
+
+ echo "Verify Digest ${HALG}"
+ diff policies/${HALG}exthaaa.bin tmp${HALG}.bin > run.out
+ checkSuccess $?
+
+ done
+
+ echo ""
+ echo "Event Sequence Complete"
+ echo ""
+
+ echo "PCR Reset"
+ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+
+ echo "Event sequence start, alg null"
+ ${PREFIX}hashsequencestart -halg null -pwda aaa > run.out
+ checkSuccess $?
+
+ echo "Event Sequence Complete"
+ ${PREFIX}eventsequencecomplete -hs 80000000 -pwds aaa -ha 16 -if policies/aaa ${EVENT[i]} > run.out
+ checkSuccess $?
+
+ for HALG in ${BANKS[i]}
+ do
+
+ echo "Verify Digest ${HALG}"
+ diff policies/${HALG}aaa.bin tmp${HALG}.bin > run.out
+ checkSuccess $?
+
+ echo "PCR Read ${HALG}"
+ ${PREFIX}pcrread -ha 16 -halg ${HALG} -of tmp${HALG}.bin > run.out
+ checkSuccess $?
+
+ echo "Verify Digest ${HALG}"
+ diff policies/${HALG}exthaaa.bin tmp${HALG}.bin > run.out
+ checkSuccess $?
+
+ done
+
+done
+
+echo "PCR Reset"
+${PREFIX}pcrreset -ha 16 > run.out
+checkSuccess $?
+
+# recreate the primary key that was flushed on the powerup
+
+initprimary
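Review bot: The outer loop `for ((i = 0 ; i < 15 ; i++))` hard-codes the pattern count instead of deriving it from the arrays, so adding or removing an entry in any one of BANKS, EXTEND, EVENT or ALLOC silently desynchronises them: an index past the end of a shorter array expands to nothing and `pcrallocate`/`pcrextend` then run with arguments missing rather than failing loudly. Use `for ((i = 0 ; i < ${#BANKS[@]} ; i++))` and make the assumption stated by `# all these variables are related` explicit with `(( ${#BANKS[@]} == ${#EXTEND[@]} && ${#BANKS[@]} == ${#EVENT[@]} && ${#BANKS[@]} == ${#ALLOC[@]} )) || { echo "pattern arrays differ in length"; exit 1; }` before the loop. The missing trailing `\` after `"-halg sha1 -halg sha256 -halg sha384"` in EXTEND is harmless inside an array literal, where newlines already separate elements, but is inconsistent with the neighbouring lines and may trip a reader into thinking an element is dropped. `checkSuccess` and `initprimary` are not defined in this file and are presumably provided by the harness that runs the regression scripts; a one-line comment at the top naming that dependency would help anyone running testpcr.sh on its own.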
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.bat
new file mode 100644
index 000000000..8ec32e26f
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.bat
@@ -0,0 +1,2715 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+REM # used for the name in policy ticket
+
+REM if [ -z $TPM_DATA_DIR ]; then
+REM TPM_DATA_DIR=.
+REM fi
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Policy Command Code"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM sign with correct policy command code
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy and wrong password"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk xxx > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail, session used "
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+REM quote with bad policy or bad command
+
+REM echo "Start a policy session"
+REM ./startauthsession -se p > run.out
+REM IF !ERRORLEVEL! NEQ 0 (
+REM exit /B 1
+REM )
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Quote - PWAP"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Quote - policy, should fail"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # echo "Flush the session"
+REM # ./flushcontext -ha 03000000 > run.out
+REM # IF !ERRORLEVEL! NEQ 0 (
+REM exit /B 1
+REM )
+
+
+REM # echo "Start a policy session"
+REM # ./startauthsession -se p > run.out
+REM # IF !ERRORLEVEL! NEQ 0 (
+REM exit /B 1
+REM )
+
+echo "Policy command code - quote"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 158 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Quote - policy, should fail"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+
+REM # echo "Flush the session"
+REM # ./flushcontext -ha 03000000 > run.out
+REM # IF !ERRORLEVEL! NEQ 0 (
+REM exit /B 1
+REM )
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Command Code and Policy Password / Authvalue"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign, auth"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # policypassword
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy password"
+%TPM_EXE_PATH%policypassword -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, no password should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, password"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # policyauthvalue
+
+REM # echo "Start a policy session"
+REM # startauthsession -se p > run.out
+REM # IF !ERRORLEVEL! NEQ 0 (
+REM exit /B 1
+REM )
+
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy authvalue"
+%TPM_EXE_PATH%policyauthvalue -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, no password should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, password"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Password and Policy Authvalue flags"
+echo ""
+
+for %%C in (policypassword policyauthvalue) do (
+
+
+ echo "Create a signing key under the primary key - policy command code - sign, auth"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code - sign"
+ %TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy %%C"
+ %TPM_EXE_PATH%%%C -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy, password"
+ %TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a signing key under the primary key - policy command code - sign"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code - sign"
+ %TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy and wrong password"
+ %TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk xxx > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush policy session"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "Policy Signed"
+echo ""
+
+REM # create rsaprivkey.pem
+REM # > openssl genrsa -out rsaprivkey.pem -aes256 -passout pass:rrrr 2048
+REM # extract the public key
+REM # > openssl pkey -inform pem -outform pem -in rsaprivkey.pem -passin pass:rrrr -pubout -out rsapubkey.pem
+REM # sign a test message msg.bin
+REM # > openssl dgst -sha1 -sign rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
+REM #
+REM # create the policy:
+REM # use loadexternal -ns to get the name
+REM
+REM # sha1
+REM # 00044234c24fc1b9de6693a62453417d2734d7538f6f
+REM # sha256
+REM # 000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM # sha384
+REM # 000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
+REM # sha512
+REM # 000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
+REM
+REM # 00000160 plus the above name as text, add a blank line for empty policyRef
+REM # to create policies/policysigned$HALG.txt
+REM #
+REM # 0000016000044234c24fc1b9de6693a62453417d2734d7538f6f
+REM # 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM # 00000160000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
+REM # 00000160000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
+REM #
+REM # use sha256 policies, policymaker default (policy session digest
+REM # algorithm is separate from Name and signature hash algorithm)
+REM #
+REM # > policymaker -if policies/policysigned$HALG.txt -of policies/policysigned$HALG.bin -pr
+REM #
+REM # sha1
+REM # 9d 81 7a 4e e0 76 eb b5 cf ee c1 82 05 cc 4c 01
+REM # b3 a0 5e 59 a9 b9 65 a1 59 af 1e cd 3d bf 54 fb
+REM # sha256
+REM # de bf 9d fa 3c 98 08 0b f1 7d d1 d0 7b 54 fd e1
+REM # 07 93 7f e5 40 50 9e 70 96 aa 73 27 53 b3 83 31
+REM # sha384
+REM # 45 c5 da 90 76 92 3a 70 03 6f df 56 ea e7 df db
+REM # 41 e2 01 75 24 49 54 94 66 93 6b c4 fc 88 ab 5c
+REM # sha512
+REM # cd 34 96 08 39 ea 40 88 5e fa 7f 37 8b a7 21 f1
+REM # 78 6d 52 bb 93 47 9c 73 45 88 3c dc 1f 09 06 6f
+REM #
+REM # 80000000 primary key
+REM # 80000001 verification public key
+REM # 80000002 signing key with policy
+REM # 03000000 policy session
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Load external just the public part of PEM at 80000001 - %%H"
+ %TPM_EXE_PATH%loadexternal -halg %%H -nalg %%H -ipem policies/rsapubkey.pem -ns > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a test message with openssl - %%H"
+ openssl dgst -%%H -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
+
+ echo "Verify the signature with 80000001 - %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if msg.bin -is pssig.bin -raw > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a signing key under the primary key - policy signed - %%H"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysigned%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key under the primary key at 80000002"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy, should fail"
+ %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Policy signed - sign with PEM key - %%H"
+ %TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -sk policies/rsaprivkey.pem -halg %%H -pwdk rrrr > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get policy digest"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 -of tmppol.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy signed"
+ %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy restart, set back to zero"
+ %TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign just expiration (uint32_t 4 zeros) with openssl - %%H"
+ openssl dgst -%%H -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/zero4.bin
+
+ echo "Policy signed, signature generated externally - %%H"
+ %TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -halg %%H -is pssig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy signed"
+ %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session - save nonceTPM"
+ %TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy signed with nonceTPM and expiration, create a ticket - %%H"
+ %TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -sk policies/rsaprivkey.pem -halg %%H -pwdk rrrr -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy signed"
+ %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy ticket"
+ %TPM_EXE_PATH%policyticket -ha 03000000 -to to.bin -na h80000001.bin -tk tkt.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy ticket"
+ %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the verification public key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+REM # getcapability -cap 1 -pr 80000000
+REM # getcapability -cap 1 -pr 02000000
+REM # getcapability -cap 1 -pr 03000000
+
+REM # exit 0
+
+echo ""
+echo "Policy Secret"
+echo ""
+
+REM # 4000000c platform
+REM # 80000000 primary key
+REM # 80000001 signing key with policy
+REM # 03000000 policy session
+REM # 02000001 hmac session
+
+echo "Change platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key under the primary key - policy secret using platform auth"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysecretp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, create a ticket"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy secret"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret using primary key, create a ticket"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy secret"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy ticket"
+%TPM_EXE_PATH%policyticket -ha 03000000 -to to.bin -hi p -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy ticket"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with HMAC session"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp -se0 02000001 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy secret"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change platform hierarchy auth back to null"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Secret with NV Auth"
+echo ""
+
+REM Name is
+REM 00 0b e0 65 10 81 c2 fc da 30 69 93 da 43 d1 de
+REM 5b 24 be 42 6e 2d 61 90 7b 42 83 54 69 13 6c 97
+REM 68 1f
+REM
+REM Policy is
+REM c6 93 f9 b0 ef 1a b7 1e ca ae 00 af 1f 0b f4 88
+REM 37 9e ab 16 c1 f8 0d 9f f9 6d 90 41 4e 2f c6 b3
+
+echo "NV Define Space 0100000"
+%TPM_EXE_PATH%nvdefinespace -hi p -ha 01000000 -pwdn nnn -sz 16 -pwdn nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key under the primary key - policy secret NV auth"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysecretnv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn -in noncetpm.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy secret"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space 0100000"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Secret with Object"
+echo ""
+
+REM # Use a externally generated object so that the Name is known and thus
+REM # the policy can be precalculated
+
+REM # Name
+REM # 00 0b 64 ac 92 1a 03 5c 72 b3 aa 55 ba 7d b8 b5
+REM # 99 f1 72 6f 52 ec 2f 68 20 42 fc 0e 0d 29 fa e8
+REM # 17 99
+
+REM # 000001151 plus the above name as text, add a blank line for empty policyRef
+REM # to create policies/policysecretsha256.txt
+REM # 00000151000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+
+REM # 4b 7f ca c2 b7 c3 ac a2 7c 5c da 9c 71 e6 75 28
+REM # 63 d2 87 d2 33 ec 49 0e 7a be 88 f1 ef 94 5d 5c
+
+echo "Load the RSA openssl key pair in the NULL hierarchy 80000001"
+%TPM_EXE_PATH%loadexternal -rsa -ider policies/rsaprivkey.der -pwdk rrrr > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key under the primary key - policy secret of object 80000001"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -uwa -pol policies/policysecretsha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key 80000002"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - password auth - should fail"
+%TPM_EXE_PATH%sign -hk 80000002 -if policies/aaa -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 80000001 -hs 03000000 -pwde rrrr > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy secret"
+%TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the policysecret key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the RSA openssl key pair in the NULL hierarchy, userWithAuth false 80000001"
+%TPM_EXE_PATH%loadexternal -rsa -ider policies/rsaprivkey.der -pwdk rrrr -uwa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session - should fail"
+%TPM_EXE_PATH%policysecret -ha 80000001 -hs 03000000 -pwde rrrr > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the policysecret key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Authorize"
+echo ""
+
+REM # 80000000 primary
+REM # 80000001 verification public key, openssl
+REM # 80000002 signing key
+REM # 03000000 policy session
+
+REM # Name for 80000001 0004 4234 c24f c1b9 de66 93a6 2453 417d 2734 d753 8f6f
+REM #
+REM # policyauthorizesha256.txt
+REM # 0000016a000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM #
+REM # (need blank line for policyRef)
+REM #
+REM # > policymaker -if policies/policyauthorizesha256.txt -of policies/policyauthorizesha256.bin -pr
+REM #
+REM # eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+REM # ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+
+echo "Create a signing key with policy authorize"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyauthorizesha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load external just the public part of PEM authorizing key"
+%TPM_EXE_PATH%loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be zero"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 -of policyapproved.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be policy to approve, aHash input"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 -of policyapproved.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Openssl generate aHash"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policyapproved.bin
+
+echo "Verify the signature to generate ticket"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha256 -if policyapproved.bin -is pssig.bin -raw -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy authorize using the ticket"
+%TPM_EXE_PATH%policyauthorize -ha 03000000 -appr policyapproved.bin -skn h80000001.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be policy authorize"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 -of policyapproved.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the verification public key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # getcapability -cap 1 -pr 80000000
+REM # getcapability -cap 1 -pr 02000000
+REM # getcapability -cap 1 -pr 03000000
+
+REM # exit 0
+
+echo ""
+echo "Set Primary Policy"
+echo ""
+
+echo "Platform policy empty"
+%TPM_EXE_PATH%setprimarypolicy -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform policy empty, bad password"
+%TPM_EXE_PATH%setprimarypolicy -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Set platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform policy empty, bad password"
+%TPM_EXE_PATH%setprimarypolicy -hi p > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform policy empty"
+%TPM_EXE_PATH%setprimarypolicy -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform policy to policy secret platform auth"
+%TPM_EXE_PATH%setprimarypolicy -hi p -pwda ppp -halg sha256 -pol policies/policysecretp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change platform hierarchy auth to null with policy secret"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy PCR no select"
+echo ""
+
+REM # create AND term for policy PCR
+REM # > policymakerpcr -halg sha1 -bm 0 -v -pr -of policies/policypcr.txt
+REM # 0000017f00000001000403000000da39a3ee5e6b4b0d3255bfef95601890afd80709
+REM
+REM # convert to binary policy
+REM # > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcrbm0.bin -pr -v
+REM
+REM # 6d 38 49 38 e1 d5 8b 56 71 92 55 94 3f 06 69 66
+REM # b6 fa 2c 23
+
+echo "Create a signing key with policy PCR no select"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcrbm0.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -halg sha1 -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy PCR, update with the correct digest"
+%TPM_EXE_PATH%policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be 6d 38 49 38 ... "
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign, should succeed"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy PCR, update with the correct digest"
+%TPM_EXE_PATH%policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "PCR extend PCR 0, updates pcr counter"
+%TPM_EXE_PATH%pcrextend -ha 0 -halg sha1 -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # policypcr0.txt has 20 * 00
+
+REM # create AND term for policy PCR
+REM # > policymakerpcr -halg sha1 -bm 10000 -if policies/policypcr0.txt -v -pr -of policies/policypcr.txt
+
+REM # convert to binary policy
+REM # > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcr.bin -pr -v
+
+echo ""
+echo "Policy PCR"
+echo ""
+
+echo "Create a signing key with policy PCR PCR 16 zero"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Reset PCR 16 back to zero"
+%TPM_EXE_PATH%pcrreset -ha 16 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read PCR 16, should be 00 00 00 00 ..."
+%TPM_EXE_PATH%pcrread -ha 16 -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign, policy not satisfied - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy PCR, update with the correct digest"
+%TPM_EXE_PATH%policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be 85 33 11 83"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign, should succeed"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "PCR extend PCR 16"
+%TPM_EXE_PATH%pcrextend -ha 16 -halg sha1 -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read PCR 0, should be 1d 47 f6 8a ..."
+%TPM_EXE_PATH%pcrread -ha 16 -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy PCR, update with the wrong digest"
+%TPM_EXE_PATH%policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be 66 dd e5 e3"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # 01000000 authorizing ndex
+REM # 01000001 authorized index
+REM # 03000000 policy session
+REM #
+REM # 4 byte NV index
+REM # policynv.txt
+REM # policy CC_PolicyNV || args || Name
+REM #
+REM # policynvargs.txt (binary)
+REM # args = hash of 0000 0000 0000 0000 | 0000 | 0000 (eight bytes of zero | offset | op ==)
+REM # hash -hi n -halg sha1 -if policies/policynvargs.txt -v
+REM # openssl dgst -sha1 policies/policynvargs.txt
+REM # 2c513f149e737ec4063fc1d37aee9beabc4b4bbf
+REM #
+REM # NV authorizing index
+REM #
+REM # after defining index and NV write to set written, use
+REM # nvreadpublic -ha 01000000 -nalg sha1
+REM # to get name
+REM # 00042234b8df7cdf8605ee0a2088ac7dfe34c6566c5c
+REM #
+REM # append Name to policynvnv.txt
+REM #
+REM # convert to binary policy
+REM # > policymaker -halg sha1 -if policies/policynvnv.txt -of policies/policynvnv.bin -pr -v
+REM # bc 9b 4c 4f 7b 00 66 19 5b 1d d9 9c 92 7e ad 57 e7 1c 2a fc
+REM #
+REM # file zero8.bin has 8 bytes of hex zero
+
+echo ""
+echo "Policy NV, NV index authorizing"
+echo ""
+
+echo "Define a setbits index, authorizing index"
+%TPM_EXE_PATH%nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -ty b > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read public, get Name, not written"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 -nalg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV setbits to set written"
+%TPM_EXE_PATH%nvsetbits -ha 01000000 -pwdn nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read public, get Name, written"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 -nalg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read, should be zero"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Define an ordinary index, authorized index, policyNV"
+%TPM_EXE_PATH%nvdefinespace -hi p -nalg sha1 -ha 01000001 -pwdn nnn -sz 2 -ty o -pol policies/policynvnv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read public, get Name, not written"
+%TPM_EXE_PATH%nvreadpublic -ha 01000001 -nalg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write to set written"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -ic aa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write, policy not satisfied - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -ic aa -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be 0"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy NV to satisfy the policy"
+%TPM_EXE_PATH%policynv -ha 01000000 -pwda nnn -hs 03000000 -if policies/zero8.bin -op 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be bc 9b 4c 4f ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write, policy satisfied"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -ic aa -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Set bit in authorizing NV index"
+%TPM_EXE_PATH%nvsetbits -ha 01000000 -pwdn nnn -bit 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read, should be 1"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy NV to satisfy the policy - should fail"
+%TPM_EXE_PATH%policynv -ha 01000000 -pwda nnn -hs 03000000 -if policies/zero8.bin -op 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be 00 00 00 00 ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine authorizing index"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine authorized index"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy NV Written"
+echo ""
+
+echo "Define an ordinary index, authorized index, policyNV"
+%TPM_EXE_PATH%nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -sz 2 -ty o -pol policies/policywrittenset.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read public, get Name, not written"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 -nalg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write, policy not satisfied - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy NV Written no, does not satisfy policy"
+%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws n > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write, policy not satisfied - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy NV Written yes, satisfy policy"
+%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws y > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write, policy satisfied but written clear - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write using password, set written"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -pwdn nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy NV Written yes, satisfy policy"
+%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws y > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write, policy satisfied"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy NV Written no"
+%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws n > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy NV Written yes - should fail"
+%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws y > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine authorizing index"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Signed externally signed cpHash"
+echo ""
+
+REM # NV Index 01000000 has policy OR
+REM
+REM # Policy A - provisioning: policy written false + policysigned
+REM # demo: authorizer signs NV write all zero
+REM
+REM # Policy B - application: policy written true + policysigned
+REM # demo: authorizer signs NV write abcdefgh
+
+echo "Load external just the public part of PEM at 80000001"
+%TPM_EXE_PATH%loadexternal -ipem policies/rsapubkey.pem > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get the Name of the signing key at 80000001"
+%TPM_EXE_PATH%readpublic -ho 80000001 -ns > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # 000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM
+REM # construct policy A
+REM
+REM # policies/policywrittenclrsigned.txt
+REM # 0000018f00
+REM # 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM # Add the extra blank line here for policyRef
+REM
+REM # policymaker -if policies/policywrittenclrsigned.txt -of policies/policywrittenclrsigned.bin -pr -ns -v
+REM # intermediate policy digest length 32
+REM # 3c 32 63 23 67 0e 28 ad 37 bd 57 f6 3b 4c c3 4d
+REM # 26 ab 20 5e f2 2f 27 5c 58 d4 7f ab 24 85 46 6e
+REM # intermediate policy digest length 32
+REM # 6b 0d 2d 2b 55 4d 68 ec bc 6c d5 b8 c0 96 c1 70
+REM # 57 5a 95 25 37 56 38 7e 83 d7 76 d9 5b 1b 8e f3
+REM # intermediate policy digest length 32
+REM # 48 0b 78 2e 02 82 c2 40 88 32 c4 df 9c 0e be 87
+REM # 18 6f 92 54 bd e0 5b 0c 2e a9 52 48 3e b7 69 f2
+REM # policy digest length 32
+REM # 48 0b 78 2e 02 82 c2 40 88 32 c4 df 9c 0e be 87
+REM # 18 6f 92 54 bd e0 5b 0c 2e a9 52 48 3e b7 69 f2
+REM # policy digest:
+REM # 480b782e0282c2408832c4df9c0ebe87186f9254bde05b0c2ea952483eb769f2
+REM
+REM # construct policy B
+REM
+REM # policies/policywrittensetsigned.txt
+REM # 0000018f01
+REM # 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM # Add the extra blank line here for policyRef
+REM
+REM # policymaker -if policies/policywrittensetsigned.txt -of policies/policywrittensetsigned.bin -pr -ns -v
+REM # intermediate policy digest length 32
+REM # f7 88 7d 15 8a e8 d3 8b e0 ac 53 19 f3 7a 9e 07
+REM # 61 8b f5 48 85 45 3c 7a 54 dd b0 c6 a6 19 3b eb
+REM # intermediate policy digest length 32
+REM # 7d c2 8f b0 dd 4f ee 97 78 2b 55 43 b1 dc 6b 1e
+REM # e2 bc 79 05 d4 a1 f6 8d e2 97 69 5f a9 aa 78 5f
+REM # intermediate policy digest length 32
+REM # 09 43 ba 3c 3b 4d b1 c8 3f c3 97 85 f9 dc 0a 82
+REM # 49 f6 79 4a 04 38 e6 45 0a 50 56 8f b4 eb d2 46
+REM # policy digest length 32
+REM # 09 43 ba 3c 3b 4d b1 c8 3f c3 97 85 f9 dc 0a 82
+REM # 49 f6 79 4a 04 38 e6 45 0a 50 56 8f b4 eb d2 46
+REM # policy digest:
+REM # 0943ba3c3b4db1c83fc39785f9dc0a8249f6794a0438e6450a50568fb4ebd246
+REM
+REM # construct the Policy OR of A and B
+REM
+REM # policyorwrittensigned.txt - command code plus two policy digests
+REM # 00000171480b782e0282c2408832c4df9c0ebe87186f9254bde05b0c2ea952483eb769f20943ba3c3b4db1c83fc39785f9dc0a8249f6794a0438e6450a50568fb4ebd246
+REM # policymaker -if policies/policyorwrittensigned.txt -of policies/policyorwrittensigned.bin -pr
+REM # policy digest length 32
+REM # 06 00 ae 34 7a 30 b0 67 36 d3 32 85 a0 cc ad 46
+REM # 54 1e 62 71 f5 d0 85 10 a7 ff 0e 90 30 54 d6 c9
+
+echo "Define index 01000000 with the policy OR"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi o -sz 8 -pwdn "" -pol policies/policyorwrittensigned.bin -at aw > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get the Name of the NV index not written, should be 00 0b ... bb 0b"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 -ns > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # 000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy A - not written"
+echo ""
+
+REM # construct cpHash for Policy A - not written, writing zeros
+REM
+REM # (commandCode || authHandle Name || NV Index Name || data + offset) - data 8 bytes of 0's at offset 0000
+REM # For index auth, authHandle Name and index Name are the same
+REM # policies/nvwritecphasha.txt
+REM # 00000137000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b000800000000000000000000
+REM # policymaker -nz -if policies/nvwritecphasha.txt -of policies/nvwritecphasha.bin -pr -ns
+REM # policy digest length 32
+REM # cf 98 1e ee 68 04 3b dd ee 0c ab bc 75 b3 63 be
+REM # 3c f9 ee 22 2a 78 b8 26 3f 06 7b b3 55 2c a6 11
+REM # policy digest:
+REM # cf981eee68043bddee0cabbc75b363be3cf9ee222a78b8263f067bb3552ca611
+REM
+REM # construct aHash for Policy A
+REM
+REM # expiration + cpHashA
+REM # policies/nvwriteahasha.txt
+REM # 00000000cf981eee68043bddee0cabbc75b363be3cf9ee222a78b8263f067bb3552ca611
+REM # just convert to binary, because openssl does the hash before signing
+REM # xxd -r -p policies/nvwriteahasha.txt policies/nvwriteahasha.bin
+
+echo "Policy NV Written no, satisfy policy"
+%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws n > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Should be policy A first intermediate value 3c 32 63 23 ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign aHash with openssl 8813 6530 ..."
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out sig.bin policies/nvwriteahasha.bin
+echo ""
+
+echo "Policy signed, signature generated externally"
+%TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -halg sha256 -cp policies/nvwritecphasha.bin -is sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Should be policy A final value 48 0b 78 2e ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policywrittenclrsigned.bin -if policies/policywrittensetsigned.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Should be policy OR final value 06 00 ae 34 "
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write to set written"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -if policies/zero8.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy B - written"
+echo ""
+
+echo "Get the new (written) Name of the NV index not written, should be 00 0b f5 75"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 -ns > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # 000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8
+REM
+REM # construct cpHash for Policy B
+REM
+REM # (commandCode || authHandle Name || NV Index Name || data + offset) - data 8 bytes of abcdefgh at offset 00000
+REM # For index auth, authHandle Name and index Name are the same
+REM # policies/nvwritecphashb.txt
+REM # 00000137000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8000861626364656667680000
+REM # policymaker -nz -if policies/nvwritecphashb.txt -of policies/nvwritecphashb.bin -pr -ns
+REM # policy digest length 32
+REM # df 58 08 f9 ab cb 23 7f 8c d7 c9 09 1c 86 12 2d
+REM # 88 6f 02 d4 6e db 53 c8 da 39 bf a2 d6 cf 07 63
+REM # policy digest:
+REM # df5808f9abcb237f8cd7c9091c86122d886f02d46edb53c8da39bfa2d6cf0763
+REM
+REM # construct aHash for Policy B
+REM
+REM # expiration + cpHashA
+REM # policies/nvwriteahashb.txt
+REM # 00000000df5808f9abcb237f8cd7c9091c86122d886f02d46edb53c8da39bfa2d6cf0763
+REM # just convert to binary, because openssl does the hash before signing
+REM # xxd -r -p policies/nvwriteahashb.txt policies/nvwriteahashb.bin
+
+echo "Policy NV Written yes, satisfy policy"
+%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws y > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Should be policy A first intermediate value f7 88 7d 15 ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign aHash with openssl 3700 0a91 ..."
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out sig.bin policies/nvwriteahashb.bin > run.out
+echo ""
+
+echo "Policy signed, signature generated externally"
+%TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -halg sha256 -cp policies/nvwritecphashb.bin -is sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Should be policy B final value 09 43 ba 3c ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policywrittenclrsigned.bin -if policies/policywrittensetsigned.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Should be policy OR final value 06 00 ae 34 "
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write new data"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -ic abcdefgh -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Cleanup"
+echo ""
+
+echo "Flush the policy session 03000000"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signature verification key 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Undefine the NV Index 01000000"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # test using clockrateadjust
+REM # policycphashhash.txt is (hex) 00000130 4000000c 000
+REM # hash -if policycphashhash.txt -oh policycphashhash.bin -halg sha1 -v
+REM # openssl dgst -sha1 policycphashhash.txt
+REM # cpHash is
+REM # b5f919bbc01f0ebad02010169a67a8c158ec12f3
+REM # append to policycphash.txt 00000163 + cpHash
+REM # policymaker -halg sha1 -if policies/policycphash.txt -of policies/policycphash.bin -pr
+REM # 06 e4 6c f9 f3 c7 0f 30 10 18 7c a6 72 69 b0 84 b4 52 11 6f
+
+echo ""
+echo "Policy cpHash"
+echo ""
+
+echo "Set the platform policy to policy cpHash"
+%TPM_EXE_PATH%setprimarypolicy -hi p -pol policies/policycphash.bin -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust using wrong password - should fail"
+%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust, policy not satisfied - should fail"
+%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 0 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy cpHash, satisfy policy"
+%TPM_EXE_PATH%policycphash -ha 03000000 -cp policies/policycphashhash.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be 06 e4 6c f9"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust, policy satisfied but bad command params - should fail"
+%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 1 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust, policy satisfied"
+%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 0 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear the platform policy"
+%TPM_EXE_PATH%setprimarypolicy -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Duplication Select with includeObject FALSE"
+echo ""
+
+REM # These tests uses a new parent and object to be duplicated generated
+REM # externally. This makes the Names repeatable and permits the
+REM # policy to be pre-calculated and static.
+REM
+REM # command code 00000188
+REM # newParentName
+REM # 000b 1a5d f667 7533 4527 37bc 79a5 5ab6
+REM # d9fa 9174 5c03 3dfe 3f82 cdf0 903b a9d6
+REM # 55f1
+REM # includeObject 00
+REM # policymaker -if policies/policydupsel-no.txt -of policies/policydupsel-no.bin -pr -v
+REM # 5f 55 ba 2b 69 0f b0 38 ac 15 ff 2a 86 ef 65 66
+REM # be a8 23 68 43 97 4c 3f a7 36 37 72 56 ec bc 45
+REM
+REM # 80000000 SK storage primary key
+REM # 80000001 NP new parent, the target of the duplication
+REM # 80000002 SI signing key, duplicate from SK to NP
+REM # 03000000 policy session
+
+echo "Import the new parent storage key NP under the primary key"
+%TPM_EXE_PATH%importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -st -pwdk rrrr -opu tmpstpub.bin -opr tmpstpriv.bin -halg sha256 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the new parent TPM storage key NP at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpstpub.bin -ipr tmpstpriv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Import a signing key SI under the primary key 80000000, with policy duplication select"
+%TPM_EXE_PATH%importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policydupsel-no.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key SI at 80000002"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy duplication select, object SI 80000002 to new parent NP 80000001"
+%TPM_EXE_PATH%policyduplicationselect -ha 03000000 -inpn h80000001.bin -ion h80000002.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be 5f 55 ba 2b ...."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Duplicate signing key SI at 80000002 under new parent TPM storage key NP 80000001"
+%TPM_EXE_PATH%duplicate -ho 80000002 -hp 80000001 -od tmpdup.bin -oss tmpss.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the original SI at 80000002 to free object slot for import"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Import signing key SI under new parent TPM storage key NP 80000001"
+%TPM_EXE_PATH%import -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -id tmpdup.bin -iss tmpss.bin -opr tmpsipriv1.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key SI at 80000002"
+%TPM_EXE_PATH%load -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -ipr tmpsipriv1.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the duplicated SI at 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Duplication Select with includeObject TRUE"
+echo ""
+
+REM # command code 00000188
+REM # SI objectName
+REM # 000b 6319 28da 1624 3135 3a59 c03a 2ca7
+REM # dbb7 0989 1440 4236 3c7f a838 39d9 da6c
+REM # 437a
+REM # HP newParentName
+REM # 000b
+REM # 1a5d f667 7533 4527 37bc 79a5 5ab6 d9fa
+REM # 9174 5c03 3dfe 3f82 cdf0 903b a9d6 55f1
+REM # includeObject 01
+REM
+REM # policymaker -if policies/policydupsel-yes.txt -of policies/policydupsel-yes.bin -pr -v
+REM # 14 64 06 4c 80 cb e3 4f f5 03 82 15 38 62 43 17
+REM # 93 94 8f f1 e8 8a c6 23 4d d1 b0 c5 4c 05 f7 3b
+REM
+REM # 80000000 SK storage primary key
+REM # 80000001 NP new parent, the target of the duplication
+REM # 80000002 SI signing key, duplicate from SK to NP
+REM # 03000000 policy session
+
+echo "Import a signing key SI under the primary key 80000000, with policy authorize"
+%TPM_EXE_PATH%importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policyauthorizesha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key SI with objectName 000b 6319 28da at 80000002"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy duplication select, object SI 80000002 to new parent NP 80000001 with includeObject"
+%TPM_EXE_PATH%policyduplicationselect -ha 03000000 -inpn h80000001.bin -ion h80000002.bin -io > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest,should be policy to approve, aHash input 14 64 06 4c same as policies/policydupsel-yes.bin"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the original SI at 80000002 to free object slot for loadexternal "
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Openssl generate and sign aHash (empty policyRef)"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policydupsel-yes.bin
+
+echo "Load external just the public part of PEM authorizing key 80000002"
+%TPM_EXE_PATH%loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature against 80000002 to generate ticket"
+%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/policydupsel-yes.bin -is pssig.bin -raw -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy authorize using the ticket"
+%TPM_EXE_PATH%policyauthorize -ha 03000000 -appr policies/policydupsel-yes.bin -skn h80000002.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the PEM authorizing verification key at 80000002 to free object slot for import"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the original signing key SI at 80000002"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Duplicate signing key SI at 80000002 under new parent TPM storage key NP 80000001 000b 1a5d f667"
+%TPM_EXE_PATH%duplicate -ho 80000002 -hp 80000001 -od tmpdup.bin -oss tmpss.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the original SI at 80000002 to free object slot for import"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Import signing key SI under new parent TPM storage key NP 80000001"
+%TPM_EXE_PATH%import -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -id tmpdup.bin -iss tmpss.bin -opr tmpsipriv1.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key SI at 80000002"
+%TPM_EXE_PATH%load -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -ipr tmpsipriv1.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the duplicated SI at 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the new parent TPM storage key NP 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Name Hash"
+echo ""
+
+REM # signing key SI Name
+REM # 000b
+REM # 6319 28da 1624 3135 3a59 c03a 2ca7 dbb7
+REM # 0989 1440 4236 3c7f a838 39d9 da6c 437a
+REM
+REM # compute nameHash
+REM
+REM # nameHash - just a hash, not an extend
+REM # policymaker -if policies/pnhnamehash.txt -of policies/pnhnamehash.bin -nz -pr -v -ns
+REM # 18 e0 0c 62 77 18 d9 fc 81 22 3d 8a 56 33 7e eb
+REM # 0e 7d 98 28 bd 7b c7 29 1d 3c 27 3f 7a c4 04 f1
+REM # 18e00c627718d9fc81223d8a56337eeb0e7d9828bd7bc7291d3c273f7ac404f1
+REM
+REM # compute policy (based on
+REM
+REM # 00000170 TPM_CC_PolicyNameHash
+REM # signing key SI Name
+REM # 18e00c627718d9fc81223d8a56337eeb0e7d9828bd7bc7291d3c273f7ac404f1
+REM
+REM # policymaker -if policies/policynamehash.txt -of policies/policynamehash.bin -pr -v
+REM # 96 30 f9 00 c3 4c 66 09 c1 c5 92 41 78 c1 b2 3d
+REM # 9f d4 93 f4 f9 c2 98 c8 30 4a e3 0f 97 a2 fd 49
+REM
+REM # 80000000 SK storage primary key
+REM # 80000001 SI signing key
+REM # 80000002 Authorizing public key
+REM # 03000000 policy session
+
+echo "Import a signing key SI under the primary key 80000000, with policy authorize"
+%TPM_EXE_PATH%importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policyauthorizesha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key SI at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest using the password"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy name hash, object SI 80000001"
+%TPM_EXE_PATH%policynamehash -ha 03000000 -nh policies/pnhnamehash.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be policy to approve, 96 30 f9 00"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Openssl generate and sign aHash (empty policyRef)"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policynamehash.bin
+
+echo "Load external just the public part of PEM authorizing key 80000002"
+%TPM_EXE_PATH%loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature against 80000002 to generate ticket"
+%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/policynamehash.bin -is pssig.bin -raw -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy authorize using the ticket"
+%TPM_EXE_PATH%policyauthorize -ha 03000000 -appr policies/policynamehash.bin -skn h80000002.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be eb a3 f9 8c ...."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest using the policy"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if policies/aaa -os tmpsig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key at 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the authorizing key 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # test using clockrateadjust and platform policy
+
+REM # operand A time is 64 bits at offset 0, operation GT (2)
+REM # 0000016d 0000 0000 0000 0000 | 0000 | 0002
+REM #
+REM # convert to binary policy
+REM # > policymaker -halg sha1 -if policies/policycountertimer.txt -of policies/policycountertimer.bin -pr -v
+REM # e6 84 81 27 55 c0 39 d3 68 63 21 c8 93 50 25 dd
+REM # aa 26 42 9a
+
+echo ""
+echo "Policy Counter Timer"
+echo ""
+
+echo "Set the platform policy to policy "
+%TPM_EXE_PATH%setprimarypolicy -hi p -pol policies/policycountertimer.bin -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust using wrong password - should fail"
+%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust, policy not satisfied - should fail"
+%TPM_EXE_PATH%clockrateadjust -hi p -adj 0 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy counter timer, zero operandB, op EQ satisfy policy - should fail"
+%TPM_EXE_PATH%policycountertimer -ha 03000000 -if policies/zero8.bin -op 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy counter timer, zero operandB, op GT satisfy policy"
+%TPM_EXE_PATH%policycountertimer -ha 03000000 -if policies/zero8.bin -op 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be e6 84 81 27"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust, policy satisfied"
+%TPM_EXE_PATH%clockrateadjust -hi p -adj 0 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear the platform policy"
+%TPM_EXE_PATH%setprimarypolicy -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # policyccsign.txt 0000016c 0000015d (policy command code | sign)
+REM # policyccquote.txt 0000016c 00000158 (policy command code | quote)
+REM #
+REM # > policymaker -if policies/policyccsign.txt -of policies/policyccsign.bin -pr -v
+REM # cc6918b226273b08f5bd406d7f10cf160f0a7d13dfd83b7770ccbcd1aa80d811
+REM #
+REM # > policymaker -if policies/policyccquote.txt -of policies/policyccquote.bin -pr -v
+REM # a039cad5fe68870688f8233c3e3ee3cf27aac9e2efe3486aeb4e304c0e90cd27
+REM #
+REM # policyor.txt is CC_PolicyOR || digests
+REM # 00000171 | cc69 ... | a039 ...
+REM # > policymaker -if policies/policyor.txt -of policies/policyor.bin -pr -v
+REM # 6b fe c2 3a be 57 b0 2a ce 39 dd 13 bb 60 fa 39
+REM # 4d ac 7b 38 96 56 57 84 b3 73 fc 61 92 94 29 db
+
+echo ""
+echo "PolicyOR"
+echo ""
+
+echo "Create an unrestricted signing key, policy command code sign or quote"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyor.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Quote - should fail"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Get time - should fail, policy not set"
+%TPM_EXE_PATH%gettime -hk 80000001 -qd policies/aaa -se1 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy OR - should fail"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 0000015d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be cc 69 18 b2"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be 6b fe c2 3a"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign with policy OR"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 0000015d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Quote - should fail, wrong command code"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Command code - quote, digest a0 39 ca d5"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 00000158 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR, digest 6b fe c2 3a"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Quote with policy OR"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Command code - gettime 7a 3e bd aa"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 0000014c > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR, gettime not an AND term - should fail"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # There are times that a policy creator has TPM, PEM, or DER format
+REM # information, but does not have access to a TPM. The publicname
+REM # utility accepts these inputs and outputs the name in the 'no spaces'
+REM # format suitable for pasting into a policy.
+
+echo ""
+echo "publicname RSA"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create an rsa %%H key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -rsa 2048 -nalg %%H -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the rsa %%H key 80000001"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Compute the TPM2B_PUBLIC Name"
+ %TPM_EXE_PATH%publicname -ipu tmppub.bin -on tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the TPM2B_PUBLIC result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Convert the rsa public key to PEM format"
+ %TPM_EXE_PATH%readpublic -ho 80000001 -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the rsa %%H key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "loadexternal the rsa PEM public key"
+ %TPM_EXE_PATH%loadexternal -ipem tmppub.pem -si -rsa -nalg %%H -halg %%H -scheme rsassa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Compute the PEM Name"
+ %TPM_EXE_PATH%publicname -ipem tmppub.pem -rsa -si -nalg %%H -halg %%H -on tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the PEM result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Convert the TPM PEM key to DER"
+ openssl pkey -inform pem -outform der -in tmppub.pem -out tmppub.der -pubin
+ echo "INFO:"
+
+ echo "Compute the DER Name"
+ %TPM_EXE_PATH%publicname -ider tmppub.der -rsa -si -nalg %%H -halg %%H -on tmp.bin -v > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the DER result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the rsa %%H key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "publicname ECC"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create an ecc nistp256 %%H key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -ecc nistp256 -nalg %%H -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the ecc %%H key 80000001"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Compute the TPM2B_PUBLIC Name"
+ %TPM_EXE_PATH%publicname -ipu tmppub.bin -on tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the TPM2B_PUBLIC result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Convert the ecc public key to PEM format"
+ %TPM_EXE_PATH%readpublic -ho 80000001 -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the ecc %%H key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "loadexternal the ecc PEM public key"
+ %TPM_EXE_PATH%loadexternal -ipem tmppub.pem -si -ecc -nalg %%H -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Compute the PEM Name"
+ %TPM_EXE_PATH%publicname -ipem tmppub.pem -ecc -si -nalg %%H -halg %%H -on tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the PEM result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Convert the TPM PEM key to DER"
+ openssl pkey -inform pem -outform der -in tmppub.pem -out tmppub.der -pubin -pubout
+ echo "INFO:"
+
+ echo "Compute the DER Name"
+ %TPM_EXE_PATH%publicname -ider tmppub.der -ecc -si -nalg %%H -halg %%H -on tmp.bin -v > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the DER result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the ecc %%H key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "publicname NV"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "NV Define Space %%H"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -sz 16 -nalg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 -opu tmppub.bin -on tmpname.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Compute the NV Index Name"
+ %TPM_EXE_PATH%publicname -invpu tmppub.bin -on tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the NV Index result"
+ diff tmp.bin tmpname.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+rm pssig.bin
+rm run.out
+rm sig.bin
+rm tkt.bin
+rm tmp.bin
+rm tmpdup.bin
+rm tmphkey.bin
+rm tmpname.bin
+rm tmppol.bin
+rm tmppriv.bin
+rm tmppub.bin
+rm tmppub.der
+rm tmppub.pem
+rm tmpsig.bin
+rm tmpsipriv.bin
+rm tmpsipriv1.bin
+rm tmpsipub.bin
+rm tmpss.bin
+rm tmpstpriv.bin
+rm tmpstpub.bin
+
+exit /B 0
+
+REM # getcapability -cap 1 -pr 80000000
+REM # getcapability -cap 1 -pr 01000000
+REM # getcapability -cap 1 -pr 02000000
+REM # getcapability -cap 1 -pr 03000000
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.sh
new file mode 100755
index 000000000..ba7a7ab6f
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.sh
@@ -0,0 +1,2031 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# used for the name in policy ticket
+
+if [ -z $TPM_DATA_DIR ]; then
+ TPM_DATA_DIR=.
+fi
+
+
+echo ""
+echo "Policy Command Code"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+# sign with correct policy command code
+# cc69 18b2 2627 3b08 f5bd 406d 7f10 cf16
+# 0f0a 7d13 dfd8 3b77 70cc bcd1 aa80 d811
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be cc69 ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy and wrong password"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk xxx > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, should fail, session used "
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+# quote with bad policy or bad command
+
+# echo "Start a policy session"
+# ${PREFIX}startauthsession -se p > run.out
+# checkSuccess $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Quote - PWAP"
+${PREFIX}quote -hp 0 -hk 80000001 -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Quote - policy, should fail"
+${PREFIX}quote -hp 0 -hk 80000001 -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy restart, set back to zero"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+# echo "Flush the session"
+# ${PREFIX}flushcontext -ha 03000000 > run.out
+# checkSuccess $?
+
+# echo "Start a policy session"
+# ${PREFIX}startauthsession -se p > run.out
+# checkSuccess $?
+
+echo "Policy command code - quote"
+${PREFIX}policycommandcode -ha 03000000 -cc 158 > run.out
+checkSuccess $?
+
+echo "Quote - policy, should fail"
+${PREFIX}quote -hp 0 -hk 80000001 -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+# echo "Flush the session"
+# ${PREFIX}flushcontext -ha 03000000 > run.out
+# checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Command Code and Policy Password / Authvalue"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign, auth"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+# policypassword
+
+echo "Policy restart, set back to zero"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy password"
+${PREFIX}policypassword -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, no password should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Sign a digest - policy, password"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk sig > run.out
+checkSuccess $?
+
+# policyauthvalue
+
+# echo "Start a policy session"
+# ${PREFIX}startauthsession -se p > run.out
+# checkSuccess $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Policy authvalue"
+${PREFIX}policyauthvalue -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, no password should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Sign a digest - policy, password"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 -pwdk sig > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Password and Policy Authvalue flags"
+echo ""
+
+for COMMAND in policypassword policyauthvalue
+
+do
+
+ echo "Create a signing key under the primary key - policy command code - sign, auth"
+ ${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+ checkSuccess $?
+
+ echo "Load the signing key under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Start a policy session"
+ ${PREFIX}startauthsession -se p > run.out
+ checkSuccess $?
+
+ echo "Policy command code - sign"
+ ${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+ checkSuccess $?
+
+ echo "Policy ${COMMAND}"
+ ${PREFIX}${COMMAND} -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy, password"
+ ${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Flush signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create a signing key under the primary key - policy command code - sign"
+ ${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign.bin > run.out
+ checkSuccess $?
+
+ echo "Load the signing key under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Policy command code - sign"
+ ${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy and wrong password"
+ ${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk xxx > run.out
+ checkSuccess $?
+
+ echo "Flush signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush policy session"
+ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Policy Signed"
+echo ""
+
+# create rsaprivkey.pem
+# > openssl genrsa -out rsaprivkey.pem -aes256 -passout pass:rrrr 2048
+# extract the public key
+# > openssl pkey -inform pem -outform pem -in rsaprivkey.pem -passin pass:rrrr -pubout -out rsapubkey.pem
+# sign a test message msg.bin
+# > openssl dgst -sha1 -sign rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
+#
+# create the policy:
+# use loadexternal -ns to get the name
+
+# sha1
+# 00044234c24fc1b9de6693a62453417d2734d7538f6f
+# sha256
+# 000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+# sha384
+# 000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
+# sha512
+# 000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
+
+# 00000160 plus the above name as text, add a blank line for empty policyRef
+# to create policies/policysigned$HALG.txt
+#
+# 0000016000044234c24fc1b9de6693a62453417d2734d7538f6f
+# 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+# 00000160000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
+# 00000160000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
+#
+# use sha256 policies, policymaker default (policy session digest
+# algorithm is separate from Name and signature hash algorithm)
+#
+# > policymaker -if policies/policysigned$HALG.txt -of policies/policysigned$HALG.bin -pr
+#
+# sha1
+# 9d 81 7a 4e e0 76 eb b5 cf ee c1 82 05 cc 4c 01
+# b3 a0 5e 59 a9 b9 65 a1 59 af 1e cd 3d bf 54 fb
+# sha256
+# de bf 9d fa 3c 98 08 0b f1 7d d1 d0 7b 54 fd e1
+# 07 93 7f e5 40 50 9e 70 96 aa 73 27 53 b3 83 31
+# sha384
+# 45 c5 da 90 76 92 3a 70 03 6f df 56 ea e7 df db
+# 41 e2 01 75 24 49 54 94 66 93 6b c4 fc 88 ab 5c
+# sha512
+# cd 34 96 08 39 ea 40 88 5e fa 7f 37 8b a7 21 f1
+# 78 6d 52 bb 93 47 9c 73 45 88 3c dc 1f 09 06 6f
+#
+# 80000000 primary key
+# 80000001 verification public key
+# 80000002 signing key with policy
+# 03000000 policy session
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Load external just the public part of PEM at 80000001 - $HALG"
+ ${PREFIX}loadexternal -halg $HALG -nalg $HALG -ipem policies/rsapubkey.pem -ns > run.out
+ checkSuccess $?
+
+ echo "Sign a test message with openssl - $HALG"
+ openssl dgst -$HALG -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin > run.out 2>&1
+
+ echo "Verify the signature with 80000001 - $HALG"
+ ${PREFIX}verifysignature -hk 80000001 -halg $HALG -if msg.bin -is pssig.bin -raw > run.out
+ checkSuccess $?
+
+ echo "Create a signing key under the primary key - policy signed - $HALG"
+ ${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysigned$HALG.bin > run.out
+ checkSuccess $?
+
+ echo "Load the signing key under the primary key, at 80000002"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Start a policy session"
+ ${PREFIX}startauthsession -se p > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy, should fail"
+ ${PREFIX}sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ checkFailure $?
+
+ echo "Policy signed, sign with PEM key - $HALG"
+ ${PREFIX}policysigned -hk 80000001 -ha 03000000 -sk policies/rsaprivkey.pem -halg $HALG -pwdk rrrr > run.out
+ checkSuccess $?
+
+ echo "Get policy digest"
+ ${PREFIX}policygetdigest -ha 03000000 -of tmppol.bin > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy signed"
+ ${PREFIX}sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Policy restart, set back to zero"
+ ${PREFIX}policyrestart -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Sign just expiration (uint32_t 4 zeros) with openssl - $HALG"
+ openssl dgst -$HALG -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/zero4.bin > run.out 2>&1
+
+ echo "Policy signed, signature generated externally - $HALG"
+ ${PREFIX}policysigned -hk 80000001 -ha 03000000 -halg $HALG -is pssig.bin > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy signed"
+ ${PREFIX}sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ checkSuccess $?
+
+ echo "Start a policy session - save nonceTPM"
+ ${PREFIX}startauthsession -se p -on noncetpm.bin > run.out
+ checkSuccess $?
+
+ echo "Policy signed with nonceTPM and expiration, create a ticket - $HALG"
+ ${PREFIX}policysigned -hk 80000001 -ha 03000000 -sk policies/rsaprivkey.pem -halg $HALG -pwdk rrrr -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy signed"
+ ${PREFIX}sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ checkSuccess $?
+
+ echo "Start a policy session"
+ ${PREFIX}startauthsession -se p > run.out
+ checkSuccess $?
+
+ echo "Policy ticket"
+ ${PREFIX}policyticket -ha 03000000 -to to.bin -na ${TPM_DATA_DIR}/h80000001.bin -tk tkt.bin > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy ticket"
+ ${PREFIX}sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ checkSuccess $?
+
+ echo "Flush the verification public key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+done
+
+# getcapability -cap 1 -pr 80000000
+# getcapability -cap 1 -pr 02000000
+# getcapability -cap 1 -pr 03000000
+
+# exit 0
+
+echo ""
+echo "Policy Secret with Platform Auth"
+echo ""
+
+# 4000000c platform
+# 80000000 primary key
+# 80000001 signing key with policy
+# 03000000 policy session
+# 02000001 hmac session
+
+echo "Change platform hierarchy auth"
+${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
+checkSuccess $?
+
+echo "Create a signing key under the primary key - policy secret using platform auth"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysecretp.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -on noncetpm.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session, create a ticket"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 -pwde ppp -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy secret"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -on noncetpm.bin > run.out
+checkSuccess $?
+
+echo "Policy Secret using primary key, create a ticket"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 -pwde ppp -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy secret"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy ticket"
+${PREFIX}policyticket -ha 03000000 -to to.bin -hi p -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy ticket"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -on noncetpm.bin > run.out
+checkSuccess $?
+
+echo "Start an HMAC session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Policy Secret with HMAC session"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 -pwde ppp -se0 02000001 0 > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy secret"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Change platform hierarchy auth back to null"
+${PREFIX}hierarchychangeauth -hi p -pwda ppp > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Secret with NV Auth"
+echo ""
+
+# Name is
+# 00 0b e0 65 10 81 c2 fc da 30 69 93 da 43 d1 de
+# 5b 24 be 42 6e 2d 61 90 7b 42 83 54 69 13 6c 97
+# 68 1f
+
+# Policy is
+# c6 93 f9 b0 ef 1a b7 1e ca ae 00 af 1f 0b f4 88
+# 37 9e ab 16 c1 f8 0d 9f f9 6d 90 41 4e 2f c6 b3
+
+echo "NV Define Space 0100000"
+${PREFIX}nvdefinespace -hi p -ha 01000000 -pwdn nnn -sz 16 -pwdn nnn > run.out
+checkSuccess $?
+
+echo "Create a signing key under the primary key - policy secret NV auth"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysecretnv.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -on noncetpm.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn -in noncetpm.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy secret"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space 0100000"
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+checkSuccess $?
+
+
+echo ""
+echo "Policy Secret with Object"
+echo ""
+
+# Use a externally generated object so that the Name is known and thus
+# the policy can be precalculated
+
+# Name
+# 00 0b 64 ac 92 1a 03 5c 72 b3 aa 55 ba 7d b8 b5
+# 99 f1 72 6f 52 ec 2f 68 20 42 fc 0e 0d 29 fa e8
+# 17 99
+
+# 000001151 plus the above name as text, add a blank line for empty policyRef
+# to create policies/policysecretsha256.txt
+# 00000151000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+
+# 4b 7f ca c2 b7 c3 ac a2 7c 5c da 9c 71 e6 75 28
+# 63 d2 87 d2 33 ec 49 0e 7a be 88 f1 ef 94 5d 5c
+
+echo "Load the RSA openssl key pair in the NULL hierarchy 80000001"
+${PREFIX}loadexternal -rsa -ider policies/rsaprivkey.der -pwdk rrrr > run.out
+checkSuccess $?
+
+echo "Create a signing key under the primary key - policy secret of object 80000001"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -uwa -pol policies/policysecretsha256.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key 80000002"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Sign a digest - password auth - should fail"
+${PREFIX}sign -hk 80000002 -if policies/aaa -pwdk sig > run.out
+checkFailure $?
+
+echo "Start a policy session 03000000"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session"
+${PREFIX}policysecret -ha 80000001 -hs 03000000 -pwde rrrr > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy secret"
+${PREFIX}sign -hk 80000002 -if msg.bin -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Flush the policysecret key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Load the RSA openssl key pair in the NULL hierarchy, userWithAuth false 80000001"
+${PREFIX}loadexternal -rsa -ider policies/rsaprivkey.der -pwdk rrrr -uwa > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session - should fail"
+${PREFIX}policysecret -ha 80000001 -hs 03000000 -pwde rrrr > run.out
+checkFailure $?
+
+echo "Flush the policysecret key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Authorize"
+echo ""
+
+# 80000000 primary
+# 80000001 verification public key, openssl
+# 80000002 signing key
+# 03000000 policy session
+
+# Name for 80000001 0004 4234 c24f c1b9 de66 93a6 2453 417d 2734 d753 8f6f
+#
+# policyauthorizesha256.txt
+# 0000016a000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+#
+# (need blank line for policyRef)
+#
+# > policymaker -if policies/policyauthorizesha256.txt -of policies/policyauthorizesha256.bin -pr
+#
+# eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+# ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+
+echo "Create a signing key with policy authorize"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyauthorizesha256.bin > run.out
+checkSuccess $?
+
+echo "Load external just the public part of PEM authorizing key 80000001"
+${PREFIX}loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key 80000002 "
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be zero"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be policy to approve, aHash input, same as policies/policyccsign.bin"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Openssl generate and sign aHash (empty policyRef)"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policyccsign.bin > run.out 2>&1
+
+echo "Verify the signature to generate ticket 80000001"
+${PREFIX}verifysignature -hk 80000001 -halg sha256 -if policies/policyccsign.bin -is pssig.bin -raw -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Policy authorize using the ticket"
+${PREFIX}policyauthorize -ha 03000000 -appr policies/policyccsign.bin -skn ${TPM_DATA_DIR}/h80000001.bin -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be policy authorize"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the verification public key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+# getcapability -cap 1 -pr 80000000
+# getcapability -cap 1 -pr 02000000
+# getcapability -cap 1 -pr 03000000
+
+# exit 0
+
+echo ""
+echo "Set Primary Policy"
+echo ""
+
+echo "Platform policy empty"
+${PREFIX}setprimarypolicy -hi p > run.out
+checkSuccess $?
+
+echo "Platform policy empty, bad password"
+${PREFIX}setprimarypolicy -hi p -pwda ppp > run.out
+checkFailure $?
+
+echo "Set platform hierarchy auth"
+${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
+checkSuccess $?
+
+echo "Platform policy empty, bad password"
+${PREFIX}setprimarypolicy -hi p > run.out
+checkFailure $?
+
+echo "Platform policy empty"
+${PREFIX}setprimarypolicy -hi p -pwda ppp > run.out
+checkSuccess $?
+
+echo "Platform policy to policy secret platform auth"
+${PREFIX}setprimarypolicy -hi p -pwda ppp -halg sha256 -pol policies/policysecretp.bin > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 -pwde ppp > run.out
+checkSuccess $?
+
+echo "Change platform hierarchy auth to null with policy secret"
+${PREFIX}hierarchychangeauth -hi p -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy PCR no select"
+echo ""
+
+# create AND term for policy PCR
+# > policymakerpcr -halg sha1 -bm 0 -v -pr -of policies/policypcr.txt
+# 0000017f00000001000403000000da39a3ee5e6b4b0d3255bfef95601890afd80709
+
+# convert to binary policy
+# > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcrbm0.bin -pr -v
+
+# 6d 38 49 38 e1 d5 8b 56 71 92 55 94 3f 06 69 66
+# b6 fa 2c 23
+
+echo "Create a signing key with policy PCR no select"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcrbm0.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -halg sha1 -se p > run.out
+checkSuccess $?
+
+echo "Policy PCR, update with the correct digest"
+${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be 6d 38 49 38 ... "
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign, should succeed"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Policy restart, set back to zero"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy PCR, update with the correct digest"
+${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
+checkSuccess $?
+
+echo "PCR extend PCR 0, updates pcr counter"
+${PREFIX}pcrextend -ha 0 -halg sha1 -if policies/aaa > run.out
+checkSuccess $?
+
+echo "Sign, should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Flush the policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Flush the key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy PCR 16"
+echo ""
+
+# policypcr0.txt has 20 * 00
+
+# create AND term for policy PCR
+# > policymakerpcr -halg sha1 -bm 010000 -if policies/policypcr0.txt -v -pr -of policies/policypcr.txt
+# 0000017f000000010004030000016768033e216468247bd031a0a2d9876d79818f8f
+
+# convert to binary policy
+# > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcr.bin -pr -v
+
+# 85 33 11 83 19 03 12 f5 e8 3c 60 43 34 6f 9f 37
+# 21 04 76 8e
+
+echo "Create a signing key with policy PCR PCR 16 zero"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcr.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Reset PCR 16 back to zero"
+${PREFIX}pcrreset -ha 16 > run.out
+checkSuccess $?
+
+echo "Read PCR 16, should be 00 00 00 00 ..."
+${PREFIX}pcrread -ha 16 -halg sha1 > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "Sign, policy not satisfied - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkFailure $?
+
+echo "Policy PCR, update with the correct digest"
+${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be 85 33 11 83 ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign, should succeed"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "PCR extend PCR 16"
+${PREFIX}pcrextend -ha 16 -halg sha1 -if policies/aaa > run.out
+checkSuccess $?
+
+echo "Read PCR 0, should be 1d 47 f6 8a ..."
+${PREFIX}pcrread -ha 16 -halg sha1 > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "Policy PCR, update with the wrong digest"
+${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be 66 dd e5 e3"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkFailure $?
+
+echo "Flush the policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Flush the key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# 01000000 authorizing index
+# 01000001 authorized index
+# 03000000 policy session
+#
+# 4 byte NV index
+# policynv.txt
+# policy CC_PolicyNV || args || Name
+#
+# policynvargs.txt (binary)
+# args = hash of 0000 0000 0000 0000 | 0000 | 0000 (eight bytes of zero | offset | op ==)
+# hash -hi n -halg sha1 -if policies/policynvargs.txt -v
+# openssl dgst -sha1 policies/policynvargs.txt
+# 2c513f149e737ec4063fc1d37aee9beabc4b4bbf
+#
+# NV authorizing index
+#
+# after defining index and NV write to set written, use
+# ${PREFIX}nvreadpublic -ha 01000000 -nalg sha1
+# to get name
+# 00042234b8df7cdf8605ee0a2088ac7dfe34c6566c5c
+#
+# append Name to policynvnv.txt
+#
+# convert to binary policy
+# > policymaker -halg sha1 -if policies/policynvnv.txt -of policies/policynvnv.bin -pr -v
+# bc 9b 4c 4f 7b 00 66 19 5b 1d d9 9c 92 7e ad 57 e7 1c 2a fc
+#
+# file zero8.bin has 8 bytes of hex zero
+
+echo ""
+echo "Policy NV, NV index authorizing"
+echo ""
+
+echo "Define a setbits index, authorizing index"
+${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -ty b > run.out
+checkSuccess $?
+
+echo "NV Read public, get Name, not written"
+${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out
+checkSuccess $?
+
+echo "NV setbits to set written"
+${PREFIX}nvsetbits -ha 01000000 -pwdn nnn > run.out
+checkSuccess $?
+
+echo "NV Read public, get Name, written"
+${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out
+checkSuccess $?
+
+echo "NV Read, should be zero"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+checkSuccess $?
+
+echo "Define an ordinary index, authorized index, policyNV"
+${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000001 -pwdn nnn -sz 2 -ty o -pol policies/policynvnv.bin > run.out
+checkSuccess $?
+
+echo "NV Read public, get Name, not written"
+${PREFIX}nvreadpublic -ha 01000001 -nalg sha1 > run.out
+checkSuccess $?
+
+echo "NV write to set written"
+${PREFIX}nvwrite -ha 01000001 -pwdn nnn -ic aa > run.out
+checkSuccess $?
+
+echo "Start policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "NV write, policy not satisfied - should fail"
+${PREFIX}nvwrite -ha 01000001 -ic aa -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy get digest, should be 0"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy NV to satisfy the policy"
+${PREFIX}policynv -ha 01000000 -pwda nnn -hs 03000000 -if policies/zero8.bin -op 0 > run.out
+checkSuccess $?
+
+echo "Policy get digest, should be bc 9b 4c 4f ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "NV write, policy satisfied"
+${PREFIX}nvwrite -ha 01000001 -ic aa -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Set bit in authorizing NV index"
+${PREFIX}nvsetbits -ha 01000000 -pwdn nnn -bit 0 > run.out
+checkSuccess $?
+
+echo "NV Read, should be 1"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+checkSuccess $?
+
+echo "Policy NV to satisfy the policy - should fail"
+${PREFIX}policynv -ha 01000000 -pwda nnn -hs 03000000 -if policies/zero8.bin -op 0 > run.out
+checkFailure $?
+
+echo "Policy get digest, should be 00 00 00 00 ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "NV Undefine authorizing index"
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+checkSuccess $?
+
+echo "NV Undefine authorized index"
+${PREFIX}nvundefinespace -hi p -ha 01000001 > run.out
+checkSuccess $?
+
+echo "Flush policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy NV Written"
+echo ""
+
+echo "Define an ordinary index, authorized index, policyNV"
+${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -sz 2 -ty o -pol policies/policywrittenset.bin > run.out
+checkSuccess $?
+
+echo "NV Read public, get Name, not written"
+${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out
+checkSuccess $?
+
+echo "Start policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "NV write, policy not satisfied - should fail"
+${PREFIX}nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy NV Written no, does not satisfy policy"
+${PREFIX}policynvwritten -hs 03000000 -ws n > run.out
+checkSuccess $?
+
+echo "NV write, policy not satisfied - should fail"
+${PREFIX}nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Flush policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Start policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "Policy NV Written yes, satisfy policy"
+${PREFIX}policynvwritten -hs 03000000 -ws y > run.out
+checkSuccess $?
+
+echo "NV write, policy satisfied but written clear - should fail"
+${PREFIX}nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Flush policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "NV write using password, set written"
+${PREFIX}nvwrite -ha 01000000 -ic aa -pwdn nnn > run.out
+checkSuccess $?
+
+echo "Start policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "Policy NV Written yes, satisfy policy"
+${PREFIX}policynvwritten -hs 03000000 -ws y > run.out
+checkSuccess $?
+
+echo "NV write, policy satisfied"
+${PREFIX}nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Flush policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Start policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "Policy NV Written no"
+${PREFIX}policynvwritten -hs 03000000 -ws n > run.out
+checkSuccess $?
+
+echo "Policy NV Written yes - should fail"
+${PREFIX}policynvwritten -hs 03000000 -ws y > run.out
+checkFailure $?
+
+echo "Flush policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "NV Undefine authorizing index"
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Signed externally signed cpHash"
+echo ""
+
+# NV Index 01000000 has policy OR
+
+# Policy A - provisioning: policy written false + policysigned
+# demo: authorizer signs NV write all zero
+
+# Policy B - application: policy written true + policysigned
+# demo: authorizer signs NV write abcdefgh
+
+echo "Load external just the public part of PEM at 80000001"
+${PREFIX}loadexternal -ipem policies/rsapubkey.pem > run.out
+checkSuccess $?
+
+echo "Get the Name of the signing key at 80000001"
+${PREFIX}readpublic -ho 80000001 -ns > run.out
+checkSuccess $?
+# 000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+
+# construct policy A
+
+# policies/policywrittenclrsigned.txt
+# 0000018f00
+# 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+# Add the extra blank line here for policyRef
+
+# policymaker -if policies/policywrittenclrsigned.txt -of policies/policywrittenclrsigned.bin -pr -ns -v
+# intermediate policy digest length 32
+# 3c 32 63 23 67 0e 28 ad 37 bd 57 f6 3b 4c c3 4d
+# 26 ab 20 5e f2 2f 27 5c 58 d4 7f ab 24 85 46 6e
+# intermediate policy digest length 32
+# 6b 0d 2d 2b 55 4d 68 ec bc 6c d5 b8 c0 96 c1 70
+# 57 5a 95 25 37 56 38 7e 83 d7 76 d9 5b 1b 8e f3
+# intermediate policy digest length 32
+# 48 0b 78 2e 02 82 c2 40 88 32 c4 df 9c 0e be 87
+# 18 6f 92 54 bd e0 5b 0c 2e a9 52 48 3e b7 69 f2
+# policy digest length 32
+# 48 0b 78 2e 02 82 c2 40 88 32 c4 df 9c 0e be 87
+# 18 6f 92 54 bd e0 5b 0c 2e a9 52 48 3e b7 69 f2
+# policy digest:
+# 480b782e0282c2408832c4df9c0ebe87186f9254bde05b0c2ea952483eb769f2
+
+# construct policy B
+
+# policies/policywrittensetsigned.txt
+# 0000018f01
+# 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+# Add the extra blank line here for policyRef
+
+# policymaker -if policies/policywrittensetsigned.txt -of policies/policywrittensetsigned.bin -pr -ns -v
+# intermediate policy digest length 32
+# f7 88 7d 15 8a e8 d3 8b e0 ac 53 19 f3 7a 9e 07
+# 61 8b f5 48 85 45 3c 7a 54 dd b0 c6 a6 19 3b eb
+# intermediate policy digest length 32
+# 7d c2 8f b0 dd 4f ee 97 78 2b 55 43 b1 dc 6b 1e
+# e2 bc 79 05 d4 a1 f6 8d e2 97 69 5f a9 aa 78 5f
+# intermediate policy digest length 32
+# 09 43 ba 3c 3b 4d b1 c8 3f c3 97 85 f9 dc 0a 82
+# 49 f6 79 4a 04 38 e6 45 0a 50 56 8f b4 eb d2 46
+# policy digest length 32
+# 09 43 ba 3c 3b 4d b1 c8 3f c3 97 85 f9 dc 0a 82
+# 49 f6 79 4a 04 38 e6 45 0a 50 56 8f b4 eb d2 46
+# policy digest:
+# 0943ba3c3b4db1c83fc39785f9dc0a8249f6794a0438e6450a50568fb4ebd246
+
+# construct the Policy OR of A and B
+
+# policyorwrittensigned.txt - command code plus two policy digests
+# 00000171480b782e0282c2408832c4df9c0ebe87186f9254bde05b0c2ea952483eb769f20943ba3c3b4db1c83fc39785f9dc0a8249f6794a0438e6450a50568fb4ebd246
+# policymaker -if policies/policyorwrittensigned.txt -of policies/policyorwrittensigned.bin -pr
+# policy digest length 32
+# 06 00 ae 34 7a 30 b0 67 36 d3 32 85 a0 cc ad 46
+# 54 1e 62 71 f5 d0 85 10 a7 ff 0e 90 30 54 d6 c9
+
+echo "Define index 01000000 with the policy OR"
+${PREFIX}nvdefinespace -ha 01000000 -hi o -sz 8 -pwdn "" -pol policies/policyorwrittensigned.bin -at aw > run.out
+checkSuccess $?
+
+echo "Get the Name of the NV index not written, should be 00 0b ... bb 0b"
+${PREFIX}nvreadpublic -ha 01000000 -ns > run.out
+checkSuccess $?
+
+# 000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b
+
+echo "Start a policy session 03000000"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy A - not written"
+echo ""
+
+# construct cpHash for Policy A - not written, writing zeros
+
+# (commandCode || authHandle Name || NV Index Name || data + offset) - data 8 bytes of 0's at offset 0000
+# For index auth, authHandle Name and index Name are the same
+# policies/nvwritecphasha.txt
+# 00000137000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b000800000000000000000000
+# policymaker -nz -if policies/nvwritecphasha.txt -of policies/nvwritecphasha.bin -pr -ns
+# policy digest length 32
+# cf 98 1e ee 68 04 3b dd ee 0c ab bc 75 b3 63 be
+# 3c f9 ee 22 2a 78 b8 26 3f 06 7b b3 55 2c a6 11
+# policy digest:
+# cf981eee68043bddee0cabbc75b363be3cf9ee222a78b8263f067bb3552ca611
+
+# construct aHash for Policy A
+
+# expiration + cpHashA
+# policies/nvwriteahasha.txt
+# 00000000cf981eee68043bddee0cabbc75b363be3cf9ee222a78b8263f067bb3552ca611
+# just convert to binary, because openssl does the hash before signing
+# xxd -r -p policies/nvwriteahasha.txt policies/nvwriteahasha.bin
+
+echo "Policy NV Written no, satisfy policy"
+${PREFIX}policynvwritten -hs 03000000 -ws n > run.out
+checkSuccess $?
+
+echo "Should be policy A first intermediate value 3c 32 63 23 ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign aHash with openssl 8813 6530 ..."
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out sig.bin policies/nvwriteahasha.bin > run.out 2>&1
+echo ""
+
+echo "Policy signed, signature generated externally"
+${PREFIX}policysigned -hk 80000001 -ha 03000000 -halg sha256 -cp policies/nvwritecphasha.bin -is sig.bin > run.out
+checkSuccess $?
+
+echo "Should be policy A final value 48 0b 78 2e ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if policies/policywrittenclrsigned.bin -if policies/policywrittensetsigned.bin > run.out
+checkSuccess $?
+
+echo "Should be policy OR final value 06 00 ae 34 "
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "NV write to set written"
+${PREFIX}nvwrite -ha 01000000 -if policies/zero8.bin -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy B - written"
+echo ""
+
+echo "Get the new (written) Name of the NV index not written, should be 00 0b f5 75"
+${PREFIX}nvreadpublic -ha 01000000 -ns > run.out
+checkSuccess $?
+
+# 000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8
+
+# construct cpHash for Policy B
+
+# (commandCode || authHandle Name || NV Index Name || data + offset) - data 8 bytes of abcdefgh at offset 00000
+# For index auth, authHandle Name and index Name are the same
+# policies/nvwritecphashb.txt
+# 00000137000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8000861626364656667680000
+# policymaker -nz -if policies/nvwritecphashb.txt -of policies/nvwritecphashb.bin -pr -ns
+# policy digest length 32
+# df 58 08 f9 ab cb 23 7f 8c d7 c9 09 1c 86 12 2d
+# 88 6f 02 d4 6e db 53 c8 da 39 bf a2 d6 cf 07 63
+# policy digest:
+# df5808f9abcb237f8cd7c9091c86122d886f02d46edb53c8da39bfa2d6cf0763
+
+# construct aHash for Policy B
+
+# expiration + cpHashA
+# policies/nvwriteahashb.txt
+# 00000000df5808f9abcb237f8cd7c9091c86122d886f02d46edb53c8da39bfa2d6cf0763
+# just convert to binary, because openssl does the hash before signing
+# xxd -r -p policies/nvwriteahashb.txt policies/nvwriteahashb.bin
+
+echo "Policy NV Written yes, satisfy policy"
+${PREFIX}policynvwritten -hs 03000000 -ws y > run.out
+checkSuccess $?
+
+echo "Should be policy A first intermediate value f7 88 7d 15 ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign aHash with openssl 3700 0a91 ..."
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out sig.bin policies/nvwriteahashb.bin > run.out 2>&1
+echo ""
+
+echo "Policy signed, signature generated externally"
+${PREFIX}policysigned -hk 80000001 -ha 03000000 -halg sha256 -cp policies/nvwritecphashb.bin -is sig.bin > run.out
+checkSuccess $?
+
+echo "Should be policy B final value 09 43 ba 3c ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if policies/policywrittenclrsigned.bin -if policies/policywrittensetsigned.bin > run.out
+checkSuccess $?
+
+echo "Should be policy OR final value 06 00 ae 34 "
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "NV write new data"
+${PREFIX}nvwrite -ha 01000000 -ic abcdefgh -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo ""
+echo "Cleanup"
+echo ""
+
+echo "Flush the policy session 03000000"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Flush the signature verification key 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Undefine the NV Index 01000000"
+${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+checkSuccess $?
+
+# test using clockrateadjust
+# policycphashhash.txt is (hex) 00000130 4000000c 000
+# hash -if policycphashhash.txt -oh policycphashhash.bin -halg sha1 -v
+# openssl dgst -sha1 policycphashhash.txt
+# cpHash is
+# b5f919bbc01f0ebad02010169a67a8c158ec12f3
+# append to policycphash.txt 00000163 + cpHash
+# policymaker -halg sha1 -if policies/policycphash.txt -of policies/policycphash.bin -pr
+# 06 e4 6c f9 f3 c7 0f 30 10 18 7c a6 72 69 b0 84 b4 52 11 6f
+
+echo ""
+echo "Policy cpHash"
+echo ""
+
+echo "Set the platform policy to policy cpHash"
+${PREFIX}setprimarypolicy -hi p -pol policies/policycphash.bin -halg sha1 > run.out
+checkSuccess $?
+
+echo "Clockrate adjust using wrong password - should fail"
+${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
+checkFailure $?
+
+echo "Start policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "Clockrate adjust, policy not satisfied - should fail"
+${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 0 -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy cpHash, satisfy policy"
+${PREFIX}policycphash -ha 03000000 -cp policies/policycphashhash.bin > run.out
+checkSuccess $?
+
+echo "Policy get digest, should be 06 e4 6c f9"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Clockrate adjust, policy satisfied but bad command params - should fail"
+${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 1 -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Clockrate adjust, policy satisfied"
+${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 0 -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Clear the platform policy"
+${PREFIX}setprimarypolicy -hi p > run.out
+checkSuccess $?
+
+echo "Flush policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Duplication Select with includeObject FALSE"
+echo ""
+
+# These tests uses a new parent and object to be duplicated generated
+# externally. This makes the Names repeatable and permits the
+# policy to be pre-calculated and static.
+
+# command code 00000188
+# newParentName
+# 000b 1a5d f667 7533 4527 37bc 79a5 5ab6
+# d9fa 9174 5c03 3dfe 3f82 cdf0 903b a9d6
+# 55f1
+# includeObject 00
+# policymaker -if policies/policydupsel-no.txt -of policies/policydupsel-no.bin -pr -v
+# 5f 55 ba 2b 69 0f b0 38 ac 15 ff 2a 86 ef 65 66
+# be a8 23 68 43 97 4c 3f a7 36 37 72 56 ec bc 45
+
+# 80000000 SK storage primary key
+# 80000001 NP new parent, the target of the duplication
+# 80000002 SI signing key, duplicate from SK to NP
+# 03000000 policy session
+
+echo "Import the new parent storage key NP under the primary key"
+${PREFIX}importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -st -pwdk rrrr -opu tmpstpub.bin -opr tmpstpriv.bin -halg sha256 > run.out
+checkSuccess $?
+
+echo "Load the new parent TPM storage key NP at 80000001"
+${PREFIX}load -hp 80000000 -pwdp sto -ipu tmpstpub.bin -ipr tmpstpriv.bin > run.out
+checkSuccess $?
+
+echo "Import a signing key SI under the primary key 80000000, with policy duplication select"
+${PREFIX}importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policydupsel-no.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key SI at 80000002"
+${PREFIX}load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+checkSuccess $?
+
+echo "Start a policy session 03000000"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy duplication select, object SI 80000002 to new parent NP 80000001"
+${PREFIX}policyduplicationselect -ha 03000000 -inpn h80000001.bin -ion h80000002.bin > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be 5f 55 ba 2b ...."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Duplicate signing key SI at 80000002 under new parent TPM storage key NP 80000001"
+${PREFIX}duplicate -ho 80000002 -hp 80000001 -od tmpdup.bin -oss tmpss.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the original SI at 80000002 to free object slot for import"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Import signing key SI under new parent TPM storage key NP 80000001"
+${PREFIX}import -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -id tmpdup.bin -iss tmpss.bin -opr tmpsipriv1.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key SI at 80000002"
+${PREFIX}load -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -ipr tmpsipriv1.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+checkSuccess $?
+
+echo "Flush the duplicated SI at 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Duplication Select with includeObject TRUE"
+echo ""
+
+# command code 00000188
+# SI objectName
+# 000b 6319 28da 1624 3135 3a59 c03a 2ca7
+# dbb7 0989 1440 4236 3c7f a838 39d9 da6c
+# 437a
+# HP newParentName
+# 000b
+# 1a5d f667 7533 4527 37bc 79a5 5ab6 d9fa
+# 9174 5c03 3dfe 3f82 cdf0 903b a9d6 55f1
+# includeObject 01
+#
+# policymaker -if policies/policydupsel-yes.txt -of policies/policydupsel-yes.bin -pr -v
+# 14 64 06 4c 80 cb e3 4f f5 03 82 15 38 62 43 17
+# 93 94 8f f1 e8 8a c6 23 4d d1 b0 c5 4c 05 f7 3b
+
+# 80000000 SK storage primary key
+# 80000001 NP new parent, the target of the duplication
+# 80000002 SI signing key, duplicate from SK to NP
+# 03000000 policy session
+
+echo "Import a signing key SI under the primary key 80000000, with policy authorize"
+${PREFIX}importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policyauthorizesha256.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key SI with objectName 000b 6319 28da at 80000002"
+${PREFIX}load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+checkSuccess $?
+
+echo "Start a policy session 03000000"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy duplication select, object SI 80000002 to new parent NP 80000001 with includeObject"
+${PREFIX}policyduplicationselect -ha 03000000 -inpn h80000001.bin -ion h80000002.bin -io > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be policy to approve, aHash input 14 64 06 4c same as policies/policydupsel-yes.bin"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Flush the original SI at 80000002 to free object slot for loadexternal "
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Openssl generate and sign aHash (empty policyRef)"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policydupsel-yes.bin > run.out 2>&1
+
+echo "Load external just the public part of PEM authorizing key 80000002"
+${PREFIX}loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
+checkSuccess $?
+
+echo "Verify the signature against 80000002 to generate ticket"
+${PREFIX}verifysignature -hk 80000002 -halg sha256 -if policies/policydupsel-yes.bin -is pssig.bin -raw -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Policy authorize using the ticket"
+${PREFIX}policyauthorize -ha 03000000 -appr policies/policydupsel-yes.bin -skn ${TPM_DATA_DIR}/h80000002.bin -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Get policy digest"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Flush the PEM authorizing verification key at 80000002 to free object slot for import"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Load the original signing key SI at 80000002"
+${PREFIX}load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
+checkSuccess $?
+
+echo "Duplicate signing key SI at 80000002 under new parent TPM storage key NP 80000001 000b 1a5d f667"
+${PREFIX}duplicate -ho 80000002 -hp 80000001 -od tmpdup.bin -oss tmpss.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the original SI at 80000002 to free object slot for import"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Import signing key SI under new parent TPM storage key NP 80000001"
+${PREFIX}import -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -id tmpdup.bin -iss tmpss.bin -opr tmpsipriv1.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key SI at 80000002"
+${PREFIX}load -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -ipr tmpsipriv1.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+checkSuccess $?
+
+echo "Flush the duplicated SI at 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the new parent TPM storage key NP 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Name Hash"
+echo ""
+
+# signing key SI Name
+# 000b
+# 6319 28da 1624 3135 3a59 c03a 2ca7 dbb7
+# 0989 1440 4236 3c7f a838 39d9 da6c 437a
+
+# compute nameHash
+
+# nameHash - just a hash, not an extend
+# policymaker -if policies/pnhnamehash.txt -of policies/pnhnamehash.bin -nz -pr -v -ns
+# 18 e0 0c 62 77 18 d9 fc 81 22 3d 8a 56 33 7e eb
+# 0e 7d 98 28 bd 7b c7 29 1d 3c 27 3f 7a c4 04 f1
+# 18e00c627718d9fc81223d8a56337eeb0e7d9828bd7bc7291d3c273f7ac404f1
+
+# compute policy (based on
+
+# 00000170 TPM_CC_PolicyNameHash
+# signing key SI Name
+# 18e00c627718d9fc81223d8a56337eeb0e7d9828bd7bc7291d3c273f7ac404f1
+
+# policymaker -if policies/policynamehash.txt -of policies/policynamehash.bin -pr -v
+# 96 30 f9 00 c3 4c 66 09 c1 c5 92 41 78 c1 b2 3d
+# 9f d4 93 f4 f9 c2 98 c8 30 4a e3 0f 97 a2 fd 49
+
+# 80000000 SK storage primary key
+# 80000001 SI signing key
+# 80000002 Authorizing public key
+# 03000000 policy session
+
+echo "Import a signing key SI under the primary key 80000000, with policy authorize"
+${PREFIX}importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policyauthorizesha256.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key SI at 80000001"
+${PREFIX}load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest using the password"
+${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000001 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+checkSuccess $?
+
+echo "Start a policy session 03000000"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy name hash, object SI 80000001"
+${PREFIX}policynamehash -ha 03000000 -nh policies/pnhnamehash.bin > run.out
+checkSuccess $?
+
+echo "Get policy digest,should be policy to approve, 96 30 f9 00"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Openssl generate and sign aHash (empty policyRef)"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policynamehash.bin > run.out 2>&1
+
+echo "Load external just the public part of PEM authorizing key 80000002"
+${PREFIX}loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
+checkSuccess $?
+
+echo "Verify the signature against 80000002 to generate ticket"
+${PREFIX}verifysignature -hk 80000002 -halg sha256 -if policies/policynamehash.bin -is pssig.bin -raw -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Policy authorize using the ticket"
+${PREFIX}policyauthorize -ha 03000000 -appr policies/policynamehash.bin -skn ${TPM_DATA_DIR}/h80000002.bin -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be eb a3 f9 8c ...."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest using the policy"
+${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os tmpsig.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000001 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+checkSuccess $?
+
+echo "Flush the signing key at 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the authorizing key 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+# test using clockrateadjust and platform policy
+
+# operand A time is 64 bits at offset 0, operation GT (2)
+# 0000016d 0000 0000 0000 0000 | 0000 | 0002
+#
+# convert to binary policy
+# > policymaker -halg sha1 -if policies/policycountertimer.txt -of policies/policycountertimer.bin -pr -v
+# e6 84 81 27 55 c0 39 d3 68 63 21 c8 93 50 25 dd
+# aa 26 42 9a
+
+echo ""
+echo "Policy Counter Timer"
+echo ""
+
+echo "Set the platform policy to policy "
+${PREFIX}setprimarypolicy -hi p -pol policies/policycountertimer.bin -halg sha1 > run.out
+checkSuccess $?
+
+echo "Clockrate adjust using wrong password - should fail"
+${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
+checkFailure $?
+
+echo "Start policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "Clockrate adjust, policy not satisfied - should fail"
+${PREFIX}clockrateadjust -hi p -adj 0 -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy counter timer, zero operandB, op EQ satisfy policy - should fail"
+${PREFIX}policycountertimer -ha 03000000 -if policies/zero8.bin -op 0 > run.out
+checkFailure $?
+
+echo "Policy counter timer, zero operandB, op GT satisfy policy"
+${PREFIX}policycountertimer -ha 03000000 -if policies/zero8.bin -op 2 > run.out
+checkSuccess $?
+
+echo "Policy get digest, should be e6 84 81 27"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Clockrate adjust, policy satisfied"
+${PREFIX}clockrateadjust -hi p -adj 0 -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Clear the platform policy"
+${PREFIX}setprimarypolicy -hi p > run.out
+checkSuccess $?
+
+echo "Flush policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+
+# policyccsign.txt 0000016c 0000015d (policy command code | sign)
+# policyccquote.txt 0000016c 00000158 (policy command code | quote)
+#
+# > policymaker -if policies/policyccsign.txt -of policies/policyccsign.bin -pr -v
+# cc6918b226273b08f5bd406d7f10cf160f0a7d13dfd83b7770ccbcd1aa80d811
+#
+# > policymaker -if policies/policyccquote.txt -of policies/policyccquote.bin -pr -v
+# a039cad5fe68870688f8233c3e3ee3cf27aac9e2efe3486aeb4e304c0e90cd27
+#
+# policyor.txt is CC_PolicyOR || digests
+# 00000171 | cc69 ... | a039 ...
+# > policymaker -if policies/policyor.txt -of policies/policyor.bin -pr -v
+# 6b fe c2 3a be 57 b0 2a ce 39 dd 13 bb 60 fa 39
+# 4d ac 7b 38 96 56 57 84 b3 73 fc 61 92 94 29 db
+
+echo ""
+echo "PolicyOR"
+echo ""
+
+echo "Create an unrestricted signing key, policy command code sign or quote"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyor.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy get digest"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Quote - should fail"
+${PREFIX}quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Get time - should fail, policy not set"
+${PREFIX}gettime -hk 80000001 -qd policies/aaa -se1 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy OR - should fail"
+${PREFIX}policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+checkFailure $?
+
+echo "Policy Command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 0000015d > run.out
+checkSuccess $?
+
+echo "Policy get digest, should be cc 69 18 b2"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+checkSuccess $?
+
+echo "Policy get digest, should be 6b fe c2 3a"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign with policy OR"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Policy Command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 0000015d > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+checkSuccess $?
+
+echo "Quote - should fail, wrong command code"
+${PREFIX}quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy restart, set back to zero"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy Command code - quote, digest a0 39 ca d5"
+${PREFIX}policycommandcode -ha 03000000 -cc 00000158 > run.out
+checkSuccess $?
+
+echo "Policy OR, digest 6b fe c2 3a"
+${PREFIX}policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+checkSuccess $?
+
+echo "Quote with policy OR"
+${PREFIX}quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Policy Command code - gettime 7a 3e bd aa"
+${PREFIX}policycommandcode -ha 03000000 -cc 0000014c > run.out
+checkSuccess $?
+
+echo "Policy OR, gettime not an AND term - should fail"
+${PREFIX}policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+checkFailure $?
+
+echo "Flush policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Flush signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# There are times that a policy creator has TPM, PEM, or DER format
+# information, but does not have access to a TPM. The publicname
+# utility accepts these inputs and outputs the name in the 'no spaces'
+# format suitable for pasting into a policy.
+
+echo ""
+echo "publicname RSA"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Create an rsa ${HALG} key under the primary key"
+ ${PREFIX}create -hp 80000000 -rsa 2048 -nalg ${HALG} -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Load the rsa ${HALG} key 80000001"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Compute the TPM2B_PUBLIC Name"
+ ${PREFIX}publicname -ipu tmppub.bin -on tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the TPM2B_PUBLIC result"
+ diff tmp.bin h80000001.bin > run.out
+ checkSuccess $?
+
+ echo "Convert the rsa public key to PEM format"
+ ${PREFIX}readpublic -ho 80000001 -opem tmppub.pem > run.out
+ checkSuccess $?
+
+ echo "Flush the rsa ${HALG} key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "loadexternal the rsa PEM public key"
+ ${PREFIX}loadexternal -ipem tmppub.pem -si -rsa -nalg ${HALG} -halg ${HALG} -scheme rsassa > run.out
+ checkSuccess $?
+
+ echo "Compute the PEM Name"
+ ${PREFIX}publicname -ipem tmppub.pem -rsa -si -nalg ${HALG} -halg ${HALG} -on tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the PEM result"
+ diff tmp.bin h80000001.bin > run.out
+ checkSuccess $?
+
+ echo "Convert the TPM PEM key to DER"
+ openssl pkey -inform pem -outform der -in tmppub.pem -out tmppub.der -pubin > run.out 2>&1
+ echo "INFO:"
+
+ echo "Compute the DER Name"
+ ${PREFIX}publicname -ider tmppub.der -rsa -si -nalg ${HALG} -halg ${HALG} -on tmp.bin -v > run.out
+ checkSuccess $?
+
+ echo "Verify the DER result"
+ diff tmp.bin h80000001.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the rsa ${HALG} key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "publicname ECC"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Create an ecc nistp256 ${HALG} key under the primary key"
+ ${PREFIX}create -hp 80000000 -ecc nistp256 -nalg ${HALG} -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Load the ecc ${HALG} key 80000001"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Compute the TPM2B_PUBLIC Name"
+ ${PREFIX}publicname -ipu tmppub.bin -on tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the TPM2B_PUBLIC result"
+ diff tmp.bin h80000001.bin > run.out
+ checkSuccess $?
+
+ echo "Convert the ecc public key to PEM format"
+ ${PREFIX}readpublic -ho 80000001 -opem tmppub.pem > run.out
+ checkSuccess $?
+
+ echo "Flush the ecc ${HALG} key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "loadexternal the ecc PEM public key"
+ ${PREFIX}loadexternal -ipem tmppub.pem -si -ecc -nalg ${HALG} -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Compute the PEM Name"
+ ${PREFIX}publicname -ipem tmppub.pem -ecc -si -nalg ${HALG} -halg ${HALG} -on tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the PEM result"
+ diff tmp.bin h80000001.bin > run.out
+ checkSuccess $?
+
+ echo "Convert the TPM PEM key to DER"
+ openssl pkey -inform pem -outform der -in tmppub.pem -out tmppub.der -pubin -pubout > run.out 2>&1
+ echo "INFO:"
+
+ echo "Compute the DER Name"
+ ${PREFIX}publicname -ider tmppub.der -ecc -si -nalg ${HALG} -halg ${HALG} -on tmp.bin -v > run.out
+ checkSuccess $?
+
+ echo "Verify the DER result"
+ diff tmp.bin h80000001.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the ecc ${HALG} key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "publicname NV"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "NV Define Space ${HALG}"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -sz 16 -nalg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "NV Read Public"
+ ${PREFIX}nvreadpublic -ha 01000000 -opu tmppub.bin -on tmpname.bin > run.out
+ checkSuccess $?
+
+ echo "Compute the NV Index Name"
+ ${PREFIX}publicname -invpu tmppub.bin -on tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the NV Index result"
+ diff tmp.bin tmpname.bin > run.out
+ checkSuccess $?
+
+ echo "NV Undefine Space"
+ ${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+ checkSuccess $?
+
+done
+
+# cleanup
+
+rm -f pssig.bin
+rm -f run.out
+rm -f sig.bin
+rm -f tkt.bin
+rm -f tmp.bin
+rm -f tmpdup.bin
+rm -f tmphkey.bin
+rm -f tmpname.bin
+rm -f tmppol.bin
+rm -f tmppriv.bin
+rm -f tmppriv.bin
+rm -f tmppub.bin
+rm -f tmppub.der
+rm -f tmppub.pem
+rm -f tmpsig.bin
+rm -f tmpsipriv.bin
+rm -f tmpsipriv1.bin
+rm -f tmpsipub.bin
+rm -f tmpss.bin
+rm -f tmpstpriv.bin
+rm -f tmpstpub.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 01000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+# ${PREFIX}getcapability -cap 1 -pr 03000000
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy138.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy138.bat
new file mode 100644
index 000000000..08a45d7b7
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy138.bat
@@ -0,0 +1,600 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testpolicy138.sh 793 2016-11-10 21:27:40Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2016 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+REM
+REM # Policy command code - sign
+REM
+REM # cc69 18b2 2627 3b08 f5bd 406d 7f10 cf16
+REM # 0f0a 7d13 dfd8 3b77 70cc bcd1 aa80 d811
+REM
+REM # NV index name after written
+REM
+REM # 000b
+REM # 5e8e bdf0 4581 9419 070c 7d57 77bf eb61
+REM # ffac 4996 ea4b 6fba de6d a42b 632d 4918
+REM
+REM # Policy Authorize NV with above Name
+REM
+REM # 66 1f a1 02 db cd c2 f6 a0 61 7b 33 a0 ee 6d 95
+REM # ab f6 2c 76 b4 98 b2 91 10 0d 30 91 19 f4 11 fa
+REM
+REM # Policy in NV index 01000000
+REM # signing key 80000001
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Policy Authorize NV"
+echo ""
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key, policyauthnv"
+%TPM_EXE_PATH%create -hp 80000000 -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyauthorizenv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Define Space"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -sz 50 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV not written, policyauthorizenv - should fail"
+%TPM_EXE_PATH%policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Write algorithm ID into NV index 01000000"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -off 0 -if policies/sha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Write policy command code sign into NV index 01000000"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -off 2 -if policies/policyccsign.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be cc 69 ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Authorize NV against 01000000"
+%TPM_EXE_PATH%policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be 66 1f ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy and wrong password"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk xxx > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Authorize NV against 01000000"
+%TPM_EXE_PATH%policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Quote - policy, should fail"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code - quote"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 158 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Authorize NV against 01000000 - should fail"
+%TPM_EXE_PATH%policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the policy session 03000000"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key 80000001 "
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Template"
+echo ""
+
+REM # create template hash
+REM
+REM # run createprimary -si -v, extract template
+REM
+REM # policies/policytemplate.txt
+REM
+REM # 00 01 00 0b 00 04 04 72 00 00 00 10 00 10 08 00
+REM # 00 00 00 00 00 00
+REM
+REM # policymaker -if policies/policytemplate.txt -pr -of policies/policytemplate.bin -nz
+REM # -nz says do not extend, just hash the hexascii line
+REM # yields a template hash for policytemplate
+REM
+REM # ef 64 da 91 18 fc ac 82 f4 36 1b 28 84 28 53 d8
+REM # aa f8 7d fc e1 45 e9 25 cf fe 58 68 aa 2d 22 b6
+REM
+REM # prepend the command code 00000190 to ef 64 ... and construct the actual object policy
+REM # policymaker -if policies/policytemplatehash.txt -pr -of policies/policytemplatehash.bin
+REM
+REM # fb 94 b1 43 e5 2b 07 95 b7 ec 44 37 79 99 d6 47
+REM # 70 1c ae 4b 14 24 af 5a b8 7e 46 f2 58 af eb de
+
+echo ""
+echo "Policy Template with TPM2_Create"
+echo ""
+
+echo "Create a primary storage key policy template, 80000001"
+%TPM_EXE_PATH%createprimary -hi p -pol policies/policytemplatehash.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Template"
+%TPM_EXE_PATH%policytemplate -ha 03000000 -te policies/policytemplate.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be fb 94 ... "
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create signing key under primary key"
+%TPM_EXE_PATH%create -si -hp 80000001 -kt f -kt p -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Template with TPM2_CreateLoaded"
+echo ""
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Template"
+%TPM_EXE_PATH%policytemplate -ha 03000000 -te policies/policytemplate.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be fb 94 ... "
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create loaded signing key under primary key"
+%TPM_EXE_PATH%createloaded -si -hp 80000001 -kt f -kt p -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary key 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the created key 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Template with TPM2_CreatePrimary"
+echo ""
+
+echo "Set primary policy for platform hierarchy"
+%TPM_EXE_PATH%setprimarypolicy -hi p -halg sha256 -pol policies/policytemplatehash.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Template"
+%TPM_EXE_PATH%policytemplate -ha 03000000 -te policies/policytemplate.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be fb 94 ... "
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create loaded primary signing key policy template, 80000001"
+%TPM_EXE_PATH%createprimary -si -hi p -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary key 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM #
+REM # Use case of the PCR brittleness solution using PolicyAuthorize, but
+REM # where the authorizing public key is not hard coded in the sealed
+REM # blob policy. Rather, it's in an NV Index, so that the authorizing
+REM # key can be changed. Here, the authorization to change is platform
+REM # auth. The NV index is locked until reboot as a second level of
+REM # protection.
+REM #
+
+REM # Policy design
+
+REM # PolicyAuthorizeNV and Name of NV index AND Unseal
+REM # where the NV index holds PolicyAuthorize with the Name of the authorizing signing key
+REM # where PolicyAuthorize will authorize command Unseal AND PCR values
+
+REM # construct Policies
+
+REM # Provision the NV Index data first. The NV Index Name is needed for the policy
+REM # PolicyAuthorize with the Name of the authorizing signing key.
+
+REM # The authorizing signing key Name can be obtained using the TPM from
+REM # loadexternal below. It can also be calculated off line using this
+REM # utility
+
+REM # > publicname -ipem policies/rsapubkey.pem -halg sha256 -nalg sha256 -v -ns
+
+REM # policyauthorize and CA public key
+REM # policies/policyauthorizesha256.txt
+REM # 0000016a000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM # (need blank line for policyRef)
+REM # > policymaker -halg sha256 -if policies/policyauthorizesha256.txt -pr -v -ns -of policies/policyauthorizesha256.bin
+REM # intermediate policy digest length 32
+REM # fc 17 cd 86 c0 4f be ca d7 17 5f ef c7 75 5b 63
+REM # a8 90 49 12 c3 2e e6 9a 4c 99 1a 7b 5a 59 bd 82
+REM # intermediate policy digest length 32
+REM # eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+REM # ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+REM # policy digest length 32
+REM # eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+REM # ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+REM # policy digest:
+REM # eba3f98c5eaf1ea8f94f519b4d2a3183ee79876672398e2315d933c288a8e503
+
+REM # Once the NV Index Name is known, calculated the sealed blob policy.
+
+REM # PolicyAuthorizeNV and Name of NV Index AND Unseal
+REM #
+REM # get NV Index Name from nvreadpublic after provisioning
+REM # 000b56e16f0b810a6418daab06822be142858beaf9a79d66f66ad7e8e541f142498e
+REM #
+REM # policies/policyauthorizenv-unseal.txt
+REM #
+REM # policyauthorizenv and Name of NV Index
+REM # 00000192000b56e16f0b810a6418daab06822be142858beaf9a79d66f66ad7e8e541f142498e
+REM # policy command code unseal
+REM # 0000016c0000015e
+REM #
+REM # > policymaker -halg sha256 -if policies/policyauthorizenv-unseal.txt -of policies/policyauthorizenv-unseal.bin -pr -v -ns
+REM # intermediate policy digest length 32
+REM # 2f 7a d9 b7 53 26 35 e5 03 8c e7 7b 8f 63 5e 4c
+REM # f9 96 c8 62 18 13 98 94 c2 71 45 e7 7d d5 e8 e8
+REM # intermediate policy digest length 32
+REM # cd 1b 24 26 fe 10 08 6c 52 35 85 94 22 a0 59 69
+REM # 33 4b 88 47 82 0d 0b d9 8c 43 1f 7f f7 36 34 5d
+REM # policy digest length 32
+REM # cd 1b 24 26 fe 10 08 6c 52 35 85 94 22 a0 59 69
+REM # 33 4b 88 47 82 0d 0b d9 8c 43 1f 7f f7 36 34 5d
+REM # policy digest:
+REM # cd1b2426fe10086c5235859422a05969334b8847820d0bd98c431f7ff736345d
+
+REM # The authorizing signer signs the PCR white list, here just PCR 16 extended with aaa
+REM # PCR 16 is the resettable debug PCR, convenient for development
+
+echo ""
+echo "PolicyAuthorizeNV -> PolicyAuthorize -> PolicyPCR"
+echo ""
+
+REM # Initial provisioning (NV Index)
+
+echo "NV Define Space"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p -hia p -sz 34 +at wst +at ar > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Write algorithm ID into NV index 01000000"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -off 0 -if policies/sha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Write the NV index at offset 2 with policy authorize and the Name of the CA signing key"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -off 2 -if policies/policyauthorizesha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Lock the NV Index"
+%TPM_EXE_PATH%nvwritelock -ha 01000000 -hia p
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read the NV Index Name to be used above in Policy"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 -ns > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # Initial provisioning (Sealed Data)
+
+echo "Create a sealed data object"
+%TPM_EXE_PATH%create -hp 80000000 -nalg sha256 -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -uwa -if msg.bin -pol policies/policyauthorizenv-unseal.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # Once per new PCR approved values, signer authorizing PCRs in policysha256.bin
+
+echo "Openssl generate and sign aHash (empty policyRef)"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policypcr16aaasha256.bin
+
+REM # Once per boot, simulating setting PCRs to authorized values, lock
+REM # the NV index, which is unloaded at reboot to permit platform auth to
+REM # roll the authorized signing key
+
+echo "Lock the NV Index"
+%TPM_EXE_PATH%nvwritelock -ha 01000000 -hia p
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "PCR 16 Reset"
+%TPM_EXE_PATH%pcrreset -ha 16 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Extend PCR 16 to correct value"
+%TPM_EXE_PATH%pcrextend -halg sha256 -ha 16 -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # At each unseal, or reuse the ticket tkt.bin for its lifetime
+
+echo "Load external just the public part of PEM authorizing key sha256 80000001"
+%TPM_EXE_PATH%loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem -ns > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature to generate ticket 80000001 sha256"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha256 -if policies/policypcr16aaasha256.bin -is pssig.bin -raw -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # Run time unseal
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha256 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy PCR, update with the correct PCR 16 value"
+%TPM_EXE_PATH%policypcr -halg sha256 -ha 03000000 -bm 10000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be policies/policypcr16aaasha256.bin"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # policyauthorize process
+
+echo "Policy authorize using the ticket"
+%TPM_EXE_PATH%policyauthorize -ha 03000000 -appr policies/policypcr16aaasha256.bin -skn h80000001.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be policies/policyauthorizesha256.bin"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the authorizing public key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Authorize NV against NV Index 01000000"
+%TPM_EXE_PATH%policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be policies/policyauthorizenv-unseal.bin intermediate"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code - unseal"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 0000015e > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be policies/policyauthorizenv-unseal.bin final"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the sealed data object"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Unseal the data blob"
+%TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the unsealed result"
+diff msg.bin tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sealed object"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM cleanup
+
+rm -f tmppriv.bin
+rm -f tmppub.bin
+
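Review bot: The OpenSSL signing step `openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policypcr16aaasha256.bin` is the only test step in this file without an `IF !ERRORLEVEL!` guard, so if openssl is absent or the key file is unreadable the script continues with a stale or missing pssig.bin and the failure only surfaces later at `verifysignature` as a signature-verification error, pointing a reader of the "PolicyAuthorizeNV -> PolicyAuthorize -> PolicyPCR" case at the wrong step. Add the same guard the TPM steps use directly after the openssl line: `IF !ERRORLEVEL! NEQ 0 (` / ` exit /B 1` / `)`. The two `nvwritelock -ha 01000000 -hia p` calls also lack the `> run.out` redirect every other command has, and the cleanup removes only tmppriv.bin and tmppub.bin, leaving pssig.bin, tkt.bin, sig.bin and tmp.bin from a previous run on disk (the ticket is presumably bound to the TPM, so this is untidiness rather than a security hole, but a stale pssig.bin is exactly what makes the missing guard hard to diagnose). Note too that `setprimarypolicy -hi p` is never reset to an empty policy, so the platform hierarchy keeps the PolicyTemplate authPolicy for the rest of the run — presumably until the next TPM reset — which is fine against a simulator but worth a comment if the script is ever pointed at a real TPM.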
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy138.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy138.sh
new file mode 100755
index 000000000..e39120786
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy138.sh
@@ -0,0 +1,477 @@
+#!/bin/bash
+
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2016 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# used for the name in policy ticket
+
+if [ -z $TPM_DATA_DIR ]; then
+ TPM_DATA_DIR=.
+fi
+
+# PolicyCommandCode - sign
+
+# cc69 18b2 2627 3b08 f5bd 406d 7f10 cf16
+# 0f0a 7d13 dfd8 3b77 70cc bcd1 aa80 d811
+
+# NV index name after written
+
+# 000b
+# 5e8e bdf0 4581 9419 070c 7d57 77bf eb61
+# ffac 4996 ea4b 6fba de6d a42b 632d 4918
+
+# PolicyAuthorizeNV with above Name
+
+# 66 1f a1 02 db cd c2 f6 a0 61 7b 33 a0 ee 6d 95
+# ab f6 2c 76 b4 98 b2 91 10 0d 30 91 19 f4 11 fa
+
+# Policy in NV index 01000000
+# signing key 80000001
+
+echo ""
+echo "Policy Authorize NV"
+echo ""
+
+echo "Start a policy session 03000000"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Create a signing key, policyauthnv"
+${PREFIX}create -hp 80000000 -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyauthorizenv.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "NV Define Space"
+${PREFIX}nvdefinespace -hi o -ha 01000000 -sz 50 > run.out
+checkSuccess $?
+
+echo "NV not written, policyauthorizenv - should fail"
+${PREFIX}policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+checkFailure $?
+
+echo "Write algorithm ID into NV index 01000000"
+${PREFIX}nvwrite -ha 01000000 -off 0 -if policies/sha256.bin > run.out
+checkSuccess $?
+
+echo "Write policy command code sign into NV index 01000000"
+${PREFIX}nvwrite -ha 01000000 -off 2 -if policies/policyccsign.bin > run.out
+checkSuccess $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be cc 69 ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy Authorize NV against 01000000"
+${PREFIX}policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be 66 1f ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy and wrong password"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk xxx > run.out
+checkSuccess $?
+
+echo "Policy restart, set back to zero"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Policy Authorize NV against 01000000"
+${PREFIX}policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+checkSuccess $?
+
+echo "Quote - policy, should fail"
+${PREFIX}quote -hp 0 -hk 80000001 -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy restart, set back to zero"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy command code - quote"
+${PREFIX}policycommandcode -ha 03000000 -cc 158 > run.out
+checkSuccess $?
+
+echo "Policy Authorize NV against 01000000 - should fail"
+${PREFIX}policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+checkFailure $?
+
+echo "NV Undefine Space"
+${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+checkSuccess $?
+
+echo "Flush the policy session 03000000"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Flush the signing key 80000001 "
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Template"
+echo ""
+
+# create template hash
+
+# run createprimary -si -v, extract template
+
+# policies/policytemplate.txt
+
+# 00 01 00 0b 00 04 04 72 00 00 00 10 00 10 08 00
+# 00 00 00 00 00 00
+
+# policymaker -if policies/policytemplate.txt -pr -of policies/policytemplate.bin -nz
+# -nz says do not extend, just hash the hexascii line
+# yields a template hash for policytemplate
+
+# ef 64 da 91 18 fc ac 82 f4 36 1b 28 84 28 53 d8
+# aa f8 7d fc e1 45 e9 25 cf fe 58 68 aa 2d 22 b6
+
+# prepend the command code 00000190 to ef 64 ... and construct the actual object policy
+# policymaker -if policies/policytemplatehash.txt -pr -of policies/policytemplatehash.bin
+
+# fb 94 b1 43 e5 2b 07 95 b7 ec 44 37 79 99 d6 47
+# 70 1c ae 4b 14 24 af 5a b8 7e 46 f2 58 af eb de
+
+echo ""
+echo "Policy Template with TPM2_Create"
+echo ""
+
+echo "Create a primary storage key policy template, 80000001"
+${PREFIX}createprimary -hi p -pol policies/policytemplatehash.bin > run.out
+checkSuccess $?
+
+echo "Start a policy session 03000000"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy Template"
+${PREFIX}policytemplate -ha 03000000 -te policies/policytemplate.bin > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be fb 94 ... "
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Create signing key under primary key"
+${PREFIX}create -si -hp 80000001 -kt f -kt p -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Template with TPM2_CreateLoaded"
+echo ""
+
+echo "Policy restart, set back to zero"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy Template"
+${PREFIX}policytemplate -ha 03000000 -te policies/policytemplate.bin > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be fb 94 ... "
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Create loaded signing key under primary key"
+${PREFIX}createloaded -si -hp 80000001 -kt f -kt p -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Flush the primary key 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the created key 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Template with TPM2_CreatePrimary"
+echo ""
+
+echo "Set primary policy for platform hierarchy"
+${PREFIX}setprimarypolicy -hi p -halg sha256 -pol policies/policytemplatehash.bin > run.out
+checkSuccess $?
+
+echo "Policy restart, set back to zero"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy Template"
+${PREFIX}policytemplate -ha 03000000 -te policies/policytemplate.bin > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be fb 94 ... "
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Create loaded primary signing key policy template, 80000001"
+${PREFIX}createprimary -si -hi p -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the primary key 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+#
+# Use case of the PCR brittleness solution using PolicyAuthorize, but
+# where the authorizing public key is not hard coded in the sealed
+# blob policy. Rather, it's in an NV Index, so that the authorizing
+# key can be changed. Here, the authorization to change is platform
+# auth. The NV index is locked until reboot as a second level of
+# protection.
+#
+
+# Policy design
+
+# PolicyAuthorizeNV and Name of NV index AND Unseal
+# where the NV index holds PolicyAuthorize with the Name of the authorizing signing key
+# where PolicyAuthorize will authorize command Unseal AND PCR values
+
+# construct Policies
+
+# Provision the NV Index data first. The NV Index Name is needed for the policy
+# PolicyAuthorize with the Name of the authorizing signing key.
+
+# The authorizing signing key Name can be obtained using the TPM from
+# loadexternal below. It can also be calculated off line using this
+# utility
+
+# > publicname -ipem policies/rsapubkey.pem -halg sha256 -nalg sha256 -v -ns
+
+# policyauthorize and CA public key
+# policies/policyauthorizesha256.txt
+# 0000016a000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+# (need blank line for policyRef)
+# > policymaker -halg sha256 -if policies/policyauthorizesha256.txt -pr -v -ns -of policies/policyauthorizesha256.bin
+# intermediate policy digest length 32
+# fc 17 cd 86 c0 4f be ca d7 17 5f ef c7 75 5b 63
+# a8 90 49 12 c3 2e e6 9a 4c 99 1a 7b 5a 59 bd 82
+# intermediate policy digest length 32
+# eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+# ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+# policy digest length 32
+# eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+# ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+# policy digest:
+# eba3f98c5eaf1ea8f94f519b4d2a3183ee79876672398e2315d933c288a8e503
+
+# Once the NV Index Name is known, calculated the sealed blob policy.
+
+# PolicyAuthorizeNV and Name of NV Index AND Unseal
+#
+# get NV Index Name from nvreadpublic after provisioning
+# 000b56e16f0b810a6418daab06822be142858beaf9a79d66f66ad7e8e541f142498e
+#
+# policies/policyauthorizenv-unseal.txt
+#
+# policyauthorizenv and Name of NV Index
+# 00000192000b56e16f0b810a6418daab06822be142858beaf9a79d66f66ad7e8e541f142498e
+# policy command code unseal
+# 0000016c0000015e
+#
+# > policymaker -halg sha256 -if policies/policyauthorizenv-unseal.txt -of policies/policyauthorizenv-unseal.bin -pr -v -ns
+# intermediate policy digest length 32
+# 2f 7a d9 b7 53 26 35 e5 03 8c e7 7b 8f 63 5e 4c
+# f9 96 c8 62 18 13 98 94 c2 71 45 e7 7d d5 e8 e8
+# intermediate policy digest length 32
+# cd 1b 24 26 fe 10 08 6c 52 35 85 94 22 a0 59 69
+# 33 4b 88 47 82 0d 0b d9 8c 43 1f 7f f7 36 34 5d
+# policy digest length 32
+# cd 1b 24 26 fe 10 08 6c 52 35 85 94 22 a0 59 69
+# 33 4b 88 47 82 0d 0b d9 8c 43 1f 7f f7 36 34 5d
+# policy digest:
+# cd1b2426fe10086c5235859422a05969334b8847820d0bd98c431f7ff736345d
+
+# The authorizing signer signs the PCR white list, here just PCR 16 extended with aaa
+# PCR 16 is the resettable debug PCR, convenient for development
+
+echo ""
+echo "PolicyAuthorizeNV -> PolicyAuthorize -> PolicyPCR"
+echo ""
+
+# Initial provisioning (NV Index)
+
+echo "NV Define Space"
+${PREFIX}nvdefinespace -ha 01000000 -hi p -hia p -sz 34 +at wst +at ar > run.out
+checkSuccess $?
+
+echo "Write algorithm ID into NV index 01000000"
+${PREFIX}nvwrite -ha 01000000 -hia p -off 0 -if policies/sha256.bin > run.out
+checkSuccess $?
+
+echo "Write the NV index at offset 2 with policy authorize and the Name of the CA signing key"
+${PREFIX}nvwrite -ha 01000000 -hia p -off 2 -if policies/policyauthorizesha256.bin > run.out
+checkSuccess $?
+
+echo "Lock the NV Index"
+${PREFIX}nvwritelock -ha 01000000 -hia p
+checkSuccess $?
+
+echo "Read the NV Index Name to be used above in Policy"
+${PREFIX}nvreadpublic -ha 01000000 -ns > run.out
+checkSuccess $?
+
+# Initial provisioning (Sealed Data)
+
+echo "Create a sealed data object"
+${PREFIX}create -hp 80000000 -nalg sha256 -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -uwa -if msg.bin -pol policies/policyauthorizenv-unseal.bin > run.out
+checkSuccess $?
+
+# Once per new PCR approved values, signer authorizing PCRs in policysha256.bin
+
+echo "Openssl generate and sign aHash (empty policyRef) ${HALG}"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policypcr16aaasha256.bin > run.out 2>&1
+echo " INFO:"
+
+# Once per boot, simulating setting PCRs to authorized values, lock
+# the NV index, which is unloaded at reboot to permit platform auth to
+# roll the authorized signing key
+
+echo "Lock the NV Index"
+${PREFIX}nvwritelock -ha 01000000 -hia p
+checkSuccess $?
+
+echo "PCR 16 Reset"
+${PREFIX}pcrreset -ha 16 > run.out
+checkSuccess $?
+
+echo "Extend PCR 16 to correct value"
+${PREFIX}pcrextend -halg sha256 -ha 16 -if policies/aaa > run.out
+checkSuccess $?
+
+# At each unseal, or reuse the ticket tkt.bin for its lifetime
+
+echo "Load external just the public part of PEM authorizing key sha256 80000001"
+${PREFIX}loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem -ns > run.out
+checkSuccess $?
+
+echo "Verify the signature to generate ticket 80000001 sha256"
+${PREFIX}verifysignature -hk 80000001 -halg sha256 -if policies/policypcr16aaasha256.bin -is pssig.bin -raw -tk tkt.bin > run.out
+checkSuccess $?
+
+# Run time unseal
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -halg sha256 > run.out
+checkSuccess $?
+
+echo "Policy PCR, update with the correct PCR 16 value"
+${PREFIX}policypcr -halg sha256 -ha 03000000 -bm 10000 > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be policies/policypcr16aaasha256.bin"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+# policyauthorize process
+
+echo "Policy authorize using the ticket"
+${PREFIX}policyauthorize -ha 03000000 -appr policies/policypcr16aaasha256.bin -skn ${TPM_DATA_DIR}/h80000001.bin -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be policies/policyauthorizesha256.bin"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Flush the authorizing public key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Policy Authorize NV against NV Index 01000000"
+${PREFIX}policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be policies/policyauthorizenv-unseal.bin intermediate"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy command code - unseal"
+${PREFIX}policycommandcode -ha 03000000 -cc 0000015e > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be policies/policyauthorizenv-unseal.bin final"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Load the sealed data object"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Unseal the data blob"
+${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Verify the unsealed result"
+diff msg.bin tmp.bin > run.out
+checkSuccess $?
+
+echo "Flush the sealed object"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space"
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+checkSuccess $?
+
+# cleanup
+
+
+rm -f tmppriv.bin
+rm -f tmppub.bin
+
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testprimary.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testprimary.bat
new file mode 100644
index 000000000..ab8d9856e
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testprimary.bat
@@ -0,0 +1,224 @@
+REM #############################################################################
+REM #
+REM TPM2 regression test #
+REM Written by Ken Goldman #
+REM IBM Thomas J. Watson Research Center #
+REM $Id: testprimary.bat 1278 2018-07-23 21:20:42Z kgoldman $ #
+REM #
+REM (c) Copyright IBM Corporation 2015 #
+REM #
+REM All rights reserved. #
+REM #
+REM Redistribution and use in source and binary forms, with or without #
+REM modification, are permitted provided that the following conditions are #
+REM met: #
+REM #
+REM Redistributions of source code must retain the above copyright notice, #
+REM this list of conditions and the following disclaimer. #
+REM #
+REM Redistributions in binary form must reproduce the above copyright #
+REM notice, this list of conditions and the following disclaimer in the #
+REM documentation and/or other materials provided with the distribution. #
+REM #
+REM Neither the names of the IBM Corporation nor the names of its #
+REM contributors may be used to endorse or promote products derived from #
+REM this software without specific prior written permission. #
+REM #
+REM THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Primary key - CreatePrimary"
+echo ""
+
+echo "Create a primary storage key"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Read the public part"
+%TPM_EXE_PATH%readpublic -ho 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create a storage key under the primary key"
+%TPM_EXE_PATH%create -hp 80000001 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the primary storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the storage key under the primary key - should fail"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "Primary key - CreatePrimary with no unique field"
+echo ""
+
+REM no unique
+
+echo "Create a primary storage key with no unique field"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create a storage key under the primary key"
+%TPM_EXE_PATH%create -hp 80000001 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the primary storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+REM empty unique
+
+echo "Create a primary storage key with no unique field"
+touch empty.bin
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto -iu empty.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the original storage key under the primary key with empty unique field"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the primary storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "Primary key - CreatePrimary with unique field"
+echo ""
+
+REM unique
+
+echo "Create a primary storage key with unique field"
+touch empty.bin
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto -iu policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the original storage key under the primary key - should fail"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+echo "Create a storage key under the primary key"
+%TPM_EXE_PATH%create -hp 80000001 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the primary storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+REM same unique
+
+echo "Create a primary storage key with same unique field"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto -iu policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the previous storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the primary storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+
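Review bot: The second `touch empty.bin` (the one just before `createprimary -hi p -pwdk sto -iu policies/aaa`) is dead — that step reads policies/aaa, not empty.bin — and `touch` is not a cmd.exe builtin, so the batch file silently depends on a POSIX touch being on PATH; the one real use can be replaced with `type nul > empty.bin`. The echo before the `-iu empty.bin` case still says "no unique field" while the shell twin of this test says "empty unique field", which makes the two harnesses' output harder to correlate. Unlike the .sh version, nothing removes empty.bin, tmppriv.bin or tmppub.bin at the end; a stale wrapped-key blob left in the working directory can let a later test's `load` succeed for the wrong reason, so a `del /f empty.bin tmppriv.bin tmppub.bin` before `exit /B 0` is worth adding.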
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testprimary.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testprimary.sh
new file mode 100755
index 000000000..073d04f44
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testprimary.sh
@@ -0,0 +1,175 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testprimary.sh 1277 2018-07-23 20:30:23Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Primary key - CreatePrimary"
+echo ""
+
+echo "Create a primary storage key"
+${PREFIX}createprimary -hi p -pwdk sto > run.out
+checkSuccess $?
+
+echo "Read the public part"
+${PREFIX}readpublic -ho 80000001 > run.out
+checkSuccess $?
+
+echo "Create a storage key under the primary key"
+${PREFIX}create -hp 80000001 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sto > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the primary storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key - should fail"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkFailure $?
+
+echo ""
+echo "Primary key - CreatePrimary with no unique field"
+echo ""
+
+# no unique
+
+echo "Create a primary storage key with no unique field"
+${PREFIX}createprimary -hi p -pwdk sto > run.out
+checkSuccess $?
+
+echo "Create a storage key under the primary key"
+${PREFIX}create -hp 80000001 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sto > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the primary storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# empty unique
+
+echo "Create a primary storage key with empty unique field"
+touch empty.bin
+${PREFIX}createprimary -hi p -pwdk sto -iu empty.bin > run.out
+checkSuccess $?
+
+echo "Load the original storage key under the primary key with empty unique field"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the primary storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Primary key - CreatePrimary with unique field"
+echo ""
+
+# unique
+
+echo "Create a primary storage key with unique field"
+touch empty.bin
+${PREFIX}createprimary -hi p -pwdk sto -iu policies/aaa > run.out
+checkSuccess $?
+
+echo "Load the original storage key under the primary key - should fail"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkFailure $?
+
+echo "Create a storage key under the primary key"
+${PREFIX}create -hp 80000001 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sto > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the primary storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# same unique
+
+echo "Create a primary storage key with same unique field"
+${PREFIX}createprimary -hi p -pwdk sto -iu policies/aaa > run.out
+checkSuccess $?
+
+echo "Load the previous storage key under the primary key"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the primary storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# cleanup
+
+rm -f empty.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+
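Review bot: The second `touch empty.bin` (just before `createprimary -hi p -pwdk sto -iu policies/aaa`) is dead code, since that step uses policies/aaa as the unique field; drop it. The cleanup removes empty.bin but leaves tmppriv.bin and tmppub.bin behind, whereas the policy test earlier in this series ends with `rm -f tmppriv.bin` / `rm -f tmppub.bin`; a stale wrapped-key blob in the working directory can let a later test's `load` succeed for the wrong reason, so add the same two lines here. The two "should fail" steps rely on `checkFailure`, which — as far as can be seen from this hunk, the helper is defined elsewhere — only needs a non-zero status, so a missing tmppriv.bin or a TSS transport error would pass the negative test as readily as the intended TPM rejection of the flushed parent handle; if the harness exposes the TPM return code in run.out, matching the expected code string would make those checks meaningful.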
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testrng.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testrng.bat
new file mode 100644
index 000000000..5422a7841
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testrng.bat
@@ -0,0 +1,59 @@
+REM #############################################################################
+REM #
+REM TPM2 regression test #
+REM Written by Ken Goldman #
+REM IBM Thomas J. Watson Research Center #
+REM $Id: testrng.bat 480 2015-12-29 22:41:45Z kgoldman $ #
+REM #
+REM (c) Copyright IBM Corporation 2015 #
+REM #
+REM All rights reserved. #
+REM #
+REM Redistribution and use in source and binary forms, with or without #
+REM modification, are permitted provided that the following conditions are #
+REM met: #
+REM #
+REM Redistributions of source code must retain the above copyright notice, #
+REM this list of conditions and the following disclaimer. #
+REM #
+REM Redistributions in binary form must reproduce the above copyright #
+REM notice, this list of conditions and the following disclaimer in the #
+REM documentation and/or other materials provided with the distribution. #
+REM #
+REM Neither the names of the IBM Corporation nor the names of its #
+REM contributors may be used to endorse or promote products derived from #
+REM this software without specific prior written permission. #
+REM #
+REM THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Random Number Generator"
+echo ""
+
+echo "Stir Random"
+%TPM_EXE_PATH%stirrandom -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Random"
+%TPM_EXE_PATH%getrandom -by 64 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
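Review bot: In cmd.exe, `echo ""` prints the two quote characters rather than a blank line, and `echo "Stir Random"` prints its quotes too; the batch idiom is `echo.` for a blank line and unquoted text otherwise, e.g. `echo.` / `echo Random Number Generator`. This follows the same pattern as the other .bat files in the series, so it is a series-wide style point rather than a defect unique to this hunk, but it makes the Windows console output differ from the shell harness. Separately, both steps are checked by exit status only: a getrandom that returned fewer than 64 bytes or a constant buffer would still pass, so this is a command-coverage smoke test, not a check of the RNG, and the header comment should say so.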
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testrng.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testrng.sh
new file mode 100755
index 000000000..5da840df0
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testrng.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testrng.sh 979 2017-04-04 17:57:18Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015, 2016 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Random Number Generator"
+echo ""
+
+echo "Stir Random"
+${PREFIX}stirrandom -if policies/aaa > run.out
+checkSuccess $?
+
+echo "Get Random"
+${PREFIX}getrandom -by 64 > run.out
+checkSuccess $?
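Review bot: Both steps are verified by exit status only, so this is a smoke test rather than an RNG regression: a TPM whose TPM2_GetRandom returned a short or constant buffer would still pass. If getrandom can write its output to a file (the IBM TSS utilities generally accept `-of`; confirm for this one), draw twice into tmprnd1.bin and tmprnd2.bin, then run `cmp -s tmprnd1.bin tmprnd2.bin > run.out` followed by `checkFailure $?`, plus a 64-byte size check, and `rm -f tmprnd1.bin tmprnd2.bin` at the end. Stirring with the fixed, public file policies/aaa is fine for command coverage but adds no entropy; a one-line comment such as `# policies/aaa is a known constant: exercises StirRandom, does not seed the DRBG` would keep this from being copied into provisioning code.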
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testrsa.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testrsa.bat
new file mode 100644
index 000000000..789f02810
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testrsa.bat
@@ -0,0 +1,432 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+for %%B in (2048 3072) do (
+
+ echo "generate the %%B encryption key with openssl"
+ openssl genrsa -out tmpkeypairrsa%%B.pem -aes256 -passout pass:rrrr 2048
+
+ echo "Convert key pair to plaintext DER format"
+ openssl rsa -inform pem -outform der -in tmpkeypairrsa%%B.pem -out tmpkeypairrsa%%B.der -passin pass:rrrr > run.out
+)
+
+echo ""
+echo "RSA decryption key"
+echo ""
+
+for %%B in (2048 3072) do (
+
+ echo "Load the RSA %%B decryption key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr derrsa%%Bpriv.bin -ipu derrsa%%Bpub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "RSA encrypt with the %%B encryption key"
+ %TPM_EXE_PATH%rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "RSA decrypt with the %%B decryption key"
+ %TPM_EXE_PATH%rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin -pwdk dec > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ tail --bytes=3 dec.bin > tmp.bin
+ diff policies/aaa tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the %%B decryption key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "RSA decryption key to sign with OID"
+echo ""
+
+for %%B in (2048 3072) do (
+
+ echo "Load the RSA %%B decryption key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipu derrsa%%Bpub.bin -ipr derrsa%%Bpriv.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ set HSIZ=20 32 48 64
+ set HALG=%ITERATE_ALGS%
+
+ set i=0
+ for %%a in (!HSIZ!) do set /A i+=1 & set HSIZ[!i!]=%%a
+ set i=0
+ for %%b in (!HALG!) do set /A i+=1 & set HALG[!i!]=%%b
+ set L=!i!
+
+ for /L %%i in (1,1,!L!) do (
+
+ echo "Decrypt/Sign with a caller specified OID - !HALG[%%i]!"
+ %TPM_EXE_PATH%rsadecrypt -hk 80000001 -pwdk dec -ie policies/!HALG[%%i]!aaa.bin -od tmpsig.bin -oid !HALG[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Encrypt/Verify - !HALG[%%i]!"
+ %TPM_EXE_PATH%rsaencrypt -hk 80000001 -id tmpsig.bin -oe tmpmsg.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify Result - !HALG[%%i]! !HSIZ[%%i]! bytes"
+ tail --bytes=!HSIZ[%%i]! tmpmsg.bin > tmpdig.bin
+ diff tmpdig.bin policies/!HALG[%%i]!aaa.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+
+ echo "Flush the RSA %%B signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+)
+
+echo ""
+echo "Import PEM RSA encryption key"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%B in (2048 3072) do (
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Import the %%B encryption key under the primary key"
+ %TPM_EXE_PATH%importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa%%B.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the TPM encryption key"
+ %TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign the message %%~S - should fail"
+ %TPM_EXE_PATH%sign -hk 80000001 -pwdk rrrr -if policies/aaa -os tmpsig.bin %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "RSA encrypt with the encryption key"
+ %TPM_EXE_PATH%rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "RSA decrypt with the decryption key %%~S"
+ %TPM_EXE_PATH%rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ tail --bytes=3 dec.bin > tmp.bin
+ diff policies/aaa tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the encryption key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Loadexternal DER encryption key"
+echo ""
+
+for %%B in (2048 3072) do (
+
+ echo "Start an HMAC auth session"
+ %TPM_EXE_PATH%startauthsession -se h > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Load the openssl key pair in the NULL hierarchy 80000001"
+ %TPM_EXE_PATH%loadexternal -den -ider tmpkeypairrsa%%B.der -pwdk rrrr > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "RSA encrypt with the encryption key"
+ %TPM_EXE_PATH%rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "RSA decrypt with the decryption key %%~S"
+ %TPM_EXE_PATH%rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ tail --bytes=3 dec.bin > tmp.bin
+ diff policies/aaa tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the encryption key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+
+ echo "Flush the session"
+ %TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo ""
+echo "Encrypt with OpenSSL OAEP, decrypt with TPM"
+echo ""
+
+echo "Create OAEP encryption key"
+%TPM_EXE_PATH%create -hp 80000000 -pwdp sto -deo -kt f -kt p -halg sha1 -opr tmpprivkey.bin -opu tmppubkey.bin -opem tmppubkey.pem > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load encryption key at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipr tmpprivkey.bin -ipu tmppubkey.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Encrypt using OpenSSL and the PEM public key"
+openssl rsautl -oaep -encrypt -inkey tmppubkey.pem -pubin -in policies/aaa -out enc.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Decrypt using TPM key at 80000001"
+%TPM_EXE_PATH%rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the decrypt result"
+diff policies/aaa dec.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the encryption key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Child RSA decryption key RSAES"
+echo ""
+
+echo "Create RSAES encryption key"
+%TPM_EXE_PATH%create -hp 80000000 -pwdp sto -dee -opr deepriv.bin -opu deepub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load encryption key at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipr deepriv.bin -ipu deepub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "RSA encrypt with the encryption key"
+%TPM_EXE_PATH%rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "RSA decrypt with the decryption key"
+%TPM_EXE_PATH%rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the decrypt result"
+tail --bytes=3 dec.bin > tmp.bin
+diff policies/aaa tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the encryption key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Primary RSA decryption key RSAES"
+echo ""
+
+echo "Create Primary RSAES encryption key"
+%TPM_EXE_PATH%createprimary -hi p -dee -halg sha256 -opem tmppubkey.pem > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "RSA encrypt with the encryption key"
+%TPM_EXE_PATH%rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "RSA decrypt with the decryption key"
+%TPM_EXE_PATH%rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the decrypt result"
+tail --bytes=3 dec.bin > tmp.bin
+diff policies/aaa tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the encryption key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Primary Create Loaded RSA decryption key RSAES"
+echo ""
+
+echo "CreateLoaded primary key, storage parent 80000001"
+%TPM_EXE_PATH%createloaded -hp 40000001 -dee > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "RSA encrypt with the encryption key"
+%TPM_EXE_PATH%rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "RSA decrypt with the decryption key"
+%TPM_EXE_PATH%rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+echo "Verify the decrypt result"
+tail --bytes=3 dec.bin > tmp.bin
+diff policies/aaa tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the encryption key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM cleanup
+
+rm -f tmp.bin
+rm -f enc.bin
+rm -f dec.bin
+rm -f deepub.bin
+rm -f deepriv.bin
+rm -f tmpmsg.bin
+rm -f tmpdig.bin
+rm -f tmpsig.bin
+rm -f tmpkeypairrsa2048.der
+rm -f tmpkeypairrsa2048.pem
+rm -f tmpkeypairrsa3072.der
+rm -f tmpkeypairrsa3072.pem
+rm -f tmppubkey.bin
+rm -f tmppubkey.pem
+rm -f tmpprivkey.bin
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+REM
+REM flushcontext -ha 80000001
+
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testrsa.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testrsa.sh
new file mode 100755
index 000000000..23bf8947b
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testrsa.sh
@@ -0,0 +1,350 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# openssl keys to use in this file
+
+echo ""
+echo "Test RSA"
+echo ""
+
+for BITS in 2048 3072
+do
+
+ echo "generate the RSA $BITS encryption key with openssl"
+ openssl genrsa -out tmpkeypairrsa${BITS}.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1
+
+ echo "Convert key pair to plaintext DER format"
+ openssl rsa -inform pem -outform der -in tmpkeypairrsa${BITS}.pem -out tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1
+
+done
+
+echo ""
+echo "RSA decryption key"
+echo ""
+
+for BITS in 2048 3072
+do
+
+ echo "Load the RSA $BITS decryption key under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr derrsa${BITS}priv.bin -ipu derrsa${BITS}pub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "RSA encrypt with the $BITS encryption key"
+ ${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+ checkSuccess $?
+
+ echo "RSA decrypt with the ${BITS} decryption key"
+ ${PREFIX}rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin -pwdk dec > run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ tail -c 3 dec.bin > tmp.bin
+ diff policies/aaa tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the $BITS decryption key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "RSA decryption key to sign with OID"
+echo ""
+
+for BITS in 2048 3072
+do
+
+ echo "Load the RSA $BITS decryption key"
+ ${PREFIX}load -hp 80000000 -ipu derrsa${BITS}pub.bin -ipr derrsa${BITS}priv.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ HALG=(${ITERATE_ALGS})
+ HSIZ=("20" "32" "48" "64")
+
+ for ((i = 0 ; i < 4 ; i++))
+ do
+
+ echo "Decrypt/Sign with a caller specified OID - ${HALG[i]}"
+ ${PREFIX}rsadecrypt -hk 80000001 -pwdk dec -ie policies/${HALG[i]}aaa.bin -od tmpsig.bin -oid ${HALG[i]} > run.out
+ checkSuccess $?
+
+ echo "Encrypt/Verify - ${HALG[i]}"
+ ${PREFIX}rsaencrypt -hk 80000001 -id tmpsig.bin -oe tmpmsg.bin > run.out
+ checkSuccess $?
+
+ echo "Verify Result - ${HALG[i]} ${HSIZ[i]} bytes"
+ tail -c ${HSIZ[i]} tmpmsg.bin > tmpdig.bin
+ diff tmpdig.bin policies/${HALG[i]}aaa.bin > run.out
+ checkSuccess $?
+
+ done
+
+ echo "Flush the RSA ${BITS} decryption key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Import PEM RSA encryption key"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for BITS in 2048 3072
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Import the $BITS encryption key under the primary key"
+ ${PREFIX}importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa${BITS}.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out
+ checkSuccess $?
+
+ echo "Load the TPM encryption key"
+ ${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+ checkSuccess $?
+
+ echo "Sign the message ${SESS} - should fail"
+ ${PREFIX}sign -hk 80000001 -pwdk rrrr -if policies/aaa -os tmpsig.bin ${SESS} > run.out
+ checkFailure $?
+
+ echo "RSA encrypt with the encryption key"
+ ${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+ checkSuccess $?
+
+ echo "RSA decrypt with the decryption key ${SESS}"
+ ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ tail -c 3 dec.bin > tmp.bin
+ diff policies/aaa tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the encryption key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ done
+
+done
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Loadexternal DER encryption key"
+echo ""
+
+for BITS in 2048 3072
+do
+
+ echo "Start an HMAC auth session"
+ ${PREFIX}startauthsession -se h > run.out
+ checkSuccess $?
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Load the openssl key pair in the NULL hierarchy 80000001"
+ ${PREFIX}loadexternal -den -ider tmpkeypairrsa${BITS}.der -pwdk rrrr > run.out
+ checkSuccess $?
+
+ echo "RSA encrypt with the encryption key"
+ ${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+ checkSuccess $?
+
+ echo "RSA decrypt with the decryption key ${SESS}"
+ ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ tail -c 3 dec.bin > tmp.bin
+ diff policies/aaa tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the encryption key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ done
+
+ echo "Flush the session"
+ ${PREFIX}flushcontext -ha 02000000 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Encrypt with OpenSSL OAEP, decrypt with TPM"
+echo ""
+
+echo "Create OAEP encryption key"
+${PREFIX}create -hp 80000000 -pwdp sto -deo -kt f -kt p -halg sha1 -opr tmpprivkey.bin -opu tmppubkey.bin -opem tmppubkey.pem > run.out
+checkSuccess $?
+
+echo "Load encryption key at 80000001"
+${PREFIX}load -hp 80000000 -pwdp sto -ipr tmpprivkey.bin -ipu tmppubkey.bin > run.out
+checkSuccess $?
+
+echo "Encrypt using OpenSSL and the PEM public key"
+openssl rsautl -oaep -encrypt -inkey tmppubkey.pem -pubin -in policies/aaa -out enc.bin > run.out 2>&1
+checkSuccess $?
+
+echo "Decrypt using TPM key at 80000001"
+${PREFIX}rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out
+checkSuccess $?
+
+echo "Verify the decrypt result"
+diff policies/aaa dec.bin > run.out
+checkSuccess $?
+
+echo "Flush the encryption key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Child RSA decryption key RSAES"
+echo ""
+
+echo "Create RSAES encryption key"
+${PREFIX}create -hp 80000000 -pwdp sto -dee -opr deepriv.bin -opu deepub.bin > run.out
+checkSuccess $?
+
+echo "Load encryption key at 80000001"
+${PREFIX}load -hp 80000000 -pwdp sto -ipr deepriv.bin -ipu deepub.bin > run.out
+checkSuccess $?
+
+echo "RSA encrypt with the encryption key"
+${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+checkSuccess $?
+
+echo "RSA decrypt with the decryption key"
+${PREFIX}rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out
+checkSuccess $?
+
+echo "Verify the decrypt result"
+tail -c 3 dec.bin > tmp.bin
+diff policies/aaa tmp.bin > run.out
+checkSuccess $?
+
+echo "Flush the encryption key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Primary RSA decryption key RSAES"
+echo ""
+
+echo "Create Primary RSAES encryption key"
+${PREFIX}createprimary -hi p -dee -halg sha256 -opem tmppubkey.pem > run.out
+checkSuccess $?
+
+echo "RSA encrypt with the encryption key"
+${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+checkSuccess $?
+
+echo "RSA decrypt with the decryption key"
+${PREFIX}rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out
+checkSuccess $?
+
+echo "Verify the decrypt result"
+tail -c 3 dec.bin > tmp.bin
+diff policies/aaa tmp.bin > run.out
+checkSuccess $?
+
+echo "Flush the encryption key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Primary Create Loaded RSA decryption key RSAES"
+echo ""
+
+echo "CreateLoaded primary key, storage parent 80000001"
+${PREFIX}createloaded -hp 40000001 -dee > run.out
+checkSuccess $?
+
+echo "RSA encrypt with the encryption key"
+${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+checkSuccess $?
+
+echo "RSA decrypt with the decryption key"
+${PREFIX}rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out
+checkSuccess $?
+
+echo "Verify the decrypt result"
+tail -c 3 dec.bin > tmp.bin
+diff policies/aaa tmp.bin > run.out
+checkSuccess $?
+
+echo "Flush the encryption key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# cleanup
+
+rm -f tmp.bin
+rm -f enc.bin
+rm -f dec.bin
+rm -f deepriv.bin
+rm -f deepub.bin
+rm -f tmpmsg.bin
+rm -f tmpdig.bin
+rm -f tmpsig.bin
+rm -f tmpkeypairrsa2048.der
+rm -f tmpkeypairrsa2048.pem
+rm -f tmpkeypairrsa3072.der
+rm -f tmpkeypairrsa3072.pem
+rm -f tmppubkey.bin
+rm -f tmppubkey.pem
+rm -f tmpprivkey.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+
+# ${PREFIX}flushcontext -ha 80000001
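Review bot: The key-generation loop at L22534 hard-codes the modulus size, so `tmpkeypairrsa3072.pem` is really a 2048-bit key and the 3072 iterations of the importpem loop (L22624) and the loadexternal loop (L22675) never exercise a 3072-bit key; only the `derrsa3072*` keys loaded at L22549/L22579, which come from the harness rather than this file, cover that size. The trailing argument should be the loop variable: `openssl genrsa -out tmpkeypairrsa${BITS}.pem -aes256 -passout pass:rrrr ${BITS} > run.out 2>&1`. The two openssl commands at L22534 and L22537 are also the only steps in the file without a `checkSuccess $?` after them, so a missing or failing openssl only surfaces later as an importpem error with the wrong diagnosis; add the check after each, matching the rest of the file. Separately, `openssl rsautl` at L22716 is deprecated in OpenSSL 3.x, so if the test host moves to that release the equivalent `openssl pkeyutl -encrypt -pubin -inkey tmppubkey.pem -pkeyopt rsa_padding_mode:oaep -in policies/aaa -out enc.bin` is the drop-in replacement (its default OAEP digest is SHA-1, which is why the key is created with `-halg sha1` on L22708 — worth a comment there so nobody "fixes" it to sha256 on one side only).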
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testsalt.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testsalt.bat
new file mode 100644
index 000000000..774751bd3
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testsalt.bat
@@ -0,0 +1,433 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Salt Session - Load"
+echo ""
+
+for %%A in ("-rsa 2048" "-rsa 3072" "-ecc nistp256") do (
+
+ for %%H in (%ITERATE_ALGS%) do (
+
+ REM In general a storage key can be used. A decryption key is
+ REM used here because the hash algorithm doesn't have to match
+ REM that of the parent.
+
+ echo "Create a %%A %%H storage key under the primary key "
+ %TPM_EXE_PATH%create -hp 80000000 -nalg %%H -halg %%H %%~A -deo -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 222 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the %%A storage key 80000001 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a %%A salted HMAC auth session"
+ %TPM_EXE_PATH%startauthsession -se h -hs 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a signing key using the salt"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the storage key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+)
+
+echo ""
+echo "Salt Session - Load External"
+echo ""
+
+echo "Create RSA and ECC key pairs in PEM format using openssl"
+
+openssl genrsa -out tmpkeypairrsa.pem -aes256 -passout pass:rrrr 2048 > run.out
+openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem > run.out
+
+echo "Convert key pair to plaintext DER format"
+
+openssl rsa -inform pem -outform der -in tmpkeypairrsa.pem -out tmpkeypairrsa.der -passin pass:rrrr > run.out
+openssl ec -inform pem -outform der -in tmpkeypairecc.pem -out tmpkeypairecc.der -passin pass:rrrr > run.out
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Load the RSA openssl key pair in the NULL hierarchy 80000001 - %%H"
+ %TPM_EXE_PATH%loadexternal -halg %%H -st -ider tmpkeypairrsa.der > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a salted HMAC auth session"
+ %TPM_EXE_PATH%startauthsession -se h -hs 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a signing key using the salt"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the storage key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Load the ECC openssl key pair in the NULL hierarchy 80000001 - %%H"
+ %TPM_EXE_PATH%loadexternal -ecc -halg %%H -st -ider tmpkeypairecc.der > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a salted HMAC auth session"
+ %TPM_EXE_PATH%startauthsession -se h -hs 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a signing key using the salt"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the storage key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo ""
+echo "Salt Session - CreatePrimary storage key"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a primary storage key - %%H"
+ %TPM_EXE_PATH%createprimary -nalg %%H -hi p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a salted HMAC auth session"
+ %TPM_EXE_PATH%startauthsession -se h -hs 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a signing key using the salt"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the storage key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "Salt Session - CreatePrimary RSA key"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a primary RSA key - %%H"
+ %TPM_EXE_PATH%createprimary -nalg %%H -halg %%H -hi p -deo > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a salted HMAC auth session"
+ %TPM_EXE_PATH%startauthsession -se h -hs 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary HMAC key using the salt"
+ %TPM_EXE_PATH%createprimary -kh -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the HMAC key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the RSA key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo ""
+echo "Salt Session - EvictControl"
+echo ""
+
+echo "Load the storage key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Make the storage key persistent"
+%TPM_EXE_PATH%evictcontrol -ho 80000001 -hp 81800000 -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a salted HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h -hs 81800000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key using the salt"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the storage key from transient memory"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the storage key from persistent memory"
+%TPM_EXE_PATH%evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Salt Session - ContextSave and ContextLoad"
+echo ""
+
+echo "Load the storage key at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Save context for the key at 80000001"
+%TPM_EXE_PATH%contextsave -ha 80000001 -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the storage key at 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load context, new storage key at 80000001"
+%TPM_EXE_PATH%contextload -if tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a salted HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h -hs 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key using the salt"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the context loaded key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Salt Audit Session - PCR Read, Read Public, NV Read Public"
+echo ""
+
+echo "Load the storage key at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a salted HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h -hs 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "PCR read with salted audit session"
+%TPM_EXE_PATH%pcrread -ha 16 -se0 02000000 81 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read public with salted audit session"
+%TPM_EXE_PATH%readpublic -ho 80000001 -se0 02000000 81 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV define space"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read public with salted audit session"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 -se0 02000000 81 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the salt session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV undefine space"
+%TPM_EXE_PATH%nvundefinespace -ha 01000000 -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+
+echo ""
+echo "Salt Policy Session with policyauthvalue"
+echo ""
+
+echo "Load the RSA storage key 80000001 under the primary key 80000000"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a salted policy session"
+%TPM_EXE_PATH%startauthsession -se p -hs 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code - create"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 153 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy authvalue"
+%TPM_EXE_PATH%policyauthvalue -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key using the salt"
+%TPM_EXE_PATH%create -hp 80000001 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the storage key 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Salt Policy Session with no policyauthvalue"
+echo ""
+
+echo "Start a salted policy session"
+%TPM_EXE_PATH%startauthsession -se p -hs 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key using the salt"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rm -f tmpkeypairrsa.pem
+rm -f tmpkeypairecc.pem
+rm -f tmpkeypairrsa.der
+rm -f tmpkeypairecc.der
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+
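Review bot: The four openssl invocations at L22929, L22930, L22934 and L22935 are the only steps in this file without an `IF !ERRORLEVEL! NEQ 0` check, so an absent or failing openssl (or a key conversion that silently produces an empty .der) only shows up later as a loadexternal failure at L22940 or L22968 with a misleading diagnosis. Add `IF !ERRORLEVEL! NEQ 0 exit /B 1` after each, and redirect stderr as the .sh counterpart does (`> run.out 2>&1`), since genrsa writes its progress to stderr. The `-passin pass:rrrr` on L22935 appears unused, because the ecparam step on L22930 writes a plaintext key — harmless, but worth dropping so a reader does not assume the ECC key is encrypted at rest like the RSA one. The cleanup at L23262–L23265 removes the openssl key pairs but leaves `tmppriv.bin`, `tmppub.bin` and the saved context `tmp.bin` from L23112 behind; `rm -f tmppriv.bin tmppub.bin tmp.bin` would make the teardown match the other regression scripts.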
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testsalt.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testsalt.sh
new file mode 100755
index 000000000..05e0b3071
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testsalt.sh
@@ -0,0 +1,347 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Salt Session - Load"
+echo ""
+
+# mbedtls port does not support ECC salted sessions yet
+
+if [ ${CRYPTOLIBRARY} == "openssl" ]; then
+ SALTALGS=("-rsa 2048" "-rsa 3072" "-ecc nistp256")
+elif [ ${CRYPTOLIBRARY} == "mbedtls" ]; then
+ SALTALGS=("-rsa 2048")
+else
+ echo "Error: crypto library ${CRYPTOLIBRARY} not supported"
+ exit 255
+fi
+
+for ASY in "${SALTALGS[@]}"
+do
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ # In general a storage key can be used. A decryption key is
+ # used here because the hash algorithm doesn't have to match
+ # that of the parent.
+
+ echo "Create a ${ASY} ${HALG} decryption key under the primary key "
+ ${PREFIX}create -hp 80000000 -nalg ${HALG} -halg ${HALG} ${ASY} -deo -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 222 > run.out
+ checkSuccess $?
+
+ echo "Load the ${ASY} storage key 80000001 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Start a ${ASY} salted HMAC auth session"
+ ${PREFIX}startauthsession -se h -hs 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create a signing key using the salt"
+ ${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+ checkSuccess $?
+
+ echo "Flush the storage key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo ""
+echo "Salt Session - Load External"
+echo ""
+
+echo "Create RSA and ECC key pairs in PEM format using openssl"
+
+openssl genrsa -out tmpkeypairrsa.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1
+openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem > run.out 2>&1
+
+echo "Convert key pair to plaintext DER format"
+
+openssl rsa -inform pem -outform der -in tmpkeypairrsa.pem -out tmpkeypairrsa.der -passin pass:rrrr > run.out 2>&1
+openssl ec -inform pem -outform der -in tmpkeypairecc.pem -out tmpkeypairecc.der -passin pass:rrrr > run.out 2>&1
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Load the RSA openssl key pair in the NULL hierarchy 80000001 - ${HALG}"
+ ${PREFIX}loadexternal -rsa -halg ${HALG} -st -ider tmpkeypairrsa.der > run.out
+ checkSuccess $?
+
+ echo "Start a salted HMAC auth session"
+ ${PREFIX}startauthsession -se h -hs 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create a signing key using the salt"
+ ${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+ checkSuccess $?
+
+ echo "Flush the storage key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+if [ ${CRYPTOLIBRARY} == "openssl" ]; then
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ echo "Load the ECC openssl key pair in the NULL hierarchy 80000001 - ${HALG}"
+ ${PREFIX}loadexternal -ecc -halg ${HALG} -st -ider tmpkeypairecc.der > run.out
+ checkSuccess $?
+
+ echo "Start a salted HMAC auth session"
+ ${PREFIX}startauthsession -se h -hs 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create a signing key using the salt"
+ ${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+ checkSuccess $?
+
+ echo "Flush the storage key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ done
+fi
+
+echo ""
+echo "Salt Session - CreatePrimary storage key"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Create a primary storage key - $HALG"
+ ${PREFIX}createprimary -nalg $HALG -hi p > run.out
+ checkSuccess $?
+
+ echo "Start a salted HMAC auth session"
+ ${PREFIX}startauthsession -se h -hs 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create a signing key using the salt"
+ ${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+ checkSuccess $?
+
+ echo "Flush the storage key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Salt Session - CreatePrimary RSA key"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Create a primary RSA key - $HALG"
+ ${PREFIX}createprimary -nalg $HALG -halg $HALG -hi p -deo > run.out
+ checkSuccess $?
+
+ echo "Start a salted HMAC auth session"
+ ${PREFIX}startauthsession -se h -hs 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create a primary HMAC key using the salt"
+ ${PREFIX}createprimary -kh -se0 02000000 0 > run.out
+ checkSuccess $?
+
+ echo "Flush the HMAC key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Flush the RSA key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Salt Session - EvictControl"
+echo ""
+
+echo "Load the storage key"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Make the storage key persistent"
+${PREFIX}evictcontrol -ho 80000001 -hp 81800000 -hi p > run.out
+checkSuccess $?
+
+echo "Start a salted HMAC auth session"
+${PREFIX}startauthsession -se h -hs 81800000 > run.out
+checkSuccess $?
+
+echo "Create a signing key using the salt"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the storage key from transient memory"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the storage key from persistent memory"
+${PREFIX}evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out
+checkSuccess $?
+
+echo ""
+echo "Salt Session - ContextSave and ContextLoad"
+echo ""
+
+echo "Load the storage key at 80000001"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Save context for the key at 80000001"
+${PREFIX}contextsave -ha 80000001 -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Flush the storage key at 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Load context, new storage key at 80000001"
+${PREFIX}contextload -if tmp.bin > run.out
+checkSuccess $?
+
+echo "Start a salted HMAC auth session"
+${PREFIX}startauthsession -se h -hs 80000001 > run.out
+checkSuccess $?
+
+echo "Create a signing key using the salt"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the context loaded key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Salt Audit Session - PCR Read, Read Public, NV Read Public"
+echo ""
+
+echo "Load the storage key at 80000001"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a salted HMAC auth session"
+${PREFIX}startauthsession -se h -hs 80000001 > run.out
+checkSuccess $?
+
+echo "PCR read with salted audit session"
+${PREFIX}pcrread -ha 16 -se0 02000000 81 > run.out
+checkSuccess $?
+
+echo "Read public with salted audit session"
+${PREFIX}readpublic -ho 80000001 -se0 02000000 81 > run.out
+checkSuccess $?
+
+echo "NV define space"
+${PREFIX}nvdefinespace -ha 01000000 -hi p > run.out
+checkSuccess $?
+
+echo "NV Read public with salted audit session"
+${PREFIX}nvreadpublic -ha 01000000 -se0 02000000 81 > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the salt session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "NV undefine space"
+${PREFIX}nvundefinespace -ha 01000000 -hi p > run.out
+checkSuccess $?
+
+echo ""
+echo "Salt Policy Session with policyauthvalue"
+echo ""
+
+echo "Load the RSA storage key 80000001 under the primary key 80000000"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a salted policy session"
+${PREFIX}startauthsession -se p -hs 80000001 > run.out
+checkSuccess $?
+
+echo "Policy command code - create"
+${PREFIX}policycommandcode -ha 03000000 -cc 153 > run.out
+checkSuccess $?
+
+echo "Policy authvalue"
+${PREFIX}policyauthvalue -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Create a signing key using the salt"
+${PREFIX}create -hp 80000001 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the storage key 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Salt Policy Session with no policyauthvalue"
+echo ""
+
+echo "Start a salted policy session"
+${PREFIX}startauthsession -se p -hs 80000000 > run.out
+checkSuccess $?
+
+echo "Create a signing key using the salt"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+rm -f tmpkeypairrsa.pem
+rm -f tmpkeypairecc.pem
+rm -f tmpkeypairrsa.der
+rm -f tmpkeypairecc.der
+# ${PREFIX}getcapability -cap 1 -pr 80000000
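Review bot: The four openssl invocations in the "Load External" setup (genrsa, ecparam and the two PEM-to-DER conversions) send their output to run.out but never check the exit status, so a failed key generation or conversion only shows up later as a loadexternal error with no hint of the cause; every TPM command in this file gets `checkSuccess $?`, and these should too, e.g. `openssl genrsa -out tmpkeypairrsa.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1` followed by `checkSuccess $?` (and likewise after the other three). Separately, `[ ${CRYPTOLIBRARY} == "openssl" ]` is unquoted, so an unset CRYPTOLIBRARY yields a `[: ==: unary operator expected` error instead of reaching the intended "not supported" branch; `[ "${CRYPTOLIBRARY}" == "openssl" ]` (and the same for the mbedtls test) fixes that. Note also that the DER files written here are plaintext private keys and are removed only on the success path at the end of the script; if checkSuccess aborts on failure, as its use here suggests, they are left on disk, which may be acceptable for test fixtures but deserves a comment.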
+
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testshutdown.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testshutdown.bat
new file mode 100644
index 000000000..052126119
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testshutdown.bat
@@ -0,0 +1,541 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+REM 01000000 WST
+REM 01000001 WD WST
+REM 01000002 GL
+REM 01000003 GL WD
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "TPM Resume (state/state) - suspend"
+echo ""
+
+echo "PCR 0 Extend"
+%TPM_EXE_PATH%pcrextend -ha 0 -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "PCR 0 Read"
+%TPM_EXE_PATH%pcrread -ha 0 -of tmp1.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Save the session context"
+%TPM_EXE_PATH%contextsave -ha 02000001 -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Context save the signing key"
+%TPM_EXE_PATH%contextsave -ha 80000001 -of tmpsk.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Define index 01000000 with write stclear, read stclear"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 +at rst +at wst > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Define index 01000001 with write stclear, read stclear"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000001 -pwdn nnn -sz 16 +at rst +at wst +at wd > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Define index 01000002 with write stclear, read stclear"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000002 -pwdn nnn -sz 16 +at rst +at gl > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Define index 01000003 with write stclear, read stclear"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000003 -pwdn nnn -sz 16 +at rst +at gl +at wd > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000000"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000001"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000002"
+%TPM_EXE_PATH%nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000003"
+%TPM_EXE_PATH%nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read lock"
+%TPM_EXE_PATH%nvreadlock -ha 01000000 -pwdn nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Write lock 01000000"
+%TPM_EXE_PATH%nvwritelock -ha 01000000 -pwdn nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Write lock 01000001"
+%TPM_EXE_PATH%nvwritelock -ha 01000001 -pwdn nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV global lock (01000002 and 01000003)"
+%TPM_EXE_PATH%nvglobalwritelock -hia p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000001 - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV write 01000002 - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV write 01000003 - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Shutdown state"
+%TPM_EXE_PATH%shutdown -s > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Power cycle"
+%TPM_EXE_PATH%powerup > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Startup state"
+%TPM_EXE_PATH%startup -s > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "PCR 0 Read"
+%TPM_EXE_PATH%pcrread -ha 0 -of tmp2.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify that PCR 0 is restored"
+diff tmp1.bin tmp2.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Context load the signing key"
+%TPM_EXE_PATH%contextload -if tmpsk.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Signing Key Self Certify"
+%TPM_EXE_PATH%certify -hk 80000000 -ho 80000000 -pwdk sig -pwdo sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Signing Key Self Certify - should fail, signing key missing"
+%TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Load the signing key - should fail, primary key missing"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Create a platform primary storage key"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto -pol policies/zerosha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Signing Key Self Certify - should fail, signing key missing"
+%TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Load the signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Signing Key Self Certify - should fail, session missing"
+%TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Load the saved session context"
+%TPM_EXE_PATH%contextload -if tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Signing Key Self Certify"
+%TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -se0 02000001 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000000 - should fail, still locked after TPM Resume"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV write 01000001 - should fail, still locked after TPM Resume"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV write 01000002 - should fail, still locked after TPM Resume"
+%TPM_EXE_PATH%nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV write 01000003 - should fail, still locked after TPM Resume"
+%TPM_EXE_PATH%nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV read - should fail, still locked"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "TPM Restart (state/clear) - hibernate"
+echo ""
+
+echo "Load the signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Context save the signing key"
+%TPM_EXE_PATH%contextsave -ha 80000001 -of tmpsk.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Save the session"
+%TPM_EXE_PATH%contextsave -ha 02000000 -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Shutdown state"
+%TPM_EXE_PATH%shutdown -s > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Power cycle"
+%TPM_EXE_PATH%powerup > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Startup clear"
+%TPM_EXE_PATH%startup -c > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the session"
+%TPM_EXE_PATH%contextload -if tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Context load the signing key"
+%TPM_EXE_PATH%contextload -if tmpsk.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "PCR 0 Read"
+%TPM_EXE_PATH%pcrread -ha 0 -halg sha1 -of tmp2.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify that PCR 0 is reset"
+diff policies/policypcr0.bin tmp2.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000000 - unlocked after TPM Restart"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000001 - should fail, still locked after TPM Restart"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV write 01000002 - unlocked after TPM Restart"
+%TPM_EXE_PATH%nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000003 - should fail, still locked after TPM Restart"
+%TPM_EXE_PATH%nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV read"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Write lock 01000000"
+%TPM_EXE_PATH%nvwritelock -ha 01000000 -pwdn nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV global lock (01000002 and 01000003)"
+%TPM_EXE_PATH%nvglobalwritelock -hia p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Recreate a platform primary storage key"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "TPM Reset (clear/clear) - cold boot"
+echo ""
+
+echo "Start a session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Save the session"
+%TPM_EXE_PATH%contextsave -ha 02000000 -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Shutdown clear"
+%TPM_EXE_PATH%shutdown -c > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Power cycle"
+%TPM_EXE_PATH%powerup > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Startup clear"
+%TPM_EXE_PATH%startup -c > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the session - should fail"
+%TPM_EXE_PATH%contextload -if tmp.bin > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Recreate a platform primary storage key"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000000 - unlocked after TPM Reset"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000001 - should fail, still locked after TPM Reset"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV write 01000002 - unlocked after TPM Reset"
+%TPM_EXE_PATH%nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000003 - should fail, still locked after TPM Reset"
+%TPM_EXE_PATH%nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space 01000000"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space 01000001"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space 01000002"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space 01000003"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000003 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM shutdown removes the session
+rm h02000000.bin
+rm tmpsk.bin
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+REM getcapability -cap 1 -pr 01000000
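Review bot: The echo labels for the nvdefinespace calls on 01000001, 01000002 and 01000003 all say "with write stclear, read stclear", but the attributes actually defined are `+at rst +at wst +at wd`, `+at rst +at gl` and `+at rst +at gl +at wd` respectively, as the REM table at the top of the file lists; a reader of run.out would be misled about which lock variant is under test. Suggested labels: `echo "Define index 01000001 with write define, write stclear, read stclear"`, `echo "Define index 01000002 with global lock, read stclear"`, `echo "Define index 01000003 with write define, global lock, read stclear"`. The later expectations (01000001 and 01000003 stay locked across Restart and Reset, 01000000 and 01000002 unlock) are consistent with those attributes, so this is a labeling fix only. Separately, the script depends on `diff` and `rm` being on PATH, which a stock cmd.exe does not provide; presumably a POSIX toolset is assumed, as the sibling testsalt.bat also calls rm, but that prerequisite is worth a REM near the top.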
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testshutdown.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testshutdown.sh
new file mode 100755
index 000000000..c73481c04
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testshutdown.sh
@@ -0,0 +1,396 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# NV Index
+# 01000000 WST
+# 01000001 WD WST
+# 01000002 GL
+# 01000003 GL WD
+
+echo ""
+echo "TPM Resume (state/state) - suspend"
+echo ""
+
+echo "PCR 0 Extend"
+${PREFIX}pcrextend -ha 0 -if policies/aaa > run.out
+checkSuccess $?
+
+echo "PCR 0 Read"
+${PREFIX}pcrread -ha 0 -of tmp1.bin > run.out
+checkSuccess $?
+
+echo "Start an HMAC session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Start an HMAC session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Save the session context"
+${PREFIX}contextsave -ha 02000001 -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Context save the signing key"
+${PREFIX}contextsave -ha 80000001 -of tmpsk.bin > run.out
+checkSuccess $?
+
+echo "Define index 01000000 with write stclear, read stclear"
+${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 +at rst +at wst > run.out
+checkSuccess $?
+
+echo "Define index 01000001 with write stclear, read stclear"
+${PREFIX}nvdefinespace -hi o -ha 01000001 -pwdn nnn -sz 16 +at rst +at wst +at wd > run.out
+checkSuccess $?
+
+echo "Define index 01000002 with write stclear, read stclear"
+${PREFIX}nvdefinespace -hi o -ha 01000002 -pwdn nnn -sz 16 +at rst +at gl > run.out
+checkSuccess $?
+
+echo "Define index 01000003 with write stclear, read stclear"
+${PREFIX}nvdefinespace -hi o -ha 01000003 -pwdn nnn -sz 16 +at rst +at gl +at wd > run.out
+checkSuccess $?
+
+echo "NV write 01000000"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "NV write 01000001"
+${PREFIX}nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "NV write 01000002"
+${PREFIX}nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "NV write 01000003"
+${PREFIX}nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "Read lock"
+${PREFIX}nvreadlock -ha 01000000 -pwdn nnn > run.out
+checkSuccess $?
+
+echo "Write lock 01000000"
+${PREFIX}nvwritelock -ha 01000000 -pwdn nnn > run.out
+checkSuccess $?
+
+echo "Write lock 01000001"
+${PREFIX}nvwritelock -ha 01000001 -pwdn nnn > run.out
+checkSuccess $?
+
+echo "NV global lock (01000002 and 01000003)"
+${PREFIX}nvglobalwritelock -hia p > run.out
+checkSuccess $?
+
+echo "NV write 01000000 - should fail"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV write 01000001 - should fail"
+${PREFIX}nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV write 01000002 - should fail"
+${PREFIX}nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV write 01000003 - should fail"
+${PREFIX}nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "Shutdown state"
+${PREFIX}shutdown -s > run.out
+checkSuccess $?
+
+echo "Power cycle"
+${PREFIX}powerup > run.out
+checkSuccess $?
+
+echo "Startup state"
+${PREFIX}startup -s > run.out
+checkSuccess $?
+
+echo "PCR 0 Read"
+${PREFIX}pcrread -ha 0 -of tmp2.bin > run.out
+checkSuccess $?
+
+echo "Verify that PCR 0 is restored"
+diff tmp1.bin tmp2.bin > run.out
+checkSuccess $?
+
+echo "Context load the signing key"
+${PREFIX}contextload -if tmpsk.bin > run.out
+checkSuccess $?
+
+echo "Signing Key Self Certify"
+${PREFIX}certify -hk 80000000 -ho 80000000 -pwdk sig -pwdo sig > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000000 > run.out
+checkSuccess $?
+
+echo "Signing Key Self Certify - should fail, signing key missing"
+${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -se0 02000000 1 > run.out
+checkFailure $?
+
+echo "Load the signing key - should fail, primary key missing"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkFailure $?
+
+# Create a platform primary storage key
+initprimary
+checkSuccess $?
+
+echo "Signing Key Self Certify - should fail, signing key missing"
+${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -se0 02000000 1 > run.out
+checkFailure $?
+
+echo "Load the signing key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Signing Key Self Certify - should fail, session missing"
+${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -se0 02000000 1 > run.out
+checkFailure $?
+
+echo "Load the saved session context"
+${PREFIX}contextload -if tmp.bin > run.out
+checkSuccess $?
+
+echo "Signing Key Self Certify"
+${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -se0 02000001 0 > run.out
+checkSuccess $?
+
+echo "NV write 01000000 - should fail, still locked after TPM Resume"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV write 01000001 - should fail, still locked after TPM Resume"
+${PREFIX}nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV write 01000002 - should fail, still locked after TPM Resume"
+${PREFIX}nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV write 01000003 - should fail, still locked after TPM Resume"
+${PREFIX}nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV read - should fail, still locked"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 > run.out
+checkFailure $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "TPM Restart (state/clear) - hibernate"
+echo ""
+
+echo "Load the signing key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Context save the signing key"
+${PREFIX}contextsave -ha 80000001 -of tmpsk.bin > run.out
+checkSuccess $?
+
+echo "Start a session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Save the session"
+${PREFIX}contextsave -ha 02000000 -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Shutdown state"
+${PREFIX}shutdown -s > run.out
+checkSuccess $?
+
+echo "Power cycle"
+${PREFIX}powerup > run.out
+checkSuccess $?
+
+echo "Startup clear"
+${PREFIX}startup -c > run.out
+checkSuccess $?
+
+echo "Load the session"
+${PREFIX}contextload -if tmp.bin > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "Context load the signing key"
+${PREFIX}contextload -if tmpsk.bin > run.out
+checkSuccess $?
+
+echo "PCR 0 Read"
+${PREFIX}pcrread -ha 0 -halg sha1 -of tmp2.bin > run.out
+checkSuccess $?
+
+echo "Verify that PCR 0 is reset"
+diff policies/policypcr0.bin tmp2.bin > run.out
+checkSuccess $?
+
+echo "NV write 01000000 - unlocked after TPM Restart"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "NV write 01000001 - should fail, still locked after TPM Restart"
+${PREFIX}nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV write 01000002 - unlocked after TPM Restart"
+${PREFIX}nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "NV write 01000003 - should fail, still locked after TPM Restart"
+${PREFIX}nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV read"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 > run.out
+checkSuccess $?
+
+echo "Write lock 01000000"
+${PREFIX}nvwritelock -ha 01000000 -pwdn nnn > run.out
+checkSuccess $?
+
+echo "NV global lock (01000002 and 01000003)"
+${PREFIX}nvglobalwritelock -hia p > run.out
+checkSuccess $?
+
+echo "Recreate a platform primary storage key"
+${PREFIX}createprimary -hi p -pwdk sto > run.out
+checkSuccess $?
+
+echo ""
+echo "TPM Reset (clear/clear) - cold boot"
+echo ""
+
+echo "Start a session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Save the session"
+${PREFIX}contextsave -ha 02000000 -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Shutdown clear"
+${PREFIX}shutdown -c > run.out
+checkSuccess $?
+
+echo "Power cycle"
+${PREFIX}powerup > run.out
+checkSuccess $?
+
+echo "Startup clear"
+${PREFIX}startup -c > run.out
+checkSuccess $?
+
+echo "Load the session - should fail"
+${PREFIX}contextload -if tmp.bin > run.out
+checkFailure $?
+
+echo "Recreate a platform primary storage key"
+${PREFIX}createprimary -hi p -pwdk sto > run.out
+checkSuccess $?
+
+echo "NV write - unlocked after TPM Reset"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "NV write 01000000 - unlocked after TPM Reset"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "NV write 01000001 - should fail, still locked after TPM Reset"
+${PREFIX}nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV write 01000002 - unlocked after TPM Reset"
+${PREFIX}nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "NV write 01000003 - should fail, still locked after TPM Reset"
+${PREFIX}nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+# cleanup
+
+echo "NV Undefine Space 01000000"
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space 01000001"
+${PREFIX}nvundefinespace -hi p -ha 01000001 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space 01000002"
+${PREFIX}nvundefinespace -hi p -ha 01000002 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space 01000003"
+${PREFIX}nvundefinespace -hi p -ha 01000003 > run.out
+checkSuccess $?
+
+# shutdown removes the session
+rm h02000000.bin
+rm tmpsk.bin
+
+exit
+
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+# ${PREFIX}getcapability -cap 1 -pr 01000000
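Review bot: The four `echo` labels on the nvdefinespace steps all say "write stclear, read stclear", but only 01000000 matches; 01000001 adds `+at wd`, 01000002 uses `+at gl` instead of `wst`, and 01000003 uses `+at gl +at wd`, and those attribute differences are exactly what the later Resume/Restart/Reset write checks are distinguishing. Because run.out only keeps the last command's output, the echo line is the only thing a failing run prints, so the labels should name the attributes, e.g. `echo "Define index 01000001 with read stclear, write stclear, write define"` and `echo "Define index 01000002 with read stclear, global lock"`, matching the index table in the header comment. The step labelled "NV write - unlocked after TPM Reset" is an exact duplicate of the following "NV write 01000000 - unlocked after TPM Reset" step (same handle, same expected result) and can be dropped. The two identical "Start an HMAC session" steps would also read better if the second said it creates 02000001, the handle that is then context-saved and reloaded after the resume.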
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testsign.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testsign.bat
new file mode 100644
index 000000000..18b331b73
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testsign.bat
@@ -0,0 +1,504 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "RSA Signing key"
+echo ""
+
+for %%B in (2048 3072) do (
+
+ echo "Create an RSA key pair in PEM format using openssl"
+ openssl genrsa -out tmpkeypairrsa%%B.pem -aes256 -passout pass:rrrr 2048 > run.out
+
+ echo "Convert key pair to plaintext DER format"
+ openssl rsa -inform pem -outform der -in tmpkeypairrsa%%B.pem -out tmpkeypairrsa%%B.der -passin pass:rrrr > run.out
+
+ echo "Load the RSA signing key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr signrsa%%Bpriv.bin -ipu signrsa%%Bpub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ for %%H in (%ITERATE_ALGS%) do (
+ for %%S in (rsassa rsapss) do (
+
+ echo "Sign a digest - %%H %%S %%B"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -scheme %%S -if policies/aaa -os sig.bin -pwdk sig -ipu signrsa%%Bpub.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature signature using the TPM - %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem signrsa%%Bpub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the public part"
+ %TPM_EXE_PATH%readpublic -ho 80000001 -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using readpublic PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the openssl key pair in the NULL hierarchy - %%H %%S %%B"
+ %TPM_EXE_PATH%loadexternal -halg %%H -scheme %%S -ider tmpkeypairrsa%%B.der > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Use the TPM as a crypto coprocessor to sign - %%H"
+ %TPM_EXE_PATH%sign -hk 80000002 -halg %%H -scheme %%S -if policies/aaa -os sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature - %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000002 -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the openssl signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+ )
+ echo "Flush the signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "ECC Signing key"
+echo ""
+
+echo "Create an ECC key pair in PEM format using openssl"
+
+openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem > run.out
+
+echo "Convert key pair to plaintext DER format"
+
+openssl ec -inform pem -outform der -in tmpkeypairecc.pem -out tmpkeypairecc.der -passin pass:rrrr > run.out
+
+echo "Load the ECC signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signeccpriv.bin -ipu signeccpub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Sign a digest - %%H"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -salg ecc -if policies/aaa -os sig.bin -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the ECC signature using the TPM - %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -ecc -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem signeccpub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the public part"
+ %TPM_EXE_PATH%readpublic -ho 80000001 -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using readpublic PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the openssl key pair in the NULL hierarchy 80000002 - %%H"
+ %TPM_EXE_PATH%loadexternal -halg %%H -ecc -ider tmpkeypairecc.der > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Use the TPM as a crypto coprocessor to sign - %%H"
+ %TPM_EXE_PATH%sign -hk 80000002 -halg %%H -salg ecc -if policies/aaa -os sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature - %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000002 -halg %%H -ecc -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the openssl signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo "Flush the ECC signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "Primary RSA Signing Key 80000001"
+echo ""
+
+echo "Create primary signing key - RSA"
+%TPM_EXE_PATH%createprimary -si -opu tmppub.bin -opem tmppub.pem -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Sign a digest - %%H"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -if policies/aaa -os sig.bin -pwdk sig -ipu tmppub.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature - %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the public part"
+ %TPM_EXE_PATH%readpublic -ho 80000001 -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using readpublic PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Convert TPM public key to PEM"
+ %TPM_EXE_PATH%tpm2pem -ipu tmppub.bin -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using createprimary converted PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the primary signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Primary ECC Signing Key"
+echo ""
+
+echo "Create primary signing key - ECC 80000001"
+%TPM_EXE_PATH%createprimary -si -opu tmppub.bin -opem tmppub.pem -ecc nistp256 -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Sign a digest - %%H"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -salg ecc -if policies/aaa -os sig.bin -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature - %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the public part"
+ %TPM_EXE_PATH%readpublic -ho 80000001 -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using readpublic PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ echo "Convert TPM public key to PEM"
+ %TPM_EXE_PATH%tpm2pem -ipu tmppub.bin -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using createprimary converted PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the primary signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Restricted Signing Key"
+echo ""
+
+echo "Create primary signing key - restricted"
+%TPM_EXE_PATH%createprimary -sir -opu tmppub.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - SHA256 - should fail TPM_RC_TICKET"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig -ipu tmppub.bin > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "External Verification Key"
+echo ""
+
+REM # create rsaprivkey.pem
+REM # > openssl genrsa -out rsaprivkey.pem -aes256 -passout pass:rrrr 2048
+REM # extract the public key
+REM # > openssl pkey -inform pem -outform pem -in rsaprivkey.pem -passin pass:rrrr -pubout -out rsapubkey.pem
+REM # sign a test message msg.bin
+REM # > openssl dgst -sha1 -sign rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
+
+echo "Load external just the public part of PEM RSA"
+%TPM_EXE_PATH%loadexternal -halg sha1 -nalg sha1 -ipem policies/rsapubkey.pem > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a test message with openssl RSA"
+openssl dgst -sha1 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
+
+echo "Verify the RSA signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha1 -if msg.bin -is pssig.bin -raw > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # generate the p256 key
+REM # > openssl ecparam -name prime256v1 -genkey -noout -out p256privkey.pem
+REM # extract public key
+REM # > openssl pkey -inform pem -outform pem -in p256privkey.pem -pubout -out p256pubkey.pem
+
+echo "Load external just the public part of PEM ECC"
+%TPM_EXE_PATH%loadexternal -halg sha1 -nalg sha1 -ipem policies/p256pubkey.pem -ecc > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a test message with openssl ECC"
+openssl dgst -sha1 -sign policies/p256privkey.pem -out pssig.bin msg.bin
+
+echo "Verify the ECC signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha1 -if msg.bin -is pssig.bin -raw -ecc > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Sign with restricted HMAC key"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a %%H restricted keyed hash key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -khr -kt f -kt p -opr khrpriv%%H.bin -opu khrpub%%H.bin -pwdp sto -pwdk khk -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key under the primary key 80000001"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr khrpriv%%H.bin -ipu khrpub%%H.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Hash and create ticket"
+ %TPM_EXE_PATH%hash -hi p -halg %%H -if msg.bin -tk tkt.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest with a restricted signing key and ticket"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -salg hmac -if msg.bin -tk tkt.bin -os sig.bin -pwdk khk > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest with a restricted signing key and no ticket - should fail"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -salg hmac -if msg.bin -os sig.bin -pwdk khk > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key 80000001 "
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo ""
+echo "Sign with unrestricted HMAC key"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a %%H unrestricted keyed hash key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -kh -kt f -kt p -opr khpriv%%H.bin -opu khpub%%H.bin -pwdp sto -pwdk khk -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key under the primary key 80000001"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr khpriv%%H.bin -ipu khpub%%H.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Hash"
+ %TPM_EXE_PATH%hash -hi p -halg %%H -if msg.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest with an unrestricted signing key"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -salg hmac -if msg.bin -os sig.bin -pwdk khk > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key 80000001 "
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+rm tmpkeypairrsa2048.pem
+rm tmpkeypairrsa2048.der
+rm tmpkeypairrsa3072.pem
+rm tmpkeypairrsa3072.der
+rm tmpkeypairecc.pem
+rm tmpkeypairecc.der
+rm pssig.bin
+rm tmppub.bin
+rm tmppub.pem
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
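Review bot: The `openssl genrsa` line at the top of the `for %%B in (2048 3072)` loop hard-codes the key size as `2048`, so the 3072 iteration generates and later `loadexternal`s a 2048-bit key while the TPM-side signing key is 3072; the "crypto coprocessor" sign/verify steps for 3072 therefore never exercise a 3072-bit external key, and they still pass, which is why it goes unnoticed. Change it to `openssl genrsa -out tmpkeypairrsa%%B.pem -aes256 -passout pass:rrrr %%B > run.out`. The openssl invocations (genrsa, rsa, ecparam, ec and both `dgst -sign` lines) are also the only steps in this file without an `IF !ERRORLEVEL! NEQ 0` check, so a missing or incompatible openssl surfaces later as a confusing loadexternal or verifysignature failure rather than at the step that actually broke; adding the same check after each would make the failure point at the real cause. Minor style point: the IF block after "Flush the ECC signing key" is indented as if it were still inside the `for %%H` loop that closed just above it.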
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testsign.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testsign.sh
new file mode 100755
index 000000000..98841e312
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testsign.sh
@@ -0,0 +1,402 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "RSA Signing key"
+echo ""
+
+for BITS in 2048 3072
+do
+
+ echo "Create an RSA $BITS key pair in PEM format using openssl"
+ openssl genrsa -out tmpkeypairrsa${BITS}.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1
+
+ echo "Convert RSA $BITS key pair to plaintext DER format"
+ openssl rsa -inform pem -outform der -in tmpkeypairrsa${BITS}.pem -out tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1
+
+ echo "Load the RSA $BITS signing key under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr signrsa${BITS}priv.bin -ipu signrsa${BITS}pub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ for SCHEME in rsassa rsapss
+ do
+
+ echo "Sign a digest - $HALG $SCHEME $BITS"
+ ${PREFIX}sign -hk 80000001 -halg $HALG -scheme $SCHEME -if policies/aaa -os sig.bin -pwdk sig -ipu signrsa${BITS}pub.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using the TPM - $HALG"
+ ${PREFIX}verifysignature -hk 80000001 -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using PEM - $HALG"
+ ${PREFIX}verifysignature -ipem signrsa${BITS}pub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Read the public part"
+ ${PREFIX}readpublic -ho 80000001 -opem tmppub.pem > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using readpublic PEM - $HALG"
+ ${PREFIX}verifysignature -ipem tmppub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Load the openssl key pair in the NULL hierarchy 80000002 - $HALG $SCHEME $BITS"
+ ${PREFIX}loadexternal -halg $HALG -scheme $SCHEME -ider tmpkeypairrsa${BITS}.der > run.out
+ checkSuccess $?
+
+ echo "Use the TPM as a crypto coprocessor to sign - $HALG $SCHEME"
+ ${PREFIX}sign -hk 80000002 -halg $HALG -scheme $SCHEME -if policies/aaa -os sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature - $HALG"
+ ${PREFIX}verifysignature -hk 80000002 -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the openssl signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ done
+
+ done
+
+ echo "Flush the RSA signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "ECC Signing key"
+echo ""
+
+echo "Load the ECC signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signeccpriv.bin -ipu signeccpub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Create an ECC key pair in PEM format using openssl"
+
+openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem > run.out 2>&1
+
+echo "Convert key pair to plaintext DER format"
+
+openssl ec -inform pem -outform der -in tmpkeypairecc.pem -out tmpkeypairecc.der -passin pass:rrrr > run.out 2>&1
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Sign a digest - $HALG"
+ ${PREFIX}sign -hk 80000001 -halg $HALG -salg ecc -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Verify the ECC signature using the TPM - $HALG"
+ ${PREFIX}verifysignature -hk 80000001 -halg $HALG -ecc -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using PEM - $HALG"
+ ${PREFIX}verifysignature -ipem signeccpub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Read the public part"
+ ${PREFIX}readpublic -ho 80000001 -opem tmppub.pem > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using readpublic PEM - $HALG"
+ ${PREFIX}verifysignature -ipem tmppub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Load the openssl key pair in the NULL hierarchy 80000002 - $HALG"
+ ${PREFIX}loadexternal -halg $HALG -ecc -ider tmpkeypairecc.der > run.out
+ checkSuccess $?
+
+ echo "Use the TPM as a crypto coprocessor to sign - $HALG"
+ ${PREFIX}sign -hk 80000002 -halg $HALG -salg ecc -if policies/aaa -os sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature - $HALG"
+ ${PREFIX}verifysignature -hk 80000002 -halg $HALG -ecc -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the openssl signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the ECC signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Primary RSA Signing Key"
+echo ""
+
+echo "Create primary signing key - RSA 80000001"
+${PREFIX}createprimary -si -opu tmppub.bin -opem tmppub.pem -pwdk sig > run.out
+checkSuccess $?
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Sign a digest - $HALG"
+ ${PREFIX}sign -hk 80000001 -halg $HALG -if policies/aaa -os sig.bin -pwdk sig -ipu tmppub.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature - $HALG"
+ ${PREFIX}verifysignature -hk 80000001 -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using PEM - $HALG"
+ ${PREFIX}verifysignature -ipem tmppub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Read the public part and convert to PEM"
+ ${PREFIX}readpublic -ho 80000001 -opem tmppub.pem > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using readpublic PEM - $HALG"
+ ${PREFIX}verifysignature -ipem tmppub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Convert TPM public key to PEM"
+ ${PREFIX}tpm2pem -ipu tmppub.bin -opem tmppub.pem > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using createprimary converted PEM - $HALG"
+ ${PREFIX}verifysignature -ipem tmppub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the primary signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Primary ECC Signing Key"
+echo ""
+
+echo "Create primary signing key - ECC 80000001"
+${PREFIX}createprimary -si -opu tmppub.bin -opem tmppub.pem -ecc nistp256 -pwdk sig > run.out
+checkSuccess $?
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Sign a digest - $HALG"
+ ${PREFIX}sign -hk 80000001 -halg $HALG -salg ecc -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Verify the signature - $HALG"
+ ${PREFIX}verifysignature -hk 80000001 -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using PEM - $HALG"
+ ${PREFIX}verifysignature -ipem tmppub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Read the public part"
+ ${PREFIX}readpublic -ho 80000001 -opem tmppub.pem > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using readpublic PEM - $HALG"
+ ${PREFIX}verifysignature -ipem tmppub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Convert TPM public key to PEM"
+ ${PREFIX}tpm2pem -ipu tmppub.bin -opem tmppub.pem > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using createprimary converted PEM - $HALG"
+ ${PREFIX}verifysignature -ipem tmppub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the primary signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Restricted Signing Key"
+echo ""
+
+echo "Create primary signing key - restricted"
+${PREFIX}createprimary -sir -opu tmppub.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Sign a digest - SHA256 - should fail TPM_RC_TICKET"
+${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig -ipu tmppub.bin > run.out
+checkFailure $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "External Verification Key"
+echo ""
+
+# create rsaprivkey.pem
+# > openssl genrsa -out rsaprivkey.pem -aes256 -passout pass:rrrr 2048
+# convert to der
+# > openssl rsa -inform pem -outform der -in rsaprivkey.pem -out rsaprivkey.der -passin pass:rrrr
+# extract the public key
+# > openssl pkey -inform pem -outform pem -in rsaprivkey.pem -passin pass:rrrr -pubout -out rsapubkey.pem
+# sign a test message msg.bin
+# > openssl dgst -sha1 -sign rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
+
+echo "Load external just the public part of PEM RSA"
+${PREFIX}loadexternal -halg sha1 -nalg sha1 -ipem policies/rsapubkey.pem > run.out
+checkSuccess $?
+
+echo "Sign a test message with openssl RSA"
+openssl dgst -sha1 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin > run.out 2>&1
+
+echo "Verify the RSA signature"
+${PREFIX}verifysignature -hk 80000001 -halg sha1 -if msg.bin -is pssig.bin -raw > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# generate the p256 key
+# > openssl ecparam -name prime256v1 -genkey -noout -out p256privkey.pem
+# extract public key
+# > openssl pkey -inform pem -outform pem -in p256privkey.pem -pubout -out p256pubkey.pem
+
+echo "Load external just the public part of PEM ECC"
+${PREFIX}loadexternal -halg sha1 -nalg sha1 -ipem policies/p256pubkey.pem -ecc > run.out
+checkSuccess $?
+
+echo "Sign a test message with openssl ECC"
+openssl dgst -sha1 -sign policies/p256privkey.pem -out pssig.bin msg.bin > run.out 2>&1
+
+echo "Verify the ECC signature"
+${PREFIX}verifysignature -hk 80000001 -halg sha1 -if msg.bin -is pssig.bin -raw -ecc > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Sign with restricted HMAC key"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+
+do
+
+ echo "Create a ${HALG} restricted keyed hash key under the primary key"
+ ${PREFIX}create -hp 80000000 -khr -kt f -kt p -opr khrpriv${HALG}.bin -opu khrpub${HALG}.bin -pwdp sto -pwdk khk -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Load the signing key under the primary key 80000001"
+ ${PREFIX}load -hp 80000000 -ipr khrpriv${HALG}.bin -ipu khrpub${HALG}.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Hash and create ticket"
+ ${PREFIX}hash -hi p -halg ${HALG} -if msg.bin -tk tkt.bin > run.out
+ checkSuccess $?
+
+ echo "Sign a digest with a restricted signing key and ticket"
+ ${PREFIX}sign -hk 80000001 -halg ${HALG} -salg hmac -if msg.bin -tk tkt.bin -os sig.bin -pwdk khk > run.out
+ checkSuccess $?
+
+ echo "Sign a digest with a restricted signing key and no ticket - should fail"
+ ${PREFIX}sign -hk 80000001 -halg ${HALG} -salg hmac -if msg.bin -os sig.bin -pwdk khk > run.out
+ checkFailure $?
+
+ echo "Flush the signing key 80000001 "
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Sign with unrestricted HMAC key"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+
+do
+
+ echo "Create a ${HALG} unrestricted keyed hash key under the primary key"
+ ${PREFIX}create -hp 80000000 -kh -kt f -kt p -opr khpriv${HALG}.bin -opu khpub${HALG}.bin -pwdp sto -pwdk khk -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Load the signing key under the primary key 80000001"
+ ${PREFIX}load -hp 80000000 -ipr khpriv${HALG}.bin -ipu khpub${HALG}.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Hash"
+ ${PREFIX}hash -hi p -halg ${HALG} -if msg.bin > run.out
+ checkSuccess $?
+
+ echo "Sign a digest with an unrestricted signing key"
+ ${PREFIX}sign -hk 80000001 -halg ${HALG} -salg hmac -if msg.bin -os sig.bin -pwdk khk > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key 80000001 "
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+rm -f tmpkeypairrsa2048.pem
+rm -f tmpkeypairrsa2048.der
+rm -f tmpkeypairrsa3072.pem
+rm -f tmpkeypairrsa3072.der
+rm -f tmpkeypairecc.pem
+rm -f tmpkeypairecc.der
+rm -r pssig.bin
+rm -r tmppub.bin
+rm -r tmppub.pem
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
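Review bot: The RSA loop iterates `for BITS in 2048 3072`, but the key-generation line `openssl genrsa -out tmpkeypairrsa${BITS}.pem -aes256 -passout pass:rrrr 2048` hard-codes the modulus size, so the 3072 pass writes a 2048-bit key into `tmpkeypairrsa3072.der` and the `loadexternal`/`sign` path for a 3072-bit external key is never actually exercised; the last argument should be `${BITS}`. The openssl invocations (genrsa, rsa, ecparam, ec, and both `dgst -sign` calls) are also the only steps with no `checkSuccess $?` after them, so a failure there only shows up later as a confusing `loadexternal` or `verifysignature` error — adding `checkSuccess $?` after each keeps the failure at its source. Finally, the cleanup ends with `rm -r pssig.bin` / `rm -r tmppub.bin` / `rm -r tmppub.pem`, which should be `rm -f` like the lines above them: `-r` is meaningless for regular files and, unlike `-f`, prints an error if a run aborted before the file was created.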
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/teststorage.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/teststorage.bat
new file mode 100644
index 000000000..11a6e16ea
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/teststorage.bat
@@ -0,0 +1,205 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+REM Primary storage key at 80000000 password sto
+REM storage key at 80000001 password sto
+
+echo ""
+echo "RSA Storage key"
+echo ""
+
+echo "Load the RSA storage key 80000001 under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%N in (%ITERATE_ALGS%) do (
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Create an unrestricted signing key under the RSA storage key 80000001 %%N %%~S"
+ %TPM_EXE_PATH%create -hp 80000001 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 111 -nalg %%N %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key 80000002 under the storage key 80000001 %%~S"
+ %TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the signing key 80000002 public area"
+ %TPM_EXE_PATH%readpublic -ho 80000002 -opu tmppub2.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load external just the storage key public part 80000002 %%N"
+ %TPM_EXE_PATH%loadexternal -halg sha256 -nalg %%N -ipu storersa2048pub.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the public key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load external, signing key public part 80000002 %%N"
+ %TPM_EXE_PATH%loadexternal -halg sha256 -nalg %%N -ipu tmppub2.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the public key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+)
+
+echo "Flush the RSA storage key 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "ECC Storage key"
+echo ""
+
+echo "Load ECC the storage key 80000001 under the primary key 80000000"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storeeccpriv.bin -ipu storeeccpub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%N in (%ITERATE_ALGS%) do (
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Create an unrestricted signing key under the ECC storage key 80000001 %%N %%~S"
+ %TPM_EXE_PATH%create -hp 80000001 -si -kt f -kt p -ecc nistp256 -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 111 -nalg %%N %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the ECC signing key 80000002 under the ECC storage key 80000001 %%~S"
+ %TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto %%~S> run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the signing key 80000002 public area"
+ %TPM_EXE_PATH%readpublic -ho 80000002 -opu tmppub2.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load external, storage key public part 80000002 %%N"
+ %TPM_EXE_PATH%loadexternal -halg sha256 -nalg %%N -ipu storeeccpub.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the public key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load external, signing key public part 80000002 %%N"
+ %TPM_EXE_PATH%loadexternal -halg sha256 -nalg %%N -ipu tmppub2.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+)
+
+echo "Flush the ECC storage key 80000001 "
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rm -f tmppub2.bin
+rm -f tmppub.bin
+rm -f tmppriv.bin
+rm -f tmpsig.bin
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
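Review bot: The ECC load line `%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto %%~S> run.out` is missing the space before the redirection that the otherwise identical RSA line has (`... -pwdp sto %%~S > run.out`). When `%%~S` is `-se0 02000000 1` the expanded text ends in `1>`, and whether cmd.exe binds that `1` to the redirection (silently dropping the continue-session attribute) depends on the order in which it performs FOR-variable expansion and redirection parsing — an ambiguity a regression script should not lean on, since a later edit that inlines the value would certainly trip it. Suggest `... -pwdp sto %%~S > run.out` for consistency with the RSA block.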
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/teststorage.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/teststorage.sh
new file mode 100755
index 000000000..f2b91f4bd
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/teststorage.sh
@@ -0,0 +1,164 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# Primary storage key at 80000000 password sto
+# storage key at 80000001 password sto
+
+echo ""
+echo "RSA Storage key"
+echo ""
+
+echo "Load the RSA storage key 80000001 under the primary key 80000000"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for NALG in ${ITERATE_ALGS}
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Create an unrestricted signing key under the RSA storage key 80000001 ${NALG} ${SESS}"
+ ${PREFIX}create -hp 80000001 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 111 -nalg ${NALG} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Load the signing key 80000002 under the storage key 80000001 ${SESS}"
+ ${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Read the signing key 80000002 public area"
+ ${PREFIX}readpublic -ho 80000002 -opu tmppub2.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Load external just the storage key public part 80000002 ${NALG}"
+ ${PREFIX}loadexternal -halg sha256 -nalg ${NALG} -ipu storersa2048pub.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the public key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Load external, signing key public part 80000002 ${NALG}"
+ ${PREFIX}loadexternal -halg sha256 -nalg ${NALG} -ipu tmppub2.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the public key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+ done
+done
+
+echo "Flush the RSA storage key 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "ECC Storage key"
+echo ""
+
+echo "Load ECC the storage key 80000001 under the primary key 80000000"
+${PREFIX}load -hp 80000000 -ipr storeeccpriv.bin -ipu storeeccpub.bin -pwdp sto > run.out
+checkSuccess $?
+
+for NALG in ${ITERATE_ALGS}
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Create an unrestricted signing key under the ECC storage key 80000001 ${NALG} ${SESS}"
+ ${PREFIX}create -hp 80000001 -si -kt f -kt p -ecc nistp256 -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 111 -nalg ${NALG} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Load the ECC signing key 80000002 under the ECC storage key 80000001 ${SESS}"
+ ${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto ${SESS}> run.out
+ checkSuccess $?
+
+ echo "Read the signing key 80000002 public area"
+ ${PREFIX}readpublic -ho 80000002 -opu tmppub2.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Load external, storage key public part 80000002 ${NALG}"
+ ${PREFIX}loadexternal -halg sha256 -nalg ${NALG} -ipu storeeccpub.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the public key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Load external, signing key public part 80000002 ${NALG}"
+ ${PREFIX}loadexternal -halg sha256 -nalg ${NALG} -ipu tmppub2.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+ done
+done
+
+echo "Flush the ECC storage key 80000001 "
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+rm -f tmppub2.bin
+rm -f tmppub.bin
+rm -f tmppriv.bin
+rm -f tmpsig.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
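Review bot: The ECC load line `${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto ${SESS}> run.out` drops the space before `>` that its RSA counterpart has. Bash only treats a literal digit token as a file-descriptor number, so `${SESS}` expanding to `-se0 02000000 1` still passes the `1` (continue-session) attribute through here; but if anyone later inlines the value or quotes it differently, `1> run.out` would consume that attribute, the session would be closed after the first load, and the remaining `-se0 02000000 1` iterations and the final `flushcontext -ha 02000000` would fail for a non-obvious reason. Suggest `... -pwdp sto ${SESS} > run.out`, matching the RSA block; a `# SESS is deliberately unquoted: it carries up to three separate arguments` comment above the loop would also save the next reader a ShellCheck SC2086 detour.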
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testunseal.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testunseal.bat
new file mode 100644
index 000000000..03449e2bc
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testunseal.bat
@@ -0,0 +1,765 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Seal and Unseal to Password"
+echo ""
+
+echo "Create a sealed data object"
+%TPM_EXE_PATH%create -hp 80000000 -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the sealed data object"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Unseal the data blob"
+%TPM_EXE_PATH%unseal -ha 80000001 -pwd sea -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the unsealed result"
+diff msg.bin tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Unseal with bad password - should fail"
+%TPM_EXE_PATH%unseal -ha 80000001 -pwd xxx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the sealed object"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary sealed data object"
+%TPM_EXE_PATH%createprimary -bl -kt f -kt p -pwdk seap -if msg.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Unseal the primary data blob"
+%TPM_EXE_PATH%unseal -ha 80000001 -pwd seap -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the unsealed result"
+diff msg.bin tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary sealed object"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Seal and Unseal to PolicySecret Platform Auth"
+echo ""
+
+REM # policy is policy secret pointing to platform auth
+REM # 000001514000000C plus newline for policyRef
+
+echo "Change platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a sealed data object with policysecret platform auth under primary key"
+%TPM_EXE_PATH%create -hp 80000000 -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policysecretp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the sealed data object under primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Unseal the data blob - policy failure, policysecret not run"
+%TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session and platform auth"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Unseal the data blob"
+%TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the unsealed result"
+diff msg.bin tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change platform hierarchy auth back to null"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sealed object"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # extend of aaa + 0 pad to digest length
+REM # pcrreset -ha 16
+REM # pcrextend -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ic aaa
+REM # pcrread -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ns
+REM #
+REM # 1d47f68aced515f7797371b554e32d47981aa0a0
+REM # c2119764d11613bf07b7e204c35f93732b4ae336b4354ebc16e8d0c3963ebebb
+REM # 292963e31c34c272bdea27154094af9250ad97d9e7446b836d3a737c90ca47df2c399021cedd00853ef08497c5a42384
+REM # 7fe1e4cf015293136bf130183039b6a646ea008b75afd0f8466a9bfe531af8ada867a65828cfce486077529e54f1830aa49ab780562baea49c67a87334ffe778
+REM #
+REM # paste that with no white space to file policypcr16aaasha1.txt, etc.
+REM #
+REM # create AND term for policy PCR, PCR 16
+REM # and then convert to binary policy
+REM
+REM # > policymakerpcr -halg sha1 -bm 10000 -if policies/policypcr16aaasha1.txt -v -pr -of policies/policypcr.txt
+REM # 0000017f00000001000403000001cbf1e9f771d215a017e17979cfd7184f4b674a4d
+REM # convert to binary policy
+REM # > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcr16aaasha1.bin -pr -v
+REM # 12 b6 dd 16 43 82 ca e4 5d 0e d0 7f 9e 51 d1 63
+REM # a4 24 f5 f2
+REM
+REM # > policymakerpcr -halg sha256 -bm 10000 -if policies/policypcr16aaasha256.txt -v -pr -of policies/policypcr.txt
+REM # 0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13
+REM # > policymaker -halg sha256 -if policies/policypcr.txt -of policies/policypcr16aaasha256.bin -pr -v
+REM # 76 44 f6 11 ea 10 d7 60 da b9 36 c3 95 1e 1d 85
+REM # ec db 84 ce 9a 79 03 dd e1 c7 e0 a2 d9 09 a0 13
+REM
+REM # > policymakerpcr -halg sha384 -bm 10000 -if policies/policypcr16aaasha384.txt -v -pr -of policies/policypcr.txt
+REM # 0000017f00000001000c0300000132edb1c501cb0af4f958c9d7f04a8f3122c1025067e3832a5137234ee0d875e9fa99d8d400ca4a37fe13a6f53aeb4932
+REM # > policymaker -halg sha384 -if policies/policypcr.txt -of policies/policypcr16aaasha384.bin -pr -v
+REM # ea aa 8b 90 d2 69 b6 31 c0 85 91 e4 bf 29 a3 12
+REM # 87 04 f2 18 4c 02 ee 83 6a fb c4 c6 7f 28 c1 7f
+REM # 86 ea 22 b7 00 3d 06 fc b4 57 a3 b5 c4 f7 3c 95
+REM
+REM # > policymakerpcr -halg sha512 -bm 10000 -if policies/policypcr16aaasha512.txt -v -pr -of policies/policypcr.txt
+REM # 0000017f00000001000d03000001ea5218788d9d3a79e6f58608e321880aeb33e2282a3a0a87fb5b8868e7c6b3eedb9b66019409d8ea52d77e0dbfee5822c10ad0de3fd5cc776813a60423a7531f
+REM # policymaker -halg sha512 -if policies/policypcr.txt -of policies/policypcr16aaasha512.bin -pr -v
+REM # 1a 57 25 8d 99 64 d8 74 f0 85 0f 2c 8d 70 41 cc
+REM # be 21 c2 0f df 7e 07 e6 b1 99 ea 05 66 46 b7 fb
+REM # 23 55 77 4b 96 7e ab e2 65 db 5a 52 82 08 9c af
+REM # 3c c0 10 e4 99 36 5d ec 7f 0d 3e 6d 2a 62 6d 2e
+
+REM sealed blob 80000001
+REM policy session 03000000
+
+echo ""
+echo "Seal and Unseal to PCR 16"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a sealed data object %%H"
+ %TPM_EXE_PATH%create -hp 80000000 -nalg %%H -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policypcr16aaa%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the sealed data object"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session %%H"
+ %TPM_EXE_PATH%startauthsession -se p -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR 16 Reset"
+ %TPM_EXE_PATH%pcrreset -ha 16 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Unseal the data blob - policy failure, policypcr not run"
+ %TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Policy PCR, update with the wrong PCR 16 value"
+ %TPM_EXE_PATH%policypcr -halg %%H -ha 03000000 -bm 10000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Unseal the data blob - policy failure, PCR 16 incorrect"
+ %TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Extend PCR 16 to correct value"
+ %TPM_EXE_PATH%pcrextend -halg %%H -ha 16 -if policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy restart, set back to zero"
+ %TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy PCR, update with the correct PCR 16 value"
+ %TPM_EXE_PATH%policypcr -halg %%H -ha 03000000 -bm 10000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Unseal the data blob"
+ %TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the unsealed result"
+ diff msg.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sealed object"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the policy session"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+rem # This test uses the same values for PCR 16 and PCR 23 for simplicity.
+rem # For different values, calculate the PCR white list value and change
+rem # the cat line to use two different values.
+
+rem # extend of aaa + 0 pad to digest length
+rem # pcrreset -ha 16
+rem # pcrextend -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ic aaa
+rem # pcrread -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ns
+rem #
+rem # 1d47f68aced515f7797371b554e32d47981aa0a0
+rem # c2119764d11613bf07b7e204c35f93732b4ae336b4354ebc16e8d0c3963ebebb
+rem # 292963e31c34c272bdea27154094af9250ad97d9e7446b836d3a737c90ca47df2c399021cedd00853ef08497c5a42384
+rem # 7fe1e4cf015293136bf130183039b6a646ea008b75afd0f8466a9bfe531af8ada867a65828cfce486077529e54f1830aa49ab780562baea49c67a87334ffe778
+rem #
+rem # paste that with no white space to file policypcr16aaasha1.txt, etc.
+rem #
+rem # create AND term for policy PCR, PCR 16 and 23
+rem # and then convert to binary policy
+
+rem # > cat policies/policypcr16aaasha1.txt policies/policypcr16aaasha1.txt >! policypcra.txt
+rem # > policymakerpcr -halg sha1 -bm 810000 -if policypcra.txt -v -pr -of policypcr.txt
+rem #0000017f0000000100040300008173820c1f0f279933a5a58629fe44d081e740d4ae
+rem # > policymaker -halg sha1 -if policypcr.txt -of policies/policypcr1623aaasha1.bin -pr -v
+rem # policy digest length 20
+rem # b4 ed de a3 35 87 d7 43 29 f6 a8 d1 e7 89 92 64
+rem # 46 f0 4c 85
+
+rem # > cat policies/policypcr16aaasha256.txt policies/policypcr16aaasha256.txt >! policypcra.txt
+rem # > policymakerpcr -halg sha256 -bm 810000 -if policypcra.txt -v -pr -of policypcr.txt
+rem # 0000017f00000001000b030000815a9f104273886b7ec8919a449d440d107d0da5df367e28c6ac145c9023cb5e76
+rem # > policymaker -halg sha256 -if policypcr.txt -of policies/policypcr1623aaasha256.bin -pr -v
+rem # policy digest length 32
+rem # 84 ff 2f f1 2d 37 cb 23 fb 3d 14 d9 66 77 ca ec
+rem # 48 94 5c 0b 83 e5 ea a2 be 98 e9 75 aa 21 e3 d6
+
+rem # > cat policies/policypcr16aaasha384.txt policies/policypcr16aaasha384.txt >! policypcra.txt
+rem # > policymakerpcr -halg sha384 -bm 810000 -if policypcra.txt -v -pr -of policypcr.txt
+rem # 0000017f00000001000c0300008105f7f12c86c3b0ed988d369a96d401bb4a58b74f982eb03e8474cb66076114ba2b933dd95cde1c7ea69d0a797abc99d4
+rem # > policymaker -halg sha384 -if policypcr.txt -of policies/policypcr1623aaasha384.bin -pr -v
+rem # policy digest length 48
+rem # 4b 03 cd b3 eb 07 15 14 7c 49 93 43 a5 65 ee dc
+rem # 86 22 7c 86 36 20 97 a2 5e 0f 34 2e d2 4f 7e ad
+rem # a0 61 8b 5e d7 ba bb e3 5e f0 ab ea 99 55 df 84
+
+rem # > cat policies/policypcr16aaasha512.txt policies/policypcr16aaasha512.txt >! policypcra.txt
+rem # > policymakerpcr -halg sha512 -bm 810000 -if policypcra.txt -v -pr -of policypcr.txt
+rem # 0000017f00000001000d03000081266ae24c92f63b30322e9c22e44e9540313a2223ae79b27eafe798168bef373ac55de22a0ca78ec8b2e9402aa1f8b47b6ef40e9e53aebaa694af58f240efa0fd
+rem # > policymaker -halg sha512 -if policypcr.txt -of policies/policypcr1623aaasha512.bin -pr -v
+rem # policy digest length 64
+rem # 13 84 59 76 b8 d4 d8 a9 a4 7d 75 0e 3e 81 cd c2
+rem # 78 08 ec 95 d7 13 e8 ef 0c 0b 85 c7 38 2e ad 46
+rem # e4 72 31 1d 11 a3 38 17 54 e5 cf 2e 6d 23 67 6d
+rem # 39 5a 93 51 9d f3 f0 90 56 4d 66 f8 7b 90 fc 61
+
+rem # sealed blob 80000001
+rem # policy session 03000000
+
+echo ""
+echo "Seal and Unseal to PCR 16 and 23"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a sealed data object %%H"
+ %TPM_EXE_PATH%create -hp 80000000 -nalg %%H -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policypcr1623aaa%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the sealed data object"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session %%H"
+ %TPM_EXE_PATH%startauthsession -se p -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR 16 Reset"
+ %TPM_EXE_PATH%pcrreset -ha 16 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR 23 Reset"
+ %TPM_EXE_PATH%pcrreset -ha 23 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Extend PCR 16 to correct value"
+ %TPM_EXE_PATH%pcrextend -halg %%H -ha 16 -if policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Extend PCR 23 to correct value"
+ %TPM_EXE_PATH%pcrextend -halg %%H -ha 23 -if policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy PCR, update with the correct PCR 16 and 23 values"
+ %TPM_EXE_PATH%policypcr -halg %%H -ha 03000000 -bm 810000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Unseal the data blob"
+ %TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the unsealed result"
+ diff msg.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sealed object"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the policy session"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+
+REM #
+REM # Sample application to demonstrate the policy authorize solution to
+REM # the PCR brittleness problem when sealing. Rather than sealing
+REM # directly to the PCRs, the blob is sealed to an authorizing public
+REM # key. The authorizing private key signs the approved policy PCR
+REM # digest.
+REM #
+REM # Name for 80000001 authorizing key (output of loadexternal below) is
+REM # used to calculate the policy authorize policy
+REM #
+REM # 00044234c24fc1b9de6693a62453417d2734d7538f6f
+REM # 000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM # 000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
+REM # 000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
+REM #
+REM # Use 0000016a || the above Name, with a following blank line for
+REM # policyRef to make policies/policyauthorizesha[].txt. Use policymaker
+REM # to create the binary policy. This will be the session digest after
+REM # the policyauthorize command.
+REM #
+REM # > policymaker -halg sha[] -if policies/policyauthorizesha[].txt -of policies/policyauthorizesha[].bin -pr
+REM # 16 82 10 58 c0 32 8c c4 e5 2e c4 ec ce 61 6c 0a
+REM # f4 8a 30 88
+REM #
+REM # eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+REM # ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+REM #
+REM # 5c c6 34 89 fe f9 c8 42 7e fe 2c 5f 08 39 74 b6
+REM # d9 a8 36 02 4a cd d9 70 7e f0 b9 fd 15 26 56 da
+REM # a5 07 0a 9b bf d6 66 df 49 d2 5b 8d 50 8e 16 38
+REM #
+REM # c9 c8 29 fb bc 75 54 99 db 48 b7 26 88 24 d1 f8
+REM # 29 72 01 60 6b d6 5f 41 8e 06 98 7e f7 3e 6a 7e
+REM # 25 82 c7 6d 8f 1c 36 43 68 01 ee 56 51 d5 06 b4
+REM # 68 4c fe d1 d0 6a d7 65 23 3f c2 92 94 fd 2c c5
+
+REM # setup and policy PCR calculations
+REM #
+REM # 16 is the debug PCR, a typical application may seal to PCR 0-7
+REM # > pcrreset -ha 16
+REM #
+REM # policies/aaa represents the new 'BIOS' measurement hash extended
+REM # into all PCR banks
+REM #
+REM # > pcrextend -ha 16 -halg [] -if policies/aaa
+REM #
+REM # These are the new PCR values to be authorized. Typically, these are
+REM # calculated by other software based on the enterprise. Here, they're
+REM # just read from the TPM.
+REM #
+REM # > pcrread -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ns
+REM #
+REM # 1d47f68aced515f7797371b554e32d47981aa0a0
+REM # c2119764d11613bf07b7e204c35f93732b4ae336b4354ebc16e8d0c3963ebebb
+REM # 292963e31c34c272bdea27154094af9250ad97d9e7446b836d3a737c90ca47df2c399021cedd00853ef08497c5a42384
+REM # 7fe1e4cf015293136bf130183039b6a646ea008b75afd0f8466a9bfe531af8ada867a65828cfce486077529e54f1830aa49ab780562baea49c67a87334ffe778
+REM #
+REM # Put the above authorized PCR value in an intermediate file
+REM # policies/policypcr16aaasha1.txt for policymakerpcr, and create the
+REM # policypcr AND term policies/policypcr.txt. policymakerpcr prepends the command code and
+REM # PCR select bit mask.
+REM #
+REM # > policymakerpcr -halg sha[] -bm 010000 -if policies/policypcr16aaasha1.txt -of policies/policypcr.txt -pr -v
+REM #
+REM # 0000017f00000001000403000001cbf1e9f771d215a017e17979cfd7184f4b674a4d
+REM # 0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13
+REM # 0000017f00000001000c0300000132edb1c501cb0af4f958c9d7f04a8f3122c1025067e3832a5137234ee0d875e9fa99d8d400ca4a37fe13a6f53aeb4932
+REM # 0000017f00000001000d03000001ea5218788d9d3a79e6f58608e321880aeb33e2282a3a0a87fb5b8868e7c6b3eedb9b66019409d8ea52d77e0dbfee5822c10ad0de3fd5cc776813a60423a7531f
+REM #
+REM # Send the policymakerpcr AND term result to policymaker to create the
+REM # Policy PCR digest. This is the authorized policy signed by the
+REM # authorizing private key.
+REM #
+REM # > policymaker -halg sha[] -if policies/policypcr.txt -of policies/policypcr16aaasha[].bin -v -pr -ns
+REM #
+REM # 12b6dd164382cae45d0ed07f9e51d163a424f5f2
+REM # 7644f611ea10d760dab936c3951e1d85ecdb84ce9a7903dde1c7e0a2d909a013
+REM # eaaa8b90d269b631c08591e4bf29a3128704f2184c02ee836afbc4c67f28c17f86ea22b7003d06fcb457a3b5c4f73c95
+REM # 1a57258d9964d874f0850f2c8d7041ccbe21c20fdf7e07e6b199ea056646b7fb2355774b967eabe265db5a5282089caf3cc010e499365dec7f0d3e6d2a626d2e
+
+echo ""
+echo "Policy PCR with Policy Authorize (PCR brittleness solution)"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ REM # One time task, create sealed blob with policy of policyauthorize
+ REM # with Name of authorizing key
+
+ echo "Create a sealed data object %%H"
+ %TPM_EXE_PATH%create -hp 80000000 -nalg %%H -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -if msg.bin -pol policies/policyauthorize%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM # Once per new PCR approved values, authorizing PCRs in policy%%H.bin
+
+ echo "Openssl generate and sign aHash (empty policyRef) %%H"
+ openssl dgst -%%H -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policypcr16aaa%%H.bin
+
+ REM # Once per boot, simulating setting PCRs to authorized values
+
+ echo "Reset PCR 16 back to zero"
+ %TPM_EXE_PATH%pcrreset -ha 16 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR extend PCR 16 %%H"
+ %TPM_EXE_PATH%pcrextend -ha 16 -halg %%H -if policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM # beginning of unseal process, policy PCR
+
+ echo "Start a policy session %%H"
+ %TPM_EXE_PATH%startauthsession -halg %%H -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy PCR, update with the correct digest %%H"
+ %TPM_EXE_PATH%policypcr -ha 03000000 -halg %%H -bm 10000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy get digest, should be policies/policypcr16aaa%%H.bin"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM # policyauthorize process
+
+ echo "Load external just the public part of PEM authorizing key %%H 80000001"
+ %TPM_EXE_PATH%loadexternal -hi p -halg %%H -nalg %%H -ipem policies/rsapubkey.pem -ns > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature to generate ticket 80000001 %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if policies/policypcr16aaa%%H.bin -is pssig.bin -raw -tk tkt.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy authorize using the ticket"
+ %TPM_EXE_PATH%policyauthorize -ha 03000000 -appr policies/policypcr16aaa%%H.bin -skn h80000001.bin -tk tkt.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get policy digest, should be policies/policyauthorize%%H.bin"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the verification public key 80000001"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM # load the sealed blob and unseal
+
+ echo "Load the sealed data object 80000001"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Unseal the data blob using the policy session"
+ %TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the unsealed result"
+ diff msg.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sealed object"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the policy session"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "Import and Unseal"
+echo ""
+
+REM # primary key P1 80000000
+REM # sealed data S1 80000001 originally under 80000000
+REM # target storage key K1 80000002
+
+for %%A in ("rsa2048" "ecc") do (
+
+ echo "Create a sealed data object S1 under the primary key P1 80000000"
+ %TPM_EXE_PATH%create -hp 80000000 -bl -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policyccduplicate.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the sealed data object S1 at 80000001"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the %%~A storage key K1 80000002"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr store%%~Apriv.bin -ipu store%%~Apub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session 03000000"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code, duplicate"
+ %TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14b > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get policy digest"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Duplicate sealed data object S1 80000001 under %%~A K1 80000002"
+ %TPM_EXE_PATH%duplicate -ho 80000001 -pwdo sig -hp 80000002 -od tmpdup.bin -oss tmpss.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the original S1 to free object slot for import"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Import S1 under %%~A K1 80000002"
+ %TPM_EXE_PATH%import -hp 80000002 -pwdp sto -ipu tmppub.bin -id tmpdup.bin -iss tmpss.bin -opr tmppriv1.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the duplicated sealed data object S1 at 80000001 under %%~A K1 80000002"
+ %TPM_EXE_PATH%load -hp 80000002 -ipr tmppriv1.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Unseal the data blob"
+ %TPM_EXE_PATH%unseal -ha 80000001 -pwd sea -of tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the unsealed result"
+ diff msg.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sealed data object at 80000001"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the storage key at 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the session"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+rm tmppriv.bin
+rm tmppub.bin
+rm tmp.bin
+rm tmpdup.bin
+rm tmpss.bin
+rm tmppriv1.bin
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
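Review bot: The `openssl dgst -sign` step at the top of the policy-authorize loop (the line after `echo "Openssl generate and sign aHash (empty policyRef) %%H"`) is the only command in this file whose exit status is not checked, so a missing openssl, a wrong passphrase or an unreadable rsaprivkey.pem leaves pssig.bin absent or stale and the failure only surfaces later as a confusing verifysignature error; add the same guard every other command uses, `IF !ERRORLEVEL! NEQ 0 (` / ` exit /B 1` / `)`, directly after it. Separately, the two flush messages at the end of the import loop are crossed: "Flush the sealed data object at 80000001" runs `flushcontext -ha 80000002` and "Flush the storage key at 80000002" runs `flushcontext -ha 80000001`; the handles flushed are correct, only the echo text is swapped, so exchange the two strings. The two `policygetdigest` calls in the authorize loop only assert that the command succeeds and never compare the returned digest with policypcr16aaa%%H.bin or policyauthorize%%H.bin, so the "should be" in their labels is not actually verified; if the tool can write the digest to a file, a `diff` against the expected policy file would turn those into real checks.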
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testunseal.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testunseal.sh
new file mode 100755
index 000000000..c48458ea9
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testunseal.sh
@@ -0,0 +1,619 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# used for the name in policy authorize
+
+if [ -z $TPM_DATA_DIR ]; then
+ TPM_DATA_DIR=.
+fi
+
+echo ""
+echo "Seal and Unseal to Password"
+echo ""
+
+echo "Create a sealed data object"
+${PREFIX}create -hp 80000000 -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin > run.out
+checkSuccess $?
+
+echo "Load the sealed data object"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Unseal the data blob"
+${PREFIX}unseal -ha 80000001 -pwd sea -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Verify the unsealed result"
+diff msg.bin tmp.bin > run.out
+checkSuccess $?
+
+echo "Unseal with bad password - should fail"
+${PREFIX}unseal -ha 80000001 -pwd xxx > run.out
+checkFailure $?
+
+echo "Flush the sealed object"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Create a primary sealed data object"
+${PREFIX}createprimary -bl -kt f -kt p -pwdk seap -if msg.bin > run.out
+checkSuccess $?
+
+echo "Unseal the primary data blob"
+${PREFIX}unseal -ha 80000001 -pwd seap -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Verify the unsealed result"
+diff msg.bin tmp.bin > run.out
+checkSuccess $?
+
+echo "Flush the primary sealed object"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Seal and Unseal to PolicySecret Platform Auth"
+echo ""
+
+# policy is policy secret pointing to platform auth
+# 000001514000000C plus newline for policyRef
+
+echo "Change platform hierarchy auth"
+${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
+checkSuccess $?
+
+echo "Create a sealed data object with policysecret platform auth under primary key"
+${PREFIX}create -hp 80000000 -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policysecretp.bin > run.out
+checkSuccess $?
+
+echo "Load the sealed data object under primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Unseal the data blob - policy failure, policysecret not run"
+${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session and platform auth"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 -pwde ppp > run.out
+checkSuccess $?
+
+echo "Unseal the data blob"
+${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Verify the unsealed result"
+diff msg.bin tmp.bin > run.out
+checkSuccess $?
+
+echo "Change platform hierarchy auth back to null"
+${PREFIX}hierarchychangeauth -hi p -pwda ppp > run.out
+checkSuccess $?
+
+echo "Flush the sealed object"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+# extend of aaa + 0 pad to digest length
+# pcrreset -ha 16
+# pcrextend -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ic aaa
+# pcrread -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ns
+#
+# 1d47f68aced515f7797371b554e32d47981aa0a0
+# c2119764d11613bf07b7e204c35f93732b4ae336b4354ebc16e8d0c3963ebebb
+# 292963e31c34c272bdea27154094af9250ad97d9e7446b836d3a737c90ca47df2c399021cedd00853ef08497c5a42384
+# 7fe1e4cf015293136bf130183039b6a646ea008b75afd0f8466a9bfe531af8ada867a65828cfce486077529e54f1830aa49ab780562baea49c67a87334ffe778
+#
+# paste that with no white space to file policypcr16aaasha1.txt, etc.
+#
+# create AND term for policy PCR, PCR 16
+# and then convert to binary policy
+
+# > policymakerpcr -halg sha1 -bm 10000 -if policies/policypcr16aaasha1.txt -v -pr -of policies/policypcr.txt
+# 0000017f00000001000403000001cbf1e9f771d215a017e17979cfd7184f4b674a4d
+# convert to binary policy
+# > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcr16aaasha1.bin -pr -v
+# 12 b6 dd 16 43 82 ca e4 5d 0e d0 7f 9e 51 d1 63
+# a4 24 f5 f2
+
+# > policymakerpcr -halg sha256 -bm 10000 -if policies/policypcr16aaasha256.txt -v -pr -of policies/policypcr.txt
+# 0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13
+# > policymaker -halg sha256 -if policies/policypcr.txt -of policies/policypcr16aaasha256.bin -pr -v
+# 76 44 f6 11 ea 10 d7 60 da b9 36 c3 95 1e 1d 85
+# ec db 84 ce 9a 79 03 dd e1 c7 e0 a2 d9 09 a0 13
+
+# > policymakerpcr -halg sha384 -bm 10000 -if policies/policypcr16aaasha384.txt -v -pr -of policies/policypcr.txt
+# 0000017f00000001000c0300000132edb1c501cb0af4f958c9d7f04a8f3122c1025067e3832a5137234ee0d875e9fa99d8d400ca4a37fe13a6f53aeb4932
+# > policymaker -halg sha384 -if policies/policypcr.txt -of policies/policypcr16aaasha384.bin -pr -v
+# ea aa 8b 90 d2 69 b6 31 c0 85 91 e4 bf 29 a3 12
+# 87 04 f2 18 4c 02 ee 83 6a fb c4 c6 7f 28 c1 7f
+# 86 ea 22 b7 00 3d 06 fc b4 57 a3 b5 c4 f7 3c 95
+
+# > policymakerpcr -halg sha512 -bm 10000 -if policies/policypcr16aaasha512.txt -v -pr -of policies/policypcr.txt
+# 0000017f00000001000d03000001ea5218788d9d3a79e6f58608e321880aeb33e2282a3a0a87fb5b8868e7c6b3eedb9b66019409d8ea52d77e0dbfee5822c10ad0de3fd5cc776813a60423a7531f
+# policymaker -halg sha512 -if policies/policypcr.txt -of policies/policypcr16aaasha512.bin -pr -v
+# 1a 57 25 8d 99 64 d8 74 f0 85 0f 2c 8d 70 41 cc
+# be 21 c2 0f df 7e 07 e6 b1 99 ea 05 66 46 b7 fb
+# 23 55 77 4b 96 7e ab e2 65 db 5a 52 82 08 9c af
+# 3c c0 10 e4 99 36 5d ec 7f 0d 3e 6d 2a 62 6d 2e
+
+# sealed blob 80000001
+# policy session 03000000
+
+echo ""
+echo "Seal and Unseal to PCR 16"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Create a sealed data object ${HALG}"
+ ${PREFIX}create -hp 80000000 -nalg ${HALG} -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policypcr16aaa${HALG}.bin > run.out
+ checkSuccess $?
+
+ echo "Load the sealed data object"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Start a policy session ${HALG}"
+ ${PREFIX}startauthsession -se p -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "PCR 16 Reset"
+ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+
+ echo "Unseal the data blob - policy failure, policypcr not run"
+ ${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ checkFailure $?
+
+ echo "Policy PCR, update with the wrong PCR 16 value"
+ ${PREFIX}policypcr -halg ${HALG} -ha 03000000 -bm 10000 > run.out
+ checkSuccess $?
+
+ echo "Unseal the data blob - policy failure, PCR 16 incorrect"
+ ${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ checkFailure $?
+
+ echo "Extend PCR 16 to correct value"
+ ${PREFIX}pcrextend -halg ${HALG} -ha 16 -if policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Policy restart, set back to zero"
+ ${PREFIX}policyrestart -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Policy PCR, update with the correct PCR 16 value"
+ ${PREFIX}policypcr -halg ${HALG} -ha 03000000 -bm 10000 > run.out
+ checkSuccess $?
+
+ echo "Unseal the data blob"
+ ${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Verify the unsealed result"
+ diff msg.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the sealed object"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the policy session"
+ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+done
+
+# This test uses the same values for PCR 16 and PCR 23 for simplicity.
+# For different values, calculate the PCR white list value and change
+# the cat line to use two different values.
+
+# extend of aaa + 0 pad to digest length
+# pcrreset -ha 16
+# pcrextend -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ic aaa
+# pcrread -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ns
+#
+# 1d47f68aced515f7797371b554e32d47981aa0a0
+# c2119764d11613bf07b7e204c35f93732b4ae336b4354ebc16e8d0c3963ebebb
+# 292963e31c34c272bdea27154094af9250ad97d9e7446b836d3a737c90ca47df2c399021cedd00853ef08497c5a42384
+# 7fe1e4cf015293136bf130183039b6a646ea008b75afd0f8466a9bfe531af8ada867a65828cfce486077529e54f1830aa49ab780562baea49c67a87334ffe778
+#
+# paste that with no white space to file policypcr16aaasha1.txt, etc.
+#
+# create AND term for policy PCR, PCR 16 and 23
+# and then convert to binary policy
+
+# > cat policies/policypcr16aaasha1.txt policies/policypcr16aaasha1.txt >! policypcra.txt
+# > policymakerpcr -halg sha1 -bm 810000 -if policypcra.txt -v -pr -of policypcr.txt
+#0000017f0000000100040300008173820c1f0f279933a5a58629fe44d081e740d4ae
+# > policymaker -halg sha1 -if policypcr.txt -of policies/policypcr1623aaasha1.bin -pr -v
+ # policy digest length 20
+ # b4 ed de a3 35 87 d7 43 29 f6 a8 d1 e7 89 92 64
+ # 46 f0 4c 85
+
+# > cat policies/policypcr16aaasha256.txt policies/policypcr16aaasha256.txt >! policypcra.txt
+# > policymakerpcr -halg sha256 -bm 810000 -if policypcra.txt -v -pr -of policypcr.txt
+# 0000017f00000001000b030000815a9f104273886b7ec8919a449d440d107d0da5df367e28c6ac145c9023cb5e76
+# > policymaker -halg sha256 -if policypcr.txt -of policies/policypcr1623aaasha256.bin -pr -v
+ # policy digest length 32
+ # 84 ff 2f f1 2d 37 cb 23 fb 3d 14 d9 66 77 ca ec
+ # 48 94 5c 0b 83 e5 ea a2 be 98 e9 75 aa 21 e3 d6
+
+# > cat policies/policypcr16aaasha384.txt policies/policypcr16aaasha384.txt >! policypcra.txt
+# > policymakerpcr -halg sha384 -bm 810000 -if policypcra.txt -v -pr -of policypcr.txt
+# 0000017f00000001000c0300008105f7f12c86c3b0ed988d369a96d401bb4a58b74f982eb03e8474cb66076114ba2b933dd95cde1c7ea69d0a797abc99d4
+# > policymaker -halg sha384 -if policypcr.txt -of policies/policypcr1623aaasha384.bin -pr -v
+ # policy digest length 48
+ # 4b 03 cd b3 eb 07 15 14 7c 49 93 43 a5 65 ee dc
+ # 86 22 7c 86 36 20 97 a2 5e 0f 34 2e d2 4f 7e ad
+ # a0 61 8b 5e d7 ba bb e3 5e f0 ab ea 99 55 df 84
+
+# > cat policies/policypcr16aaasha512.txt policies/policypcr16aaasha512.txt >! policypcra.txt
+# > policymakerpcr -halg sha512 -bm 810000 -if policypcra.txt -v -pr -of policypcr.txt
+# 0000017f00000001000d03000081266ae24c92f63b30322e9c22e44e9540313a2223ae79b27eafe798168bef373ac55de22a0ca78ec8b2e9402aa1f8b47b6ef40e9e53aebaa694af58f240efa0fd
+# > policymaker -halg sha512 -if policypcr.txt -of policies/policypcr1623aaasha512.bin -pr -v
+ # policy digest length 64
+ # 13 84 59 76 b8 d4 d8 a9 a4 7d 75 0e 3e 81 cd c2
+ # 78 08 ec 95 d7 13 e8 ef 0c 0b 85 c7 38 2e ad 46
+ # e4 72 31 1d 11 a3 38 17 54 e5 cf 2e 6d 23 67 6d
+ # 39 5a 93 51 9d f3 f0 90 56 4d 66 f8 7b 90 fc 61
+
+# sealed blob 80000001
+# policy session 03000000
+
+echo ""
+echo "Seal and Unseal to PCR 16 and 23"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Create a sealed data object ${HALG}"
+ ${PREFIX}create -hp 80000000 -nalg ${HALG} -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policypcr1623aaa${HALG}.bin > run.out
+ checkSuccess $?
+
+ echo "Load the sealed data object"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Start a policy session ${HALG}"
+ ${PREFIX}startauthsession -se p -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "PCR 16 Reset"
+ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+
+ echo "PCR 23 Reset"
+ ${PREFIX}pcrreset -ha 23 > run.out
+ checkSuccess $?
+
+ echo "Extend PCR 16 to correct value"
+ ${PREFIX}pcrextend -halg ${HALG} -ha 16 -if policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Extend PCR 23 to correct value"
+ ${PREFIX}pcrextend -halg ${HALG} -ha 23 -if policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Policy PCR, update with the correct PCR 16 and 23 values"
+ ${PREFIX}policypcr -halg ${HALG} -ha 03000000 -bm 810000 > run.out
+ checkSuccess $?
+
+ echo "Unseal the data blob"
+ ${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Verify the unsealed result"
+ diff msg.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the sealed object"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the policy session"
+ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+done
+
+#
+# Sample application to demonstrate the policy authorize solution to
+# the PCR brittleness problem when sealing. Rather than sealing
+# directly to the PCRs, the blob is sealed to an authorizing public
+# key. The authorizing private key signs the approved policy PCR
+# digest.
+#
+# Name for 80000001 authorizing key (output of loadexternal below) is
+# used to calculate the policy authorize policy
+#
+# 00044234c24fc1b9de6693a62453417d2734d7538f6f
+# 000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+# 000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
+# 000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
+#
+# Use 0000016a || the above Name, with a following blank line for
+# policyRef to make policies/policyauthorizesha[].txt. Use policymaker
+# to create the binary policy. This will be the session digest after
+# the policyauthorize command.
+#
+# > policymaker -halg sha[] -if policies/policyauthorizesha[].txt -of policies/policyauthorizesha[].bin -pr
+# 16 82 10 58 c0 32 8c c4 e5 2e c4 ec ce 61 6c 0a
+# f4 8a 30 88
+#
+# eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+# ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+#
+# 5c c6 34 89 fe f9 c8 42 7e fe 2c 5f 08 39 74 b6
+# d9 a8 36 02 4a cd d9 70 7e f0 b9 fd 15 26 56 da
+# a5 07 0a 9b bf d6 66 df 49 d2 5b 8d 50 8e 16 38
+#
+# c9 c8 29 fb bc 75 54 99 db 48 b7 26 88 24 d1 f8
+# 29 72 01 60 6b d6 5f 41 8e 06 98 7e f7 3e 6a 7e
+# 25 82 c7 6d 8f 1c 36 43 68 01 ee 56 51 d5 06 b4
+# 68 4c fe d1 d0 6a d7 65 23 3f c2 92 94 fd 2c c5
+
+# setup and policy PCR calculations
+#
+# 16 is the debug PCR, a typical application may seal to PCR 0-7
+# > pcrreset -ha 16
+#
+# policies/aaa represents the new 'BIOS' measurement hash extended
+# into all PCR banks
+#
+# > pcrextend -ha 16 -halg [] -if policies/aaa
+#
+# These are the new PCR values to be authorized. Typically, these are
+# calculated by other software based on the enterprise. Here, they're
+# just read from the TPM.
+#
+# > pcrread -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ns
+#
+# 1d47f68aced515f7797371b554e32d47981aa0a0
+# c2119764d11613bf07b7e204c35f93732b4ae336b4354ebc16e8d0c3963ebebb
+# 292963e31c34c272bdea27154094af9250ad97d9e7446b836d3a737c90ca47df2c399021cedd00853ef08497c5a42384
+# 7fe1e4cf015293136bf130183039b6a646ea008b75afd0f8466a9bfe531af8ada867a65828cfce486077529e54f1830aa49ab780562baea49c67a87334ffe778
+#
+# Put the above authorized PCR value in an intermediate file
+# policies/policypcr16aaasha1.txt for policymakerpcr, and create the
+# policypcr AND term policies/policypcr.txt. policymakerpcr prepends the command code and
+# PCR select bit mask.
+#
+# > policymakerpcr -halg sha[] -bm 010000 -if policies/policypcr16aaasha1.txt -of policies/policypcr.txt -pr -v
+#
+# 0000017f00000001000403000001cbf1e9f771d215a017e17979cfd7184f4b674a4d
+# 0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13
+# 0000017f00000001000c0300000132edb1c501cb0af4f958c9d7f04a8f3122c1025067e3832a5137234ee0d875e9fa99d8d400ca4a37fe13a6f53aeb4932
+# 0000017f00000001000d03000001ea5218788d9d3a79e6f58608e321880aeb33e2282a3a0a87fb5b8868e7c6b3eedb9b66019409d8ea52d77e0dbfee5822c10ad0de3fd5cc776813a60423a7531f
+#
+# Send the policymakerpcr AND term result to policymaker to create the
+# Policy PCR digest. This is the authorized policy signed by the
+# authorizing private key.
+#
+# > policymaker -halg sha[] -if policies/policypcr.txt -of policies/policypcr16aaasha[].bin -v -pr -ns
+#
+# 12b6dd164382cae45d0ed07f9e51d163a424f5f2
+# 7644f611ea10d760dab936c3951e1d85ecdb84ce9a7903dde1c7e0a2d909a013
+# eaaa8b90d269b631c08591e4bf29a3128704f2184c02ee836afbc4c67f28c17f86ea22b7003d06fcb457a3b5c4f73c95
+# 1a57258d9964d874f0850f2c8d7041ccbe21c20fdf7e07e6b199ea056646b7fb2355774b967eabe265db5a5282089caf3cc010e499365dec7f0d3e6d2a626d2e
+
+echo ""
+echo "Policy PCR with Policy Authorize (PCR brittleness solution)"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+ # One time task, create sealed blob with policy of policyauthorize
+ # with Name of authorizing key
+
+ echo "Create a sealed data object ${HALG}"
+ ${PREFIX}create -hp 80000000 -nalg ${HALG} -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -if msg.bin -pol policies/policyauthorize${HALG}.bin > run.out
+ checkSuccess $?
+
+ # Once per new PCR approved values, authorizing PCRs in policy${HALG}.bin
+
+ echo "Openssl generate and sign aHash (empty policyRef) ${HALG}"
+ openssl dgst -${HALG} -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policypcr16aaa${HALG}.bin > run.out 2>&1
+
+ # Once per boot, simulating setting PCRs to authorized values
+
+ echo "Reset PCR 16 back to zero"
+ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+
+ echo "PCR extend PCR 16 ${HALG}"
+ ${PREFIX}pcrextend -ha 16 -halg ${HALG} -if policies/aaa > run.out
+ checkSuccess $?
+
+ # beginning of unseal process, policy PCR
+
+ echo "Start a policy session ${HALG}"
+ ${PREFIX}startauthsession -halg ${HALG} -se p > run.out
+ checkSuccess $?
+
+ echo "Policy PCR, update with the correct digest ${HALG}"
+ ${PREFIX}policypcr -ha 03000000 -halg ${HALG} -bm 10000 > run.out
+ checkSuccess $?
+
+ echo "Policy get digest, should be policies/policypcr16aaa${HALG}.bin"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ # policyauthorize process
+
+ echo "Load external just the public part of PEM authorizing key ${HALG} 80000001"
+ ${PREFIX}loadexternal -hi p -halg ${HALG} -nalg ${HALG} -ipem policies/rsapubkey.pem -ns > run.out
+ checkSuccess $?
+
+ echo "Verify the signature to generate ticket 80000001 ${HALG}"
+ ${PREFIX}verifysignature -hk 80000001 -halg ${HALG} -if policies/policypcr16aaa${HALG}.bin -is pssig.bin -raw -tk tkt.bin > run.out
+ checkSuccess $?
+
+ echo "Policy authorize using the ticket"
+ ${PREFIX}policyauthorize -ha 03000000 -appr policies/policypcr16aaa${HALG}.bin -skn ${TPM_DATA_DIR}/h80000001.bin -tk tkt.bin > run.out
+ checkSuccess $?
+
+ echo "Get policy digest, should be policies/policyauthorize${HALG}.bin"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Flush the verification public key 80000001"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ # load the sealed blob and unseal
+
+ echo "Load the sealed data object 80000001"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Unseal the data blob using the policy session"
+ ${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Verify the unsealed result"
+ diff msg.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the sealed object"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the policy session"
+ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Import and Unseal"
+echo ""
+
+# primary key P1 80000000
+# sealed data S1 80000001 originally under 80000000
+# target storage key K1 80000002
+
+for ALG in "rsa2048" "ecc"
+do
+
+ echo "Create a sealed data object S1 under the primary key P1 80000000"
+ ${PREFIX}create -hp 80000000 -bl -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policyccduplicate.bin > run.out
+ checkSuccess $?
+
+ echo "Load the sealed data object S1 at 80000001"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Load the ${ALG} storage key K1 80000002"
+ ${PREFIX}load -hp 80000000 -ipr store${ALG}priv.bin -ipu store${ALG}pub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Start a policy session 03000000"
+ ${PREFIX}startauthsession -se p > run.out
+ checkSuccess $?
+
+ echo "Policy command code, duplicate"
+ ${PREFIX}policycommandcode -ha 03000000 -cc 14b > run.out
+ checkSuccess $?
+
+ echo "Get policy digest"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Duplicate sealed data object S1 80000001 under ${ALG} K1 80000002"
+ ${PREFIX}duplicate -ho 80000001 -pwdo sig -hp 80000002 -od tmpdup.bin -oss tmpss.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Flush the original S1 to free object slot for import"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Import S1 under ${ALG} K1 80000002"
+ ${PREFIX}import -hp 80000002 -pwdp sto -ipu tmppub.bin -id tmpdup.bin -iss tmpss.bin -opr tmppriv1.bin > run.out
+ checkSuccess $?
+
+ echo "Load the duplicated sealed data object S1 at 80000001 under ${ALG} K1 80000002"
+ ${PREFIX}load -hp 80000002 -ipr tmppriv1.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Unseal the data blob"
+ ${PREFIX}unseal -ha 80000001 -pwd sea -of tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the unsealed result"
+ diff msg.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the sealed data object at 80000001"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Flush the storage key at 80000002"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the session"
+ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+done
+
+rm -r tmppriv.bin
+rm -r tmppub.bin
+rm -r tmp.bin
+rm -f tmpdup.bin
+rm -f tmpss.bin
+rm -f tmppriv1.bin
+rm -f pssig.bin
+rm -f tkt.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
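Review bot: The `openssl dgst -${HALG} -sign ... -out pssig.bin policies/policypcr16aaa${HALG}.bin` step in the policy authorize loop is the only command in this hunk not followed by `checkSuccess $?`, so a signing failure (missing key file, wrong passphrase, unsupported digest) is silently swallowed and only surfaces later as a confusing verifysignature failure; add `checkSuccess $?` directly after it. In the import loop the two flush messages are swapped relative to the handles they flush: "Flush the sealed data object at 80000001" runs `flushcontext -ha 80000002` and "Flush the storage key at 80000002" runs `flushcontext -ha 80000001`; both handles are released so the test still passes, but the log misleads when one of them fails (the same swap appears in the testunseal.bat hunk above). The cleanup at the end uses `rm -r` on three regular files and `rm -f` on the rest; `rm -f` for all of them is consistent, keeps the already-removed case quiet, and drops the recursive flag on plain files. The guard `if [ -z $TPM_DATA_DIR ]` should quote the expansion, `if [ -z "$TPM_DATA_DIR" ]; then`, so the test is well-formed when the variable is unset or contains whitespace.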
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testx509.bat b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testx509.bat
new file mode 100644
index 000000000..d6a677f76
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testx509.bat
@@ -0,0 +1,426 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2018 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "TPM2_CertifyX509"
+echo ""
+
+rem # basic test
+
+rem # sign%%Arpriv.bin is a restricted signing key
+rem # sign%%Apriv.bin is an unrestricted signing key
+
+set SALG=rsa ecc
+set SKEY=rsa2048 ecc
+
+set i=0
+for %%a in (!SALG!) do set /A i+=1 & set SALG[!i!]=%%a
+set i=0
+for %%b in (!SKEY!) do set /A i+=1 & set SKEY[!i!]=%%b
+set L=!i!
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Load the !SALG[%%i]! issuer key 80000001 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr sign!SKEY[%%i]!rpriv.bin -ipu sign!SKEY[%%i]!rpub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the !SALG[%%i]! subject key 80000002 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr sign!SKEY[%%i]!priv.bin -ipu sign!SKEY[%%i]!pub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Self Certify CA Root !SKEY[%%i]!"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000001 -halg sha256 -pwdk sig -pwdo sig -opc tmppart1.bin -os tmpsig1.bin -oa tmpadd1.bin -otbs tmptbs1.bin -ocert tmpx5091.bin -salg !SALG[%%i]! -sub -v -iob 00050472 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+
+ rem # dumpasn1 -a -l -d tmpx509i.bin > tmpx509i1.dump
+ rem # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i1.dumphh
+ rem # dumpasn1 -a -l -d tmppart1.bin > tmppart1.dump
+ rem # dumpasn1 -a -l -d -hh tmppart1.bin > tmppart1.dumphh
+ rem # dumpasn1 -a -l -d tmpadd1.bin > tmpadd1.dump
+ rem # dumpasn1 -a -l -d -hh tmpadd1.bin > tmpadd1.dumphh
+ rem # dumpasn1 -a -l -d tmpx5091.bin > tmpx5091.dump
+ rem # dumpasn1 -a -l -d -hh tmpx5091.bin > tmpx5091.dumphh
+ rem # openssl x509 -text -inform der -in tmpx5091.bin -noout > tmpx5091.txt
+
+ echo "Convert issuer X509 DER to PEM"
+ openssl x509 -inform der -in tmpx5091.bin -out tmpx5091.pem
+
+ echo "Verify !SKEY[%%i]! self signed issuer root"
+ openssl verify -CAfile tmpx5091.pem tmpx5091.pem
+
+ echo "Signing Key Certify !SALG[%%i]!"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -iob 00040472 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+rem # dumpasn1 -a -l -d tmpx509i.bin > tmpx509i2.dump
+rem # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i2.dumphh
+rem # dumpasn1 -a -l -d tmppart2.bin > tmppart2.dump
+rem # dumpasn1 -a -l -d -hh tmppart2.bin > tmppart2.dumphhe
+rem # dumpasn1 -a -l -d tmpadd2.bin > tmpadd2.dump
+rem # dumpasn1 -a -l -d -hh tmpadd2.bin > tmpadd2.dumphh
+rem # dumpasn1 -a -l -d tmpx5092.bin > tmpx5092.dump
+rem # dumpasn1 -a -l -d -hh tmpx5092.bin > tmpx5092.dumphh
+rem # openssl x509 -text -inform der -in tmpx5092.bin -noout > tmpx5092.txt
+
+ echo "Convert subject X509 DER to PEM"
+ openssl x509 -inform der -in tmpx5092.bin -out tmpx5092.pem
+
+ echo "Verify !SKEY[%%i]! subject against issuer"
+ openssl verify -CAfile tmpx5091.pem tmpx5092.pem
+
+
+ echo "Signing Key Certify !SALG[%%i]! with bad OID"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -iob ffffffff > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+rem # bad der, test bits for 250 bytes
+rem # better to get size from tmppart2.bin
+
+rem # for bit in {0..2}
+rem # do
+rem # echo "Signing Key Certify !SKEY[%%i]! testing bit $bit"
+rem # %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -bit $bit > run.out
+ rem IF !ERRORLEVEL! NEQ 0 (
+ rem exit /B 1
+ rem )
+
+ echo "Flush the root CA issuer signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the subject signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+rem # bad extensions for key type
+
+echo ""
+echo "TPM2_CertifyX509 Key Usage Extension for fixedTPM signing key"
+echo ""
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Load the !SKEY[%%i]! issuer key 80000001 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr sign!SKEY[%%i]!rpriv.bin -ipu sign!SKEY[%%i]!rpub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the !SKEY[%%i]! subject key 80000002 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr sign!SKEY[%%i]!priv.bin -ipu sign!SKEY[%%i]!pub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! digitalSignature"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,digitalSignature > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! nonRepudiation"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,nonRepudiation > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyEncipherment"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyEncipherment > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! dataEncipherment"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,dataEncipherment > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyAgreement"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyAgreement > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyCertSign"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyCertSign > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! cRLSign"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,cRLSign > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! encipherOnly"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,encipherOnly > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! decipherOnly"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,decipherOnly > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Flush the root CA issuer signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the subject signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "TPM2_CertifyX509 Key Usage Extension for not fixedTPM signing key"
+echo ""
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Load the !SKEY[%%i]! issuer key 80000001 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr sign!SKEY[%%i]!nfpriv.bin -ipu sign!SKEY[%%i]!nfpub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the !SKEY[%%i]! subject key 80000002 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr sign!SKEY[%%i]!nfpriv.bin -ipu sign!SKEY[%%i]!nfpub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! digitalSignature"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,digitalSignature > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! nonRepudiation"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,nonRepudiation > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyEncipherment"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyEncipherment > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! dataEncipherment"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,dataEncipherment > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyAgreement"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyAgreement > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyCertSign"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyCertSign > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! cRLSign"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,cRLSign > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! encipherOnly"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,encipherOnly > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! decipherOnly"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg!SALG[%%i]!A -ku critical,decipherOnly > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Flush the root CA issuer signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the subject signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "TPM2_CertifyX509 Key Usage Extension for fixedTpm restricted encryption key"
+echo ""
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Load the !SKEY[%%i]! issuer key 80000001 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr sign!SKEY[%%i]!rpriv.bin -ipu sign!SKEY[%%i]!rpub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the !SKEY[%%i]! subject key 80000002 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr store!SKEY[%%i]!priv.bin -ipu store!SKEY[%%i]!pub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! digitalSignature"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,digitalSignature > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! nonRepudiation"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,nonRepudiation > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyEncipherment"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyEncipherment > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! dataEncipherment"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,dataEncipherment > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyAgreement"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyAgreement > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyCertSign"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyCertSign > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! cRLSign"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,cRLSign > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! encipherOnly"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,encipherOnly > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! decipherOnly"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,decipherOnly > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the root CA issuer signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the subject signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+rem # cleanup
+
+rm tmppart1.bin
+rm tmpadd1.bin
+rm tmptbs1.bin
+rm tmpsig1.bin
+rm tmpx5091.bin
+rm tmpx5091.pem
+rm tmpx5092.pem
+rm tmpx509i.bin
+rm tmppart2.bin
+rm tmpadd2.bin
+rm tmptbs2.bin
+rm tmpsig2.bin
+rm tmpx5092.bin
+
+exit /B 0
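Review bot: The two `openssl verify` calls in the basic-test loop (self-signed root check and subject-against-issuer check) carry no `IF !ERRORLEVEL! NEQ 0` guard, so a certificate whose TPM signature does not validate is only printed and never fails the run, unlike every certifyx509 call around them; add the same guard `IF !ERRORLEVEL! NEQ 0 (` / `exit /B 1` / `)` after each verify, and likewise after the two `openssl x509` DER-to-PEM conversions whose failure would otherwise surface only as a missing PEM. The same unchecked verify appears in testx509.sh in the next hunk, where its output is additionally redirected into run.out. Separately, the decipherOnly case of the "not fixedTPM signing key" loop passes `-salg!SALG[%%i]!A` (missing space, stray `A`), which most likely expands to a single unrecognised option; the resulting non-zero exit then satisfies the `EQU 0` check for the wrong reason, so the TPM's rejection of that key-usage bit is never actually exercised — it should read `-salg !SALG[%%i]! -ku critical,decipherOnly`.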
diff --git a/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testx509.sh b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testx509.sh
new file mode 100755
index 000000000..a41cfcca1
--- /dev/null
+++ b/roms/skiboot/libstb/tss2/ibmtpm20tss/utils/regtests/testx509.sh
@@ -0,0 +1,342 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2019 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# The mbedtls port does not support TPM2_CertifyX509 yet */
+
+if [ ${CRYPTOLIBRARY} == "openssl" ]; then
+
+echo ""
+echo "TPM2_CertifyX509"
+echo ""
+
+# basic test
+
+# sign${SKEY[i]}rpriv.bin is a restricted signing key
+# sign${SKEY[i]}priv.bin is an unrestricted signing key
+
+SALG=(rsa ecc)
+SKEY=(rsa2048 ecc)
+
+for ((i = 0 ; i < 2 ; i++))
+do
+
+ echo "Load the ${SALG[i]} issuer key 80000001 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr sign${SKEY[i]}rpriv.bin -ipu sign${SKEY[i]}rpub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Load the ${SALG[i]} subject key 80000002 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr sign${SKEY[i]}priv.bin -ipu sign${SKEY[i]}pub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Signing Key Self Certify CA Root ${SALG[i]}"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000001 -halg sha256 -pwdk sig -pwdo sig -opc tmppart1.bin -os tmpsig1.bin -oa tmpadd1.bin -otbs tmptbs1.bin -ocert tmpx5091.bin -salg ${SALG[i]} -sub -v -iob 00050472 > run.out
+ checkSuccess $?
+
+
+ # dumpasn1 -a -l -d tmpx509i.bin > tmpx509i1.dump
+ # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i1.dumphh
+ # dumpasn1 -a -l -d tmppart1.bin > tmppart1.dump
+ # dumpasn1 -a -l -d -hh tmppart1.bin > tmppart1.dumphh
+ # dumpasn1 -a -l -d tmpadd1.bin > tmpadd1.dump
+ # dumpasn1 -a -l -d -hh tmpadd1.bin > tmpadd1.dumphh
+ # dumpasn1 -a -l -d tmpx5091.bin > tmpx5091.dump
+ # dumpasn1 -a -l -d -hh tmpx5091.bin > tmpx5091.dumphh
+ # openssl x509 -text -inform der -in tmpx5091.bin -noout > tmpx5091.txt
+
+ echo "Convert issuer X509 DER to PEM"
+ openssl x509 -inform der -in tmpx5091.bin -out tmpx5091.pem > run.out 2>&1
+ echo " INFO:"
+
+ echo "Verify ${SALG[i]} self signed issuer root"
+ echo -n " INFO: "
+ openssl verify -CAfile tmpx5091.pem tmpx5091.pem > run.out 2>&1
+
+ echo "Signing Key Certify ${SALG[i]}"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -iob 00040472 > run.out
+ checkSuccess $?
+
+ # dumpasn1 -a -l -d tmpx509i.bin > tmpx509i2.dump
+ # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i2.dumphh
+ # dumpasn1 -a -l -d tmppart2.bin > tmppart2.dump
+ # dumpasn1 -a -l -d -hh tmppart2.bin > tmppart2.dumphhe
+ # dumpasn1 -a -l -d tmpadd2.bin > tmpadd2.dump
+ # dumpasn1 -a -l -d -hh tmpadd2.bin > tmpadd2.dumphh
+ # dumpasn1 -a -l -d tmpx5092.bin > tmpx5092.dump
+ # dumpasn1 -a -l -d -hh tmpx5092.bin > tmpx5092.dumphh
+ # openssl x509 -text -inform der -in tmpx5092.bin -noout > tmpx5092.txt
+
+ echo "Convert subject X509 DER to PEM"
+ openssl x509 -inform der -in tmpx5092.bin -out tmpx5092.pem > run.out 2>&1
+ echo " INFO:"
+
+ echo "Verify ${SALG[i]} subject against issuer"
+ echo -n " INFO: "
+ openssl verify -CAfile tmpx5091.pem tmpx5092.pem > run.out 2>&1
+
+
+ echo "Signing Key Certify ${SALG[i]} with bad OID"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -iob ffffffff > run.out
+ checkFailure $?
+
+# bad der, test bits for 250 bytes
+# better to get size from tmppart2.bin
+
+ # for bit in {0..2}
+ # do
+ # echo "Signing Key Certify ${SALG[i]} testing bit $bit"
+ # ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -bit $bit > run.out
+ # checkSuccess0 $?
+ # done
+
+ echo "Flush the root CA issuer signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the subject signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+done
+
+# bad extensions for key type
+
+echo ""
+echo "TPM2_CertifyX509 Key Usage Extension for fixedTPM signing key"
+echo ""
+
+for ((i = 0 ; i < 2 ; i++))
+do
+
+ echo "Load the ${SALG[i]} issuer key 80000001 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr sign${SKEY[i]}rpriv.bin -ipu sign${SKEY[i]}rpub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Load the ${SALG[i]} subject key 80000002 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr sign${SKEY[i]}priv.bin -ipu sign${SKEY[i]}pub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} digitalSignature"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,digitalSignature > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} nonRepudiation"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,nonRepudiation > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} keyEncipherment"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,keyEncipherment > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} dataEncipherment"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,dataEncipherment > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} keyAgreement"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,keyAgreement > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} keyCertSign"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,keyCertSign > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} cRLSign"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,cRLSign > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} encipherOnly"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,encipherOnly > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} decipherOnly"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,decipherOnly > run.out
+ checkFailure $?
+
+ echo "Flush the root CA issuer signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the subject signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "TPM2_CertifyX509 Key Usage Extension for not fixedTPM signing key"
+echo ""
+
+for ((i = 0 ; i < 2 ; i++))
+do
+
+ echo "Load the ${SALG[i]} issuer key 80000001 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr sign${SKEY[i]}nfpriv.bin -ipu sign${SKEY[i]}nfpub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Load the ${SALG[i]} subject key 80000002 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr sign${SKEY[i]}nfpriv.bin -ipu sign${SKEY[i]}nfpub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} digitalSignature"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,digitalSignature > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} nonRepudiation"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,nonRepudiation > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} keyEncipherment"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SAL[i]} -ku critical,keyEncipherment > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} dataEncipherment"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,dataEncipherment > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} keyAgreement"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,keyAgreement > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} keyCertSign"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,keyCertSign > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} cRLSign"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,cRLSign > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} encipherOnly"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,encipherOnly > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} decipherOnly"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,decipherOnly > run.out
+ checkFailure $?
+
+ echo "Flush the root CA issuer signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the subject signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "TPM2_CertifyX509 Key Usage Extension for fixedTpm restricted encryption key"
+echo ""
+
+for ((i = 0 ; i < 2 ; i++))
+do
+
+ echo "Load the ${SALG[i]} issuer key 80000001 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr sign${SKEY[i]}rpriv.bin -ipu sign${SKEY[i]}rpub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Load the ${SALG[i]} subject key 80000002 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr store${SKEY[i]}priv.bin -ipu store${SKEY[i]}pub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} digitalSignature"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,digitalSignature > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} nonRepudiation"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,nonRepudiation > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} keyEncipherment"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,keyEncipherment > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} dataEncipherment"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,dataEncipherment > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} keyAgreement"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,keyAgreement > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} keyCertSign"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,keyCertSign > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} cRLSign"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,cRLSign > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} encipherOnly"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,encipherOnly > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} decipherOnly"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,decipherOnly > run.out
+ checkSuccess $?
+
+ echo "Flush the root CA issuer signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the subject signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+done
+
+# cleanup
+
+rm -r tmppart1.bin
+rm -r tmpadd1.bin
+rm -r tmptbs1.bin
+rm -r tmpsig1.bin
+rm -r tmpx5091.bin
+rm -r tmpx5091.pem
+rm -r tmpx5092.pem
+rm -r tmpx509i.bin
+rm -r tmppart2.bin
+rm -r tmpadd2.bin
+rm -r tmptbs2.bin
+rm -r tmpsig2.bin
+rm -r tmpx5092.bin
+
+# openssl only
+fi