From 19424c86c92d2084b02139a95664b143f3cf32c6 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Sat, 19 Aug 2023 14:03:58 -0700
Subject: [PATCH] Added optional `WOLFBOOT_TPM_KEYSTORE_AUTH` for build-time NV auth.

---
 .github/workflows/test-build-sim-tpm.yml | 7 +++++--
 .github/workflows/test-tpm.yml           | 3 +++
 config/examples/sim-tpm-keystore.config  | 1 +
 options.mk                               | 1 +
 src/image.c                              | 6 +++---
 5 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/test-build-sim-tpm.yml b/.github/workflows/test-build-sim-tpm.yml
index d805befb..f70fefec 100644
--- a/.github/workflows/test-build-sim-tpm.yml
+++ b/.github/workflows/test-build-sim-tpm.yml
@@ -16,6 +16,9 @@ on:
       rot-args:
         required: false
         type: string
+      authstr:
+        required: false
+        type: string
 
 jobs:
 
@@ -52,7 +55,7 @@ jobs:
 
     - name: Build wolfboot
       run: |
-        make ${{inputs.make-args}}
+        make ${{inputs.make-args}} WOLFBOOT_TPM_KEYSTORE_AUTH="${{inputs.authstr}}"
 
     - name: Build TPM tools
       run: |
@@ -60,7 +63,7 @@ jobs:
 
     - name: Write TPM ROT to TPM
       run: |
-        ./tools/tpm/rot -write ${{inputs.rot-args}}
+        ./tools/tpm/rot -write ${{inputs.rot-args}} -auth="${{inputs.authstr}}"
 
     - name: Run wolfBoot
       run: |
diff --git a/.github/workflows/test-tpm.yml b/.github/workflows/test-tpm.yml
index 3328d439..e4dfeac1 100644
--- a/.github/workflows/test-tpm.yml
+++ b/.github/workflows/test-tpm.yml
@@ -64,6 +64,7 @@ jobs:
       arch: host
       config-file: ./config/examples/sim-tpm-keystore.config
       make-args: SIGN=ECC256 HASH=SHA256
+      authstr: TestAuth
 
   sim_tpm_keystore_ecc384:
     uses: ./.github/workflows/test-build-sim-tpm.yml
@@ -72,6 +73,7 @@ jobs:
       config-file: ./config/examples/sim-tpm-keystore.config
       make-args: SIGN=ECC384 HASH=SHA384
       rot-args: -sha384
+      authstr: TestAuth
 
   sim_tpm_keystore_rsa2048:
     uses: ./.github/workflows/test-build-sim-tpm.yml
@@ -79,3 +81,4 @@ jobs:
       arch: host
       config-file: ./config/examples/sim-tpm-keystore.config
       make-args: SIGN=RSA2048 HASH=SHA256
+      authstr: TestAuth
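Review bot: The `Build wolfboot` step splices `${{inputs.authstr}}` directly into the `run:` shell text, so a quote or shell metacharacter in the value alters the command rather than the argument; the usual mitigation is to map the input to an environment variable (`env: AUTHSTR: ${{ inputs.authstr }}`) and reference `"$AUTHSTR"` inside the script. The same applies to the `-auth="${{inputs.authstr}}"` line in the `Write TPM ROT to TPM` hunk that follows. Today the only callers are the in-repo jobs in test-tpm.yml, so exposure is limited, but a reusable workflow input is the place to get this right. Separately, because `authstr` is optional, callers that omit it still pass `WOLFBOOT_TPM_KEYSTORE_AUTH=""` to make and `-auth=""` to the rot tool, which is harmless only if both treat an empty value as "no auth" — neither hunk shows that.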
diff --git a/config/examples/sim-tpm-keystore.config b/config/examples/sim-tpm-keystore.config
index 080148f9..add3382e 100644
--- a/config/examples/sim-tpm-keystore.config
+++ b/config/examples/sim-tpm-keystore.config
@@ -20,6 +20,7 @@ WOLFBOOT_FIXED_PARTITIONS=1
 # Use NV for TPM based Root of Trust
 WOLFBOOT_TPM_KEYSTORE?=1
 WOLFBOOT_TPM_KEYSTORE_NV_INDEX?=0x01400200
+#WOLFBOOT_TPM_KEYSTORE_AUTH?=TestAuth
 
 # TPM Logging
 #CFLAGS_EXTRA+=-DDEBUG_WOLFTPM
diff --git a/options.mk b/options.mk
index 26a97b71..7503e4d3 100644
--- a/options.mk
+++ b/options.mk
@@ -12,6 +12,7 @@ ifeq ($(WOLFBOOT_TPM_KEYSTORE),1)
   WOLFTPM:=1
   CFLAGS+=-DWOLFBOOT_TPM_KEYSTORE
   CFLAGS+=-DWOLFBOOT_TPM_KEYSTORE_NV_INDEX=$(WOLFBOOT_TPM_KEYSTORE_NV_INDEX)
+  CFLAGS+=-DWOLFBOOT_TPM_KEYSTORE_AUTH='"$(WOLFBOOT_TPM_KEYSTORE_AUTH)"'
 endif
 endif
 
diff --git a/src/image.c b/src/image.c
index cff7e67d..8a7e96c1 100644
--- a/src/image.c
+++ b/src/image.c
@@ -1269,9 +1269,9 @@ static int keyslot_id_by_sha(const uint8_t *hint)
 
     XMEMSET(&nv, 0, sizeof(nv));
     nv.handle.hndl = WOLFBOOT_TPM_KEYSTORE_NV_INDEX;
-#if 0 /* TODO: Add auth */
-    nv.handle.auth.size = sizeof(authBuf);
-    XMEMCPY(nv.handle.auth.buffer, authBuf, sizeof(authBuf));
+#ifdef WOLFBOOT_TPM_KEYSTORE_AUTH
+    nv.handle.auth.size = (UINT16)strlen(WOLFBOOT_TPM_KEYSTORE_AUTH);
+    memcpy(nv.handle.auth.buffer, WOLFBOOT_TPM_KEYSTORE_AUTH, nv.handle.auth.size);
 #endif
 
     rc = wolfTPM2_NVReadAuth(&wolftpm_dev, &nv, WOLFBOOT_TPM_KEYSTORE_NV_INDEX,
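Review bot: The new `CFLAGS+=-DWOLFBOOT_TPM_KEYSTORE_AUTH='"$(WOLFBOOT_TPM_KEYSTORE_AUTH)"'` line in options.mk is emitted whenever the keystore is enabled, even when the variable is unset, so the macro is always defined (as `""`) and the `#ifdef WOLFBOOT_TPM_KEYSTORE_AUTH` this patch adds to src/image.c never selects the no-auth path; such builds always send a zero-length auth instead of omitting the auth setup. Wrapping the line in `ifneq ($(WOLFBOOT_TPM_KEYSTORE_AUTH),)` / `endif` makes the define match the option's "optional" intent and keeps the commented-out default in config/examples/sim-tpm-keystore.config meaningful. The value is also interpolated into a shell command line by make, so a value containing quotes or spaces would need escaping the recipe does not do; a comment next to the line stating the accepted character set would help users of the option.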
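Review bot: The added `memcpy(nv.handle.auth.buffer, WOLFBOOT_TPM_KEYSTORE_AUTH, nv.handle.auth.size)` copies a build-supplied string into `nv.handle.auth.buffer` without checking it against that buffer's size, so an over-long `WOLFBOOT_TPM_KEYSTORE_AUTH` value overflows the handle struct on the first NV read. Because the value is a string literal the check can be done at build time, e.g. `_Static_assert(sizeof(WOLFBOOT_TPM_KEYSTORE_AUTH) - 1 <= sizeof(nv.handle.auth.buffer), "WOLFBOOT_TPM_KEYSTORE_AUTH too long");` where the toolchain baseline permits C11, otherwise a runtime `if (nv.handle.auth.size > sizeof(nv.handle.auth.buffer))` that takes the function's existing error return. The removed line used the file's `XMEMCPY` wrapper while the new code calls `memcpy` and `strlen` directly; `XMEMCPY` plus `sizeof(WOLFBOOT_TPM_KEYSTORE_AUTH) - 1` would keep the file's conventions and avoid a runtime `strlen` of a literal. A comment on the `#ifdef` should state that the auth value is a clear-text literal compiled into the bootloader image, e.g. `/* NV auth is a build-time literal embedded in the image; it only limits parties that cannot read the firmware */`. keyslot_id_by_sha begins and ends outside the hunk.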