Fixes for sealing/unsealing:

* Fix for sealing policy, which was not being set on creation. * Fix to clear the userWithAuth bit requiring policy * Updated wolfTPM submodule with changes in https://github.com/wolfSSL/wolfTPM/pull/327
2024-02-02 15:51:08 -08:00 · 2024-02-02 15:51:08 -08:00 · 4408eeaa74
parent c6ac284ba0
commit 4408eeaa74
3 changed files with 28 additions and 7 deletions
--- a/docs/TPM.md
+++ b/docs/TPM.md
@ -15,7 +15,7 @@ In wolfBoot we support TPM based root of trust, sealing/unsealing, cryptographic
 | `MEASURED_PCR_A=16` | `WOLFBOOT_MEASURED_PCR_A=16` | The PCR index to use. See [docs/measured_boot.md](/docs/measured_boot.md). |
 | `WOLFBOOT_TPM_SEAL=1` | `WOLFBOOT_TPM_SEAL` | Enables support for sealing/unsealing based on PCR policy signed externally. |
 | `WOLFBOOT_TPM_SEAL_NV_BASE=0x01400300` | `WOLFBOOT_TPM_SEAL_NV_BASE` | To override the default sealed blob storage location in the platform hierarchy. |
-| `WOLFBOOT_TPM_SEAL_AUTH=secret` | `WOLFBOOT_TPM_SEAL_AUTH` | Password for sealing/unsealing secrets |
+| `WOLFBOOT_TPM_SEAL_AUTH=secret` | `WOLFBOOT_TPM_SEAL_AUTH` | Password for sealing/unsealing secrets, if omitted the PCR policy will be used |

 ## Root of Trust (ROT)

--- a/lib/wolfTPM
+++ b/lib/wolfTPM
@ -1 +1 @@
-Subproject commit 7c079dd3f0e40539519101cffd0c27c5d6c1777c
+Subproject commit bc1415d0da8e882723cb1a4b2aca0764afa6aac0
--- a/src/tpm.c
+++ b/src/tpm.c
@ -788,6 +788,8 @@ int wolfBoot_seal_blob(const uint8_t* pubkey_hint,
        /* build authorization policy based on public key */
        /* digest here is input and output, must be zero'd */
        uint32_t digestSz = TPM2_GetHashDigestSize(pcrAlg);
+        /* Create a new key for sealing using external signing auth */
+        wolfTPM2_GetKeyTemplate_KeySeal(&template, pcrAlg);
        memset(template.authPolicy.buffer, 0, digestSz);
        rc = wolfTPM2_PolicyAuthorizeMake(pcrAlg, &authKey.pub,
            template.authPolicy.buffer, &digestSz, NULL, 0);
@ -800,8 +802,15 @@ int wolfBoot_seal_blob(const uint8_t* pubkey_hint,
        wolfBoot_print_hexstr(template.authPolicy.buffer,
            template.authPolicy.size, 0);
    #endif
-        /* Create a new key for sealing using external signing auth */
-        wolfTPM2_GetKeyTemplate_KeySeal(&template, pcrAlg);
+
+        if (auth != NULL && authSz > 0) {
+            /* allow password based sealing */
+            template.objectAttributes |= TPMA_OBJECT_userWithAuth;
+        }
+        else {
+            /* disable password based sealing, require policy */
+            template.objectAttributes &= ~TPMA_OBJECT_userWithAuth;
+        }
        rc = wolfTPM2_CreateKeySeal_ex(&wolftpm_dev, seal_blob,
            &wolftpm_srk.handle, &template, auth, authSz,
            pcrAlg, NULL, 0, secret, secret_sz);
@ -1005,9 +1014,21 @@ int wolfBoot_unseal_blob(const uint8_t* pubkey_hint,
        wolfBoot_printf("Loaded seal blob to 0x%x\n",
            (uint32_t)seal_blob->handle.hndl);
    #endif
+
+        /* if using password auth, set it otherwise use policy auth */
+        if (auth != NULL && authSz > 0) {
            seal_blob->handle.auth.size = authSz;
            memcpy(seal_blob->handle.auth.buffer, auth, authSz);
            wolfTPM2_SetAuthHandle(&wolftpm_dev, 0, &seal_blob->handle);
+        }
+        else {
+            /* use the policy session for unseal */
+            rc = wolfTPM2_SetAuthSession(&wolftpm_dev, 0, &policy_session,
+                (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt |
+                TPMA_SESSION_continueSession));
+            /* set the sealed object name 0 (required) */
+            wolfTPM2_SetAuthHandleName(&wolftpm_dev, 0, &seal_blob->handle);
+        }

        /* unseal */
        unsealIn.itemHandle = seal_blob->handle.hndl;