WolfSSL
/
wolfBoot
mirror of https://github.com/wolfSSL/wolfBoot.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix to use the new unset auth session API, that captures the last TPM nonce, so the session auth can be properly set again. Requires wolfTPM PR https://github.com/wolfSSL/wolfTPM/pull/299

pull/369/head
David Garske 2023-09-15 14:10:18 -07:00 committed by Daniele Lacamera
parent e3f97f401e
commit bc90f85f1b
2 changed files with 11 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/wolfTPM

@ -1 +1 @@
Subproject commit acdbc446d27272735177f768c3b06f4ae776570d
Subproject commit 5497830567222e9a278e5a69aaeef32d5f3fc890

14
src/tpm.c
View File

@ -611,6 +611,7 @@ int wolfBoot_store_blob(TPMI_RH_NV_AUTH authHandle, uint32_t nvIndex,
}
/* write sealed blob to NV */
if (rc == 0) {
wolfTPM2_UnsetAuth(&wolftpm_dev, 1);
pos = 0;
/* write pub size */
rc = wolfTPM2_NVWriteAuth(&wolftpm_dev, &nv, nv.handle.hndl,
@ -664,6 +665,7 @@ int wolfBoot_read_blob(uint32_t nvIndex, WOLFTPM2_KEYBLOB* blob,
nv.handle.hndl = nvIndex;
nv.handle.auth.size = authSz;
memcpy(nv.handle.auth.buffer, auth, authSz);
wolfTPM2_SetAuthHandle(&wolftpm_dev, 0, &nv.handle);
pos = 0;
readSz = sizeof(blob->pub.size);
@ -769,7 +771,7 @@ int wolfBoot_seal_blob(uint8_t* pubkey_hint, uint8_t* policy, uint16_t policySz,
}
wolfTPM2_UnloadHandle(&wolftpm_dev, &policy_session.handle);
wolfTPM2_UnsetAuth(&wolftpm_dev, 1);
wolfTPM2_UnsetAuthSession(&wolftpm_dev, 1, &wolftpm_session);
return rc;
}
@ -949,7 +951,7 @@ int wolfBoot_unseal_blob(uint8_t* pubkey_hint,
wolfTPM2_UnloadHandle(&wolftpm_dev, &seal_blob->handle);
wolfTPM2_UnloadHandle(&wolftpm_dev, &policy_session.handle);
wolfTPM2_UnsetAuth(&wolftpm_dev, 1);
wolfTPM2_UnsetAuthSession(&wolftpm_dev, 1, &wolftpm_session);
return rc;
}
@ -996,6 +998,7 @@ static int wolfRNG_GetSeedCB(OS_Seed* os, uint8_t* seed, uint32_t sz)
if (rc == 0) {
rc = wolfTPM2_GetRandom(&wolftpm_dev, seed, sz);
}
wolfTPM2_UnsetAuthSession(&wolftpm_dev, 0, &wolftpm_session);
return rc;
}
#endif
@ -1141,7 +1144,8 @@ int wolfBoot_check_rot(int key_slot, uint8_t* pubkey_hint)
nv.handle.hndl = WOLFBOOT_TPM_KEYSTORE_NV_BASE + key_slot;
#ifdef WOLFBOOT_TPM_KEYSTORE_AUTH
nv.handle.auth.size = (UINT16)strlen(WOLFBOOT_TPM_KEYSTORE_AUTH);
memcpy(nv.handle.auth.buffer, WOLFBOOT_TPM_KEYSTORE_AUTH, nv.handle.auth.size);
memcpy(nv.handle.auth.buffer, WOLFBOOT_TPM_KEYSTORE_AUTH,
nv.handle.auth.size);
#endif
wolfTPM2_SetAuthHandle(&wolftpm_dev, 0, &nv.handle);
@ -1150,6 +1154,8 @@ int wolfBoot_check_rot(int key_slot, uint8_t* pubkey_hint)
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt |
TPMA_SESSION_continueSession));
if (rc == 0) {
wolfTPM2_UnsetAuth(&wolftpm_dev, 1);
/* read index */
rc = wolfTPM2_NVReadAuth(&wolftpm_dev, &nv, nv.handle.hndl,
digest, &digestSz, 0);
@ -1170,7 +1176,7 @@ int wolfBoot_check_rot(int key_slot, uint8_t* pubkey_hint)
wolfBoot_print_hexstr(pubkey_hint, digestSz, 0);
}
}
wolfTPM2_UnsetAuth(&wolftpm_dev, 1);
wolfTPM2_UnsetAuthSession(&wolftpm_dev, 1, &wolftpm_session);
return rc;
}