Merge pull request #304 from jpbland1/preseal-compiled

add ability to compile preseal with no filesystem
David Garske 2023-05-08 15:07:40 -07:00 committed by GitHub
commit bd8d45e40f
4 changed files with 106 additions and 10 deletions


@ -40,4 +40,12 @@ Lastly, the pubkey needs to be sealed to the TPM. Note that the previous command
tools/preseal/preseal public-key.raw policy-public-key.raw policySigned.raw test-app/image_v1_digest.bin 25166336 25166337 16
```
If you need to seal a pubkey to a system with no filesystem or command line you can compile preseal with the following environment variables and run it without arguments
```
NO_FILESYSTEM=1 PUBKEY="c46f95fab07b0ad2412f4b18ba14c37314feb058f106a0c21728985cd1636db9f5b73a477da4f552c1470f8c83769981f33e23ec772a2582f82ea765b221d417" POLICY_PUBKEY="925a8a35dbe4bd419a35fbf9bd30ce1440380f6d3bcd9bc5558c1fa8adb88d92c88b797dfca39af80ca9729c61508813df8254575cef48674071cf75c30e6aa8" POLICY_SIGNED="4BDAC51C517C0F3D8EDBB632B514262C256E289565A2F1CD8605A4F775302C0CD7BBFE0242CAA536A30C87A37756C390DB9A2B06037B15476A509CA06B857B6D" IMAGE_DIGEST="5b09b05afaf98e43fd59c0dc286fca8337604ec0815caad09fc0784c8a5e692b" SEAL_NV_INDEX=25166336 POLICY_DIGEST_NV_INDEX=25166337 PCR_INDEX=16 make
# Then on the target system running the resulting binary
./preseal
```
## NOTE: the PolicySigned key is used in place of the real signing key and acts as an intermediate key to unseal the actual signing key form the TPM


@ -142,15 +142,21 @@ static void wolfBoot_verify_signature(uint8_t key_slot,
return;
#ifdef WOLFTPM_KEYSTORE
ret = wolfBoot_unseal_pubkey(pubkey, &tpmKey);
if (ret < 0)
if (ret < 0) {
wolfTPM2_UnloadHandle(&wolftpm_dev, &tpmKey.handle);
return;
}
#endif
ret = wolfTPM2_VerifyHashScheme(&wolftpm_dev, &tpmKey, sig,
IMAGE_SIGNATURE_SIZE, img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE,
TPM_ALG_ECDSA, TPM_ALG_SHA256);
/* unload handlre regardless of result */
wolfTPM2_UnloadHandle(&wolftpm_dev, &tpmKey.handle);
if (ret != TPM_RC_SUCCESS)
return;
wolfTPM2_UnloadHandle(&wolftpm_dev, &tpmKey.handle);
if (ret == 0) {
verify_res = 1; /* TPM does hash verify compare */
}
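Review bot: The check `if (ret == 0)` on the last lines of the hunk is now unreachable as a false branch: once `if (ret != TPM_RC_SUCCESS) return;` has run, `ret` can only be TPM_RC_SUCCESS, which wolfTPM defines as 0, so `verify_res = 1;` should follow the return check directly rather than sit under a second test that can never fail. The new comment also has a typo; `/* unload handle regardless of result */`. In the added failure branch after `wolfBoot_unseal_pubkey`, `wolfTPM2_UnloadHandle` is called on `tpmKey.handle` even when the unseal may have failed before any object was loaded; whether that is harmless depends on `tpmKey` having been zero-initialised before the call, which is outside this hunk and worth confirming. `wolfBoot_verify_signature` begins and ends outside the hunk.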


@ -1,12 +1,25 @@
CC = gcc
CFLAGS:=
ifneq ($(NO_FILESYSTEM),)
CFLAGS+= \
-DNO_FILESYSTEM \
-DPUBKEY=\"$(PUBKEY)\" \
-DPOLICY_PUBKEY=\"$(POLICY_PUBKEY)\" \
-DPOLICY_SIGNED=\"$(POLICY_SIGNED)\" \
-DIMAGE_DIGEST=\"$(IMAGE_DIGEST)\" \
-DSEAL_NV_INDEX=$(SEAL_NV_INDEX) \
-DPOLICY_DIGEST_NV_INDEX=$(POLICY_DIGEST_NV_INDEX) \
-DPCR_INDEX=$(PCR_INDEX) \
endif
all: preseal
preseal:
$(Q)$(CC) -o $@ $@.c -lwolftpm
$(Q)$(CC) $(CFLAGS) -o $@ $@.c -lwolftpm
debug:
$(Q)$(CC) -o preseal preseal.c -g -lwolftpm -lwolfssl
$(Q)$(CC) $(CFLAGS) -o preseal preseal.c -g -lwolftpm -lwolfssl
clean:
rm -f preseal
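Review bot: `-DPCR_INDEX=$(PCR_INDEX)` is added to CFLAGS unconditionally inside the `ifneq ($(NO_FILESYSTEM),)` block, so when PCR_INDEX is not given the compiler still sees `-DPCR_INDEX=` and the `#ifdef PCR_INDEX` fallback to DEFAULT_PCR_INDEX in preseal.c can never take effect; the assignment `pcrArray[0] = PCR_INDEX;` then expands to an empty right-hand side and fails to compile. Emit that flag only when the variable is set: `ifneq ($(PCR_INDEX),)` / `CFLAGS+= -DPCR_INDEX=$(PCR_INDEX)` / `endif`. The required variables (PUBKEY, POLICY_PUBKEY, POLICY_SIGNED, IMAGE_DIGEST, SEAL_NV_INDEX, POLICY_DIGEST_NV_INDEX) have no presence check either; an unset PUBKEY produces `-DPUBKEY=""`, which compiles and lets preseal run with a zero-length key, so an `ifeq ($(PUBKEY),)` guard that calls `$(error PUBKEY is required when NO_FILESYSTEM is set)` for each of them would turn that into a build-time failure. The last CFLAGS line ends in a backslash immediately before `endif` as rendered here; if there is no blank line between them in the actual file, the continuation swallows the `endif` and make reports a missing endif.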


@ -66,9 +66,39 @@ static int readFile(char* name, uint8_t* buf, uint32_t* bufSz)
return ret;
}
static signed char HexCharToByte(signed char ch)
{
signed char ret = (signed char)ch;
if (ret >= '0' && ret <= '9')
ret -= '0';
else if (ret >= 'A' && ret <= 'F')
ret -= 'A' - 10;
else if (ret >= 'a' && ret <= 'f')
ret -= 'a' - 10;
else
ret = -1; /* error case - return code must be signed */
return ret;
}
static int HexToByte(const char *hex, unsigned char *output, unsigned long sz)
{
word32 i;
for (i = 0; i < sz; i++) {
signed char ch1, ch2;
ch1 = HexCharToByte(hex[i * 2]);
ch2 = HexCharToByte(hex[i * 2 + 1]);
if ((ch1 < 0) || (ch2 < 0)) {
return -1;
}
output[i] = (unsigned char)((ch1 << 4) + ch2);
}
return (int)sz;
}
static void usage()
{
printf("preseal pubkey policypubkey policysignature imagedigest sealNVindex digestNVindex [pcrindex]\n");
printf("NOTE currently policy sealing only supports ecc256 keys");
printf("Expected usage: ./preseal pubkey policypubkey policysignature imagedigest sealNVindex digestNVindex [pcrindex]\n");
printf("pubkey: the verification key to seal into the tpm\n");
printf("policypubkey: the pubkey used sign the policy expiration date\n");
printf("policysignature: the signature of the policy expiration date\n");
@ -104,16 +134,17 @@ int main(int argc, char** argv)
wolfSSL_Debugging_ON();
#endif
if (argc < 7) {
usage();
return 0;
}
XMEMSET(&dev, 0, sizeof(WOLFTPM2_DEV));
XMEMSET(&tpmSession, 0, sizeof(WOLFTPM2_SESSION));
XMEMSET(&authKey, 0, sizeof(WOLFTPM2_KEY));
XMEMSET(&pcrReset, 0, sizeof(PCR_Reset_In));
#ifndef NO_FILESYSTEM
if (argc < 7) {
usage();
return 0;
}
rc = readFile(argv[1], pubkey, &pubkeySz);
if (rc != 0) {
printf("Failed to read pubkey\n");
@ -146,6 +177,44 @@ int main(int argc, char** argv)
pcrArray[0] = atoi(argv[7]);
else
pcrArray[0] = DEFAULT_PCR_INDEX;
#else
rc = HexToByte(PUBKEY, pubkey, strlen(PUBKEY) / 2);
if (rc < 0) {
printf("Failed to read pubkey\n");
return 1;
}
pubkeySz = strlen(PUBKEY) / 2;
rc = HexToByte(POLICY_PUBKEY, policyPubkey, strlen(POLICY_PUBKEY) / 2);
if (rc < 0) {
printf("Failed to read pubkey\n");
return 1;
}
policyPubkeySz = strlen(POLICY_PUBKEY) / 2;
rc = HexToByte(POLICY_SIGNED, policySigned, strlen(POLICY_SIGNED) / 2);
if (rc < 0) {
printf("Failed to read pubkey\n");
return 1;
}
policySignedSz = strlen(POLICY_SIGNED) / 2;
rc = HexToByte(IMAGE_DIGEST, imageDigest, strlen(IMAGE_DIGEST) / 2);
if (rc < 0) {
printf("Failed to read pubkey\n");
return 1;
}
imageDigestSz = strlen(IMAGE_DIGEST) / 2;
sealNvIndex = SEAL_NV_INDEX;
policyDigestNvIndex = POLICY_DIGEST_NV_INDEX;
#ifdef PCR_INDEX
pcrArray[0] = PCR_INDEX;
#else
pcrArray[0] = DEFAULT_PCR_INDEX;
#endif
#endif
rc = wolfTPM2_Init(&dev, NULL, NULL);
if (rc != TPM_RC_SUCCESS) {
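Review bot: The four `HexToByte(..., strlen(X) / 2)` calls in the new `#else` branch never check the hex string against the destination buffer's capacity, so an over-long compile-time value writes past `pubkey`, `policyPubkey`, `policySigned` or `imageDigest`; the buffer declarations are outside the hunk, so this is inferred from the calls alone. The same calls also accept an odd-length string (the trailing nibble is silently dropped by the integer division) and an empty string (`strlen("") / 2` is 0, `HexToByte` returns 0, and the key is sealed with size 0 without any error). Three of the four failure messages are copy-pasted and all say "Failed to read pubkey", which makes a failed POLICY_PUBKEY, POLICY_SIGNED or IMAGE_DIGEST decode indistinguishable from a bad PUBKEY. A small wrapper that validates length and capacity and sets the size in one place addresses all three; it is sketched below for the PUBKEY case, with `sizeof(pubkey)` standing in for the buffer's real capacity if `pubkey` is not a fixed array here. `main` continues past the end of the hunk.

```c
/* Decode a hex string into out; rejects empty or odd-length input and
 * anything that would not fit in outSz bytes. On success *outLen is set. */
static int HexStrToBuf(const char *hex, unsigned char *out, size_t outSz,
    uint32_t *outLen)
{
    size_t hexLen = strlen(hex);
    if (hexLen == 0 || (hexLen % 2) != 0 || (hexLen / 2) > outSz)
        return -1;
    if (HexToByte(hex, out, hexLen / 2) < 0)
        return -1;
    *outLen = (uint32_t)(hexLen / 2);
    return 0;
}
/* … unchanged: usage(), start of main() … */
#else
    if (HexStrToBuf(PUBKEY, pubkey, sizeof(pubkey), &pubkeySz) != 0) {
        printf("Failed to parse PUBKEY\n");
        return 1;
    }
    /* … same pattern for POLICY_PUBKEY, POLICY_SIGNED and IMAGE_DIGEST,
     * each with its own message … */
```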