Fix simulator to not just while(1) on panic, which causes CI to spin/timeout (instead exit with error). Fix ROT logic and make sure read error code gets passed up stack.

pull/366/head
David Garske 2023-09-08 13:00:41 -07:00 committed by Daniele Lacamera
parent 2349a68e76
commit c04960c097
8 changed files with 44 additions and 29 deletions


@ -53,14 +53,9 @@ jobs:
run: | run: |
make -C tools/keytools && make -C tools/bin-assemble make -C tools/keytools && make -C tools/bin-assemble
# needed for tpm tools
- name: Build keystore.c
run: |
make keys ${{inputs.make-args}}
- name: Build TPM tools - name: Build TPM tools
run: | run: |
make tpmtools make tpmtools ${{inputs.make-args}}
- name: Write TPM ROT to TPM - name: Write TPM ROT to TPM
run: | run: |
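Review bot: `${{inputs.make-args}}` on the `make tpmtools` line is expanded into the script text before the shell runs, so any shell metacharacters in the input become part of the command rather than arguments to make. The caller shown on this page passes a fixed string, so this is hardening rather than a live bug. Passing the value through the step environment keeps it as data: add `env:` with `MAKE_ARGS: ${{inputs.make-args}}` to the step and run `make tpmtools $MAKE_ARGS`.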


@ -107,5 +107,6 @@ jobs:
with: with:
arch: host arch: host
config-file: ./config/examples/sim-tpm-seal.config config-file: ./config/examples/sim-tpm-seal.config
make-args: SIGN=RSA2048ENC HASH=SHA256 POLICY_FILE=policy.bin # use larger image header size for two 2048-bit signatures
make-args: SIGN=RSA2048ENC HASH=SHA256 POLICY_FILE=policy.bin IMAGE_HEADER_SIZE=1024
authstr: TestAuth authstr: TestAuth


@ -167,7 +167,7 @@ keytools:
@$(MAKE) -C tools/keytools -s clean @$(MAKE) -C tools/keytools -s clean
@$(MAKE) -C tools/keytools -j @$(MAKE) -C tools/keytools -j
tpmtools: tpmtools: keys
@echo "Building TPM tools" @echo "Building TPM tools"
@$(MAKE) -C tools/tpm -s clean @$(MAKE) -C tools/tpm -s clean
@$(MAKE) -C tools/tpm -j @$(MAKE) -C tools/tpm -j


@ -83,6 +83,12 @@ void wolfBoot_start(void);
asm volatile("b .-6"); \ asm volatile("b .-6"); \
asm volatile("b .-8"); asm volatile("b .-8");
#elif defined(ARCH_SIM)
#include <stdlib.h>
static inline void wolfBoot_panic(void)
{
exit(1);
}
#else #else
static inline void wolfBoot_panic(void) static inline void wolfBoot_panic(void)
{ {
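Review bot: The new `ARCH_SIM` branch has no comment saying why the simulator terminates the process instead of halting, and the `#include <stdlib.h>` sits inside the conditional chain in the middle of the header. I would add `/* Simulator: exit non-zero on panic so a failed boot check fails the CI job instead of hanging it */` above the function. The include would be easier to audit in the header's include block under an `#ifdef ARCH_SIM` guard. The `#else` definition of `wolfBoot_panic` continues outside the hunk.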

@ -1 +1 @@
Subproject commit 50bfac48a970a61afa1463ec6514bf9b404830cb Subproject commit acdbc446d27272735177f768c3b06f4ae776570d


@ -824,7 +824,6 @@ int wolfBoot_unseal_blob(struct wolfBoot_image* img, WOLFTPM2_KEYBLOB* seal_blob
int rc, i; int rc, i;
WOLFTPM2_SESSION policy_session; WOLFTPM2_SESSION policy_session;
uint32_t key_type; uint32_t key_type;
int key_slot = -1;
TPM_ALG_ID pcrAlg = WOLFBOOT_TPM_PCR_ALG; TPM_ALG_ID pcrAlg = WOLFBOOT_TPM_PCR_ALG;
TPM_ALG_ID alg = TPM_ALG_NULL, sigAlg; TPM_ALG_ID alg = TPM_ALG_NULL, sigAlg;
TPMT_PUBLIC template; TPMT_PUBLIC template;
@ -868,6 +867,7 @@ int wolfBoot_unseal_blob(struct wolfBoot_image* img, WOLFTPM2_KEYBLOB* seal_blob
memset(&authKey, 0, sizeof(authKey)); memset(&authKey, 0, sizeof(authKey));
memset(&template, 0, sizeof(template)); memset(&template, 0, sizeof(template));
memset(&policy_session, 0, sizeof(policy_session)); memset(&policy_session, 0, sizeof(policy_session));
memset(&checkTicket, 0, sizeof(checkTicket));
/* Setup a TPM session that can be used for parameter encryption */ /* Setup a TPM session that can be used for parameter encryption */
rc = wolfTPM2_StartSession(&wolftpm_dev, &policy_session, &wolftpm_srk, rc = wolfTPM2_StartSession(&wolftpm_dev, &policy_session, &wolftpm_srk,
@ -1152,6 +1152,7 @@ int wolfBoot_check_rot(int key_slot, uint8_t* pubkey_hint)
#ifdef WOLFBOOT_TPM_KEYSTORE_AUTH #ifdef WOLFBOOT_TPM_KEYSTORE_AUTH
nv.handle.auth.size = (UINT16)strlen(WOLFBOOT_TPM_KEYSTORE_AUTH); nv.handle.auth.size = (UINT16)strlen(WOLFBOOT_TPM_KEYSTORE_AUTH);
memcpy(nv.handle.auth.buffer, WOLFBOOT_TPM_KEYSTORE_AUTH, nv.handle.auth.size); memcpy(nv.handle.auth.buffer, WOLFBOOT_TPM_KEYSTORE_AUTH, nv.handle.auth.size);
wolfTPM2_SetAuthHandle(&wolftpm_dev, 0, &nv.handle);
#endif #endif
/* Enable parameter encryption for session - to protect auth */ /* Enable parameter encryption for session - to protect auth */
@ -1163,12 +1164,16 @@ int wolfBoot_check_rot(int key_slot, uint8_t* pubkey_hint)
nv.handle.hndl = WOLFBOOT_TPM_KEYSTORE_NV_BASE + key_slot; nv.handle.hndl = WOLFBOOT_TPM_KEYSTORE_NV_BASE + key_slot;
rc = wolfTPM2_NVReadAuth(&wolftpm_dev, &nv, nv.handle.hndl, rc = wolfTPM2_NVReadAuth(&wolftpm_dev, &nv, nv.handle.hndl,
digest, &digestSz, 0); digest, &digestSz, 0);
if (rc == 0 && digestSz == WOLFBOOT_SHA_DIGEST_SIZE && if (rc == 0) {
memcmp(digest, pubkey_hint, WOLFBOOT_SHA_DIGEST_SIZE) == 0) { if (digestSz == WOLFBOOT_SHA_DIGEST_SIZE &&
wolfBoot_printf("TPM Root of Trust valid (id %d)\n", key_slot); memcmp(digest, pubkey_hint, WOLFBOOT_SHA_DIGEST_SIZE) == 0) {
wolfBoot_printf("TPM Root of Trust valid (id %d)\n", key_slot);
}
else {
rc = -1; /* digest match failure */
}
} }
else { if (rc != 0) {
if (rc >= 0) rc = -1; /* failure */
wolfBoot_printf("TPM Root of Trust failed! %d (%s)\n", wolfBoot_printf("TPM Root of Trust failed! %d (%s)\n",
rc, wolfTPM2_GetRCString(rc)); rc, wolfTPM2_GetRCString(rc));
wolfBoot_printf("Expected Hash %d\n", digestSz); wolfBoot_printf("Expected Hash %d\n", digestSz);
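Review bot: With the `if (rc >= 0) rc = -1;` normalisation removed, `wolfBoot_check_rot` can now hand a positive TPM response code from `wolfTPM2_NVReadAuth` back to its caller, so any caller that tests `< 0` would treat a failed root-of-trust read as success. The callers are not on this page, so please confirm they all compare against `0`, and state the contract on the function, e.g. `/* returns 0 on match; any non-zero value (positive TPM RC or negative) is a failure */`. In the same function the added `wolfTPM2_SetAuthHandle(&wolftpm_dev, 0, &nv.handle);` discards its return value; assigning it to `rc` and checking it before the NV read would keep a failed auth setup from going unnoticed. The function body continues outside the hunk.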


@ -614,19 +614,22 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
if (*pubkey_sz <= KEYSTORE_PUBKEY_SIZE_RSA2048) { if (*pubkey_sz <= KEYSTORE_PUBKEY_SIZE_RSA2048) {
CMD.sign = SIGN_RSA2048; CMD.sign = SIGN_RSA2048;
CMD.header_sz = 512; if (CMD.policy_sign) {
CMD.signature_sz = 256; CMD.header_sz = 1024;
} }
else if (*pubkey_sz <= KEYSTORE_PUBKEY_SIZE_RSA3072) { else {
CMD.sign = SIGN_RSA3072; CMD.header_sz = 512;
}
if(CMD.hash_algo != HASH_SHA256) { CMD.signature_sz = 256;
}
else if (*pubkey_sz <= KEYSTORE_PUBKEY_SIZE_RSA3072) {
CMD.sign = SIGN_RSA3072;
if (CMD.hash_algo != HASH_SHA256 || CMD.policy_sign) {
CMD.header_sz = 1024; CMD.header_sz = 1024;
} }
else { else {
CMD.header_sz = 512; CMD.header_sz = 512;
} }
CMD.signature_sz = 384; CMD.signature_sz = 384;
} }
else if (*pubkey_sz <= KEYSTORE_PUBKEY_SIZE_RSA4096) { else if (*pubkey_sz <= KEYSTORE_PUBKEY_SIZE_RSA4096) {
@ -673,22 +676,24 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
} }
else if (keySzOut == 384) { else if (keySzOut == 384) {
CMD.sign = SIGN_RSA3072; CMD.sign = SIGN_RSA3072;
if (CMD.hash_algo != HASH_SHA256 || CMD.policy_sign) {
if(CMD.hash_algo != HASH_SHA256) {
CMD.header_sz = 1024; CMD.header_sz = 1024;
} }
else { else {
CMD.header_sz = 512; CMD.header_sz = 512;
} }
CMD.signature_sz = 384; CMD.signature_sz = 384;
} }
else { else {
CMD.sign = SIGN_RSA2048; CMD.sign = SIGN_RSA2048;
CMD.header_sz = 512; if (CMD.policy_sign) {
CMD.header_sz = 1024;
}
else {
CMD.header_sz = 512;
}
CMD.signature_sz = 256; CMD.signature_sz = 256;
} }
break; break;
} }
} }
@ -743,7 +748,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
printf("image header size overridden by config value (%u bytes)\n", IMAGE_HEADER_SIZE); printf("image header size overridden by config value (%u bytes)\n", IMAGE_HEADER_SIZE);
CMD.header_sz = IMAGE_HEADER_SIZE; CMD.header_sz = IMAGE_HEADER_SIZE;
} else { } else {
printf("image header size calculated at runtime (%u bytes)\n", IMAGE_HEADER_SIZE); printf("image header size calculated at runtime (%u bytes)\n", CMD.header_sz);
} }
#ifdef DEBUG_SIGNTOOL #ifdef DEBUG_SIGNTOOL
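Review bot: The `CMD.policy_sign` header-size rule is now written out four times (RSA2048 and RSA3072, in both the `*pubkey_sz` chain and the `keySzOut` chain), and the RSA4096 branch that begins at the end of the first hunk is not shown. Two 512-byte signatures cannot fit in a 1024-byte header, so if that branch still selects 1024 when `CMD.policy_sign` is set, the signed image header would be too small for the policy signature; please check it. A small static helper that returns the header size from the signature size, `CMD.hash_algo` and `CMD.policy_sign` would keep the two chains from drifting apart. `load_key` begins and ends outside these hunks.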


@ -104,6 +104,9 @@ static int TPM2_Boot_SecureROT_Example(TPMI_RH_NV_AUTH authHandle, word32 nvBase
printf("Computing keystore hash for index %d\n", id); printf("Computing keystore hash for index %d\n", id);
printf("Public Key (%d)\n", bufSz);
TPM2_PrintBin(buf, bufSz);
/* hash public key */ /* hash public key */
digestSz = wc_HashGetDigestSize(hashType); digestSz = wc_HashGetDigestSize(hashType);
rc = wc_Hash(hashType, buf, (word32)bufSz, digest, digestSz); rc = wc_Hash(hashType, buf, (word32)bufSz, digest, digestSz);