WolfSSL
/
wolfBoot
mirror of https://github.com/wolfSSL/wolfBoot.git
1
0
Fork 0
Code Issues Releases Wiki Activity
1,628 Commits
29 Branches
28 Tags
20 MiB
Commit Graph

9 Commits (x86_fsp_backport)

Author SHA1 Message Date
David Garske 4408eeaa74 Fixes for sealing/unsealing: 
* Fix for sealing policy, which was not being set on creation.
* Fix to clear the userWithAuth bit requiring policy
* Updated wolfTPM submodule with changes in https://github.com/wolfSSL/wolfTPM/pull/327
 2024-02-03 10:09:03 -08:00
David Garske cd9370bd95 Fix link in TPM docs. 2023-12-05 15:14:51 -08:00
David Garske 758eda1ad4 Add support for sealing/unsealing a secret with auth. 2023-10-25 13:24:27 +02:00
David Garske eb2978ab7f TPM sealing cleanups. If using simulator don't extend the unseal PCR to prevent further access. Added `WOLFBOOT_NO_UNSEAL_PCR_EXTEND` option to prevent locking of PCR by random extend. Improvements to the `policy_sign` tool (example usage, ecc384 support). 2023-10-06 13:34:37 -07:00
David Garske 6dbe4a0129 Refactor to allow using seal/unseal without image header. Just pass the public key hint and policy directly. 2023-09-12 12:26:48 +02:00
David Garske 05b83544fb Fixes based on peer review. Add output of signed policy to file (append .sig). Tested successfully with multiple PCRs. In example unlock_disk extend PCR with random value after unseal to prevent unsealing after boot. 2023-09-12 12:26:48 +02:00
David Garske 2349a68e76 Added support for storing sealed blobs into NV. Refactor the TPM signature verify to use existing load public key function and generic verify hash TPM function. Added support for RSA sign with ASN.1 encoding (Example: `SIGN=RSA2048ENC`). 2023-09-12 12:26:48 +02:00
David Garske 490286be7d Support for sealing/unseal a secret based on an externally signed PCR policy. 
* Added new `WOLFBOOT_TPM_SEAL` and `WOLFBOOT_TPM_SEAL_NV_BASE` config options.
* Added new `tools/tpm/policy_create` tool for assisting with creation of a policy digest. The sign keytool `--policy=file` signs the policy.
* Added new `WOLFBOOT_TPM_VERIFY` option to enable offloading of the asymmetric verification to the TPM. By default wolfCrypt will be used.
* Added example seal/unseal to update_flash for ARCH_SIM.
* Renamed `WOLFBOOT_TPM_KEYSTORE_NV_INDEX` to `WOLFBOOT_TPM_KEYSTORE_NV_BASE` to support multiple public keys.
* Refactored most TPM code into tpm.c.
* Refactored the keystore ROT to use new `wolfBoot_check_rot` API.
* Refactored the sign keytool to have a sign_digest function to allow signing firmware and policy for sealing/unsealing.
* Fix for make distclean && make using the wrong key tools.
 2023-09-12 12:26:48 +02:00
David Garske b05c7ab980 Measure wolfBoot, not application. Added TPM docs. 2023-08-17 13:43:58 +02:00