WolfSSL
/
wolfTPM
mirror of https://github.com/wolfSSL/wolfTPM.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Add Infineon firmware update recovery support.

pull/342/head
David Garske 2024-04-05 14:57:09 -07:00
parent 53d8179142
commit 4a2e2506a4
4 changed files with 79 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -874,7 +874,6 @@ Connection: close
* Add support for Endorsement certificates (EK Credential Profile). * Add support for Endorsement certificates (EK Credential Profile).
* Update to v1.59 of specification (adding CertifyX509). * Update to v1.59 of specification (adding CertifyX509).
* Inner wrap support for SensitiveToPrivate. * Inner wrap support for SensitiveToPrivate.
* Firmware upgrade support on TPM's.
* Add support for IRQ (interrupt line) * Add support for IRQ (interrupt line)
## Support ## Support

58
examples/firmware/ifx_fw_update.c
View File

@ -94,35 +94,26 @@ static const char* TPM2_IFX_GetOpModeStr(int opMode)
return opModeStr; return opModeStr;
} }
static int TPM2_IFX_PrintInfo(WOLFTPM2_DEV* dev) static void TPM2_IFX_PrintInfo(WOLFTPM2_CAPS* caps)
{ {
int rc; printf("Mfg %s (%d), Vendor %s, Fw %u.%u (0x%x)\n",
WOLFTPM2_CAPS caps; caps->mfgStr, caps->mfg, caps->vendorStr, caps->fwVerMajor,
rc = wolfTPM2_GetCapabilities(dev, &caps); caps->fwVerMinor, caps->fwVerVendor);
if (rc == TPM_RC_SUCCESS) { printf("Operational mode: %s (0x%x)\n",
printf("Mfg %s (%d), Vendor %s, Fw %u.%u (0x%x)\n", TPM2_IFX_GetOpModeStr(caps->opMode), caps->opMode);
caps.mfgStr, caps.mfg, caps.vendorStr, caps.fwVerMajor, printf("KeyGroupId 0x%x, FwCounter %d (%d same)\n",
caps.fwVerMinor, caps.fwVerVendor); caps->keyGroupId, caps->fwCounter, caps->fwCounterSame);
printf("Operational mode: %s (0x%x)\n",
TPM2_IFX_GetOpModeStr(caps.opMode), caps.opMode);
printf("KeyGroupId 0x%x, FwCounter %d (%d same)\n",
caps.keyGroupId, caps.fwCounter, caps.fwCounterSame);
if (caps.keyGroupId == 0) {
printf("Error getting key group id from TPM!\n");
rc = -1;
}
}
return rc;
} }
int TPM2_IFX_Firmware_Update(void* userCtx, int argc, char *argv[]) int TPM2_IFX_Firmware_Update(void* userCtx, int argc, char *argv[])
{ {
int rc; int rc;
WOLFTPM2_DEV dev; WOLFTPM2_DEV dev;
WOLFTPM2_CAPS caps;
const char* manifest_file = NULL; const char* manifest_file = NULL;
const char* firmware_file = NULL; const char* firmware_file = NULL;
fw_info_t fwinfo; fw_info_t fwinfo;
int abandon = 0; int abandon = 0, recovery = 0;
XMEMSET(&fwinfo, 0, sizeof(fwinfo)); XMEMSET(&fwinfo, 0, sizeof(fwinfo));
@ -156,10 +147,18 @@ int TPM2_IFX_Firmware_Update(void* userCtx, int argc, char *argv[])
goto exit; goto exit;
} }
rc = TPM2_IFX_PrintInfo(&dev); rc = wolfTPM2_GetCapabilities(&dev, &caps);
if (rc != 0) { if (rc != TPM_RC_SUCCESS) {
goto exit; goto exit;
} }
TPM2_IFX_PrintInfo(&caps);
if (caps.keyGroupId == 0) {
printf("Error getting key group id from TPM!\n");
}
if (caps.opMode == 0x02 || (caps.opMode & 0x80)) {
/* if opmode == 2 or 0x8x then we need to use recovery mode */
recovery = 1;
}
if (abandon) { if (abandon) {
printf("Firmware Update Abandon:\n"); printf("Firmware Update Abandon:\n");
@ -188,12 +187,21 @@ int TPM2_IFX_Firmware_Update(void* userCtx, int argc, char *argv[])
&fwinfo.firmware_buf, &fwinfo.firmware_bufSz); &fwinfo.firmware_buf, &fwinfo.firmware_bufSz);
} }
if (rc == 0) { if (rc == 0) {
rc = wolfTPM2_FirmwareUpgrade(&dev, if (recovery) {
fwinfo.manifest_buf, (uint32_t)fwinfo.manifest_bufSz, printf("Firmware Update (recovery mode):\n");
TPM2_IFX_FwData_Cb, &fwinfo); rc = wolfTPM2_FirmwareUpgradeRecover(&dev,
fwinfo.manifest_buf, (uint32_t)fwinfo.manifest_bufSz,
TPM2_IFX_FwData_Cb, &fwinfo);
}
else {
printf("Firmware Update (normal mode):\n");
rc = wolfTPM2_FirmwareUpgrade(&dev,
fwinfo.manifest_buf, (uint32_t)fwinfo.manifest_bufSz,
TPM2_IFX_FwData_Cb, &fwinfo);
}
} }
if (rc == 0) { if (rc == 0) {
rc = TPM2_IFX_PrintInfo(&dev); TPM2_IFX_PrintInfo(&caps);
} }
exit: exit:

54
src/tpm2_wrap.c
View File

@ -7432,18 +7432,13 @@ static int tpm2_ifx_firmware_final(WOLFTPM2_DEV* dev)
return rc; return rc;
} }
int wolfTPM2_FirmwareUpgrade(WOLFTPM2_DEV* dev, int wolfTPM2_FirmwareUpgradeHash(WOLFTPM2_DEV* dev, TPM_ALG_ID hashAlg,
uint8_t* manifest_hash, uint32_t manifest_hash_sz,
uint8_t* manifest, uint32_t manifest_sz, uint8_t* manifest, uint32_t manifest_sz,
wolfTPM2FwDataCb cb, void* cb_ctx) wolfTPM2FwDataCb cb, void* cb_ctx)
{ {
int rc; int rc;
WOLFTPM2_CAPS caps; WOLFTPM2_CAPS caps;
TPM_ALG_ID hashAlg;
uint8_t manifest_hash[TPM_SHA384_DIGEST_SIZE];
uint32_t manifest_hash_sz = (uint32_t)sizeof(manifest_hash);
/* Can use SHA2-384 or SHA2-512 for manifest hash */
hashAlg = TPM_ALG_SHA384;
/* check the operational mode */ /* check the operational mode */
rc = wolfTPM2_GetCapabilities(dev, &caps); rc = wolfTPM2_GetCapabilities(dev, &caps);
@ -7456,16 +7451,12 @@ int wolfTPM2_FirmwareUpgrade(WOLFTPM2_DEV* dev,
return tpm2_ifx_firmware_final(dev); return tpm2_ifx_firmware_final(dev);
} }
} }
if (rc == TPM_RC_SUCCESS && caps.opMode == 0x00) {
if (rc == TPM_RC_SUCCESS) {
/* hash the manifest */
rc = wc_Sha384Hash(manifest, manifest_sz, manifest_hash);
}
if (rc == TPM_RC_SUCCESS) {
rc = tpm2_ifx_firmware_enable_policy(dev); rc = tpm2_ifx_firmware_enable_policy(dev);
} if (rc == TPM_RC_SUCCESS) {
if (rc == TPM_RC_SUCCESS) { rc = tpm2_ifx_firmware_start(dev, hashAlg,
rc = tpm2_ifx_firmware_start(dev, hashAlg, manifest_hash, manifest_hash_sz); manifest_hash, manifest_hash_sz);
}
} }
if (rc == TPM_RC_SUCCESS) { if (rc == TPM_RC_SUCCESS) {
rc = tpm2_ifx_firmware_manifest(dev, manifest, manifest_sz); rc = tpm2_ifx_firmware_manifest(dev, manifest, manifest_sz);
@ -7485,6 +7476,37 @@ int wolfTPM2_FirmwareUpgrade(WOLFTPM2_DEV* dev,
return rc; return rc;
} }
int wolfTPM2_FirmwareUpgrade(WOLFTPM2_DEV* dev,
uint8_t* manifest, uint32_t manifest_sz,
wolfTPM2FwDataCb cb, void* cb_ctx)
{
int rc;
uint8_t manifest_hash[TPM_SHA384_DIGEST_SIZE];
/* hash the manifest */
rc = wc_Sha384Hash(manifest, manifest_sz, manifest_hash);
if (rc == 0) {
rc = wolfTPM2_FirmwareUpgradeHash(dev, TPM_ALG_SHA384,
manifest_hash, (uint32_t)sizeof(manifest_hash),
manifest, manifest_sz, cb, cb_ctx);
}
return rc;
}
int wolfTPM2_FirmwareUpgradeRecover(WOLFTPM2_DEV* dev,
uint8_t* manifest, uint32_t manifest_sz,
wolfTPM2FwDataCb cb, void* cb_ctx)
{
uint8_t manifest_hash[TPM_SHA384_DIGEST_SIZE];
/* recovery mode manifest hash is all 0x3C */
XMEMSET(manifest_hash, 0x3C, sizeof(manifest_hash));
return wolfTPM2_FirmwareUpgradeHash(dev, TPM_ALG_SHA384,
manifest_hash, (uint32_t)sizeof(manifest_hash),
manifest, manifest_sz, cb, cb_ctx);
}
/* terminate a firmware update */ /* terminate a firmware update */
int wolfTPM2_FirmwareUpgradeCancel(WOLFTPM2_DEV* dev) int wolfTPM2_FirmwareUpgradeCancel(WOLFTPM2_DEV* dev)
{ {

8
wolftpm/tpm2_wrap.h
View File

@ -3578,9 +3578,17 @@ WOLFTPM_LOCAL int GetKeyTemplateECC(TPMT_PUBLIC* publicTemplate,
typedef int (*wolfTPM2FwDataCb)( typedef int (*wolfTPM2FwDataCb)(
uint8_t* data, uint32_t data_req_sz, uint32_t offset, void* cb_ctx); uint8_t* data, uint32_t data_req_sz, uint32_t offset, void* cb_ctx);
WOLFTPM_API int wolfTPM2_FirmwareUpgradeHash(WOLFTPM2_DEV* dev,
TPM_ALG_ID hashAlg, /* Can use SHA2-384 or SHA2-512 for manifest hash */
uint8_t* manifest_hash, uint32_t manifest_hash_sz,
uint8_t* manifest, uint32_t manifest_sz,
wolfTPM2FwDataCb cb, void* cb_ctx);
WOLFTPM_API int wolfTPM2_FirmwareUpgrade(WOLFTPM2_DEV* dev, WOLFTPM_API int wolfTPM2_FirmwareUpgrade(WOLFTPM2_DEV* dev,
uint8_t* manifest, uint32_t manifest_sz, uint8_t* manifest, uint32_t manifest_sz,
wolfTPM2FwDataCb cb, void* cb_ctx); wolfTPM2FwDataCb cb, void* cb_ctx);
WOLFTPM_API int wolfTPM2_FirmwareUpgradeRecover(WOLFTPM2_DEV* dev,
uint8_t* manifest, uint32_t manifest_sz,
wolfTPM2FwDataCb cb, void* cb_ctx);
WOLFTPM_API int wolfTPM2_FirmwareUpgradeCancel(WOLFTPM2_DEV* dev); WOLFTPM_API int wolfTPM2_FirmwareUpgradeCancel(WOLFTPM2_DEV* dev);
#endif /* WOLFTPM_FIRMWARE_UPGRADE */ #endif /* WOLFTPM_FIRMWARE_UPGRADE */