WolfSSL
/
wolfTPM
mirror of https://github.com/wolfSSL/wolfTPM.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Fixes for attestation with endorsement key. Enable the broken endorsement tests.

pull/320/head
David Garske 2023-12-29 09:27:21 -08:00
parent 4c753683c2
commit 93a2493dbf
8 changed files with 158 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
README.md
View File

@ -791,9 +791,10 @@ Connection: close
## Todo ## Todo
* Key Generation and Attestation examples using endorsement hierarchy "-eh" are broken. * Add support for Endorsement certificates (EK Credential Profile).
* Update to v1.59 of specification (adding CertifyX509) * Update to v1.59 of specification (adding CertifyX509).
* Inner wrap support for SensitiveToPrivate. * Inner wrap support for SensitiveToPrivate.
* Firmware upgrade support on TPM's.
## Support ## Support

47
examples/attestation/activate_credential.c
View File

@ -44,6 +44,7 @@ static void usage(void)
printf("Expected usage:\n"); printf("Expected usage:\n");
printf("./examples/attestation/activate_credential [cred.blob] [-eh]\n"); printf("./examples/attestation/activate_credential [cred.blob] [-eh]\n");
printf("* cred.blob is a input file holding the generated credential.\n"); printf("* cred.blob is a input file holding the generated credential.\n");
printf("* -eh: Use the EK public key to encrypt the challenge\n");
printf("Demo usage without parameters, uses \"cred.blob\" filename.\n"); printf("Demo usage without parameters, uses \"cred.blob\" filename.\n");
} }
@ -64,14 +65,8 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
const char *input = "cred.blob"; const char *input = "cred.blob";
const char *keyblob = "keyblob.bin"; const char *keyblob = "keyblob.bin";
union { ActivateCredential_In activCredIn;
ActivateCredential_In activCred; ActivateCredential_Out activCredOut;
byte maxInput[MAX_COMMAND_SIZE];
} cmdIn;
union {
ActivateCredential_Out activCred;
byte maxOutput[MAX_RESPONSE_SIZE];
} cmdOut;
if (argc == 1) { if (argc == 1) {
printf("Using default values\n"); printf("Using default values\n");
@ -157,9 +152,13 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
/* Set the created Policy Session for use in next operation */ /* Set the created Policy Session for use in next operation */
rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, 0); rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, 0);
if (rc != 0) goto exit; if (rc != 0) goto exit;
/* Set the name for the endorsement handle */
rc = wolfTPM2_SetAuthHandleName(&dev, 1, &endorse.handle);
if (rc != 0) goto exit;
} }
else { else {
wolfTPM2_SetAuthHandle(&dev, 1, &storage.handle); rc = wolfTPM2_SetAuthHandle(&dev, 1, &storage.handle);
if (rc != 0) goto exit;
} }
/* Prepare the auth password for the Attestation Key */ /* Prepare the auth password for the Attestation Key */
@ -169,19 +168,19 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
wolfTPM2_SetAuthHandle(&dev, 0, &akKey.handle); wolfTPM2_SetAuthHandle(&dev, 0, &akKey.handle);
/* Prepare the Activate Credential command */ /* Prepare the Activate Credential command */
XMEMSET(&cmdIn.activCred, 0, sizeof(cmdIn.activCred)); XMEMSET(&activCredIn, 0, sizeof(activCredIn));
XMEMSET(&cmdOut.activCred, 0, sizeof(cmdOut.activCred)); XMEMSET(&activCredOut, 0, sizeof(activCredOut));
cmdIn.activCred.activateHandle = akKey.handle.hndl; activCredIn.activateHandle = akKey.handle.hndl;
cmdIn.activCred.keyHandle = primary->handle.hndl; activCredIn.keyHandle = primary->handle.hndl;
/* Read credential from the user file */ /* Read credential from the user file */
#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
fp = XFOPEN(input, "rb"); fp = XFOPEN(input, "rb");
if (fp != XBADFILE) { if (fp != XBADFILE) {
dataSize = (int)XFREAD((BYTE*)&cmdIn.activCred.credentialBlob, 1, dataSize = (int)XFREAD((BYTE*)&activCredIn.credentialBlob, 1,
sizeof(cmdIn.activCred.credentialBlob), fp); sizeof(activCredIn.credentialBlob), fp);
if (dataSize > 0) { if (dataSize > 0) {
dataSize += (int)XFREAD((BYTE*)&cmdIn.activCred.secret, 1, dataSize += (int)XFREAD((BYTE*)&activCredIn.secret, 1,
sizeof(cmdIn.activCred.secret), fp); sizeof(activCredIn.secret), fp);
} }
XFCLOSE(fp); XFCLOSE(fp);
} }
@ -192,18 +191,28 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
goto exit; goto exit;
#endif #endif
/* All required data to verify the credential is prepared */ /* All required data to verify the credential is prepared */
rc = TPM2_ActivateCredential(&cmdIn.activCred, &cmdOut.activCred); rc = TPM2_ActivateCredential(&activCredIn, &activCredOut);
if (rc != TPM_RC_SUCCESS) { if (rc != TPM_RC_SUCCESS) {
printf("TPM2_ActivateCredentials failed 0x%x: %s\n", rc, printf("TPM2_ActivateCredential failed 0x%x: %s\n", rc,
TPM2_GetRCString(rc)); TPM2_GetRCString(rc));
goto exit; goto exit;
} }
printf("TPM2_ActivateCredential success\n"); printf("TPM2_ActivateCredential success\n");
if (endorseKey) {
/* The policy session is closed after use.
* Reset handle, so we don't try and free it */
tpmSession.handle.hndl = TPM_RH_NULL;
}
printf("Secret: %d\n", activCredOut.certInfo.size);
TPM2_PrintBin(activCredOut.certInfo.buffer,
activCredOut.certInfo.size);
exit: exit:
wolfTPM2_UnloadHandle(&dev, &primary->handle); wolfTPM2_UnloadHandle(&dev, &primary->handle);
wolfTPM2_UnloadHandle(&dev, &akKey.handle); wolfTPM2_UnloadHandle(&dev, &akKey.handle);
wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
wolfTPM2_Cleanup(&dev); wolfTPM2_Cleanup(&dev);
exit_badargs: exit_badargs:

66
examples/attestation/make_credential.c
View File

@ -68,16 +68,10 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
const char *srkPubFile = "srk.pub"; const char *srkPubFile = "srk.pub";
const char *pubFilename = NULL; const char *pubFilename = NULL;
union { MakeCredential_In makeCredIn;
MakeCredential_In makeCred; MakeCredential_Out makeCredOut;
LoadExternal_In loadExtIn; LoadExternal_In loadExtIn;
byte maxInput[MAX_COMMAND_SIZE];
} cmdIn;
union {
MakeCredential_Out makeCred;
LoadExternal_Out loadExtOut; LoadExternal_Out loadExtOut;
byte maxOutput[MAX_RESPONSE_SIZE];
} cmdOut;
if (argc == 1) { if (argc == 1) {
printf("Using public key from SRK to create the challenge\n"); printf("Using public key from SRK to create the challenge\n");
@ -100,12 +94,6 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
goto exit_badargs; goto exit_badargs;
} }
XMEMSET(&name, 0, sizeof(name));
XMEMSET(&cmdIn.makeCred, 0, sizeof(cmdIn.makeCred));
XMEMSET(&cmdOut.makeCred, 0, sizeof(cmdOut.makeCred));
XMEMSET(&cmdIn.loadExtIn, 0, sizeof(cmdIn.loadExtIn));
XMEMSET(&cmdOut.loadExtOut, 0, sizeof(cmdOut.loadExtOut));
printf("Demo how to create a credential challenge for remote attestation\n"); printf("Demo how to create a credential challenge for remote attestation\n");
printf("Credential will be stored in %s\n", output); printf("Credential will be stored in %s\n", output);
@ -125,24 +113,26 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
} }
rc = readKeyBlob(pubFilename, &primary); rc = readKeyBlob(pubFilename, &primary);
if (rc != 0) { if (rc != 0) {
printf("Failure to load %s\n", pubFilename); printf("Failure to read %s\n", pubFilename);
goto exit; goto exit;
} }
/* Prepare the key for use by the TPM */ /* Prepare the key for use by the TPM */
XMEMCPY(&cmdIn.loadExtIn.inPublic, &primary.pub, XMEMSET(&loadExtIn, 0, sizeof(loadExtIn));
sizeof(cmdIn.loadExtIn.inPublic)); XMEMSET(&loadExtOut, 0, sizeof(loadExtOut));
cmdIn.loadExtIn.hierarchy = TPM_RH_NULL; XMEMCPY(&loadExtIn.inPublic, &primary.pub, sizeof(loadExtIn.inPublic));
rc = TPM2_LoadExternal(&cmdIn.loadExtIn, &cmdOut.loadExtOut); loadExtIn.hierarchy = TPM_RH_NULL;
rc = TPM2_LoadExternal(&loadExtIn, &loadExtOut);
if (rc != TPM_RC_SUCCESS) { if (rc != TPM_RC_SUCCESS) {
printf("TPM2_LoadExternal: failed %d: %s\n", rc, printf("TPM2_LoadExternal: failed %d: %s\n", rc,
wolfTPM2_GetRCString(rc)); wolfTPM2_GetRCString(rc));
return rc; return rc;
} }
printf("Public key for encryption loaded\n"); printf("Public key for encryption loaded\n");
handle.hndl = cmdOut.loadExtOut.objectHandle; handle.hndl = loadExtOut.objectHandle;
#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
/* Load AK Name digest */ /* Load AK Name digest */
XMEMSET(&name, 0, sizeof(name));
fp = XFOPEN("ak.name", "rb"); fp = XFOPEN("ak.name", "rb");
if (fp != XBADFILE) { if (fp != XBADFILE) {
size_t nameReadSz = XFREAD((BYTE*)&name, 1, sizeof(name), fp); size_t nameReadSz = XFREAD((BYTE*)&name, 1, sizeof(name), fp);
@ -153,31 +143,37 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
#endif #endif
/* Create secret for the attestation server */ /* Create secret for the attestation server */
cmdIn.makeCred.credential.size = CRED_SECRET_SIZE; XMEMSET(&makeCredIn, 0, sizeof(makeCredIn));
wolfTPM2_GetRandom(&dev, cmdIn.makeCred.credential.buffer, XMEMSET(&makeCredOut, 0, sizeof(makeCredOut));
cmdIn.makeCred.credential.size); makeCredIn.credential.size = CRED_SECRET_SIZE;
/* Prepare the AK name */ wolfTPM2_GetRandom(&dev, makeCredIn.credential.buffer,
cmdIn.makeCred.objectName.size = name.size; makeCredIn.credential.size);
XMEMCPY(cmdIn.makeCred.objectName.name, name.name, /* Set the object name */
cmdIn.makeCred.objectName.size); makeCredIn.objectName.size = name.size;
XMEMCPY(makeCredIn.objectName.name, name.name,
makeCredIn.objectName.size);
/* Set TPM key and execute */ /* Set TPM key and execute */
cmdIn.makeCred.handle = handle.hndl; makeCredIn.handle = handle.hndl;
rc = TPM2_MakeCredential(&cmdIn.makeCred, &cmdOut.makeCred); rc = TPM2_MakeCredential(&makeCredIn, &makeCredOut);
if (rc != TPM_RC_SUCCESS) { if (rc != TPM_RC_SUCCESS) {
printf("TPM2_MakeCredentials failed 0x%x: %s\n", rc, printf("TPM2_MakeCredential failed 0x%x: %s\n", rc,
TPM2_GetRCString(rc)); TPM2_GetRCString(rc));
goto exit; goto exit;
} }
printf("TPM2_MakeCredential success\n"); printf("TPM2_MakeCredential success\n");
printf("Secret: %d\n", makeCredIn.credential.size);
TPM2_PrintBin(makeCredIn.credential.buffer,
makeCredIn.credential.size);
#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
fp = XFOPEN(output, "wb"); fp = XFOPEN(output, "wb");
if (fp != XBADFILE) { if (fp != XBADFILE) {
dataSize = (int)XFWRITE((BYTE*)&cmdOut.makeCred.credentialBlob, 1, dataSize = (int)XFWRITE((BYTE*)&makeCredOut.credentialBlob, 1,
sizeof(cmdOut.makeCred.credentialBlob), fp); sizeof(makeCredOut.credentialBlob), fp);
if (dataSize > 0) { if (dataSize > 0) {
dataSize += (int)XFWRITE((BYTE*)&cmdOut.makeCred.secret, 1, dataSize += (int)XFWRITE((BYTE*)&makeCredOut.secret, 1,
sizeof(cmdOut.makeCred.secret), fp); sizeof(makeCredOut.secret), fp);
} }
XFCLOSE(fp); XFCLOSE(fp);
} }

33
examples/keygen/keygen.c
View File

@ -141,7 +141,6 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_RSA) #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_RSA)
const char *pemFilename = NULL; const char *pemFilename = NULL;
#endif #endif
FILE *fp;
#endif #endif
size_t len = 0; size_t len = 0;
char symMode[] = "aesctr"; char symMode[] = "aesctr";
@ -251,20 +250,26 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
rc = wolfTPM2_StartSession(&dev, &tpmSession, primary, NULL, rc = wolfTPM2_StartSession(&dev, &tpmSession, primary, NULL,
TPM_SE_HMAC, paramEncAlg); TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit; if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", printf("HMAC Session: Handle 0x%x\n",
(word32)tpmSession.handle.hndl); (word32)tpmSession.handle.hndl);
/* set session for authorization of the primary key */ /* set session for authorization of the primary key */
rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession)); (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt |
TPMA_SESSION_continueSession));
if (rc != 0) goto exit; if (rc != 0) goto exit;
} }
if (endorseKey) { if (endorseKey) {
/* Endorsement Key requires authorization with Policy */ /* Endorsement Key requires authorization with Policy */
wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession); rc = wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession);
if (rc != 0) goto exit;
printf("EK Policy Session: Handle 0x%x\n",
(word32)tpmSession.handle.hndl);
/* Set the created Policy Session for use in next operation */ /* Set the created Policy Session for use in next operation */
wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0); rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0);
if (rc != 0) goto exit;
} }
/* Create new key */ /* Create new key */
@ -285,6 +290,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
else { else {
rc = BAD_FUNC_ARG; rc = BAD_FUNC_ARG;
} }
if (rc != 0) goto exit;
/* set session for authorization key */ /* set session for authorization key */
auth.size = (int)sizeof(gAiKeyAuth)-1; auth.size = (int)sizeof(gAiKeyAuth)-1;
@ -341,11 +347,25 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
printf("wolfTPM2_CreateKey failed\n"); printf("wolfTPM2_CreateKey failed\n");
goto exit; goto exit;
} }
if (endorseKey) {
/* Endorsement policy session is closed after use, so start another */
rc = wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession);
if (rc == 0) {
rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0);
}
if (rc != 0) goto exit;
}
rc = wolfTPM2_LoadKey(&dev, &newKeyBlob, &primary->handle); rc = wolfTPM2_LoadKey(&dev, &newKeyBlob, &primary->handle);
if (rc != TPM_RC_SUCCESS) { if (rc != TPM_RC_SUCCESS) {
printf("wolfTPM2_LoadKey failed\n"); printf("wolfTPM2_LoadKey failed\n");
goto exit; goto exit;
} }
if (endorseKey) {
/* The policy session is closed after use.
* Reset handle, so we don't try and free it */
tpmSession.handle.hndl = TPM_RH_NULL;
}
printf("New key created and loaded (pub %d, priv %d bytes)\n", printf("New key created and loaded (pub %d, priv %d bytes)\n",
newKeyBlob.pub.size, newKeyBlob.priv.size); newKeyBlob.pub.size, newKeyBlob.priv.size);
@ -420,10 +440,7 @@ exit:
/* Close handles */ /* Close handles */
wolfTPM2_UnloadHandle(&dev, &primary->handle); wolfTPM2_UnloadHandle(&dev, &primary->handle);
wolfTPM2_UnloadHandle(&dev, &newKeyBlob.handle); wolfTPM2_UnloadHandle(&dev, &newKeyBlob.handle);
/* EK policy is destroyed after use, flush parameter encryption session */
if (paramEncAlg != TPM_ALG_NULL && !endorseKey) {
wolfTPM2_UnloadHandle(&dev, &tpmSession.handle); wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
}
wolfTPM2_Cleanup(&dev); wolfTPM2_Cleanup(&dev);
return rc; return rc;

50
examples/run_examples.sh
View File

@ -99,9 +99,22 @@ RESULT=$?
rm -f keyedhashblob.bin rm -f keyedhashblob.bin
[ $RESULT -ne 0 ] && echo -e "keygen keyed hash load failed! $RESULT" && exit 1 [ $RESULT -ne 0 ] && echo -e "keygen keyed hash load failed! $RESULT" && exit 1
# KeyGen Endorsement with Policy Secret if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
# TODO Fix: (TPM2_Create TPM_RC_AUTH_UNAVAILABLE) # KeyGen under Endorsement
#./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh >> run.out ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1
./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa failed! $RESULT" && exit 1
./examples/keygen/keygen ecckeyblobeh.bin -ecc -eh >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1
./examples/keygen/keyload ecckeyblobeh.bin -ecc -eh >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1
fi
# NV Tests # NV Tests
@ -190,12 +203,14 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
echo -e "TLS test (TPM as client) $1 $2" echo -e "TLS test (TPM as client) $1 $2"
generate_port generate_port
pushd $WOLFSSL_PATH >> run.out pushd $WOLFSSL_PATH >> run.out
echo -e "./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem"
./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out & ./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out &
RESULT=$? RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1 [ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1
popd >> run.out popd >> run.out
sleep 0.1 sleep 0.1
echo -e "./examples/tls/tls_client -p=$port -$1 $2"
./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out ./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out
RESULT=$? RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1 [ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1
@ -268,15 +283,33 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
[ $RESULT -ne 0 ] && echo -e "signed_timestamp ecc param enc failed! $RESULT" && exit 1 [ $RESULT -ne 0 ] && echo -e "signed_timestamp ecc param enc failed! $RESULT" && exit 1
fi fi
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/keygen/keygen keyblob.bin -rsa >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keygen rsa failed! $RESULT" && exit 1
./examples/attestation/make_credential >> run.out ./examples/attestation/make_credential >> run.out
RESULT=$? RESULT=$?
[ $RESULT -ne 0 ] && echo -e "make_credential failed! $RESULT" && exit 1 [ $RESULT -ne 0 ] && echo -e "make_credential failed! $RESULT" && exit 1
# TODO: Requires keygen -ek to be working ./examples/attestation/activate_credential >> run.out
#./examples/attestation/make_credential -eh >> run.out RESULT=$?
# TODO: Test broken (TPM2_ActivateCredentials TPM_RC_INTEGRITY) [ $RESULT -ne 0 ] && echo -e "activate_credential failed! $RESULT" && exit 1
#./examples/attestation/activate_credential >> run.out
#./examples/attestation/activate_credential -eh >> run.out
# Endorsement hierarchy
./examples/keygen/keygen keyblob.bin -rsa -eh >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keygen rsa endorsement failed! $RESULT" && exit 1
./examples/attestation/make_credential -eh >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "make_credential endorsement failed! $RESULT" && exit 1
./examples/attestation/activate_credential -eh >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "activate_credential endorsement failed! $RESULT" && exit 1
rm -f cred.blob
rm -f ek.pub
rm -f srk.pub
rm -f ak.name
fi
# PCR Quote Tests # PCR Quote Tests
echo -e "PCR Quote tests" echo -e "PCR Quote tests"
@ -457,6 +490,7 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
rm -f aaa.bin rm -f aaa.bin
fi fi
rm -f keyblob.bin
echo -e "Success!" echo -e "Success!"
exit 0 exit 0

6
src/tpm2_packet.c
View File

@ -330,6 +330,12 @@ int TPM2_GetCmdAuthCount(TPM2_CTX* ctx, const CmdInfo_t* info)
(sessionAttributes & TPMA_SESSION_audit)) (sessionAttributes & TPMA_SESSION_audit))
authSessCount++; authSessCount++;
} }
/* Allow policy auth */
else if (authReq && TPM2_IS_POLICY_SESSION(sessionHandle) &&
sessionAttributes == 0) {
authSessCount++;
}
else if (!authReq) { else if (!authReq) {
/* we cannot accept further authentications */ /* we cannot accept further authentications */
break; break;

21
src/tpm2_wrap.c
View File

@ -822,11 +822,18 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
{ {
const TPM2B_AUTH* auth = NULL; const TPM2B_AUTH* auth = NULL;
const TPM2B_NAME* name = NULL; const TPM2B_NAME* name = NULL;
/* don't set auth for policy session */ if (dev == NULL || index >= MAX_SESSION_NUM) {
if (dev->ctx.session == NULL || handle->policyAuth) { return BAD_FUNC_ARG;
return 0;
} }
if (handle) { if (handle) {
/* don't set auth for policy session, just name */
if (handle->policyAuth) {
TPM2_AUTH_SESSION* session = &dev->session[index];
session->name.size = handle->name.size;
XMEMCPY(session->name.name, handle->name.name, handle->name.size);
return TPM_RC_SUCCESS;
}
auth = &handle->auth; auth = &handle->auth;
name = &handle->name; name = &handle->name;
} }
@ -892,12 +899,14 @@ int wolfTPM2_SetAuthSession(WOLFTPM2_DEV* dev, int index,
XMEMCPY(session->nonceTPM.buffer, tpmSession->nonceTPM.buffer, XMEMCPY(session->nonceTPM.buffer, tpmSession->nonceTPM.buffer,
session->nonceTPM.size); session->nonceTPM.size);
/* Parameter Encryption session will have an hmac added later. /* Parameter Encryption or Policy session will have an HMAC added later.
* Reserve space, the same way it was done for nonceCaller above. * Reserve space, the same way it was done for nonceCaller above.
*/ */
if (session->sessionHandle != TPM_RS_PW && if ((session->sessionHandle != TPM_RS_PW &&
((session->sessionAttributes & TPMA_SESSION_encrypt) || ((session->sessionAttributes & TPMA_SESSION_encrypt) ||
(session->sessionAttributes & TPMA_SESSION_decrypt))) { (session->sessionAttributes & TPMA_SESSION_decrypt)))
|| TPM2_IS_POLICY_SESSION(session->sessionHandle))
{
session->auth.size = TPM2_GetHashDigestSize(session->authHash); session->auth.size = TPM2_GetHashDigestSize(session->authHash);
} }
} }

2
wolftpm/tpm2.h
View File

@ -1640,7 +1640,7 @@ typedef struct TPM2_AUTH_SESSION {
#define TPM_20_NV_INDEX_EK_NONCE (TPM_20_PLATFORM_MFG_NV_SPACE + 3) #define TPM_20_NV_INDEX_EK_NONCE (TPM_20_PLATFORM_MFG_NV_SPACE + 3)
#define TPM_20_NV_INDEX_EK_TEMPLATE (TPM_20_PLATFORM_MFG_NV_SPACE + 4) #define TPM_20_NV_INDEX_EK_TEMPLATE (TPM_20_PLATFORM_MFG_NV_SPACE + 4)
/* Predetermined TPM 2.0 Endorsement policy auth template */ /* Predetermined TPM 2.0 Endorsement policy auth template for SHA2-256 */
static const BYTE TPM_20_EK_AUTH_POLICY[] = { static const BYTE TPM_20_EK_AUTH_POLICY[] = {
0x83, 0x71, 0x97, 0x67, 0x44, 0x84, 0xb3, 0xf8, 0x1a, 0x90, 0xcc, 0x83, 0x71, 0x97, 0x67, 0x44, 0x84, 0xb3, 0xf8, 0x1a, 0x90, 0xcc,
0x8d, 0x46, 0xa5, 0xd7, 0x24, 0xfd, 0x52, 0xd7, 0x6e, 0x06, 0x52, 0x8d, 0x46, 0xa5, 0xd7, 0x24, 0xfd, 0x52, 0xd7, 0x6e, 0x06, 0x52,