Improvements/fixes to NV auth and session auth set/unset:

* Fix bug with NV name after first write (only appears when using HMAC session).
* Add new API `wolfTPM2_UnsetAuthSession` to unset auth index for a session and save off the nonce from the TPM. This allows auth to be unset/set again with the same session.
* Clean up the NV APIs so that unsetting the auth is handled by the caller, not inside the API.
David Garske 2023-09-15 12:19:17 -07:00
parent 312f104850
commit 96cd17af1d
9 changed files with 67 additions and 14 deletions


@ -228,6 +228,7 @@ int TPM2_Boot_SecureROT_Example(void* userCtx, int argc, char *argv[])
printf("Warning: NV Index 0x%x already exists!\n", nvIndex);
rc = 0;
}
wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle);
}
if (rc == 0) {
/* Write digest to NV */
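Review bot: The return value of the added `wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle);` is discarded, so if the call fails the example carries on into the NV write with whatever auth was previously in slot 0 instead of reporting the error; `rc = wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle);` would let the existing `if (rc == 0)` on the next line catch it. The same unchecked call is added in the GPIO, NVRAM counter, PolicyNV, NVRAM store and wrapper-test sections below, each of which already uses `if (rc != 0) goto exit;` on neighbouring calls and could check this one the same way. TPM2_Boot_SecureROT_Example begins and ends outside the hunk.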


@ -240,6 +240,7 @@ int TPM2_GPIO_Config_Example(void* userCtx, int argc, char *argv[])
printf("Creating NV Index for GPIO acccess failed\n");
goto exit;
}
wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle);
printf("NV Index for GPIO access created\n");
/* GPIO configured as an input, requires an extra configuration step */
@ -413,9 +414,10 @@ int TPM2_GPIO_Config_Example(void* userCtx, int argc, char *argv[])
rc = wolfTPM2_NVCreateAuth(&dev, &parent, &nv, nvIndex, nvAttributes,
sizeof(BYTE), (byte*)gNvAuth, sizeof(gNvAuth)-1);
if (rc != 0 && rc != TPM_RC_NV_DEFINED) {
printf("Creating NV Index for GPIO acccess failed\n");
printf("Creating NV Index for GPIO access failed\n");
goto exit;
}
wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle);
printf("NV Index for GPIO access created\n");
(void)gpioInput; /* not used */


@ -156,6 +156,8 @@ int TPM2_NVRAM_Counter_Example(void* userCtx, int argc, char *argv[])
nvAttributes, 8, (byte*)gNvAuth, sizeof(gNvAuth)-1);
if (rc != 0) goto exit;
wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle);
rc = wolfTPM2_NVReadPublic(&dev, nvIndex, &nvPublic);
}
if (rc != TPM_RC_SUCCESS) {


@ -186,6 +186,8 @@ int TPM2_NVRAM_PolicyNV_Example(void* userCtx, int argc, char *argv[])
nvAttributes, (word32)bufLen, auth.buffer, auth.size);
if (rc != 0 && rc != TPM_RC_NV_DEFINED) goto exit;
wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle);
printf("Storing data at TPM NV index 0x%x with password protection\n\n",
nvIndex);


@ -216,6 +216,10 @@ int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[])
printf("Successfully read private key part from NV\n\n");
}
/* auth 0 is owner, no auth */
wolfTPM2_SetAuthPassword(&dev, 0, NULL);
wolfTPM2_UnsetAuth(&dev, 1);
parent.hndl = authHandle;
rc = wolfTPM2_NVDeleteAuth(&dev, &parent, nvIndex);
if (rc != 0) goto exit;
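Review bot: The added `wolfTPM2_UnsetAuth(&dev, 1);` carries no comment explaining why slot 1 is cleared here, while the password reset directly above it is documented; since this commit removes the unconditional slot clearing from wolfTPM2_NVDeleteAuth, the caller now owns that step and the call site should say so, e.g. `/* clear slot 1 (presumably the NV auth used by the read above); NVDeleteAuth no longer clears extra slots */`. Its return value is also ignored, unlike the NVDeleteAuth call two lines below. TPM2_NVRAM_Read_Example continues outside the hunk.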


@ -169,6 +169,8 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[])
nvAttributes, TPM2_DEMO_NV_TEST_SIZE, (byte*)gNvAuth, sizeof(gNvAuth)-1);
if (rc != 0 && rc != TPM_RC_NV_DEFINED) goto exit;
wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle);
printf("Storing key at TPM NV index 0x%x with password protection\n\n",
nvIndex);


@ -710,6 +710,8 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
nvAttributes, TPM2_DEMO_NV_TEST_SIZE, (byte*)gNvAuth, sizeof(gNvAuth)-1);
if (rc != 0 && rc != TPM_RC_NV_DEFINED) goto exit;
wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle);
message.size = TPM2_DEMO_NV_TEST_SIZE; /* test message 0x11,0x11,etc */
XMEMSET(message.buffer, 0x11, message.size);
rc = wolfTPM2_NVWriteAuth(&dev, &nv, TPM2_DEMO_NV_TEST_AUTH_INDEX,


@ -752,6 +752,26 @@ int wolfTPM2_UnsetAuth(WOLFTPM2_DEV* dev, int index)
return TPM2_SetSessionAuth(dev->session);
}
int wolfTPM2_UnsetAuthSession(WOLFTPM2_DEV* dev, int index,
WOLFTPM2_SESSION* tpmSession)
{
TPM2_AUTH_SESSION* devSession;
if (dev == NULL || tpmSession == NULL ||
index >= MAX_SESSION_NUM || index < 0) {
return BAD_FUNC_ARG;
}
devSession = &dev->session[index];
/* save off nonce from TPM to support continued use of session */
XMEMCPY(&tpmSession->nonceTPM, &devSession->nonceTPM, sizeof(TPM2B_NONCE));
XMEMSET(devSession, 0, sizeof(TPM2_AUTH_SESSION));
return TPM2_SetSessionAuth(dev->session);
}
int wolfTPM2_SetAuth(WOLFTPM2_DEV* dev, int index,
TPM_HANDLE sessionHandle, const TPM2B_AUTH* auth,
TPMA_SESSION sessionAttributes, const TPM2B_NAME* name)
@ -4056,9 +4076,6 @@ int wolfTPM2_NVCreateAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
if (rctmp != TPM_RC_SUCCESS)
rc = rctmp;
/* make sure auth not set */
wolfTPM2_UnsetAuth(dev, 1);
#ifdef DEBUG_WOLFTPM
printf("TPM2_NV_DefineSpace: Auth 0x%x, Idx 0x%x, Attribs 0x%d, Size %d\n",
(word32)in.authHandle,
@ -4137,6 +4154,14 @@ int wolfTPM2_NVWriteAuth(WOLFTPM2_DEV* dev, WOLFTPM2_NV* nv,
return rc;
}
/* if this is the first write to NV then the NV_WRITTEN bit will get set
* and name needs re-computed */
if (pos == 0) {
/* read public and re-compute name */
rc = wolfTPM2_NVOpen(dev, nv, nv->handle.hndl, NULL, 0);
if (rc != 0) break;
}
#ifdef DEBUG_WOLFTPM
printf("TPM2_NV_Write: Auth 0x%x, Idx 0x%x, Offset %d, Size %d\n",
(word32)in.authHandle, (word32)in.nvIndex,
@ -4341,10 +4366,9 @@ int wolfTPM2_NVIncrement(WOLFTPM2_DEV* dev, WOLFTPM2_NV* nv)
if (rc != TPM_RC_SUCCESS) { return rc; }
}
/* make sure auth not set */
wolfTPM2_UnsetAuth(dev, 1);
/* Necessary, because NVRead has two handles, second is NV Index */
rc = wolfTPM2_SetAuthHandleName(dev, 0, &nv->handle);
rc |= wolfTPM2_SetAuthHandleName(dev, 1, &nv->handle);
if (rc != TPM_RC_SUCCESS) {
#ifdef DEBUG_WOLFTPM
printf("Setting NV index name failed\n");
@ -4390,10 +4414,9 @@ int wolfTPM2_NVWriteLock(WOLFTPM2_DEV* dev, WOLFTPM2_NV* nv)
}
}
/* make sure auth not set */
wolfTPM2_UnsetAuth(dev, 1);
/* Necessary, because NVRead has two handles, second is NV Index */
rc = wolfTPM2_SetAuthHandleName(dev, 0, &nv->handle);
rc |= wolfTPM2_SetAuthHandleName(dev, 1, &nv->handle);
if (rc != TPM_RC_SUCCESS) {
#ifdef DEBUG_WOLFTPM
printf("Setting NV index name failed\n");
@ -4421,10 +4444,6 @@ int wolfTPM2_NVDeleteAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
if (dev->ctx.session) {
rc = wolfTPM2_SetAuthHandle(dev, 0, parent);
if (rc != TPM_RC_SUCCESS) { return rc; }
/* Make sure no other auth sessions exist */
(void)wolfTPM2_UnsetAuth(dev, 1);
(void)wolfTPM2_UnsetAuth(dev, 2);
}
XMEMSET(&in, 0, sizeof(in));
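Review bot: wolfTPM2_UnsetAuthSession copies the nonce out of `dev->session[index]` without confirming that this slot actually holds `tpmSession`, so a caller passing the wrong index, or an index that was never set, silently overwrites `tpmSession->nonceTPM` with an unrelated or all-zero nonce and the failure only surfaces later when the session is re-set and the HMAC no longer verifies. A guard before the XMEMCPY, `if (devSession->sessionHandle != tpmSession->handle.hndl) { return BAD_FUNC_ARG; }`, would turn the mismatch into an immediate argument error (this assumes the slot's handle field is `sessionHandle`, as in TPM2_AUTH_SESSION; adjust to the actual field name). The zeroing itself is fine, but note it discards everything in the slot, not only the nonce, which the caller-facing documentation should state.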


@ -367,6 +367,25 @@ WOLFTPM_API int wolfTPM2_GetCapabilities(WOLFTPM2_DEV* dev, WOLFTPM2_CAPS* caps)
*/
WOLFTPM_API int wolfTPM2_UnsetAuth(WOLFTPM2_DEV* dev, int index);
/*!
\ingroup wolfTPM2_Wrappers
\brief Clears one of the TPM Authorization session slots, pointed by its index
number and saves the nonce from the TPM so the session can continue to be used
again with wolfTPM2_SetAuthSession
\return TPM_RC_SUCCESS: successful
\return TPM_RC_FAILURE: unable to get lock on the TPM2 Context
\return BAD_FUNC_ARG: check the provided arguments
\param dev pointer to a TPM2_DEV struct
\param index integer value, specifying the TPM Authorization slot, between zero and three
\param session pointer to a WOLFTPM2_SESSION struct used with wolfTPM2_StartSession and wolfTPM2_SetAuthSession
\sa wolfTPM2_StartSession
\sa wolfTPM2_SetAuthSession
*/
WOLFTPM_API int wolfTPM2_UnsetAuthSession(WOLFTPM2_DEV* dev, int index, WOLFTPM2_SESSION* session);
/*!
\ingroup wolfTPM2_Wrappers
\brief Sets a TPM Authorization slot using the provided index, session handle, attributes and auth
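Review bot: The new doc block for wolfTPM2_UnsetAuthSession does not say that the slot is cleared entirely (the implementation zeroes the whole TPM2_AUTH_SESSION entry, not just the nonce) nor that `index` must be the slot this `session` was previously set into, which is the precondition for the saved nonce to be meaningful; a sentence after the \brief such as `The slot is cleared entirely; index must be the slot this session was set into with wolfTPM2_SetAuthSession.` would cover both. The `\param index` text says "between zero and three" while the implementation bounds it by MAX_SESSION_NUM; naming the macro keeps the two from drifting apart. The doc comment for wolfTPM2_SetAuth at the end of the hunk continues outside it.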