Merge pull request #296 from dgarske/secret_seal2

Seal with RSA fix, PCR extend auth and improvements to NVRAM examples
JacobBarthelmeh 2023-09-08 15:27:14 -06:00 committed by GitHub
commit acdbc446d2
9 changed files with 102 additions and 41 deletions


@ -44,8 +44,7 @@ static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/boot/secure_rot [-nvindex] [-write=/-hash=] [-authhex=/-authstr=] [-sha384] [-lock]\n");
printf("* -nvindex=[handle] (default 0x%x)\n",
TPM2_DEMO_NV_SECURE_ROT_INDEX);
printf("* -nvindex=[handle] (default 0x%x)\n", TPM2_DEMO_NV_SECURE_ROT_INDEX);
printf("* -hash=hash: Hex string digest to write\n");
printf("* -write=filename: DER formatted public key to write\n");
printf("* -authstr=password/-authhex=hexstring: Optional password for NV\n");


@ -202,7 +202,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
else if (XSTRNCMP(argv[argc-1], "-unique=", XSTRLEN("-unique=")) == 0) {
uniqueStr = argv[argc-1] + XSTRLEN("-unique=");
}
else {
else if (argv[argc-1][0] == '-') {
printf("Warning: Unrecognized option: %s\n", argv[argc-1]);
}
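Review bot: The new `else if (argv[argc-1][0] == '-')` guard means any argument that does not start with '-' now passes without any feedback, including a mistyped option such as `unique=foo` or a stray positional the example does not consume; keyimport.c and seal.c carry the identical change. That is presumably meant so a positional argument (a filename, if the example accepts one) stops triggering the warning, but the loop is now silent about every other unexpected token. A one-line comment on the new branch would make the intent explicit: `/* non-option args are consumed above; only unknown dash-prefixed options warn */`, hedged because the earlier branches are outside the hunk. The argument loop of TPM2_Keygen_Example starts and ends outside this hunk.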


@ -110,7 +110,7 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
else if (XSTRNCMP(argv[argc-1], "-key=", XSTRLEN("-key=")) == 0) {
impFile = (const char*)(argv[argc-1] + XSTRLEN("-key="));
}
else {
else if (argv[argc-1][0] == '-') {
printf("Warning: Unrecognized option: %s\n", argv[argc-1]);
}


@ -43,7 +43,7 @@
static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/nvram/counter [-nvindex=0x0] [-aes/-xor]\n");
printf("./examples/nvram/counter [-nvindex=] [-aes/-xor]\n");
printf("* -nvindex=[handle] (default 0x%x)\n", TPM2_DEMO_NV_COUNTER_INDEX);
printf("* -aes/xor: Use Parameter Encryption\n");
}
@ -57,6 +57,7 @@ int TPM2_NVRAM_Counter_Example(void* userCtx, int argc, char *argv[])
WOLFTPM2_HANDLE parent;
WOLFTPM2_NV nv;
TPMS_NV_PUBLIC nvPublic;
TPMI_RH_NV_AUTH authHandle = TPM_RH_OWNER; /* or TPM_RH_PLATFORM */
int paramEncAlg = TPM_ALG_NULL;
word32 nvIndex = TPM2_DEMO_NV_COUNTER_INDEX;
@ -73,22 +74,32 @@ int TPM2_NVRAM_Counter_Example(void* userCtx, int argc, char *argv[])
return 0;
}
}
while (argc) {
if (XSTRCMP(argv[argc-1], "-aes") == 0) {
while (argc > 1) {
if (XSTRNCMP(argv[argc-1], "-nvindex=", XSTRLEN("-nvindex=")) == 0) {
const char* nvIndexStr = argv[argc-1] + XSTRLEN("-nvindex=");
nvIndex = (word32)XSTRTOL(nvIndexStr, NULL, 0);
if (!(authHandle == TPM_RH_PLATFORM && (
nvIndex > TPM_20_PLATFORM_MFG_NV_SPACE &&
nvIndex < TPM_20_OWNER_NV_SPACE)) &&
!(authHandle == TPM_RH_OWNER && (
nvIndex > TPM_20_OWNER_NV_SPACE &&
nvIndex < TPM_20_TCG_NV_SPACE)))
{
fprintf(stderr, "Invalid NV Index %s\n", nvIndexStr);
fprintf(stderr, "\tPlatform Range: 0x%x -> 0x%x\n",
TPM_20_PLATFORM_MFG_NV_SPACE, TPM_20_OWNER_NV_SPACE);
fprintf(stderr, "\tOwner Range: 0x%x -> 0x%x\n",
TPM_20_OWNER_NV_SPACE, TPM_20_TCG_NV_SPACE);
usage();
return -1;
}
}
else if (XSTRCMP(argv[argc-1], "-aes") == 0) {
paramEncAlg = TPM_ALG_CFB;
}
else if (XSTRCMP(argv[argc-1], "-xor") == 0) {
paramEncAlg = TPM_ALG_XOR;
}
else if (XSTRNCMP(argv[argc-1], "-nvindex=", XSTRLEN("-nvindex=")) == 0) {
nvIndex = (word32)XSTRTOL(argv[argc-1] + XSTRLEN("-nvindex="),
NULL, 0);
if (nvIndex > TPM_20_OWNER_NV_SPACE &&
nvIndex < TPM_20_TCG_NV_SPACE) {
printf("Invalid NV Index %s\n", argv[argc-1] + 8);
nvIndex = 0;
}
}
else {
printf("Warning: Unrecognized option: %s\n", argv[argc-1]);
}
@ -133,7 +144,7 @@ int TPM2_NVRAM_Counter_Example(void* userCtx, int argc, char *argv[])
word32 nvAttributes;
/* create new NV counter under owner hierarchy */
parent.hndl = TPM_RH_OWNER;
parent.hndl = authHandle;
rc = wolfTPM2_GetNvAttributesTemplate(parent.hndl, &nvAttributes);
if (rc != 0) goto exit;
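Review bot: The new `-nvindex=` parsing at the top of the argument loop passes NULL as the end pointer to XSTRTOL, so trailing junk is accepted: `-nvindex=0x1500000x` parses as 0x1500000 and proceeds, while the range check is the only thing that catches a value that parsed as 0. An end-pointer check separates a syntax error from an out-of-range handle: `char* end = NULL; nvIndex = (word32)XSTRTOL(nvIndexStr, &end, 0); if (end == nvIndexStr || *end != '\0') { fprintf(stderr, "Invalid NV Index %s\n", nvIndexStr); usage(); return -1; }`. Separately, authHandle is initialised to TPM_RH_OWNER and, as far as these hunks show, nothing lets the user change it, so the TPM_RH_PLATFORM half of the condition is dead and the "Platform Range" line in the error output advertises a range the tool will always reject; either add a switch that selects the platform hierarchy or drop that line. The same parsing block is copy-pasted into nvram/read and nvram/store, so any fix should land in one shared helper rather than three places.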


@ -46,7 +46,8 @@
static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/nvram/read [-priv] [-pub] [-aes/-xor]\n");
printf("./examples/nvram/read [-nvindex] [-priv] [-pub] [-aes/-xor]\n");
printf("* -nvindex=[handle] (default 0x%x)\n", TPM2_DEMO_NVRAM_STORE_INDEX);
printf("* -priv: Read ony the private part\n");
printf("* -pub: Read only the public part\n");
printf("* -aes/xor: Use Parameter Encryption\n");
@ -63,12 +64,14 @@ int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[])
WOLFTPM2_NV nv;
TPM2B_AUTH auth;
word32 readSize;
TPMI_RH_NV_AUTH authHandle = TPM_RH_OWNER; /* or TPM_RH_PLATFORM */
int paramEncAlg = TPM_ALG_NULL;
int partialRead = 0;
int offset = 0;
/* Needed for TPM2_ParsePublic */
byte pubAreaBuffer[sizeof(TPM2B_PUBLIC)];
int pubAreaSize;
word32 nvIndex = TPM2_DEMO_NVRAM_STORE_INDEX;
if (argc >= 2) {
if (XSTRCMP(argv[1], "-?") == 0 ||
@ -78,8 +81,27 @@ int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[])
return 0;
}
}
while(argc) {
if (XSTRCMP(argv[argc-1], "-aes") == 0) {
while (argc > 1) {
if (XSTRNCMP(argv[argc-1], "-nvindex=", XSTRLEN("-nvindex=")) == 0) {
const char* nvIndexStr = argv[argc-1] + XSTRLEN("-nvindex=");
nvIndex = (word32)XSTRTOL(nvIndexStr, NULL, 0);
if (!(authHandle == TPM_RH_PLATFORM && (
nvIndex > TPM_20_PLATFORM_MFG_NV_SPACE &&
nvIndex < TPM_20_OWNER_NV_SPACE)) &&
!(authHandle == TPM_RH_OWNER && (
nvIndex > TPM_20_OWNER_NV_SPACE &&
nvIndex < TPM_20_TCG_NV_SPACE)))
{
fprintf(stderr, "Invalid NV Index %s\n", nvIndexStr);
fprintf(stderr, "\tPlatform Range: 0x%x -> 0x%x\n",
TPM_20_PLATFORM_MFG_NV_SPACE, TPM_20_OWNER_NV_SPACE);
fprintf(stderr, "\tOwner Range: 0x%x -> 0x%x\n",
TPM_20_OWNER_NV_SPACE, TPM_20_TCG_NV_SPACE);
usage();
return -1;
}
}
else if (XSTRCMP(argv[argc-1], "-aes") == 0) {
paramEncAlg = TPM_ALG_CFB;
}
else if (XSTRCMP(argv[argc-1], "-xor") == 0) {
@ -137,14 +159,14 @@ int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[])
/* Prepare auth for NV Index */
XMEMSET(&nv, 0, sizeof(nv));
nv.handle.hndl = TPM2_DEMO_NVRAM_STORE_INDEX;
nv.handle.hndl = nvIndex;
nv.handle.auth.size = auth.size;
XMEMCPY(nv.handle.auth.buffer, auth.buffer, auth.size);
if (partialRead != PRIVATE_PART_ONLY) {
readSize = sizeof(keyBlob.pub.size);
printf("Trying to read %d bytes of public key size marker\n", readSize);
rc = wolfTPM2_NVReadAuth(&dev, &nv, TPM2_DEMO_NVRAM_STORE_INDEX,
rc = wolfTPM2_NVReadAuth(&dev, &nv, nvIndex,
(byte*)&keyBlob.pub.size, &readSize, 0);
if (rc != 0) {
printf("Was a public key part written? (see nvram/store)\n");
@ -155,7 +177,7 @@ int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[])
readSize = sizeof(UINT16) + keyBlob.pub.size; /* account for TPM2B size marker */
printf("Trying to read %d bytes of public key part from NV\n", keyBlob.pub.size);
rc = wolfTPM2_NVReadAuth(&dev, &nv, TPM2_DEMO_NVRAM_STORE_INDEX,
rc = wolfTPM2_NVReadAuth(&dev, &nv, nvIndex,
pubAreaBuffer, &readSize, offset);
if (rc != 0) goto exit;
printf("Successfully read public key part from NV\n\n");
@ -177,7 +199,7 @@ int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[])
if (partialRead != PUBLIC_PART_ONLY) {
printf("Trying to read size marker of the private key part from NV\n");
readSize = sizeof(keyBlob.priv.size);
rc = wolfTPM2_NVReadAuth(&dev, &nv, TPM2_DEMO_NVRAM_STORE_INDEX,
rc = wolfTPM2_NVReadAuth(&dev, &nv, nvIndex,
(byte*)&keyBlob.priv.size, &readSize, offset);
if (rc != 0) {
printf("Was a private key part written? (see nvram/store)\n");
@ -188,18 +210,18 @@ int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[])
readSize = keyBlob.priv.size;
printf("Trying to read %d bytes of private key part from NV\n", readSize);
rc = wolfTPM2_NVReadAuth(&dev, &nv, TPM2_DEMO_NVRAM_STORE_INDEX,
rc = wolfTPM2_NVReadAuth(&dev, &nv, nvIndex,
(byte*)&keyBlob.priv.buffer, &readSize, offset);
if (rc != 0) goto exit;
printf("Successfully read private key part from NV\n\n");
}
parent.hndl = TPM_RH_OWNER;
rc = wolfTPM2_NVDeleteAuth(&dev, &parent, TPM2_DEMO_NVRAM_STORE_INDEX);
parent.hndl = authHandle;
rc = wolfTPM2_NVDeleteAuth(&dev, &parent, nvIndex);
if (rc != 0) goto exit;
printf("Extraction of key from NVRAM at index 0x%x succeeded\n" ,
TPM2_DEMO_NVRAM_STORE_INDEX);
printf("Extraction of key from NVRAM at index 0x%x succeeded\n",
nvIndex);
if (!partialRead) {
/* get SRK */
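Review bot: The usage line `./examples/nvram/read [-nvindex] [-priv] [-pub] [-aes/-xor]` spells the option without the `=` that the parser requires, and differs from nvram/counter, which prints `[-nvindex=]`; nvram/store has the same inconsistency. Since this example calls wolfTPM2_NVDeleteAuth on whatever index was read, and that index is now user-supplied, the usage text should also say so, e.g. `printf("* -nvindex=[handle] (default 0x%x, index is deleted after a successful read)\n", TPM2_DEMO_NVRAM_STORE_INDEX);`. The "Extraction ... succeeded" message is the only current hint that the index is gone afterwards.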


@ -46,9 +46,10 @@
static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/nvram/store [filename] [-priv] [-pub] [-aes/-xor]\n");
printf("./examples/nvram/store [filename] [-nvindex] [-priv] [-pub] [-aes/-xor]\n");
printf("* filename: point to a file containing a TPM key\n");
printf("\tDefault filename is \"keyblob.bin\"\n");
printf("* -nvindex=[handle] (default 0x%x)\n", TPM2_DEMO_NVRAM_STORE_INDEX);
printf("* -priv: Store only the private part of the key\n");
printf("* -pub: Store only the public part of the key\n");
printf("* -aes/xor: Use Parameter Encryption\n");
@ -63,6 +64,7 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[])
WOLFTPM2_HANDLE parent;
WOLFTPM2_NV nv;
word32 nvAttributes;
TPMI_RH_NV_AUTH authHandle = TPM_RH_OWNER; /* or TPM_RH_PLATFORM */
const char* filename = "keyblob.bin";
int paramEncAlg = TPM_ALG_NULL;
int partialStore = 0;
@ -70,6 +72,7 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[])
/* Needed for TPM2_AppendPublic */
byte pubAreaBuffer[sizeof(TPM2B_PUBLIC)];
int pubAreaSize;
word32 nvIndex = TPM2_DEMO_NVRAM_STORE_INDEX;
if (argc >= 2) {
if (XSTRCMP(argv[1], "-?") == 0 ||
@ -83,7 +86,26 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[])
}
}
while (argc > 1) {
if (XSTRCMP(argv[argc-1], "-aes") == 0) {
if (XSTRNCMP(argv[argc-1], "-nvindex=", XSTRLEN("-nvindex=")) == 0) {
const char* nvIndexStr = argv[argc-1] + XSTRLEN("-nvindex=");
nvIndex = (word32)XSTRTOL(nvIndexStr, NULL, 0);
if (!(authHandle == TPM_RH_PLATFORM && (
nvIndex > TPM_20_PLATFORM_MFG_NV_SPACE &&
nvIndex < TPM_20_OWNER_NV_SPACE)) &&
!(authHandle == TPM_RH_OWNER && (
nvIndex > TPM_20_OWNER_NV_SPACE &&
nvIndex < TPM_20_TCG_NV_SPACE)))
{
fprintf(stderr, "Invalid NV Index %s\n", nvIndexStr);
fprintf(stderr, "\tPlatform Range: 0x%x -> 0x%x\n",
TPM_20_PLATFORM_MFG_NV_SPACE, TPM_20_OWNER_NV_SPACE);
fprintf(stderr, "\tOwner Range: 0x%x -> 0x%x\n",
TPM_20_OWNER_NV_SPACE, TPM_20_TCG_NV_SPACE);
usage();
return -1;
}
}
else if (XSTRCMP(argv[argc-1], "-aes") == 0) {
paramEncAlg = TPM_ALG_CFB;
}
else if (XSTRCMP(argv[argc-1], "-xor") == 0) {
@ -138,21 +160,21 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[])
if (rc != 0) goto exit;
/* Prepare NV_AUTHWRITE and NV_AUTHREAD attributes necessary for password */
parent.hndl = TPM_RH_OWNER;
parent.hndl = authHandle;
rc = wolfTPM2_GetNvAttributesTemplate(parent.hndl, &nvAttributes);
if (rc != 0) goto exit;
/* Our wolfTPM2 wrapper for NV_Define */
rc = wolfTPM2_NVCreateAuth(&dev, &parent, &nv, TPM2_DEMO_NVRAM_STORE_INDEX,
rc = wolfTPM2_NVCreateAuth(&dev, &parent, &nv, nvIndex,
nvAttributes, TPM2_DEMO_NV_TEST_SIZE, (byte*)gNvAuth, sizeof(gNvAuth)-1);
if (rc != 0 && rc != TPM_RC_NV_DEFINED) goto exit;
printf("Storing key at TPM NV index 0x%x with password protection\n\n",
TPM2_DEMO_NVRAM_STORE_INDEX);
nvIndex);
if (partialStore != PRIVATE_PART_ONLY) {
printf("Public part = %hu bytes\n", keyBlob.pub.size);
rc = wolfTPM2_NVWriteAuth(&dev, &nv, TPM2_DEMO_NVRAM_STORE_INDEX,
rc = wolfTPM2_NVWriteAuth(&dev, &nv, nvIndex,
(byte*)&keyBlob.pub.size, sizeof(keyBlob.pub.size), 0);
if (rc != 0) goto exit;
printf("Stored 2-byte size marker before the private part\n");
@ -172,7 +194,7 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[])
}
/* The buffer holds pub.publicArea and also pub.size(UINT16) */
rc = wolfTPM2_NVWriteAuth(&dev, &nv, TPM2_DEMO_NVRAM_STORE_INDEX,
rc = wolfTPM2_NVWriteAuth(&dev, &nv, nvIndex,
pubAreaBuffer, sizeof(UINT16) + keyBlob.pub.size, offset);
if (rc != 0) goto exit;
printf("NV write of public part succeeded\n\n");
@ -184,13 +206,13 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[])
}
if (partialStore != PUBLIC_PART_ONLY) {
printf("Private part = %d bytes\n", keyBlob.priv.size);
rc = wolfTPM2_NVWriteAuth(&dev, &nv, TPM2_DEMO_NVRAM_STORE_INDEX,
rc = wolfTPM2_NVWriteAuth(&dev, &nv, nvIndex,
(byte*)&keyBlob.priv.size, sizeof(keyBlob.priv.size), offset);
if (rc != 0) goto exit;
printf("Stored 2-byte size marker before the private part\n");
offset += sizeof(keyBlob.priv.size);
rc = wolfTPM2_NVWriteAuth(&dev, &nv, TPM2_DEMO_NVRAM_STORE_INDEX,
rc = wolfTPM2_NVWriteAuth(&dev, &nv, nvIndex,
keyBlob.priv.buffer, keyBlob.priv.size, offset);
if (rc != 0) goto exit;
printf("NV write of private part succeeded\n\n");


@ -82,7 +82,7 @@ int TPM2_Seal_Example(void* userCtx, int argc, char *argv[])
else if (XSTRCMP(argv[argc-1], "-xor") == 0) {
paramEncAlg = TPM_ALG_XOR;
}
else {
else if (argv[argc-1][0] == '-') {
printf("Warning: Unrecognized option: %s\n", argv[argc-1]);
}
argc--;


@ -5587,7 +5587,6 @@ void TPM2_SetupPCRSelArray(TPML_PCR_SELECTION* pcr, TPM_ALG_ID alg,
byte* pcrArray, word32 pcrArraySz)
{
int i;
for (i = 0; i < (int)pcrArraySz; i++) {
TPM2_SetupPCRSel(pcr, alg, (int)pcrArray[i]);
}


@ -2156,7 +2156,8 @@ int wolfTPM2_LoadRsaPublicKey_ex(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
XMEMSET(&pub, 0, sizeof(pub));
pub.publicArea.type = TPM_ALG_RSA;
pub.publicArea.nameAlg = TPM_ALG_NULL;
/* make sure nameAlg is set for ticket */
pub.publicArea.nameAlg = WOLFTPM2_WRAP_DIGEST;
pub.publicArea.objectAttributes = (TPMA_OBJECT_sign | TPMA_OBJECT_decrypt |
TPMA_OBJECT_userWithAuth | TPMA_OBJECT_noDA | TPMA_OBJECT_stClear);
pub.publicArea.parameters.rsaDetail.symmetric.algorithm = TPM_ALG_NULL;
@ -2311,6 +2312,7 @@ int wolfTPM2_LoadEccPublicKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key, int curveId,
XMEMSET(&pub, 0, sizeof(pub));
pub.publicArea.type = TPM_ALG_ECC;
/* make sure nameAlg is set for ticket */
pub.publicArea.nameAlg = WOLFTPM2_WRAP_DIGEST;
pub.publicArea.objectAttributes = TPMA_OBJECT_sign | TPMA_OBJECT_noDA;
pub.publicArea.parameters.eccDetail.symmetric.algorithm = TPM_ALG_NULL;
@ -3890,6 +3892,7 @@ int wolfTPM2_ResetPCR(WOLFTPM2_DEV* dev, int pcrIndex)
return rc;
}
/* TODO: Version that can read up to 8 PCR's at a time */
int wolfTPM2_ReadPCR(WOLFTPM2_DEV* dev, int pcrIndex, int hashAlg, byte* digest,
int* pDigestLen)
{
@ -3942,6 +3945,11 @@ int wolfTPM2_ExtendPCR(WOLFTPM2_DEV* dev, int pcrIndex, int hashAlg,
return BAD_FUNC_ARG;
}
/* set session auth to blank */
if (dev->ctx.session) {
wolfTPM2_SetAuthPassword(dev, 0, NULL);
}
XMEMSET(&pcrExtend, 0, sizeof(pcrExtend));
pcrExtend.pcrHandle = pcrIndex;
pcrExtend.digests.count = 1;
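Review bot: The new `wolfTPM2_SetAuthPassword(dev, 0, NULL)` call in wolfTPM2_ExtendPCR silently overwrites the caller's session slot 0 and discards the call's result; a caller that set a key's auth into slot 0 before extending will find it cleared afterwards, and if the reset reports an error the extend still proceeds with whatever auth is in place. If the helper returns a status, it should be checked in the function's existing error style before the XMEMSET, e.g. `if (wolfTPM2_SetAuthPassword(dev, 0, NULL) != 0) return BAD_FUNC_ARG;` with the appropriate code, hedged because the function's start and its rc handling are outside the hunk. The side effect belongs in the function's header comment as well: `/* Clears the auth in session slot 0 before the extend; callers must re-set it afterwards if they need it */`. The nameAlg changes in wolfTPM2_LoadRsaPublicKey_ex and wolfTPM2_LoadEccPublicKey already carry a why-comment and need nothing further.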