WolfSSL
/
wolfTPM
mirror of https://github.com/wolfSSL/wolfTPM.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Documentation and code cleanups. Enhanced pcr/quote example to use the existing SRK. Added "-?" help usage on PCR examples. Switched to atoi. Fixed .am issue in TLS example cause make dist to break. Added include of new files for make dist.

pull/107/head
David Garske 2020-07-23 09:46:06 -07:00
parent ebbb158959
commit b78e93f9ca
11 changed files with 193 additions and 106 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -25,7 +25,7 @@ Portable TPM 2.0 project designed for embedded use.
* TLS Server
* Benchmarking TPM algorithms and TLS
Note: See `examples/README.md` for details on using the examples.
Note: See [examples/README.md](examples/README.md) for details on using the examples.
## TPM 2.0 Overview

15
examples/README.md
View File

@ -24,9 +24,9 @@ Demonstrates calling the wolfTPM2_* wrapper API's.
### TPM signed timestamp, TPM2.0 GetTime
Demonstrates creation of Attestation Identity Keys(AIK) and the generation of TPM signed timestamp that can be later used as protected report of the current system uptime.
Demonstrates creation of Attestation Identity Keys (AIK) and the generation of TPM signed timestamp that can be later used as protected report of the current system uptime.
This example demonstrates the use of authSession(authorization Session) and policySession(Policy authorization) to enable the Endorsement Hierarchy necessary for creating AIK. Then, the AIK is used to issue a TPM2_GetTime command using the wolfTPM2 native API. This provides us with TPM generated and signed timestamp that can be used as a system report of its uptime.
This example demonstrates the use of `authSession` (authorization Session) and `policySession` (Policy authorization) to enable the Endorsement Hierarchy necessary for creating AIK. The AIK is used to issue a `TPM2_GetTime` command using the TPM 2.0 native API. This provides a TPM generated and signed timestamp that can be used as a system report of its uptime.
`./examples/timestamp/signed_timestamp`
@ -34,12 +34,13 @@ This example demonstrates the use of authSession(authorization Session) and poli
Demonstrates the generation of TPM2.0 Quote used for attestation of the system state by putting PCR value(s) in a TPM signed structure.
More information about how to test and use PCR attestation can be found in the in README file located in the `pcr` folder of the example.
More information about how to test and use PCR attestation can be found in the in [examples/pcr/README.md](./examples/pcr/README.md).
`./examples/pcr/quote`
`./examples/pcr/extend`
`./examples/pcr/reset`
## CSR
Generates a Certificate Signing Request for building a certificate based on a TPM key pair.
@ -84,7 +85,7 @@ The TLS example uses TPM based ECDHE (ECC Ephemeral key) support. It can be disa
To force ECC use with wolfSSL when RSA is enabled define `TLS_USE_ECC`.
To use symmetric AES/Hashing/Hmac with the TPM define `WOLFTPM_USE_SYMMETRIC`.
To use symmetric AES/Hashing/HMAC with the TPM define `WOLFTPM_USE_SYMMETRIC`.
Generation of the Client and Server Certificates requires running:
1. `./examples/csr/csr`
@ -98,7 +99,7 @@ Generation of the Client and Server Certificates requires running:
Examples show using a TPM key and certificate for TLS mutual authentication (client authentication).
This example client connects to localhost on on port 11111 by default. These can be overriden using `TLS_HOST` and `TLS_PORT`.
This example client connects to localhost on on port 11111 by default. These can be overridden using `TLS_HOST` and `TLS_PORT`.
You can validate using the wolfSSL example server this like:
`./examples/server/server -b -p 11111 -g -d`
@ -109,7 +110,7 @@ or
`./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem`
Then run the wolfTPM TLS client example:
`./examples/tls/tls_client`.
`./examples/tls/tls_client`
### TLS Server
@ -133,7 +134,7 @@ or
Or using your browser: `https://localhost:11111`
With browsers you will get certificate warnings until you load the test CA's `./certs/ca-rsa-cert.pem` and `./certs/ca-ecc-cert.pem` into your OS key store.
For testing most browsers have a way to continue to the site anyways to bypass the warning.
For testing most browsers have a way to continue to the site anyways to bypass the warning.
## Benchmark

115
examples/pcr/README.md
View File

@ -1,47 +1,96 @@
# Quote & Attestation Demo
This folder contains examples for performing local attestation. You will learn how to measure a system file using wolfTPM and then generate a TPM2.0 Quote as proof for that measurement. Find technology introduction below.
This folder contains examples for performing local attestation. You will learn how to measure a system file using wolfTPM and then generate a TPM 2.0 Quote as proof for that measurement. See [Technology Introduction](## Technology introduction) below.
## List of examples
The `./examples/pcr/` folder contains three tools for working with Platform Configuration Registers(PCR) and a demo script. It is recommended to build wolfTPM with debug output enabled using `./configure --enable-devtpm --enable-debug` before `make`. After sucesssfully building wolfTPM, simply launch the `./examples/pcr/demo.sh` script.
The `./examples/pcr/` folder contains tools for working with Platform Configuration Registers (PCR). It is recommended to build wolfTPM with debug output enabled using `./configure --enable-debug` before `make` to see more logging output. There are example scripts to show using these PCR examples.
Examples:
* `./examples/pcr/reset`: Used to clear the content of a PCR (restrictions apply, see below)
* `./examples/pcr/extend`: Used to modify the content of a PCR (extend is a cryptographic operation, see below)
* `./examples/pcr/quote`: Used to generate a TPM2.0 Quote structure containing the PCR digest and TPM-generated signature
Scripts:
* `./examples/pcr/reset` - use to clear the content of a PCR (restrictions apply, see below)
* `./examples/pcr/extend` - use to modify the content of a PCR (extend is a cryptographic operation, see below)
* `./examples/pcr/quote` - use to generate a TPM2.0 Quote structure containing the PCR digest and TPM-generated signature
* `./examples/pcr/demo.sh` - script demonstrating the tools above
* `./examples/pcr/demo-quote-zip.sh` - script demonstrating how using the tools above a system file can be measured and a TPM-signed proof with that measurement generated
## Technology introduction
### Platform Configuration Registers(PCR)
### Platform Configuration Registers (PCR)
PCRs in TPM2.0 are special registers that allow only one type of write operations to be performed on them. This is the `TPM2_Extend` cryptographic operation that preserves the old value of the PCR and combines it with newly provided hash digest. Doing so the PCR does not allow tampering of its content and provides reproducibility.
PCRs in TPM2.0 are special registers that allow only one type of write operations to be performed on them. A TPM 2.0 extend operation is the only way to update a PCR.
At power-up, the TPM resets all PCRs to their default state(all zeros or all ones, depending on the PCR). From this state, the TPM could generate the same PCR value only if the PCR is extended with the same hash digest. In case of multiple values(multiple extend operations), the values must be supplied in the correct order, otherwise the final PCR value would differ.
At power-up, the TPM resets all PCRs to their default state (all zeros or all ones, depending on the PCR). From this state, the TPM can generate the same PCR value only if the PCR is extended with the same hash digest. In case of multiple values(multiple extend operations), the values must be supplied in the correct order, otherwise the final PCR value would differ.
For example, doing a measured boot under Linux would generate the same PCR digest, if the kernel is the same at every boot. However, loading the same (A)Linux kernel, (B)initrd image and (C)configuration file would generate the same PCR digest only when the order of extend operations is consistent(for example, A-B-C). It does not matter which extend operation is first or last as long as the order is kept the same(for example, C-B-A would result in a reproducible digest, but it would differ from the A-B-C digest).
### Quote
Quote is a standard TPM2.0 operation that encapsulates the PCR digest in a TCG defined structure called TPMS_ATTEST together with TPM signature. The signature is produced from a TPM generated key called Attestation Identity Key(AIK) that only the TPM can use. This provides guarantee for the source of the Quote and PCR digest. Together, the Quote and PCR provide the means for system measurement and integrity.
For example, doing a measured boot under Linux would generate the same PCR digest, if the kernel is the same at every boot. However, loading the same (A) Linux kernel, (B) initrd image and (C) configuration file would generate the same PCR digest only when the order of extend operations is consistent (for example, A-B-C). It does not matter which extend operation is first or last as long as the order is kept the same. For example, C-B-A would result in a reproducible digest, but it would differ from the A-B-C digest.
### Reset
Not all PCRs are equal. The user can perform `extend` operation on all PCRs, but the user can `reset` only on one of them during normal runtime. This is what makes PCRs so useful.
* PCR0-15 are reset at boot and can be cleared again(reset) only from reboot cycle.
* PCR16 is a PCR for debug purposes. This is the PCR used by all tools above by default. It is safe to test and work with PCR16.
* PCR17-22 are reserved for Dynamic Root of Trust Measurement (DRTM), an advanced topic that is to be covered separately.
* PCR17-22 are reserved for Dynamic Root of Trust Measurement(DRTM), an advanced topic that is to be covered separately.
### Extend
The TPM 2.0 `TPM2_Extend` API uses a SHA1 or SHA256 cryptographic operation to combine the current value of the PCR and with newly provided hash digest.
### Quote
The TPM 2.0 `TPM2_Quote` API is a standard operation that encapsulates the PCR digest in a TCG defined structure called `TPMS_ATTEST` together with TPM signature. The signature is produced from a TPM generated key called Attestation Identity Key (AIK) that only the TPM can use. This provides guarantee for the source of the Quote and PCR digest. Together, the Quote and PCR provide the means for system measurement and integrity.
## Example Usage
### Reset Example Usage
```sh
$ ./examples/pcr/reset -?
PCR index is out of range (0-23)
Expected usage:
./examples/pcr/reset [pcr]
* pcr is a PCR index between 0-23 (default 16)
Demo usage without parameters, resets PCR16.
```
### Extend Example Usage
```sh
$ ./examples/pcr/extend -?
Incorrect arguments
Expected usage:
./examples/pcr/extend [pcr] [filename]
* pcr is a PCR index between 0-23 (default 16)
* filename points to file(data) to measure
If wolfTPM is built with --disable-wolfcrypt the file
must contain SHA256 digest ready for extend operation.
Otherwise, the extend tool computes the hash using wolfcrypt.
Demo usage without parameters, extends PCR16 with known hash.
```
### Quote Example Usage
```sh
$ ./examples/pcr/quote -?
Incorrect arguments
Expected usage:
./examples/pcr/quote [pcr] [filename]
* pcr is a PCR index between 0-23 (default 16)
* filename for saving the TPMS_ATTEST structure to a file
Demo usage without parameters, generates quote over PCR16 and
saves the output TPMS_ATTEST structure to "quote.blob" file.
```
## Typical demo output
All pcr examples can be used without arguments. This is the output of the `demo.sh` script:
All PCR examples can be used without arguments. This is the output of the `./examples/pcr/demo.sh` script:
```
~/wolfTPM$ sudo ./examples/pcr/reset
```sh
$ ./examples/pcr/reset
Demo how to reset a PCR (clear the PCR value)
wolfTPM2_Init: success
Trying to reset PCR16...
@ -53,8 +102,8 @@ PCR16 digest:
As expected, the PCR16 content is now set back to all zeroes. From this moment on we can generate predictable PCR digests(values) for system measurement. Similar to using PCR7 after boot, because PCR7 is reset at system boot. Using PCR16 allows us to skip system reboots and test safely.
```
~/wolfTPM$ sudo ./examples/pcr/extend
```sh
$ ./examples/pcr/extend
Demo how to extend data into a PCR (TPM2.0 measurement)
wolfTPM2_Init: success
Hash to be used for measurement:
@ -65,10 +114,10 @@ PCR16 digest:
8c 7a 3b a2 6f 97 6e 8e cb be 7a 53 69 18 dc 73 | .z;.o.n...zSi..s
```
Based on the old content of the PCR(all zeros) and the provided hash(SHA256 32-byte digest), the PCR gets its new value printed at the end of the `extend` example. This value will always be the same, if `reset` is launched before `extend`. To pass custom hash digest, the `extend` tool accepts PCR index as first argument(recommended to use 16 for PCR16) and user file as second argument.
Based on the old content of the PCR (all zeros) and the provided hash (SHA256 32-byte digest), the PCR gets its new value printed at the end of the `extend` example. This value will always be the same, if `reset` is launched before `extend`. To pass custom hash digest, the `extend` tool accepts PCR index as first argument(recommended to use 16 for PCR16) and user file as second argument.
```
~/wolfTPM$ sudo ./examples/pcr/quote
```sh
$ ./examples/pcr/quote
Demo of generating signed PCR measurement (TPM2.0 Quote)
wolfTPM2_Init: success
TPM2_CreatePrimary: 0x80000000 (314 bytes)
@ -108,21 +157,22 @@ Before producing a TPM-signed structure containing the PCR measurement, the quot
## Steps for measuring a system file (performing local attestation)
A system administrator wants to make sure the zip tool of an user is geniune(legitimate software, correct version and has not been tampred with). To do this, the SysAdmin resets PCR16 and can afterwards generate a PCR digest based on the zip binary that can be used for future references if the file has been modified.
A system administrator wants to make sure the zip tool of an user is genuine (legitimate software, correct version and has not been tampered with). To do this, the SysAdmin resets PCR16 and can afterwards generate a PCR digest based on the zip binary that can be used for future references if the file has been modified.
This is the output from `./examples/pcr/demo-quote-zip.sh` script.
```
~/wolfTPM$ sudo ./examples/pcr/reset
```sh
$ ./examples/pcr/reset 16
...
Trying to reset PCR16...
TPM2_PCR_Reset success
...
```
This is a good known initial state of the PCR. By using the `extend` tool the SysAdmin feeds the `/usr/bin/zip` binary to Wolfcrypt for SHA256 hash computation, which then is used by wolfTPM to issue a TPM2_Extend operation in PCR16.
This is a good known initial state of the PCR. By using the `extend` tool the SysAdmin feeds the `/usr/bin/zip` binary to wolfCrypt for SHA256 hash computation, which then is used by wolfTPM to issue a `TPM2_Extend` operation in PCR16.
```
~/wolfTPM$ sudo ./examples/pcr/extend 16 /usr/bin/zip
```sh
$ ./examples/pcr/extend 16 /usr/bin/zip
...
TPM2_PCR_Extend success
PCR16 digest:
@ -132,8 +182,8 @@ PCR16 digest:
Once the extend operation is finished, the SysAdmin wants to create a TPM2.0 Quote as proof of the measurement in PCR16.
```
~/wolfTPM$ sudo ./examples/pcr/quote 16 zip.quote
```sh
$ ./examples/pcr/quote 16 zip.quote
...
TPM2_Quote: success
TPM with signature attests (type 0x8018):
@ -141,5 +191,4 @@ TPM with signature attests (type 0x8018):
...
```
The result of the TPM2.0 Quote operation is saved in the `zip.quote` binary file. The TPMS_ATTEST structure of TPM2.0 Quote contains also useful clock and time information. For more about the TPM time attestation please check the `./examples/timestamp/signed_timestamp` example.
The result of the TPM2.0 Quote operation is saved in the `zip.quote` binary file. The `TPMS_ATTEST` structure of TPM 2.0 Quote contains also useful clock and time information. For more about the TPM time attestation please check the `./examples/timestamp/signed_timestamp` example.

2
examples/pcr/demo-quote-zip.sh
View File

@ -4,7 +4,7 @@ echo "wolfTPM Quote & Attestation demo"
echo
echo "Starting from a known PCR state"
./examples/pcr/reset
./examples/pcr/reset 16
echo
echo "Extending with precalculated hash value"

41
examples/pcr/extend.c 100644 → 100755
View File

@ -32,7 +32,7 @@
#include <examples/tpm_test.h>
#include <stdio.h>
#include <stdlib.h> /* strtol */
#include <stdlib.h> /* atoi */
/******************************************************************************/
@ -43,17 +43,19 @@ static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/pcr/extend [pcr] [filename]\n");
printf("* pcr is a PCR index between 0-23 (default 16)\n");
printf("* pcr is a PCR index between 0-23 (default %d)\n", TPM2_TEST_PCR);
printf("* filename points to file(data) to measure\n");
printf("\tIf wolfTPM is built with --disable-wolfcrypt the file\n"
"\tmust contain SHA256 digest ready for extend operation.\n"
"\tOtherwise, the extend tool computes the hash using wolfcrypt.\n");
printf("Demo usage without parameters, extends PCR16 with known hash.\n");
printf("Demo usage without parameters, extends PCR%d with known hash.\n",
TPM2_TEST_PCR);
}
int TPM2_Extend_Test(void* userCtx, int argc, char *argv[])
{
int i, pcrIndex, len, rc = -1;
int i, pcrIndex, rc = -1;
size_t len;
WOLFTPM2_DEV dev;
/* Arbitrary user data provided through a file */
const char *filename = NULL;
@ -64,6 +66,8 @@ int TPM2_Extend_Test(void* userCtx, int argc, char *argv[])
BYTE dataBuffer[1024];
Sha256 sha256;
#endif
TPM_HANDLE sessionHandle = TPM_RH_NULL;
TPMS_AUTH_COMMAND session[MAX_SESSION_NUM];
union {
#ifdef DEBUG_WOLFTPM
@ -80,27 +84,24 @@ int TPM2_Extend_Test(void* userCtx, int argc, char *argv[])
} cmdOut;
#endif
TPM_HANDLE sessionHandle = TPM_RH_NULL;
TPMS_AUTH_COMMAND session[MAX_SESSION_NUM];
if(argc == 3) {
pcrIndex = strtol(argv[1], NULL, 10);
if(pcrIndex < 0 || pcrIndex > 23) {
printf("PCR index is out of range(0-23)\n");
if (argc == 3) {
pcrIndex = atoi(argv[1]);
if (pcrIndex < 0 || pcrIndex > 23 || *argv[1] < '0' || *argv[1] > '9') {
printf("PCR index is out of range (0-23)\n");
usage();
goto exit_badargs;
}
filename = argv[2];
dataFile = fopen(filename, "rb");
if(dataFile == NULL) {
if (dataFile == NULL) {
printf("Error opening file %s\n", filename);
usage();
goto exit_badargs;
}
}
else if(argc == 1) {
pcrIndex = 16; /* PCR16 is for DEBUG purposes, thus safe to use */
else if (argc == 1) {
pcrIndex = TPM2_TEST_PCR;
}
else {
printf("Incorrect arguments\n");
@ -129,7 +130,7 @@ int TPM2_Extend_Test(void* userCtx, int argc, char *argv[])
cmdIn.pcrExtend.digests.count = 1;
cmdIn.pcrExtend.digests.digests[0].hashAlg = TPM_ALG_SHA256;
/* Prepare the hash from user file or predefined value */
if(dataFile == NULL) {
if (dataFile == NULL) {
for (i=0; i<TPM_SHA256_DIGEST_SIZE; i++) {
cmdIn.pcrExtend.digests.digests[0].digest.H[i] = i;
}
@ -137,10 +138,10 @@ int TPM2_Extend_Test(void* userCtx, int argc, char *argv[])
else {
#ifndef WOLFTPM2_NO_WOLFCRYPT
wc_InitSha256(&sha256);
while(!feof(dataFile)) {
while (!feof(dataFile)) {
len = fread(dataBuffer, 1, sizeof(dataBuffer), dataFile);
if(len) {
wc_Sha256Update(&sha256, dataBuffer, len);
if (len) {
wc_Sha256Update(&sha256, dataBuffer, (int)len);
}
}
wc_Sha256Final(&sha256, hash);
@ -155,7 +156,7 @@ int TPM2_Extend_Test(void* userCtx, int argc, char *argv[])
hash, TPM_SHA256_DIGEST_SIZE);
}
printf("Hash to be used for measurement:\n");
for(i=0; i < TPM_SHA256_DIGEST_SIZE; i++)
for (i=0; i < TPM_SHA256_DIGEST_SIZE; i++)
printf("%02X", cmdIn.pcrExtend.digests.digests[0].digest.H[i]);
printf("\n");

6
examples/pcr/include.am
View File

@ -6,7 +6,6 @@ noinst_PROGRAMS += examples/pcr/quote \
examples/pcr/extend \
examples/pcr/reset
noinst_HEADERS += examples/pcr/quote.h \
examples/pcr/extend.h \
examples/pcr/reset.h
@ -30,6 +29,11 @@ endif
dist_example_DATA+= examples/pcr/quote.c \
examples/pcr/extend.c \
examples/pcr/reset.c
DISTCLEANFILES+= examples/pcr/.libs/quote \
examples/pcr/.libs/extend \
examples/pcr/.libs/reset
EXTRA_DIST+= examples/pcr/README.md \
examples/pcr/demo.sh \
examples/pcr/demo-quote-zip.sh

83
examples/pcr/quote.c 100644 → 100755
View File

@ -30,7 +30,7 @@
#include <examples/tpm_test.h>
#include <stdio.h>
#include <stdlib.h> /* strtol */
#include <stdlib.h> /* atoi */
const char defaultFilename[] = "quote.blob\0";
@ -42,10 +42,11 @@ static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/pcr/quote [pcr] [filename]\n");
printf("* pcr is a PCR index between 0-23 (default 16)\n");
printf("* pcr is a PCR index between 0-23 (default %d)\n", TPM2_TEST_PCR);
printf("* filename for saving the TPMS_ATTEST structure to a file\n");
printf("Demo usage without parameters, generates quote over PCR16 and\n"
"saves the output TPMS_ATTEST structure to \"quote.blob\" file.\n");
printf("Demo usage without parameters, generates quote over PCR%d and\n"
"saves the output TPMS_ATTEST structure to \"quote.blob\" file.\n",
TPM2_TEST_PCR);
}
int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
@ -56,6 +57,14 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
FILE *quoteBlob = NULL;
WOLFTPM2_DEV dev;
TPMS_ATTEST attestedData;
TPM_HANDLE sessionHandle = TPM_RH_NULL;
WOLFTPM2_KEY endorse; /* EK */
WOLFTPM2_KEY storage; /* SRK */
WOLFTPM2_KEY rsaKey; /* AIK */
TPMS_AUTH_COMMAND session[MAX_SESSION_NUM];
union {
Quote_In quoteAsk;
@ -74,31 +83,21 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
byte maxOutput[MAX_RESPONSE_SIZE];
} cmdOut;
TPM_HANDLE sessionHandle = TPM_RH_NULL;
WOLFTPM2_KEY endorse; /* EK */
WOLFTPM2_KEY storage; /* SRK */
WOLFTPM2_KEY rsaKey; /* AIK */
const byte storagePwd[] = "WolfTPMpassword";
const byte usageAuth[] = "ThisIsASecretUsageAuth";
TPMS_AUTH_COMMAND session[MAX_SESSION_NUM];
XMEMSET(&endorse, 0, sizeof(endorse));
XMEMSET(&storage, 0, sizeof(storage));
XMEMSET(&rsaKey, 0, sizeof(rsaKey));
if (argc == 1) {
/* Demo usage */
pcrIndex = 16; /* PCR16 is for DEBUG purposes, thus safe to use */
pcrIndex = TPM2_TEST_PCR;
filename = defaultFilename;
}
else if (argc == 3) {
/* Advanced usage */
pcrIndex = strtol(argv[1], NULL, 10);
if (pcrIndex < 0 || pcrIndex > 23) {
printf("PCR index is out of range(0-23)\n");
pcrIndex = atoi(argv[1]);
if (pcrIndex < 0 || pcrIndex > 23 || *argv[1] < '0' || *argv[1] > '9') {
printf("PCR index is out of range (0-23)\n");
usage();
goto exit_badargs;
}
@ -144,9 +143,39 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
(word32)endorse.handle.hndl, endorse.pub.size);
/* Create Storage Key, also called SRK */
rc = wolfTPM2_CreateSRK(&dev, &storage, TPM_ALG_RSA, storagePwd,
sizeof(storagePwd)-1);
/* Create RSA Storage Key, also called SRK */
/* See if SRK already exists */
rc = wolfTPM2_ReadPublicKey(&dev, &storage, TPM2_DEMO_STORAGE_KEY_HANDLE);
#ifdef TEST_WRAP_DELETE_KEY
if (rc == 0) {
storage.handle.hndl = TPM2_DEMO_STORAGE_KEY_HANDLE;
rc = wolfTPM2_NVDeleteKey(&dev, TPM_RH_OWNER, &storage);
if (rc != 0) goto exit;
rc = TPM_RC_HANDLE; /* mark handle as missing */
}
#endif
if (rc != 0) {
/* Create primary storage key (RSA) */
rc = wolfTPM2_CreateSRK(&dev, &storage, TPM_ALG_RSA,
(byte*)gStorageKeyAuth, sizeof(gStorageKeyAuth)-1);
/* Move storage key into persistent NV */
rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &storage,
TPM2_DEMO_STORAGE_KEY_HANDLE);
if (rc != 0) {
wolfTPM2_UnloadHandle(&dev, &storage.handle);
goto exit;
}
printf("Created new RSA Primary Storage Key at 0x%x\n",
TPM2_DEMO_STORAGE_KEY_HANDLE);
}
else {
/* specify auth password for storage key */
storage.handle.auth.size = sizeof(gStorageKeyAuth)-1;
XMEMCPY(storage.handle.auth.buffer, gStorageKeyAuth,
storage.handle.auth.size);
}
if (rc != TPM_RC_SUCCESS) {
printf("wolfTPM2_CreateSRK: Storage failed 0x%x: %s\n", rc,
TPM2_GetRCString(rc));
@ -182,13 +211,13 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
/* set session auth for storage key */
session[0].auth.size = sizeof(storagePwd)-1;
XMEMCPY(session[0].auth.buffer, storagePwd, session[0].auth.size);
session[0].auth.size = sizeof(gStorageKeyAuth)-1;
XMEMCPY(session[0].auth.buffer, gStorageKeyAuth, session[0].auth.size);
/* Create an RSA key for Attestation purposes */
rc = wolfTPM2_CreateAndLoadAIK(&dev, &rsaKey, TPM_ALG_RSA, &storage,
usageAuth, sizeof(usageAuth)-1);
(const byte*)gUsageAuth, sizeof(gUsageAuth)-1);
if (rc != TPM_RC_SUCCESS) {
printf("wolfTPM2_CreateAndLoadAIK failed 0x%x: %s\n", rc,
TPM2_GetRCString(rc));
@ -199,8 +228,8 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
/* set auth for using the AIK */
session[0].auth.size = sizeof(usageAuth)-1;
XMEMCPY(session[0].auth.buffer, usageAuth, session[0].auth.size);
session[0].auth.size = sizeof(gUsageAuth)-1;
XMEMCPY(session[0].auth.buffer, gUsageAuth, session[0].auth.size);
/* Prepare Quote request */
XMEMSET(&cmdIn.quoteAsk, 0, sizeof(cmdIn.quoteAsk));

25
examples/pcr/reset.c 100644 → 100755
View File

@ -28,7 +28,7 @@
#include <examples/tpm_test.h>
#include <stdio.h>
#include <stdlib.h> /* strtol */
#include <stdlib.h> /* atoi */
/******************************************************************************/
@ -39,14 +39,16 @@ static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/pcr/reset [pcr]\n");
printf("* pcr is a PCR index between 0-23 (default 16)\n");
printf("Demo usage without parameters, resets PCR16.\n");
printf("* pcr is a PCR index between 0-23 (default %d)\n", TPM2_TEST_PCR);
printf("Demo usage without parameters, resets PCR%d.\n", TPM2_TEST_PCR);
}
int TPM2_Reset_Test(void* userCtx, int argc, char *argv[])
{
int pcrIndex, rc = -1;
WOLFTPM2_DEV dev;
TPM_HANDLE sessionHandle = TPM_RH_NULL;
TPMS_AUTH_COMMAND session[MAX_SESSION_NUM];
union {
#ifdef DEBUG_WOLFTPM
@ -63,19 +65,16 @@ int TPM2_Reset_Test(void* userCtx, int argc, char *argv[])
} cmdOut;
#endif
TPM_HANDLE sessionHandle = TPM_RH_NULL;
TPMS_AUTH_COMMAND session[MAX_SESSION_NUM];
if(argc == 2) {
pcrIndex = strtol(argv[1], NULL, 10);
if(pcrIndex < 0 || pcrIndex > 23) {
printf("PCR index is out of range(0-23)\n");
if (argc == 2) {
pcrIndex = atoi(argv[1]);
if (pcrIndex < 0 || pcrIndex > 23 || *argv[1] < '0' || *argv[1] > '9') {
printf("PCR index is out of range (0-23)\n");
usage();
goto exit_badargs;
}
}
else if(argc == 1) {
pcrIndex = 16; /* PCR16 is for DEBUG purposes, thus safe to use */
else if (argc == 1) {
pcrIndex = TPM2_TEST_PCR;
}
else {
printf("Incorrect arguments\n");

2
examples/pcr/reset.h
View File

@ -1,4 +1,4 @@
/* clear.h
/* reset.h
*
* Copyright (C) 2006-2020 wolfSSL Inc.
*

4
examples/tls/include.am
View File

@ -6,7 +6,7 @@ noinst_PROGRAMS += examples/tls/tls_client
noinst_HEADERS += examples/tls/tls_client.h \
examples/tls/tls_common.h
examples_tls_tls_client_SOURCES = examples/tls/tls_client.c \
= examples/tpm_io.c
examples/tpm_io.c
examples_tls_tls_client_LDADD = src/libwolftpm.la $(LIB_STATIC_ADD)
examples_tls_tls_client_DEPENDENCIES = src/libwolftpm.la
@ -22,7 +22,7 @@ noinst_PROGRAMS += examples/tls/tls_server
noinst_HEADERS += examples/tls/tls_server.h \
examples/tls/tls_common.h
examples_tls_tls_server_SOURCES = examples/tls/tls_server.c \
= examples/tpm_io.c
examples/tpm_io.c
examples_tls_tls_server_LDADD = src/libwolftpm.la $(LIB_STATIC_ADD)
examples_tls_tls_server_DEPENDENCIES = src/libwolftpm.la

4
examples/tpm_test.h
View File

@ -49,6 +49,10 @@ static const char gKeyAuthAlt[] = "ThisIsMyKeyAltAuth";
static const char gUsageAuth[] = "ThisIsASecretUsageAuth";
static const char gNvAuth[] = "ThisIsMyNvAuth";
/* Default Test PCR */
/* PCR16 is for DEBUG purposes, thus safe to use */
#define TPM2_TEST_PCR 16
#ifndef WOLFTPM_ST33
#define TEST_AES_MODE TPM_ALG_CFB
#else