From 4d21e5491e7563f740451ccf0558e4e25ae7f73d Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 5 Jul 2023 14:52:30 -0700 Subject: [PATCH 1/2] Fix for TPM2 create with decrypt or restricted flag set (must use symmetric algorithm). --- src/tpm2_wrap.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c index f5147fc..5f79d25 100644 --- a/src/tpm2_wrap.c +++ b/src/tpm2_wrap.c @@ -4514,7 +4514,8 @@ static int GetKeyTemplateRSA(TPMT_PUBLIC* publicTemplate, publicTemplate->parameters.rsaDetail.exponent = exponent; publicTemplate->parameters.rsaDetail.scheme.scheme = sigScheme; publicTemplate->parameters.rsaDetail.scheme.details.anySig.hashAlg = sigHash; - if (objectAttributes & TPMA_OBJECT_fixedTPM) { + if (objectAttributes & (TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt | + TPMA_OBJECT_fixedParent)) { publicTemplate->parameters.rsaDetail.symmetric.algorithm = TPM_ALG_AES; publicTemplate->parameters.rsaDetail.symmetric.keyBits.aes = 128; publicTemplate->parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB; @@ -4541,7 +4542,8 @@ static int GetKeyTemplateECC(TPMT_PUBLIC* publicTemplate, publicTemplate->unique.ecc.x.size = curveSz; publicTemplate->unique.ecc.y.size = curveSz; publicTemplate->objectAttributes = objectAttributes; - if (objectAttributes & TPMA_OBJECT_fixedTPM) { + if (objectAttributes & (TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt | + TPMA_OBJECT_fixedParent)) { publicTemplate->parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES; publicTemplate->parameters.eccDetail.symmetric.keyBits.aes = 128; publicTemplate->parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB; From c1909ce0ab38b3dbed79f705482c2a9001d51bba Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 5 Jul 2023 15:52:09 -0700 Subject: [PATCH 2/2] Fix logic so fixedParent or (decrypt and restricted). --- src/tpm2_wrap.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c index 5f79d25..05a39c7 100644 --- a/src/tpm2_wrap.c +++ b/src/tpm2_wrap.c @@ -4514,8 +4514,10 @@ static int GetKeyTemplateRSA(TPMT_PUBLIC* publicTemplate, publicTemplate->parameters.rsaDetail.exponent = exponent; publicTemplate->parameters.rsaDetail.scheme.scheme = sigScheme; publicTemplate->parameters.rsaDetail.scheme.details.anySig.hashAlg = sigHash; - if (objectAttributes & (TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt | - TPMA_OBJECT_fixedParent)) { + /* For fixedParent or (decrypt and restricted) enable symmetric */ + if ((objectAttributes & TPMA_OBJECT_fixedParent) || + ((objectAttributes & TPMA_OBJECT_decrypt) && + (objectAttributes & TPMA_OBJECT_restricted))) { publicTemplate->parameters.rsaDetail.symmetric.algorithm = TPM_ALG_AES; publicTemplate->parameters.rsaDetail.symmetric.keyBits.aes = 128; publicTemplate->parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB; @@ -4542,8 +4544,10 @@ static int GetKeyTemplateECC(TPMT_PUBLIC* publicTemplate, publicTemplate->unique.ecc.x.size = curveSz; publicTemplate->unique.ecc.y.size = curveSz; publicTemplate->objectAttributes = objectAttributes; - if (objectAttributes & (TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt | - TPMA_OBJECT_fixedParent)) { + /* For fixedParent or (decrypt and restricted) enable symmetric */ + if ((objectAttributes & TPMA_OBJECT_fixedParent) || + ((objectAttributes & TPMA_OBJECT_decrypt) && + (objectAttributes & TPMA_OBJECT_restricted))) { publicTemplate->parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES; publicTemplate->parameters.eccDetail.symmetric.keyBits.aes = 128; publicTemplate->parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;