mirror of https://github.com/wolfSSL/wolfTPM.git
259 lines
7.9 KiB
C
259 lines
7.9 KiB
C
/* keyload.c
|
|
*
|
|
* Copyright (C) 2006-2025 wolfSSL Inc.
|
|
*
|
|
* This file is part of wolfTPM.
|
|
*
|
|
* wolfTPM is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* wolfTPM is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
|
*/
|
|
|
|
/* Tool and example for creating, storing and loading keys using TPM2.0 */
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
#include <config.h>
|
|
#endif
|
|
|
|
/* use ANSI stdio for support of format strings, must be set before
|
|
* including stdio.h
|
|
*/
|
|
#if defined(__MINGW32__) || defined(__MINGW64__)
|
|
#define __USE_MINGW_ANSI_STDIO 1
|
|
#endif
|
|
|
|
#include <wolftpm/tpm2_wrap.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
#ifndef WOLFTPM2_NO_WRAPPER
|
|
|
|
#include <examples/keygen/keygen.h>
|
|
#include <hal/tpm_io.h>
|
|
#include <examples/tpm_test.h>
|
|
#include <examples/tpm_test_keys.h>
|
|
|
|
/******************************************************************************/
|
|
/* --- BEGIN TPM Key Load Example -- */
|
|
/******************************************************************************/
|
|
|
|
static void usage(void)
|
|
{
|
|
printf("Expected usage:\n");
|
|
printf("./examples/keygen/keyload [keyblob.bin] [-aes/xor] [-persistent]"
|
|
" [-eh]\n");
|
|
printf("* -eh: Key is from the Endorsement Hierarchy, requires EK\n");
|
|
printf("* -aes/xor: Use Parameter Encryption\n");
|
|
printf("* -persistent: Load the TPM key as persistent\n");
|
|
}
|
|
|
|
int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
|
|
{
|
|
int rc;
|
|
WOLFTPM2_DEV dev;
|
|
WOLFTPM2_KEY endorse; /* EK */
|
|
WOLFTPM2_KEY storage; /* SRK */
|
|
WOLFTPM2_KEY *primary = NULL;
|
|
WOLFTPM2_KEYBLOB newKey;
|
|
WOLFTPM2_KEY persistKey;
|
|
TPM_ALG_ID alg;
|
|
TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; /* prefer ECC, but allow RSA */
|
|
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
|
|
WOLFTPM2_SESSION tpmSession;
|
|
const char* inputFile = "keyblob.bin";
|
|
int persistent = 0;
|
|
int endorseKey = 0;
|
|
|
|
|
|
if (argc >= 2) {
|
|
if (XSTRCMP(argv[1], "-?") == 0 ||
|
|
XSTRCMP(argv[1], "-h") == 0 ||
|
|
XSTRCMP(argv[1], "--help") == 0) {
|
|
usage();
|
|
return 0;
|
|
}
|
|
|
|
if (argv[1][0] != '-') {
|
|
inputFile = argv[1];
|
|
}
|
|
}
|
|
while (argc > 1) {
|
|
if (XSTRCMP(argv[argc-1], "-eh") == 0) {
|
|
endorseKey = 1;
|
|
}
|
|
else if (XSTRCMP(argv[argc-1], "-aes") == 0) {
|
|
paramEncAlg = TPM_ALG_CFB;
|
|
}
|
|
else if (XSTRCMP(argv[argc-1], "-xor") == 0) {
|
|
paramEncAlg = TPM_ALG_XOR;
|
|
}
|
|
else if (XSTRCMP(argv[argc-1], "-persistent") == 0) {
|
|
persistent = 1;
|
|
}
|
|
else {
|
|
printf("Warning: Unrecognized option: %s\n", argv[argc-1]);
|
|
}
|
|
argc--;
|
|
}
|
|
|
|
XMEMSET(&endorse, 0, sizeof(endorse));
|
|
XMEMSET(&storage, 0, sizeof(storage));
|
|
XMEMSET(&newKey, 0, sizeof(newKey));
|
|
XMEMSET(&persistKey, 0, sizeof(persistKey));
|
|
XMEMSET(&tpmSession, 0, sizeof(tpmSession));
|
|
|
|
printf("TPM2.0 Key load example\n");
|
|
printf("\tKey Blob: %s\n", inputFile);
|
|
printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
|
|
|
|
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
|
|
if (rc != TPM_RC_SUCCESS) {
|
|
printf("\nwolfTPM2_Init failed\n");
|
|
goto exit;
|
|
}
|
|
|
|
/* Load encrypted key from the disk */
|
|
#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
|
|
rc = readKeyBlob(inputFile, &newKey);
|
|
if (rc != 0) goto exit;
|
|
#else
|
|
/* TODO: Option to load hex blob */
|
|
printf("Loading blob from disk not supported. Enable wolfcrypt support.\n");
|
|
goto exit;
|
|
#endif
|
|
|
|
alg = newKey.pub.publicArea.type;
|
|
if (alg == TPM_ALG_RSA)
|
|
srkAlg = TPM_ALG_RSA;
|
|
printf("Loading %s key\n", TPM2_GetAlgName(alg));
|
|
|
|
if (endorseKey) {
|
|
/* endorsement key (EK) */
|
|
rc = wolfTPM2_CreateEK(&dev, &endorse, srkAlg);
|
|
if (rc != 0) goto exit;
|
|
endorse.handle.policyAuth = 1;
|
|
primary = &endorse;
|
|
}
|
|
else {
|
|
/* storage root key (SRK) */
|
|
rc = getPrimaryStoragekey(&dev, &storage, srkAlg);
|
|
if (rc != 0) goto exit;
|
|
primary = &storage;
|
|
}
|
|
|
|
if (endorseKey) {
|
|
/* Fresh policy session for EK auth */
|
|
rc = wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession);
|
|
if (rc != 0) goto exit;
|
|
/* Set the created Policy Session for use in next operation */
|
|
rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0);
|
|
if (rc != 0) goto exit;
|
|
}
|
|
else if (paramEncAlg != TPM_ALG_NULL) {
|
|
WOLFTPM2_KEY* bindKey = &storage;
|
|
#ifndef HAVE_ECC
|
|
if (srkAlg == TPM_ALG_ECC)
|
|
bindKey = NULL; /* cannot bind to key without ECC enabled */
|
|
#endif
|
|
#ifdef NO_RSA
|
|
if (srkAlg == TPM_ALG_RSA)
|
|
bindKey = NULL; /* cannot bind to key without RSA enabled */
|
|
#endif
|
|
/* Start an authenticated session (salted / unbound) with parameter
|
|
* encryption */
|
|
rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
|
|
TPM_SE_HMAC, paramEncAlg);
|
|
if (rc != 0) goto exit;
|
|
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
|
|
(word32)tpmSession.handle.hndl);
|
|
|
|
/* set session for authorization of the storage key */
|
|
rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
|
|
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt |
|
|
TPMA_SESSION_continueSession));
|
|
if (rc != 0) goto exit;
|
|
}
|
|
|
|
|
|
if (newKey.priv.size == 0) {
|
|
rc = wolfTPM2_LoadPublicKey(&dev, (WOLFTPM2_KEY*)&newKey, &newKey.pub);
|
|
}
|
|
else {
|
|
rc = wolfTPM2_LoadKey(&dev, &newKey, &primary->handle);
|
|
}
|
|
if (rc != TPM_RC_SUCCESS) {
|
|
printf("Load Key failed!\n");
|
|
goto exit;
|
|
}
|
|
printf("Loaded key to 0x%x\n",
|
|
(word32)newKey.handle.hndl);
|
|
|
|
/* Make the TPM key persistent, so it remains loaded after example exit */
|
|
if (persistent) {
|
|
/* Prepare key in the format expected by the wolfTPM wrapper */
|
|
persistKey.handle.hndl = newKey.handle.hndl;
|
|
XMEMCPY((BYTE*)&persistKey.pub, (BYTE*)&newKey.pub,
|
|
sizeof(persistKey.pub));
|
|
/* Make key persistent */
|
|
rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &persistKey,
|
|
TPM2_DEMO_PERSISTENT_KEY_HANDLE);
|
|
if (rc != TPM_RC_SUCCESS) {
|
|
printf("wolfTPM2_NVStoreKey failed\n");
|
|
goto exit;
|
|
}
|
|
printf("Key was made persistent at 0x%X\n", persistKey.handle.hndl);
|
|
}
|
|
|
|
exit:
|
|
|
|
if (rc != 0) {
|
|
printf("\nFailure 0x%x: %s\n\n", rc, wolfTPM2_GetRCString(rc));
|
|
}
|
|
|
|
/* Close key handles */
|
|
wolfTPM2_UnloadHandle(&dev, &primary->handle);
|
|
/* newKey.handle is already flushed by wolfTPM2_NVStoreKey */
|
|
if (!persistent) {
|
|
wolfTPM2_UnloadHandle(&dev, &newKey.handle);
|
|
}
|
|
/* EK policy is destroyed after use, flush parameter encryption session */
|
|
if (!endorseKey) {
|
|
wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
|
|
}
|
|
|
|
wolfTPM2_Cleanup(&dev);
|
|
return rc;
|
|
}
|
|
|
|
/******************************************************************************/
|
|
/* --- END TPM Key Load Example -- */
|
|
/******************************************************************************/
|
|
#endif /* !WOLFTPM2_NO_WRAPPER */
|
|
|
|
#ifndef NO_MAIN_DRIVER
|
|
int main(int argc, char *argv[])
|
|
{
|
|
int rc = NOT_COMPILED_IN;
|
|
|
|
#ifndef WOLFTPM2_NO_WRAPPER
|
|
rc = TPM2_Keyload_Example(NULL, argc, argv);
|
|
#else
|
|
printf("KeyImport code not compiled in\n");
|
|
(void)argc;
|
|
(void)argv;
|
|
#endif
|
|
|
|
return rc;
|
|
}
|
|
#endif
|