From 1b92b86951ab64bc9f53469d715e38d08269094c Mon Sep 17 00:00:00 2001 From: Shrikant Temburwar Date: Fri, 19 Jan 2024 19:34:04 +0530 Subject: [PATCH] Update TPM code as per specs Signed-off-by: Shrikant Temburwar --- app/blob.c | 24 +- app/main.c | 16 +- crypto/common/fdo_crypto_common.c | 4 - crypto/common/fdo_hmac.c | 44 +-- crypto/include/tpm20_Utils.h | 10 +- crypto/openssl/tpm20_ECDSA_sign_routines.c | 8 +- crypto/openssl/tpm20_Utils.c | 340 +++++++-------------- lib/credentials_from_file.c | 18 +- lib/include/load_credentials.h | 6 +- lib/m-string.c | 4 +- storage/include/storage_al.h | 12 +- storage/include/tpm2_nv_storage.h | 27 +- storage/linux/storage_if_linux.c | 241 ++------------- storage/linux/tpm2_nv_storage.c | 26 +- utils/clear_tpm_nv.sh | 4 +- utils/tpm_make_ready_ecdsa.sh | 12 +- 16 files changed, 186 insertions(+), 610 deletions(-) diff --git a/app/blob.c b/app/blob.c index 7e12e434..269c680d 100644 --- a/app/blob.c +++ b/app/blob.c @@ -59,7 +59,6 @@ static int32_t gen_rdm_bytestream(uint8_t *random_buffer, size_t num_bytes) } return 0; } -#endif int32_t configure_normal_blob(void) { @@ -72,19 +71,6 @@ int32_t configure_normal_blob(void) uint8_t *signed_normal_blob = NULL; size_t signed_normal_blob_size = 0; int32_t ret = -1; - -#if defined(DEVICE_TPM20_ENABLED) - if (0 == is_valid_tpm_data_protection_key_present()) { - if (0 != fdo_generate_storage_hmac_key()) { - LOG(LOG_ERROR, "Failed to generate TPM data protection" - " key.\n"); - goto err; - } - - LOG(LOG_DEBUG, - "TPM data protection key generated successfully.\n"); - } -#else uint8_t hmac_key[PLATFORM_HMAC_KEY_DEFAULT_LEN] = {0}; size_t key_size_stored = @@ -115,7 +101,6 @@ int32_t configure_normal_blob(void) LOG(LOG_ERROR, "Failed to read plain Normal blob!\n"); goto err; } -#endif raw_normal_blob_size = fdo_blob_size((char *)FDO_CRED_NORMAL, FDO_SDK_RAW_DATA); @@ -159,13 +144,6 @@ int32_t configure_normal_blob(void) "Malloc Failed for sealed Normal Blob buffer!\n"); goto err; } -#if defined(DEVICE_TPM20_ENABLED) - if (0 != fdo_compute_storage_hmac(raw_normal_blob, raw_normal_blob_size, - signed_normal_blob, - PLATFORM_HMAC_SIZE)) { - goto err; - } -#else #if defined(USE_MBEDTLS) if (0 != mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), (const uint8_t *)hmac_key, @@ -179,7 +157,6 @@ int32_t configure_normal_blob(void) signed_normal_blob, NULL)) { goto err; } -#endif #endif // copy plain-text size signed_normal_blob[PLATFORM_HMAC_SIZE + 3] = raw_normal_blob_size >> 0; @@ -215,3 +192,4 @@ int32_t configure_normal_blob(void) } return ret; } +#endif \ No newline at end of file diff --git a/app/main.c b/app/main.c index 29ae2043..c457494e 100644 --- a/app/main.c +++ b/app/main.c @@ -276,20 +276,7 @@ int app_main(bool is_resale) } #endif /* SECURE_ELEMENT */ -#if !defined(DEVICE_CSE_ENABLED) -#if defined(DEVICE_TPM20_ENABLED) - if (0 == is_valid_tpm_data_protection_key_present()) { - if (0 != fdo_generate_storage_hmac_key()) { - LOG(LOG_ERROR, "Failed to generate TPM data protection" - " key.\n"); - ret = -1; - goto end; - } - - LOG(LOG_DEBUG, - "TPM data protection key generated successfully.\n"); - } -#else +#if !defined(DEVICE_CSE_ENABLED) && !defined(DEVICE_TPM20_ENABLED) LOG(LOG_DEBUG, "CSE and TPM not enabled, Normal Blob Modules loaded!\n"); if (-1 == configure_normal_blob()) { @@ -298,7 +285,6 @@ int app_main(bool is_resale) ret = -1; goto end; } -#endif #endif /* List and Init all Sv_info modules */ diff --git a/crypto/common/fdo_crypto_common.c b/crypto/common/fdo_crypto_common.c index edab0c43..9f357db8 100644 --- a/crypto/common/fdo_crypto_common.c +++ b/crypto/common/fdo_crypto_common.c @@ -114,10 +114,6 @@ int32_t fdo_crypto_close(void) ret = crypto_close(); /* CLeanup of context structs */ cleanup_ctx(); -#if defined(DEVICE_TPM20_ENABLED) - /* clear the replacement hmac key objects */ - fdo_tpm_clear_replacement_hmac_key(); -#endif return ret; } diff --git a/crypto/common/fdo_hmac.c b/crypto/common/fdo_hmac.c index daee3e41..56c4828c 100644 --- a/crypto/common/fdo_hmac.c +++ b/crypto/common/fdo_hmac.c @@ -152,16 +152,14 @@ int32_t fdo_device_ov_hmac(uint8_t *OVHdr, size_t OVHdr_len, uint8_t *hmac, if (is_replacement_hmac) { #if defined(DEVICE_TPM20_ENABLED) return fdo_tpm_get_hmac(OVHdr, OVHdr_len, hmac, hmac_len, - TPM_HMAC_REPLACEMENT_PUB_KEY_NV_IDX, - TPM_HMAC_REPLACEMENT_PRIV_KEY_NV_IDX); + TPM_PRIMARY_KEY_PERSISTANT_HANDLE); #else keyset = get_replacement_OV_key(); #endif } else { #if defined(DEVICE_TPM20_ENABLED) return fdo_tpm_get_hmac(OVHdr, OVHdr_len, hmac, hmac_len, - TPM_HMAC_PUB_KEY_NV_IDX, - TPM_HMAC_PRIV_KEY_NV_IDX); + TPM_PRIMARY_KEY_PERSISTANT_HANDLE); #else keyset = get_OV_key(); #endif @@ -227,8 +225,7 @@ int32_t fdo_generate_ov_hmac_key(void) int32_t ret = -1; #if defined(DEVICE_TPM20_ENABLED) - if (0 != fdo_tpm_generate_hmac_key(TPM_HMAC_PUB_KEY_NV_IDX, - TPM_HMAC_PRIV_KEY_NV_IDX)) { + if (0 != fdo_tpm_generate_hmac_key(TPM_PRIMARY_KEY_PERSISTANT_HANDLE)) { LOG(LOG_ERROR, "Failed to generate device HMAC key" " from TPM.\n"); return ret; @@ -272,9 +269,7 @@ int32_t fdo_generate_ov_replacement_hmac_key(void) int32_t ret = -1; #if defined(DEVICE_TPM20_ENABLED) - if (0 != - fdo_tpm_generate_hmac_key(TPM_HMAC_REPLACEMENT_PUB_KEY_NV_IDX, - TPM_HMAC_REPLACEMENT_PRIV_KEY_NV_IDX)) { + if (0 != fdo_tpm_generate_hmac_key(TPM_PRIMARY_KEY_PERSISTANT_HANDLE)) { LOG(LOG_ERROR, "Failed to generate device replacement HMAC key" " from TPM.\n"); return ret; @@ -319,12 +314,6 @@ int32_t fdo_commit_ov_replacement_hmac_key(void) int32_t ret = -1; #if defined(DEVICE_TPM20_ENABLED) - if (0 != fdo_tpm_commit_replacement_hmac_key()) { - LOG(LOG_ERROR, "Failed to commit device replacement HMAC key" - " for TPM.\n"); - return ret; - } - ret = 0; #else fdo_byte_array_t **secret = get_replacement_OV_key(); @@ -368,18 +357,6 @@ int32_t fdo_compute_storage_hmac(const uint8_t *data, uint32_t data_length, goto error; } -#if defined(DEVICE_TPM20_ENABLED) - if (0 != fdo_tpm_get_hmac(data, data_length, computed_hmac, - computed_hmac_size, - TPM_HMAC_DATA_PUB_KEY_NV_IDX, - TPM_HMAC_DATA_PRIV_KEY_NV_IDX)) { - LOG(LOG_ERROR, "TPM HMAC Computation failed!\n"); - goto error; - } - - LOG(LOG_DEBUG, "TPM HMAC computed successfully!\n"); - -#else uint8_t hmac_key[PLATFORM_HMAC_KEY_DEFAULT_LEN] = {0}; if (!get_platform_hmac_key(hmac_key, PLATFORM_HMAC_KEY_DEFAULT_LEN)) { @@ -407,7 +384,6 @@ int32_t fdo_compute_storage_hmac(const uint8_t *data, uint32_t data_length, #endif return ret; } -#endif /** * fdo_generate_storage_hmac_key function generates Storage HMAC key @@ -422,18 +398,6 @@ int32_t fdo_generate_storage_hmac_key(void) #if defined(TARGET_OS_OPTEE) return 0; - -#elif defined(DEVICE_TPM20_ENABLED) - if (0 != fdo_tpm_generate_hmac_key(TPM_HMAC_DATA_PUB_KEY_NV_IDX, - TPM_HMAC_DATA_PRIV_KEY_NV_IDX)) { - LOG(LOG_ERROR, "Failed to generate TPM data protection " - "key.\n"); - return ret; - } - - ret = 0; - LOG(LOG_DEBUG, "TPM data protection key generated successfully.\n"); - #else uint8_t hmac_key[PLATFORM_HMAC_KEY_DEFAULT_LEN] = {0}; diff --git a/crypto/include/tpm20_Utils.h b/crypto/include/tpm20_Utils.h index 889b1bb8..54032b35 100644 --- a/crypto/include/tpm20_Utils.h +++ b/crypto/include/tpm20_Utils.h @@ -103,12 +103,8 @@ static const TPM2B_PUBLIC in_publicHMACKey_template = { }; int32_t fdo_tpm_get_hmac(const uint8_t *data, size_t data_length, uint8_t *hmac, - size_t hmac_length, uint32_t tpmHMACPub_key_nv, - uint32_t tpmHMACPriv_key_nv); -int32_t fdo_tpm_generate_hmac_key(uint32_t tpmHMACPub_key_nv, - uint32_t tpmHMACPriv_key_nv); -int32_t fdo_tpm_commit_replacement_hmac_key(void); -void fdo_tpm_clear_replacement_hmac_key(void); -int32_t is_valid_tpm_data_protection_key_present(void); + size_t hmac_length, + TPMI_DH_PERSISTENT persistent_handle); +int32_t fdo_tpm_generate_hmac_key(TPMI_DH_PERSISTENT persistent_handle); #endif /* #ifndef __TPM20_UTILS_H__ */ diff --git a/crypto/openssl/tpm20_ECDSA_sign_routines.c b/crypto/openssl/tpm20_ECDSA_sign_routines.c index 169499b1..4ac0025d 100644 --- a/crypto/openssl/tpm20_ECDSA_sign_routines.c +++ b/crypto/openssl/tpm20_ECDSA_sign_routines.c @@ -63,22 +63,22 @@ int32_t crypto_hal_ecdsa_sign(const uint8_t *data, size_t data_len, } // Read the key - size_t file_size = fdo_tpm_nvread_size(TPM_ECDSA_DEVICE_KEY_NV_IDX); + size_t key_size = fdo_tpm_nvread_size(TPM_ECDSA_DEVICE_KEY_NV_IDX); - pri_key = fdo_alloc(file_size); + pri_key = fdo_alloc(key_size); if (!pri_key) { LOG(LOG_ERROR, "Failed to allocate memory for private key.\n"); goto error; } - if (fdo_tpm_nvread(TPM_ECDSA_DEVICE_KEY_NV_IDX, file_size, &pri_key) == + if (fdo_tpm_nvread(TPM_ECDSA_DEVICE_KEY_NV_IDX, key_size, &pri_key) == -1) { LOG(LOG_ERROR, "Failed to load TPM HMAC Private Key into buffer.\n"); goto error; } - mem = BIO_new_mem_buf(pri_key, file_size); + mem = BIO_new_mem_buf(pri_key, key_size); if (mem == NULL) { LOG(LOG_ERROR, "Failed to create memory BIO\n"); goto error; diff --git a/crypto/openssl/tpm20_Utils.c b/crypto/openssl/tpm20_Utils.c index 461324c4..ee911cc5 100644 --- a/crypto/openssl/tpm20_Utils.c +++ b/crypto/openssl/tpm20_Utils.c @@ -33,29 +33,23 @@ static int32_t fdoTPMGenerate_primary_key_context(ESYS_CONTEXT **esys_context, * @param hmac: output buffer to save the HMAC * @param hmac_length: length of the output HMAC buffer *hash length - * @param tpmHMACPub_key: File name of the TPM HMAC public key - * @param tpmHMACPriv_key: File name of the TPM HMAC private key + * @param persistent_handle: Persistent handle of the TPM HMAC public key * @return * 0, on success * -1, on failure */ int32_t fdo_tpm_get_hmac(const uint8_t *data, size_t data_length, uint8_t *hmac, - size_t hmac_length, uint32_t tpmHMACPub_key_nv, - uint32_t tpmHMACPriv_key_nv) + size_t hmac_length, + TPMI_DH_PERSISTENT persistent_handle) { - int32_t ret = -1, ret_val = -1, file_size = 0; + int32_t ret = -1, ret_val = -1; size_t hashed_length = 0; - size_t offset = 0; - uint8_t bufferTPMHMACPriv_key[TPM_HMAC_PRIV_KEY_CONTEXT_SIZE] = {0}; - uint8_t bufferTPMHMACPub_key[TPM_HMAC_PUB_KEY_CONTEXT_SIZE] = {0}; ESYS_CONTEXT *esys_context = NULL; ESYS_TR primary_key_handle = ESYS_TR_NONE; ESYS_TR auth_session_handle = ESYS_TR_NONE; ESYS_TR hmac_key_handle = ESYS_TR_NONE; ESYS_TR sequence_handle = ESYS_TR_NONE; TPMT_TK_HASHCHECK *validation = NULL; - TPM2B_PUBLIC unmarshalHMACPub_key = {0}; - TPM2B_PRIVATE unmarshalHMACPriv_key = {0}; TPM2B_DIGEST *outHMAC = NULL; TPM2B_MAX_BUFFER block = {0}; TPM2B_AUTH null_auth = {0}; @@ -64,8 +58,7 @@ int32_t fdo_tpm_get_hmac(const uint8_t *data, size_t data_length, uint8_t *hmac, /* Validating all input parameters are passed in the function call*/ - if (!data || !data_length || !tpmHMACPub_key_nv || - !tpmHMACPriv_key_nv || !hmac || + if (!data || !data_length || !persistent_handle || !hmac || (hmac_length != PLATFORM_HMAC_SIZE)) { LOG(LOG_ERROR, "Failed to generate HMAC from TPM, invalid parameter" @@ -87,82 +80,12 @@ int32_t fdo_tpm_get_hmac(const uint8_t *data, size_t data_length, uint8_t *hmac, LOG(LOG_DEBUG, "TPM Primary Key Context created successfully.\n"); - /* Unmarshalling the HMAC Private key from the HMAC Private key file*/ - - file_size = fdo_tpm_nvread_size(tpmHMACPriv_key_nv); - - if (file_size != TPM_HMAC_PRIV_KEY_CONTEXT_SIZE_128 && - file_size != TPM_HMAC_PRIV_KEY_CONTEXT_SIZE) { - LOG(LOG_ERROR, "TPM HMAC Private Key file size incorrect.\n"); - goto err; - } - - LOG(LOG_DEBUG, - "TPM HMAC Private Key file size retreived successfully.\n"); - - if (fdo_tpm_read_nv(tpmHMACPriv_key_nv, FDO_SDK_RAW_DATA, - bufferTPMHMACPriv_key, file_size) == -1) { - LOG(LOG_ERROR, - "Failed to load TPM HMAC Private Key into buffer.\n"); - goto err; - } - - LOG(LOG_DEBUG, "TPM HMAC Private Key file content copied successfully" - " to buffer.\n"); - - ret_val = Tss2_MU_TPM2B_PRIVATE_Unmarshal( - bufferTPMHMACPriv_key, file_size, &offset, &unmarshalHMACPriv_key); - - if (ret_val != TSS2_RC_SUCCESS) { - LOG(LOG_ERROR, "Failed to unmarshal TPM HMAC Private Key.\n"); - goto err; - } - - LOG(LOG_DEBUG, - "TPM HMAC Private Key Unmarshal complete successfully.\n"); - - /* Unmarshalling the HMAC Public key from the HMAC public key file*/ - - file_size = fdo_tpm_nvread_size(tpmHMACPub_key_nv); - - if (file_size != TPM_HMAC_PUB_KEY_CONTEXT_SIZE) { - LOG(LOG_ERROR, "TPM HMAC Private Key file size incorrect.\n"); - goto err; - } - - LOG(LOG_DEBUG, - "TPM HMAC Public Key file size retreived successfully.\n"); - - if (fdo_tpm_read_nv(tpmHMACPub_key_nv, FDO_SDK_RAW_DATA, - bufferTPMHMACPub_key, file_size) == -1) { - LOG(LOG_ERROR, - "Failed to load TPM HMAC Public Key into buffer.\n"); - goto err; - } - - LOG(LOG_DEBUG, "TPM HMAC Public Key file content copied successfully" - " to buffer.\n"); - - offset = 0; - - ret_val = Tss2_MU_TPM2B_PUBLIC_Unmarshal( - bufferTPMHMACPub_key, file_size, &offset, &unmarshalHMACPub_key); - - if (ret_val != TSS2_RC_SUCCESS) { - LOG(LOG_ERROR, "Failed to unmarshal TPM HMAC Public Key.\n"); - goto err; - } - - LOG(LOG_DEBUG, - "TPM HMAC Public Key Unmarshal complete successfully.\n"); - /* Loading the TPM Primary key, HMAC public key and HMAC Private Key to * generate the HMAC Key Context */ ret_val = - Esys_Load(esys_context, primary_key_handle, auth_session_handle, - ESYS_TR_NONE, ESYS_TR_NONE, &unmarshalHMACPriv_key, - &unmarshalHMACPub_key, &hmac_key_handle); + Esys_TR_FromTPMPublic(esys_context, persistent_handle, ESYS_TR_NONE, + ESYS_TR_NONE, ESYS_TR_NONE, &hmac_key_handle); if (ret_val != TSS2_RC_SUCCESS) { LOG(LOG_ERROR, "Failed to load HMAC Key Context.\n"); @@ -311,7 +234,7 @@ int32_t fdo_tpm_get_hmac(const uint8_t *data, size_t data_length, uint8_t *hmac, err: if (esys_context) { if (hmac_key_handle != ESYS_TR_NONE) { - if (Esys_FlushContext(esys_context, hmac_key_handle) != + if (Esys_TR_Close(esys_context, &hmac_key_handle) != TSS2_RC_SUCCESS) { LOG(LOG_ERROR, "Failed to flush HMAC key handle.\n"); @@ -334,10 +257,6 @@ int32_t fdo_tpm_get_hmac(const uint8_t *data, size_t data_length, uint8_t *hmac, } TPM2_ZEROISE_FREE(validation); TPM2_ZEROISE_FREE(outHMAC); - memset_s(&unmarshalHMACPriv_key, sizeof(unmarshalHMACPriv_key), 0); - memset_s(&unmarshalHMACPub_key, sizeof(unmarshalHMACPub_key), 0); - memset_s(bufferTPMHMACPriv_key, sizeof(bufferTPMHMACPriv_key), 0); - memset_s(bufferTPMHMACPub_key, sizeof(bufferTPMHMACPub_key), 0); return ret; } @@ -345,20 +264,21 @@ int32_t fdo_tpm_get_hmac(const uint8_t *data, size_t data_length, uint8_t *hmac, /** * Generates HMAC Key inside TPM * - * @param tpmHMACPub_key: File name of the TPM HMAC public key - * @param tpmHMACPriv_key: File name of the TPM HMAC private key + * @param persistent_handle: Persistent handle of the TPM HMAC key * @return * 0, on success * -1, on failure */ -int32_t fdo_tpm_generate_hmac_key(uint32_t tpmHMACPub_key_nv, - uint32_t tpmHMACPriv_key_nv) +int32_t fdo_tpm_generate_hmac_key(TPMI_DH_PERSISTENT persistent_handle) { int32_t ret = -1; TSS2_RC ret_val = TPM2_RC_FAILURE; ESYS_CONTEXT *esys_context = NULL; ESYS_TR primary_key_handle = ESYS_TR_NONE; ESYS_TR auth_session_handle = ESYS_TR_NONE; + ESYS_TR object_handle = ESYS_TR_NONE; + ESYS_TR pub_object_handle = ESYS_TR_NONE; + ESYS_TR persistentHandle = ESYS_TR_NONE; TPM2B_PUBLIC *out_public = NULL; TPM2B_PRIVATE *out_private = NULL; TPM2B_CREATION_DATA *creation_data = NULL; @@ -370,10 +290,8 @@ int32_t fdo_tpm_generate_hmac_key(uint32_t tpmHMACPub_key_nv, TPML_PCR_SELECTION creationPCR = {0}; /* Using same buffer for both public and private context, private context size > public context size */ - uint8_t buffer[TPM_HMAC_PRIV_KEY_CONTEXT_SIZE] = {0}; - size_t offset = 0; - if (!tpmHMACPub_key_nv || !tpmHMACPriv_key_nv) { + if (!persistent_handle) { LOG(LOG_ERROR, "Failed to generate HMAC Key," "invalid parameters received.\n"); goto err; @@ -398,40 +316,62 @@ int32_t fdo_tpm_generate_hmac_key(uint32_t tpmHMACPub_key_nv, goto err; } - ret_val = Tss2_MU_TPM2B_PUBLIC_Marshal(out_public, buffer, - sizeof(buffer), &offset); + ret_val = Esys_Load(esys_context, primary_key_handle, + auth_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, + out_private, out_public, &object_handle); if (ret_val != TSS2_RC_SUCCESS) { - LOG(LOG_ERROR, - "Failed to serialize the public HMAC key context.\n"); + LOG(LOG_ERROR, "Esys_Load failed: 0x%x\n", ret_val); + Esys_Finalize(&esys_context); goto err; } - if ((int32_t)offset != fdo_tpm_write_nv(tpmHMACPub_key_nv, - FDO_SDK_RAW_DATA, buffer, - offset)) { - LOG(LOG_ERROR, "Failed to save the public HMAC key context.\n"); + // Search the persistent Handle + TPMS_CAPABILITY_DATA *capability_data = NULL; + ret_val = Esys_GetCapability( + esys_context, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, + TPM2_CAP_HANDLES, persistent_handle, 1, NULL, &capability_data); + if (ret_val != TSS2_RC_SUCCESS) { + LOG(LOG_ERROR, "Esys_GetCapability failed!\n"); goto err; } - LOG(LOG_DEBUG, "Saved HMAC public key context of size %zu.\n", offset); - offset = 0; - ret_val = Tss2_MU_TPM2B_PRIVATE_Marshal(out_private, buffer, - sizeof(buffer), &offset); - if (ret_val != TSS2_RC_SUCCESS) { - LOG(LOG_ERROR, - "Failed to serialize the private HMAC key context.\n"); - goto err; + int exists = + (capability_data->data.handles.count > 0 && + capability_data->data.handles.handle[0] == persistent_handle); + if (exists == 1) { + ret_val = Esys_TR_FromTPMPublic( + esys_context, persistent_handle, ESYS_TR_NONE, ESYS_TR_NONE, + ESYS_TR_NONE, &persistentHandle); + + if (ret_val != TSS2_RC_SUCCESS) { + LOG(LOG_ERROR, "Failed to load HMAC Key Context.\n"); + goto err; + } + + ret_val = Esys_EvictControl(esys_context, ESYS_TR_RH_OWNER, + persistentHandle, ESYS_TR_PASSWORD, + ESYS_TR_NONE, ESYS_TR_NONE, 0, + &pub_object_handle); + if (ret_val != TSS2_RC_SUCCESS) { + LOG(LOG_ERROR, "Esys_EvictControl failed: 0x%x\n", + ret_val); + Esys_Finalize(&esys_context); + goto err; + } } - if ((int32_t)offset != fdo_tpm_write_nv(tpmHMACPriv_key_nv, - FDO_SDK_RAW_DATA, buffer, - offset)) { - LOG(LOG_ERROR, - "Failed to save the private HMAC key context.\n"); + ret_val = Esys_EvictControl( + esys_context, ESYS_TR_RH_OWNER, object_handle, ESYS_TR_PASSWORD, + ESYS_TR_NONE, ESYS_TR_NONE, persistent_handle, &pub_object_handle); + if (ret_val != TSS2_RC_SUCCESS) { + LOG(LOG_ERROR, "Esys_EvictControl failed: 0x%x\n", ret_val); goto err; } - LOG(LOG_DEBUG, "Saved HMAC private key context of size %zu.\n", offset); + LOG(LOG_DEBUG, + "Saved HMAC private key context inside persistance memory at " + "%d.\n", + persistent_handle); LOG(LOG_DEBUG, "HMAC Key generated successfully!.\n"); ret = 0; @@ -443,10 +383,54 @@ int32_t fdo_tpm_generate_hmac_key(uint32_t tpmHMACPub_key_nv, TPM2_ZEROISE_FREE(creation_hash); TPM2_ZEROISE_FREE(creation_ticket); - if (esys_context && - (0 != fdoTPMTSSContext_clean_up(&esys_context, &auth_session_handle, - &primary_key_handle))) { - LOG(LOG_ERROR, "Failed to tear down all the TSS context.\n"); + if (esys_context) { + if (object_handle != ESYS_TR_NONE) { + if (Esys_TR_Close(esys_context, &object_handle) != + TSS2_RC_SUCCESS) { + LOG(LOG_ERROR, + "Failed to flush object_handle.\n"); + ret = -1; + } else { + LOG(LOG_DEBUG, + "object_handle flushed successfully.\n"); + object_handle = ESYS_TR_NONE; + } + } + + if (pub_object_handle != ESYS_TR_NONE) { + if (Esys_TR_Close(esys_context, &pub_object_handle) != + TSS2_RC_SUCCESS) { + LOG(LOG_ERROR, + "Failed to flush pub_object_handle.\n"); + ret = -1; + } else { + LOG(LOG_DEBUG, "pub_object_handle flushed " + "successfully.\n"); + pub_object_handle = ESYS_TR_NONE; + } + } + + if (persistentHandle != ESYS_TR_NONE) { + if (Esys_TR_Close(esys_context, &persistentHandle) != + TSS2_RC_SUCCESS) { + LOG(LOG_ERROR, + "Failed to flush persistent handle.\n"); + ret = -1; + } else { + LOG(LOG_DEBUG, "persistent handle flushed " + "successfully.\n"); + persistentHandle = ESYS_TR_NONE; + } + } + if (0 != fdoTPMTSSContext_clean_up(&esys_context, + &auth_session_handle, + &primary_key_handle)) { + LOG(LOG_ERROR, + "Failed to tear down all the TSS context.\n"); + ret = -1; + } else { + LOG(LOG_DEBUG, "TSS context flushed successfully.\n"); + } } return ret; @@ -668,115 +652,3 @@ static int32_t fdoTPMTSSContext_clean_up(ESYS_CONTEXT **esys_context, return 0; } - -/** - * Replace the TPM_HMAC_PRIV_KEY with TPM_HMAC_REPLACEMENT_PRIV_KEY and - * TPM_HMAC_PUB_KEY with TPM_HMAC_REPLACEMENT_PUB_KEY. - * - * @return - * -1, error - * 0, success - */ -int32_t fdo_tpm_commit_replacement_hmac_key(void) -{ - size_t file_size = 0; - // function return value - int32_t ret = -1; - uint8_t bufferTPMHMACPriv_key[TPM_HMAC_PRIV_KEY_CONTEXT_SIZE] = {0}; - uint8_t bufferTPMHMACPub_key[TPM_HMAC_PUB_KEY_CONTEXT_SIZE] = {0}; - - // read TPM_HMAC_REPLACEMENT_PRIV_KEY contents and write it into - // TPM_HMAC_PRIV_KEY - file_size = fdo_tpm_nvread_size(TPM_HMAC_REPLACEMENT_PRIV_KEY_NV_IDX); - - if (file_size != TPM_HMAC_PRIV_KEY_CONTEXT_SIZE_128 && - file_size != TPM_HMAC_PRIV_KEY_CONTEXT_SIZE) { - LOG(LOG_ERROR, - "TPM HMAC Replacement Private Key file size incorrect.\n"); - goto err; - } - - LOG(LOG_DEBUG, "TPM HMAC Replacement Private Key file size retreived " - "successfully.\n"); - - if (fdo_tpm_read_nv(TPM_HMAC_REPLACEMENT_PRIV_KEY_NV_IDX, - FDO_SDK_RAW_DATA, bufferTPMHMACPriv_key, - file_size) == -1) { - LOG(LOG_ERROR, "Failed to load TPM HMAC Replacement Private " - "Key into buffer.\n"); - goto err; - } - - if ((int32_t)file_size != - fdo_tpm_write_nv(TPM_HMAC_PRIV_KEY_NV_IDX, FDO_SDK_RAW_DATA, - bufferTPMHMACPriv_key, file_size)) { - LOG(LOG_ERROR, - "Failed to save the private HMAC key context.\n"); - goto err; - } - - // now, read TPM_HMAC_REPLACEMENT_PUB_KEY contents and write it into - // TPM_HMAC_PUB_KEY - file_size = fdo_tpm_nvread_size(TPM_HMAC_REPLACEMENT_PUB_KEY_NV_IDX); - - if (file_size != TPM_HMAC_PUB_KEY_CONTEXT_SIZE) { - LOG(LOG_ERROR, - "TPM HMAC Replacement Public Key file size incorrect.\n"); - goto err; - } - - LOG(LOG_DEBUG, "TPM HMAC Replacement Public Key file size retreived " - "successfully.\n"); - - if (fdo_tpm_read_nv(TPM_HMAC_REPLACEMENT_PUB_KEY_NV_IDX, - FDO_SDK_RAW_DATA, bufferTPMHMACPub_key, - file_size) == -1) { - LOG(LOG_ERROR, "Failed to load TPM HMAC Replacement Public key " - "into buffer.\n"); - goto err; - } - - if ((int32_t)file_size != - fdo_tpm_write_nv(TPM_HMAC_PUB_KEY_NV_IDX, FDO_SDK_RAW_DATA, - bufferTPMHMACPub_key, file_size)) { - LOG(LOG_ERROR, "Failed to save the public HMAC key context.\n"); - goto err; - } - ret = 0; -err: - return ret; -} - -/** - * Clear the Replacement TPM HMAC key objects, if they exist. - * - */ -void fdo_tpm_clear_replacement_hmac_key(void) -{ - // remove the files if they exist, else return - - if (0 != fdo_tpm_nvdel(TPM_HMAC_REPLACEMENT_PRIV_KEY_NV_IDX)) { - LOG(LOG_ERROR, "Failed to cleanup private object\n"); - } - - if (0 != fdo_tpm_nvdel(TPM_HMAC_REPLACEMENT_PUB_KEY_NV_IDX)) { - LOG(LOG_ERROR, "Failed to cleanup public object\n"); - } -} - -/** - * Check whether valid data integrity protection HMAC key is present or not. - * - * @return - * 1, present - * 0, not present - */ -int32_t is_valid_tpm_data_protection_key_present(void) -{ - return ((TPM_HMAC_PUB_KEY_CONTEXT_SIZE == - fdo_tpm_nvread_size(TPM_HMAC_DATA_PUB_KEY_NV_IDX)) && - (TPM_HMAC_PRIV_KEY_CONTEXT_SIZE_128 == - fdo_tpm_nvread_size(TPM_HMAC_DATA_PRIV_KEY_NV_IDX) || - TPM_HMAC_PRIV_KEY_CONTEXT_SIZE == - fdo_tpm_nvread_size(TPM_HMAC_DATA_PRIV_KEY_NV_IDX))); -} diff --git a/lib/credentials_from_file.c b/lib/credentials_from_file.c index 2866e112..a7efa881 100644 --- a/lib/credentials_from_file.c +++ b/lib/credentials_from_file.c @@ -480,8 +480,7 @@ int store_credential(fdo_dev_cred_t *ocred) * @return true if write and parsed correctly, otherwise false */ -bool write_tpm_device_credentials(uint32_t nv, fdo_sdk_blob_flags flags, - fdo_dev_cred_t *ocred) +bool write_tpm_device_credentials(uint32_t nv, fdo_dev_cred_t *ocred) { bool ret = true; @@ -559,8 +558,7 @@ bool write_tpm_device_credentials(uint32_t nv, fdo_sdk_blob_flags flags, } fdow->b.block_size = encoded_cred_length; - if (fdo_tpm_write_nv(nv, flags, fdow->b.block, fdow->b.block_size) == - -1) { + if (fdo_tpm_write_nv(nv, fdow->b.block, fdow->b.block_size) == -1) { LOG(LOG_ERROR, "Failed to write DeviceCredential blob\n"); ret = false; goto end; @@ -582,8 +580,7 @@ bool write_tpm_device_credentials(uint32_t nv, fdo_sdk_blob_flags flags, * @param our_dev_cred - pointer to the device credentials block, * @return true if read and parsed correctly, otherwise false. */ -bool read_tpm_device_credentials(uint32_t nv, fdo_sdk_blob_flags flags, - fdo_dev_cred_t *our_dev_cred) +bool read_tpm_device_credentials(uint32_t nv, fdo_dev_cred_t *our_dev_cred) { bool ret = false; size_t dev_cred_len = 0; @@ -627,8 +624,7 @@ bool read_tpm_device_credentials(uint32_t nv, fdo_sdk_blob_flags flags, goto end; } - if (fdo_tpm_read_nv(nv, flags, fdor->b.block, fdor->b.block_size) == - -1) { + if (fdo_tpm_read_nv(nv, fdor->b.block, fdor->b.block_size) == -1) { LOG(LOG_ERROR, "Failed to read DeviceCredential blob : Normal.blob\n"); goto end; @@ -744,8 +740,7 @@ int store_tpm_credential(fdo_dev_cred_t *ocred) { /* Write in the file and save the Normal device credentials */ LOG(LOG_DEBUG, "Writing to TPm NV storage\n"); - if (!write_tpm_device_credentials(FDO_CRED_NV_IDX, FDO_SDK_NORMAL_DATA, - ocred)) { + if (!write_tpm_device_credentials(FDO_CRED_NV_IDX, ocred)) { LOG(LOG_ERROR, "Could not write to Normal Credentials blob\n"); return -1; } @@ -914,8 +909,7 @@ int load_credential(fdo_dev_cred_t *ocred) } #elif defined(DEVICE_TPM20_ENABLED) /* Read and save the device credentials */ - if (!read_tpm_device_credentials(FDO_CRED_NV_IDX, FDO_SDK_NORMAL_DATA, - ocred)) { + if (!read_tpm_device_credentials(FDO_CRED_NV_IDX, ocred)) { LOG(LOG_ERROR, "Could not parse the Device Credentials blob\n"); return -1; } diff --git a/lib/include/load_credentials.h b/lib/include/load_credentials.h index 78877652..2b21d2aa 100644 --- a/lib/include/load_credentials.h +++ b/lib/include/load_credentials.h @@ -33,10 +33,8 @@ bool load_device_status(fdo_sdk_device_status *state); bool store_device_status(fdo_sdk_device_status *state); #if defined(DEVICE_TPM20_ENABLED) -bool read_tpm_device_credentials(uint32_t nv, fdo_sdk_blob_flags flags, - fdo_dev_cred_t *our_dev_cred); -bool write_tpm_device_credentials(uint32_t nv, fdo_sdk_blob_flags flags, - fdo_dev_cred_t *our_dev_cred); +bool read_tpm_device_credentials(uint32_t nv, fdo_dev_cred_t *our_dev_cred); +bool write_tpm_device_credentials(uint32_t nv, fdo_dev_cred_t *our_dev_cred); int store_tpm_credential(fdo_dev_cred_t *ocred); #endif diff --git a/lib/m-string.c b/lib/m-string.c index df0f2338..e8e2a1a0 100644 --- a/lib/m-string.c +++ b/lib/m-string.c @@ -261,8 +261,8 @@ int ps_get_m_string(fdo_prot_t *ps) goto err; } - if (fdo_tpm_read_nv(TPM_DEVICE_CSR_NV_IDX, FDO_SDK_RAW_DATA, csr->bytes, - csr->byte_sz) == -1) { + if (fdo_tpm_read_nv(TPM_DEVICE_CSR_NV_IDX, csr->bytes, csr->byte_sz) == + -1) { LOG(LOG_ERROR, "Failed to load TPM DEVICE CSR into buffer.\n"); goto err; } diff --git a/storage/include/storage_al.h b/storage/include/storage_al.h index 70ca04fc..f6c7e699 100644 --- a/storage/include/storage_al.h +++ b/storage/include/storage_al.h @@ -17,6 +17,9 @@ #include #include #include +#if defined(DEVICE_TPM20_ENABLED) +#include "tpm2_nv_storage.h" +#endif // platform HMAC and blob size #if defined(DEVICE_TPM20_ENABLED) && defined(ECDSA384_DA) @@ -47,13 +50,12 @@ size_t fdo_blob_size(const char *blob_name, fdo_sdk_blob_flags flags); int32_t create_hmac_normal_blob(void); #if defined(DEVICE_TPM20_ENABLED) -int32_t fdo_tpm_read_nv(uint32_t nv, fdo_sdk_blob_flags flags, uint8_t *buffer, - uint32_t length); +int32_t fdo_tpm_read_nv(TPMI_RH_NV_INDEX nv, uint8_t *buffer, uint32_t length); -int32_t fdo_tpm_write_nv(uint32_t nv, fdo_sdk_blob_flags flags, - const uint8_t *buffer, uint32_t length); +int32_t fdo_tpm_write_nv(TPMI_RH_NV_INDEX nv, const uint8_t *buffer, + uint32_t length); -size_t fdo_tpm_size_nv(uint32_t nv); +size_t fdo_tpm_size_nv(TPMI_RH_NV_INDEX nv); #endif #ifdef __cplusplus } // endof externc (CPP code) diff --git a/storage/include/tpm2_nv_storage.h b/storage/include/tpm2_nv_storage.h index e0f59694..c84cfb5b 100644 --- a/storage/include/tpm2_nv_storage.h +++ b/storage/include/tpm2_nv_storage.h @@ -5,19 +5,10 @@ #include #include -#define FDO_CRED_NV_IDX 0x1000001 - -#define TPM_HMAC_PUB_KEY_NV_IDX 0x1000002 -#define TPM_HMAC_PRIV_KEY_NV_IDX 0x1000003 - -#define TPM_HMAC_DATA_PUB_KEY_NV_IDX 0x1000004 -#define TPM_HMAC_DATA_PRIV_KEY_NV_IDX 0x1000005 - -#define TPM_HMAC_REPLACEMENT_PUB_KEY_NV_IDX 0x1000006 -#define TPM_HMAC_REPLACEMENT_PRIV_KEY_NV_IDX 0x1000007 - -#define TPM_ECDSA_DEVICE_KEY_NV_IDX 0x1000008 -#define TPM_DEVICE_CSR_NV_IDX 0x1000009 +#define FDO_CRED_NV_IDX 0x01D10001 +#define TPM_PRIMARY_KEY_PERSISTANT_HANDLE 0x81020003 +#define TPM_ECDSA_DEVICE_KEY_NV_IDX 0x01D10004 +#define TPM_DEVICE_CSR_NV_IDX 0x01D10005 #if defined(ECDSA256_DA) #define FDO_TPM2_ALG_SHA TPM2_ALG_SHA256 @@ -32,7 +23,7 @@ * @retval -1 on undefined/general failure. * @retval TSS2_RC response code for failures relayed from the TSS library. */ -int fdo_tpm_nvdefine(uint32_t nv, size_t data_size); +int fdo_tpm_nvdefine(TPMI_RH_NV_INDEX nv, size_t data_size); /** Store a data in a NV index. * @@ -43,7 +34,7 @@ int fdo_tpm_nvdefine(uint32_t nv, size_t data_size); * @retval -1 on undefined/general failure. * @retval TSS2_RC response code for failures relayed from the TSS library. */ -int fdo_tpm_nvwrite(const uint8_t *data, size_t data_size, uint32_t nv); +int fdo_tpm_nvwrite(const uint8_t *data, size_t data_size, TPMI_RH_NV_INDEX nv); /** Load data size from a NV index. * @@ -52,7 +43,7 @@ int fdo_tpm_nvwrite(const uint8_t *data, size_t data_size, uint32_t nv); * @retval -1 on undefined/general failure. * @retval TSS2_RC response code for failures relayed from the TSS library. */ -size_t fdo_tpm_nvread_size(uint32_t nv); +size_t fdo_tpm_nvread_size(TPMI_RH_NV_INDEX nv); /** Load a data from a NV index. * @@ -63,7 +54,7 @@ size_t fdo_tpm_nvread_size(uint32_t nv); * @retval -1 on undefined/general failure. * @retval TSS2_RC response code for failures relayed from the TSS library. */ -int fdo_tpm_nvread(uint32_t nv, size_t data_size, uint8_t **data); +int fdo_tpm_nvread(TPMI_RH_NV_INDEX nv, size_t data_size, uint8_t **data); /** Delete data from a NV index. * @@ -72,4 +63,4 @@ int fdo_tpm_nvread(uint32_t nv, size_t data_size, uint8_t **data); * @retval -1 on undefined/general failure. * @retval TSS2_RC response code for failures relayed from the TSS library. */ -int fdo_tpm_nvdel(uint32_t nv); \ No newline at end of file +int fdo_tpm_nvdel(TPMI_RH_NV_INDEX nv); \ No newline at end of file diff --git a/storage/linux/storage_if_linux.c b/storage/linux/storage_if_linux.c index 75c7a1d7..fde1345a 100644 --- a/storage/linux/storage_if_linux.c +++ b/storage/linux/storage_if_linux.c @@ -21,7 +21,7 @@ #include "crypto_utils.h" #include "platform_utils.h" #if defined(DEVICE_TPM20_ENABLED) -#include "tpm2_nv_storage.h" +#include "tpm20_Utils.h" #endif /**************************************************** @@ -573,7 +573,7 @@ int32_t fdo_blob_write(const char *name, fdo_sdk_blob_flags flags, * @return file size on success, 0 if file does not exist or on other failure */ -size_t fdo_tpm_size_nv(uint32_t nv) +size_t fdo_tpm_size_nv(TPMI_RH_NV_INDEX nv) { size_t retval = 0; const size_t NORMAL_NV_OVERHEAD = @@ -623,23 +623,16 @@ size_t fdo_tpm_size_nv(uint32_t nv) * @param n_bytes - length of data(in bytes) to be read * @return num of bytes read if success, -1 on error */ -int32_t fdo_tpm_read_nv(uint32_t nv, fdo_sdk_blob_flags flags, uint8_t *buf, - uint32_t n_bytes) +int32_t fdo_tpm_read_nv(TPMI_RH_NV_INDEX nv, uint8_t *buf, uint32_t n_bytes) { int retval = -1; uint8_t *data = NULL; uint32_t data_length = 0; uint8_t *sealed_data = NULL; uint32_t sealed_data_len = 0; - uint8_t *encrypted_data = NULL; - uint32_t encrypted_data_len = 0; uint8_t stored_hmac[PLATFORM_HMAC_SIZE] = {0}; uint8_t computed_hmac[PLATFORM_HMAC_SIZE] = {0}; - uint8_t stored_tag[AES_TAG_LEN] = {0}; int strcmp_result = -1; - uint8_t iv[PLATFORM_IV_DEFAULT_LEN] = {0}; - uint8_t aes_key[PLATFORM_AES_KEY_DEFAULT_LEN] = {0}; - size_t dat_len_offst = 0; if (!nv || !buf || n_bytes == 0) { LOG(LOG_ERROR, "Invalid parameters in %s!\n", __func__); @@ -654,15 +647,7 @@ int32_t fdo_tpm_read_nv(uint32_t nv, fdo_sdk_blob_flags flags, uint8_t *buf, goto exit; } - switch (flags) { - case FDO_SDK_RAW_DATA: - if (0 != fdo_tpm_nvread(nv, n_bytes, &buf)) { - LOG(LOG_ERROR, "Failed to read file!\n"); - goto exit; - } - break; - - case FDO_SDK_NORMAL_DATA: + if (nv == FDO_CRED_NV_IDX) { /* HMAC-256 is being used to store files under * FDO_SDK_NORMAL_DATA flag. * File content to be stored as: @@ -711,9 +696,9 @@ int32_t fdo_tpm_read_nv(uint32_t nv, fdo_sdk_blob_flags flags, uint8_t *buf, data = sealed_data + PLATFORM_HMAC_SIZE + BLOB_CONTENT_SIZE; - if (0 != fdo_compute_storage_hmac(data, data_length, - computed_hmac, - PLATFORM_HMAC_SIZE)) { + if (0 != fdo_tpm_get_hmac(data, data_length, computed_hmac, + PLATFORM_HMAC_SIZE, + TPM_PRIMARY_KEY_PERSISTANT_HANDLE)) { LOG(LOG_ERROR, "HMAC computation dailed during" " %s!\n", @@ -740,104 +725,16 @@ int32_t fdo_tpm_read_nv(uint32_t nv, fdo_sdk_blob_flags flags, uint8_t *buf, __func__); goto exit; } - break; - - case FDO_SDK_SECURE_DATA: - /* AES GCM authenticated encryption is being used to store files - * under - * FDO_SDK_SECURE_DATA flag. File content to be stored as: - * [IV_data(12byte)||[AuthenticatedTAG(16 bytes)|| - * Sizeof_ciphertext(8 * bytes)||Ciphertet(n_bytes bytes)] - */ - - encrypted_data_len = PLATFORM_IV_DEFAULT_LEN + AES_TAG_LEN + - BLOB_CONTENT_SIZE + n_bytes; - - encrypted_data = fdo_alloc(encrypted_data_len); - if (NULL == encrypted_data) { - LOG(LOG_ERROR, "Malloc Failed in %s!\n", __func__); - goto exit; - } - - if (fdo_tpm_nvread(nv, encrypted_data_len, &encrypted_data)) { + } else { + if (0 != fdo_tpm_nvread(nv, n_bytes, &buf)) { LOG(LOG_ERROR, "Failed to read file!\n"); goto exit; } - - dat_len_offst = AES_TAG_LEN + PLATFORM_IV_DEFAULT_LEN; - // get actual data length - data_length |= encrypted_data[dat_len_offst] << 24; - data_length |= encrypted_data[dat_len_offst + 1] << 16; - data_length |= encrypted_data[dat_len_offst + 2] << 8; - data_length |= (encrypted_data[dat_len_offst + 3] & 0x000000FF); - - // check if input buffer is sufficient ? - if (n_bytes < data_length) { - LOG(LOG_ERROR, - "Failed to read data, Buffer is not enough, " - "buf_len:%d,\t Lengthstoredinfilesystem:%d\n", - n_bytes, data_length); - goto exit; - } - /* read the iv from blob */ - if (memcpy_s(iv, PLATFORM_IV_DEFAULT_LEN, encrypted_data, - PLATFORM_IV_DEFAULT_LEN) != 0) { - LOG(LOG_ERROR, - "Copying stored IV failed during " - "%s!\n", - __func__); - goto exit; - } - - if (memcpy_s(stored_tag, AES_TAG_LEN, - encrypted_data + PLATFORM_IV_DEFAULT_LEN, - AES_TAG_LEN) != 0) { - LOG(LOG_ERROR, - "Copying stored TAG failed during " - "%s!\n", - __func__); - goto exit; - } - - data = encrypted_data + PLATFORM_IV_DEFAULT_LEN + AES_TAG_LEN + - BLOB_CONTENT_SIZE; - - if (!get_platform_aes_key(aes_key, - PLATFORM_AES_KEY_DEFAULT_LEN)) { - LOG(LOG_ERROR, "Could not get platform AES Key!\n"); - goto exit; - } - - // decrypt and authenticate cipher-text content and fill the - // given buffer with clear-text - if (crypto_hal_aes_decrypt( - buf, &n_bytes, data, data_length, 16, iv, aes_key, - PLATFORM_AES_KEY_DEFAULT_LEN, stored_tag, AES_TAG_LEN, - NULL, 0) < 0) { - LOG(LOG_ERROR, "Decryption failed during Secure " - "Blob Read!\n"); - goto exit; - } - break; - - default: - LOG(LOG_ERROR, "Invalid FDO blob flag!!\n"); - goto exit; } retval = (int32_t)n_bytes; exit: - if (sealed_data) { - fdo_free(sealed_data); - } - if (encrypted_data) { - fdo_free(encrypted_data); - } - if (memset_s(aes_key, PLATFORM_AES_KEY_DEFAULT_LEN, 0)) { - LOG(LOG_ERROR, "Failed to clear AES key\n"); - retval = -1; - } return retval; } @@ -853,18 +750,12 @@ int32_t fdo_tpm_read_nv(uint32_t nv, fdo_sdk_blob_flags flags, uint8_t *buf, * @return num of bytes write if success, -1 on error */ -int32_t fdo_tpm_write_nv(uint32_t nv, fdo_sdk_blob_flags flags, - const uint8_t *buf, uint32_t n_bytes) +int32_t fdo_tpm_write_nv(TPMI_RH_NV_INDEX nv, const uint8_t *buf, + uint32_t n_bytes) { int retval = -1; - FILE *f = NULL; uint32_t write_context_len = 0; - uint32_t write_context_len_temp = 0; uint8_t *write_context = NULL; - uint8_t tag[AES_TAG_LEN] = {0}; - uint8_t iv[PLATFORM_IV_DEFAULT_LEN] = {0}; - uint8_t aes_key[PLATFORM_AES_KEY_DEFAULT_LEN] = {0}; - size_t dat_len_offst = 0; if (!buf || !nv || n_bytes == 0) { LOG(LOG_ERROR, "Invalid parameters in %s!\n", __func__); @@ -879,26 +770,7 @@ int32_t fdo_tpm_write_nv(uint32_t nv, fdo_sdk_blob_flags flags, goto exit; } - switch (flags) { - case FDO_SDK_RAW_DATA: - // Raw Files are stored as plain files - write_context_len = n_bytes; - - write_context = fdo_alloc(write_context_len); - if (NULL == write_context) { - LOG(LOG_ERROR, "Malloc Failed in %s!\n", __func__); - goto exit; - } - - if (memcpy_s(write_context, write_context_len, buf, n_bytes) != - 0) { - LOG(LOG_ERROR, - "Copying data failed during RAW Blob write!\n"); - goto exit; - } - break; - - case FDO_SDK_NORMAL_DATA: + if (nv == FDO_CRED_NV_IDX) { /* HMAC-256 is being used to store files under * FDO_SDK_NORMAL_DATA flag. * File content to be stored as: @@ -914,10 +786,10 @@ int32_t fdo_tpm_write_nv(uint32_t nv, fdo_sdk_blob_flags flags, goto exit; } - if (0 != fdo_compute_storage_hmac(buf, n_bytes, write_context, - PLATFORM_HMAC_SIZE)) { - LOG(LOG_ERROR, "Computing HMAC failed during Normal " - "Blob write!\n"); + if (0 != fdo_tpm_get_hmac(buf, n_bytes, write_context, + PLATFORM_HMAC_SIZE, + TPM_PRIMARY_KEY_PERSISTANT_HANDLE)) { + LOG(LOG_ERROR, "Computing HMAC failed!\n"); goto exit; } @@ -937,18 +809,8 @@ int32_t fdo_tpm_write_nv(uint32_t nv, fdo_sdk_blob_flags flags, "Copying data failed during Normal Blob write!\n"); goto exit; } - break; - - case FDO_SDK_SECURE_DATA: - /* AES GCM authenticated encryption is being used to store files - * under - * FDO_SDK_SECURE_DATA flag. File content to be stored as: - * [IV_data(12byte)||[AuthenticatedTAG(16 bytes)|| - * Sizeof_ciphertext(8 * bytes)||Ciphertet(n_bytes bytes)] - */ - - write_context_len = PLATFORM_IV_DEFAULT_LEN + AES_TAG_LEN + - BLOB_CONTENT_SIZE + n_bytes; + } else { + write_context_len = n_bytes; write_context = fdo_alloc(write_context_len); if (NULL == write_context) { @@ -956,62 +818,12 @@ int32_t fdo_tpm_write_nv(uint32_t nv, fdo_sdk_blob_flags flags, goto exit; } - if (!get_platform_iv(iv, PLATFORM_IV_DEFAULT_LEN, n_bytes)) { - LOG(LOG_ERROR, "Could not get platform IV!\n"); - goto exit; - } - - if (!get_platform_aes_key(aes_key, - PLATFORM_AES_KEY_DEFAULT_LEN)) { - LOG(LOG_ERROR, "Could not get platform AES Key!\n"); - goto exit; - } - - write_context_len_temp = - write_context_len - - (PLATFORM_IV_DEFAULT_LEN + AES_TAG_LEN + BLOB_CONTENT_SIZE); - // encrypt plain-text and copy cipher-text content - if (crypto_hal_aes_encrypt( - buf, n_bytes, - &write_context[PLATFORM_IV_DEFAULT_LEN + AES_TAG_LEN + - BLOB_CONTENT_SIZE], - &write_context_len_temp, 16, iv, aes_key, - PLATFORM_AES_KEY_DEFAULT_LEN, tag, AES_TAG_LEN, NULL, - 0) < 0) { - LOG(LOG_ERROR, "Encypting data failed during Secure " - "Blob write!\n"); - goto exit; - } - // copy used IV for encryption - if (memcpy_s(write_context, PLATFORM_IV_DEFAULT_LEN, iv, - PLATFORM_IV_DEFAULT_LEN) != 0) { - LOG(LOG_ERROR, "Copying TAG value failed during Secure " - "Blob write!\n"); - goto exit; - } - - // copy Authenticated TAG value - if (memcpy_s(write_context + PLATFORM_IV_DEFAULT_LEN, - write_context_len - PLATFORM_IV_DEFAULT_LEN, tag, - AES_TAG_LEN) != 0) { - LOG(LOG_ERROR, "Copying TAG value failed during Secure " - "Blob write!\n"); + if (memcpy_s(write_context, write_context_len, buf, n_bytes) != + 0) { + LOG(LOG_ERROR, + "Copying data failed during RAW Blob write!\n"); goto exit; } - - dat_len_offst = AES_TAG_LEN + PLATFORM_IV_DEFAULT_LEN; - /* copy cipher-text size; CT size= PT size (AES GCM uses AES CTR - * mode internally for encryption) - */ - write_context[dat_len_offst + 3] = n_bytes >> 0; - write_context[dat_len_offst + 2] = n_bytes >> 8; - write_context[dat_len_offst + 1] = n_bytes >> 16; - write_context[dat_len_offst + 0] = n_bytes >> 24; - break; - - default: - LOG(LOG_ERROR, "Invalid FDO blob flag!!\n"); - goto exit; } if (fdo_tpm_nvwrite(write_context, write_context_len, nv)) { @@ -1025,15 +837,6 @@ int32_t fdo_tpm_write_nv(uint32_t nv, fdo_sdk_blob_flags flags, if (write_context) { fdo_free(write_context); } - if (f) { - if (fclose(f) == EOF) { - LOG(LOG_ERROR, "fclose() Failed in %s\n", __func__); - } - } - if (memset_s(aes_key, PLATFORM_AES_KEY_DEFAULT_LEN, 0)) { - LOG(LOG_ERROR, "Failed to clear AES key\n"); - retval = -1; - } return retval; } #endif \ No newline at end of file diff --git a/storage/linux/tpm2_nv_storage.c b/storage/linux/tpm2_nv_storage.c index 7fef660f..4cb4c47e 100644 --- a/storage/linux/tpm2_nv_storage.c +++ b/storage/linux/tpm2_nv_storage.c @@ -157,7 +157,7 @@ static int32_t fdo_tpm_context_clean_up(ESYS_CONTEXT **esys_context, * @retval -1 on undefined/general failure. * @retval TSS2_RC response code for failures relayed from the TSS library. */ -int fdo_tpm_nvdefine(uint32_t nv, size_t data_size) +int fdo_tpm_nvdefine(TPMI_RH_NV_INDEX nv, size_t data_size) { if (!nv) { @@ -178,9 +178,9 @@ int fdo_tpm_nvdefine(uint32_t nv, size_t data_size) .nvPublic = { .nvIndex = nv, .nameAlg = FDO_TPM2_ALG_SHA, - .attributes = (TPMA_NV_OWNERWRITE | TPMA_NV_AUTHWRITE | - TPMA_NV_WRITE_STCLEAR | TPMA_NV_READ_STCLEAR | - TPMA_NV_AUTHREAD | TPMA_NV_OWNERREAD), + .attributes = + (TPMA_NV_OWNERWRITE | TPMA_NV_AUTHWRITE | TPMA_NV_AUTHREAD | + TPMA_NV_OWNERREAD | TPMA_NV_NO_DA), .authPolicy = { .size = 0, @@ -255,7 +255,7 @@ int fdo_tpm_nvdefine(uint32_t nv, size_t data_size) * @retval -1 on undefined/general failure. * @retval TSS2_RC response code for failures relayed from the TSS library. */ -int fdo_tpm_nvwrite(const uint8_t *data, size_t data_size, uint32_t nv) +int fdo_tpm_nvwrite(const uint8_t *data, size_t data_size, TPMI_RH_NV_INDEX nv) { if (!data || !nv) { return -1; @@ -275,9 +275,9 @@ int fdo_tpm_nvwrite(const uint8_t *data, size_t data_size, uint32_t nv) .nvPublic = { .nvIndex = nv, .nameAlg = FDO_TPM2_ALG_SHA, - .attributes = (TPMA_NV_OWNERWRITE | TPMA_NV_AUTHWRITE | - TPMA_NV_WRITE_STCLEAR | TPMA_NV_READ_STCLEAR | - TPMA_NV_AUTHREAD | TPMA_NV_OWNERREAD), + .attributes = + (TPMA_NV_OWNERWRITE | TPMA_NV_AUTHWRITE | TPMA_NV_AUTHREAD | + TPMA_NV_OWNERREAD | TPMA_NV_NO_DA), .authPolicy = { .size = 0, @@ -291,7 +291,6 @@ int fdo_tpm_nvwrite(const uint8_t *data, size_t data_size, uint32_t nv) LOG(LOG_ERROR, "Data too large.\n"); return -1; } - // memcpy(&blob.buffer[0], data, blob.size); if (memcpy_s(&blob.buffer[0], blob.size, data, data_size) != 0) { LOG(LOG_ERROR, "Failed to copy data to blob!\n"); @@ -380,7 +379,7 @@ int fdo_tpm_nvwrite(const uint8_t *data, size_t data_size, uint32_t nv) * @retval -1 on undefined/general failure. * @retval TSS2_RC response code for failures relayed from the TSS library. */ -size_t fdo_tpm_nvread_size(uint32_t nv) +size_t fdo_tpm_nvread_size(TPMI_RH_NV_INDEX nv) { int ret = -1; TSS2_RC rc; @@ -471,7 +470,7 @@ size_t fdo_tpm_nvread_size(uint32_t nv) * @retval -1 on undefined/general failure. * @retval TSS2_RC response code for failures relayed from the TSS library. */ -int fdo_tpm_nvread(uint32_t nv, size_t data_size, uint8_t **data) +int fdo_tpm_nvread(TPMI_RH_NV_INDEX nv, size_t data_size, uint8_t **data) { int ret = -1; TSS2_RC rc; @@ -525,9 +524,6 @@ int fdo_tpm_nvread(uint32_t nv, size_t data_size, uint8_t **data) goto err; } - // *data_size = blob->size; - // *data = malloc(blob->size); - // memcpy(*data, &blob->buffer[0], blob->size); if (memcpy_s(*data, data_size, &blob->buffer[0], blob->size) != 0) { LOG(LOG_ERROR, "Failed to copy data to blob!\n"); goto err; @@ -556,7 +552,7 @@ int fdo_tpm_nvread(uint32_t nv, size_t data_size, uint8_t **data) * @retval -1 on undefined/general failure. * @retval TSS2_RC response code for failures relayed from the TSS library. */ -int fdo_tpm_nvdel(uint32_t nv) +int fdo_tpm_nvdel(TPMI_RH_NV_INDEX nv) { int ret = -1; TSS2_RC rc; diff --git a/utils/clear_tpm_nv.sh b/utils/clear_tpm_nv.sh index 7e8d93ed..83c250e5 100644 --- a/utils/clear_tpm_nv.sh +++ b/utils/clear_tpm_nv.sh @@ -17,10 +17,10 @@ execute_cmd_on_failure_exit() return 0 } -for n in {1..9}; +for n in {1,4,5}; do task="Deleting a Non-Volatile (NV) index at 0x100000$n" - cmd="tpm2_nvundefine 0x100000$n" + cmd="tpm2_nvundefine 0x01D1000$n" success_string="$task completed successfully!!" failure_string="Non-Volatile (NV) index at 0x100000$n is not defined!!" execute_cmd_on_failure_exit "\$cmd" "\$success_string" "\$failure_string" diff --git a/utils/tpm_make_ready_ecdsa.sh b/utils/tpm_make_ready_ecdsa.sh index a0ca2839..dc5ecf97 100644 --- a/utils/tpm_make_ready_ecdsa.sh +++ b/utils/tpm_make_ready_ecdsa.sh @@ -6,7 +6,7 @@ DEVICE_CSR_FILE_INSIDE_DATA_DIR="tpm_device_csr" PARENT_DIR="" TPM_ENDORSEMENT_PRIMARY_KEY_CTX=tpm_primary_key.ctx -TPM_ENDORSEMENT_PRIMARY_KEY_PERSISTANT_HANDLE=0x81000001 +TPM_ENDORSEMENT_PRIMARY_KEY_PERSISTANT_HANDLE=0x81020002 found_path=0 verbose=0 @@ -106,7 +106,7 @@ execute_cmd_on_failure_exit "\$cmd" "\$success_string" "\$failure_string" 1 1 task="Load primary key inside persistance memory at $TPM_ENDORSEMENT_PRIMARY_KEY_PERSISTANT_HANDLE" cmd="tpm2_evictcontrol -C o $TPM_ENDORSEMENT_PRIMARY_KEY_PERSISTANT_HANDLE -c $tpm_endorsement_primary_key_ctx -V" -success_string="$task completed successfully at!!" +success_string="$task completed successfully!!" failure_string="$task failed" execute_cmd_on_failure_exit "\$cmd" "\$success_string" "\$failure_string" 1 1 @@ -125,26 +125,26 @@ execute_cmd_on_failure_exit "\$cmd" "\$success_string" "\$failure_string" 1 1 # write tpm device key and device csr inside tpm task="Define a TPM Non-Volatile (NV) index for TPM KEY" key_size=$(wc -c < $tpm_device_key_file) -cmd="tpm2_nvdefine -Q 0x1000008 -C o -s $key_size -a \"ownerwrite|authwrite|write_stclear|ownerread|authread|read_stclear\"" +cmd="tpm2_nvdefine -Q 0x01D10004 -C o -s $key_size -a \"ownerwrite|authwrite|ownerread|authread|no_da\"" success_string="$task completed successfully!!" failure_string="$task failed" execute_cmd_on_failure_exit "\$cmd" "\$success_string" "\$failure_string" 1 1 task="Define a TPM Non-Volatile (NV) index for TPM Device CSR" csr_size=$(wc -c < $device_csr_file) -cmd="tpm2_nvdefine -Q 0x1000009 -C o -s $csr_size -a \"ownerwrite|authwrite|write_stclear|ownerread|authread|read_stclear\"" +cmd="tpm2_nvdefine -Q 0x01D10005 -C o -s $csr_size -a \"ownerwrite|authwrite|ownerread|authread|no_da\"" success_string="$task completed successfully!!" failure_string="$task failed" execute_cmd_on_failure_exit "\$cmd" "\$success_string" "\$failure_string" 1 1 task="Write TPM ECDSA KEY to a Non-Volatile (NV) index" -cmd="tpm2_nvwrite -Q 0x1000008 -C o -i $tpm_device_key_file" +cmd="tpm2_nvwrite -Q 0x01D10004 -C o -i $tpm_device_key_file" success_string="$task completed successfully!!" failure_string="$task failed" execute_cmd_on_failure_exit "\$cmd" "\$success_string" "\$failure_string" 1 1 task="Write TPM Device CSR to a Non-Volatile (NV) index" -cmd="tpm2_nvwrite -Q 0x1000009 -C o -i $device_csr_file" +cmd="tpm2_nvwrite -Q 0x01D10005 -C o -i $device_csr_file" success_string="$task completed successfully!!" failure_string="$task failed" execute_cmd_on_failure_exit "\$cmd" "\$success_string" "\$failure_string" 1 1