Add support to store device credentials and device status inside TPM …

…NV storage Signed-off-by: Shrikant Temburwar <shrikant.temburwar@intel.com>
fido-device-onboard · Nov 13, 2023 · 906307b · 906307b
1 parent e1dc9d0
commit 906307b
Show file tree

Hide file tree

Showing 14 changed files with 1,579 additions and 30 deletions.
diff --git a/app/blob.c b/app/blob.c
@@ -36,6 +36,7 @@
 #if defined(DEVICE_TPM20_ENABLED)
 #include "tpm20_Utils.h"
 #include "fdo_crypto.h"
+#include "tpm2_nv_storage.h"
 #endif
 
 #if !defined(DEVICE_TPM20_ENABLED)

diff --git a/app/main.c b/app/main.c
@@ -28,6 +28,10 @@
 #include "cse_utils.h"
 #include "cse_tools.h"
 #endif
+#if defined(DEVICE_TPM20_ENABLED)
+#include "tpm20_Utils.h"
+#include "fdo_crypto.h"
+#endif
 
 #define STORAGE_NAMESPACE "storage"
 #define OWNERSHIP_TRANSFER_FILE "data/owner_transfer"
@@ -273,13 +277,28 @@ int app_main(bool is_resale)
 #endif /* SECURE_ELEMENT */
 
 #if !defined(DEVICE_CSE_ENABLED)
-	LOG(LOG_DEBUG, "CSE not enabled, Normal Blob Modules loaded!\n");
+#if defined(DEVICE_TPM20_ENABLED)
+	if (0 == is_valid_tpm_data_protection_key_present()) {
+		if (0 != fdo_generate_storage_hmac_key()) {
+			LOG(LOG_ERROR, "Failed to generate TPM data protection"
+				       " key.\n");
+			ret = -1;
+			goto end;
+		}
+
+		LOG(LOG_DEBUG,
+		    "TPM data protection key generated successfully.\n");
+	}
+#else
+	LOG(LOG_DEBUG,
+	    "CSE and TPM not enabled, Normal Blob Modules loaded!\n");
 	if (-1 == configure_normal_blob()) {
 		LOG(LOG_ERROR,
 		    "Provisioning Normal blob for the 1st time failed!\n");
 		ret = -1;
 		goto end;
 	}
+#endif
 #endif
 
 	/* List and Init all Sv_info modules */

diff --git a/cmake/blob_path.cmake b/cmake/blob_path.cmake
@@ -24,7 +24,7 @@ if(TARGET_OS MATCHES linux)
       -DDEVICE_CSE_ENABLED
     )
     endif()
-    
+
   if (${MTLS} MATCHES true)
     client_sdk_compile_definitions(
       -DSSL_CERT=\"${BLOB_PATH}/data/apiUser.pem\"
@@ -176,9 +176,11 @@ if(TARGET_OS MATCHES linux)
 # Configure if needed at a later point
 # configure_file(${BLOB_PATH}/data/Normal.blob NEWLINE_STYLE DOS)
 
-file(WRITE ${BLOB_PATH}/data/platform_iv.bin "")
-file(WRITE ${BLOB_PATH}/data/platform_hmac_key.bin "")
-file(WRITE ${BLOB_PATH}/data/platform_aes_key.bin "")
-file(WRITE ${BLOB_PATH}/data/Normal.blob "")
-file(WRITE ${BLOB_PATH}/data/Secure.blob "")
-file(WRITE ${BLOB_PATH}/data/raw.blob "")
+if (NOT ${DA} MATCHES tpm)
+  file(WRITE ${BLOB_PATH}/data/platform_iv.bin "")
+  file(WRITE ${BLOB_PATH}/data/platform_hmac_key.bin "")
+  file(WRITE ${BLOB_PATH}/data/platform_aes_key.bin "")
+  file(WRITE ${BLOB_PATH}/data/Normal.blob "")
+  file(WRITE ${BLOB_PATH}/data/Secure.blob "")
+  file(WRITE ${BLOB_PATH}/data/raw.blob "")
+endif()