Update TPM code as per specs

Signed-off-by: Shrikant Temburwar <shrikant.temburwar@intel.com>

app/blob.c

@@ -59,7 +59,6 @@ static int32_t gen_rdm_bytestream(uint8_t *random_buffer, size_t num_bytes)
 	}
 	return 0;
 }
-#endif
 
 int32_t configure_normal_blob(void)
 {
@@ -72,19 +71,6 @@ int32_t configure_normal_blob(void)
 	uint8_t *signed_normal_blob = NULL;
 	size_t signed_normal_blob_size = 0;
 	int32_t ret = -1;
-
-#if defined(DEVICE_TPM20_ENABLED)
-	if (0 == is_valid_tpm_data_protection_key_present()) {
-		if (0 != fdo_generate_storage_hmac_key()) {
-			LOG(LOG_ERROR, "Failed to generate TPM data protection"
-				       " key.\n");
-			goto err;
-		}
-
-		LOG(LOG_DEBUG,
-		    "TPM data protection key generated successfully.\n");
-	}
-#else
 	uint8_t hmac_key[PLATFORM_HMAC_KEY_DEFAULT_LEN] = {0};
 
 	size_t key_size_stored =
@@ -115,7 +101,6 @@ int32_t configure_normal_blob(void)
 		LOG(LOG_ERROR, "Failed to read plain Normal blob!\n");
 		goto err;
 	}
-#endif
 
 	raw_normal_blob_size =
 	    fdo_blob_size((char *)FDO_CRED_NORMAL, FDO_SDK_RAW_DATA);
@@ -159,13 +144,6 @@ int32_t configure_normal_blob(void)
 		    "Malloc Failed for sealed Normal Blob buffer!\n");
 		goto err;
 	}
-#if defined(DEVICE_TPM20_ENABLED)
-	if (0 != fdo_compute_storage_hmac(raw_normal_blob, raw_normal_blob_size,
-					  signed_normal_blob,
-					  PLATFORM_HMAC_SIZE)) {
-		goto err;
-	}
-#else
 #if defined(USE_MBEDTLS)
 	if (0 != mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
 				 (const uint8_t *)hmac_key,
@@ -179,7 +157,6 @@ int32_t configure_normal_blob(void)
 			 signed_normal_blob, NULL)) {
 		goto err;
 	}
-#endif
 #endif
 	// copy plain-text size
 	signed_normal_blob[PLATFORM_HMAC_SIZE + 3] = raw_normal_blob_size >> 0;
@@ -215,3 +192,4 @@ int32_t configure_normal_blob(void)
 	}
 	return ret;
 }
+#endif

app/main.c

@@ -276,20 +276,7 @@ int app_main(bool is_resale)
 	}
 #endif /* SECURE_ELEMENT */
 
-#if !defined(DEVICE_CSE_ENABLED)
-#if defined(DEVICE_TPM20_ENABLED)
-	if (0 == is_valid_tpm_data_protection_key_present()) {
-		if (0 != fdo_generate_storage_hmac_key()) {
-			LOG(LOG_ERROR, "Failed to generate TPM data protection"
-				       " key.\n");
-			ret = -1;
-			goto end;
-		}
-
-		LOG(LOG_DEBUG,
-		    "TPM data protection key generated successfully.\n");
-	}
-#else
+#if !defined(DEVICE_CSE_ENABLED) && !defined(DEVICE_TPM20_ENABLED)
 	LOG(LOG_DEBUG,
 	    "CSE and TPM not enabled, Normal Blob Modules loaded!\n");
 	if (-1 == configure_normal_blob()) {
@@ -298,7 +285,6 @@ int app_main(bool is_resale)
 		ret = -1;
 		goto end;
 	}
-#endif
 #endif
 
 	/* List and Init all Sv_info modules */

crypto/common/fdo_crypto_common.c

@@ -114,10 +114,6 @@ int32_t fdo_crypto_close(void)
 	ret = crypto_close();
 	/* CLeanup of context structs */
 	cleanup_ctx();
-#if defined(DEVICE_TPM20_ENABLED)
-	/* clear the replacement hmac key objects */
-	fdo_tpm_clear_replacement_hmac_key();
-#endif
 	return ret;
 }
 

crypto/common/fdo_hmac.c

@@ -152,16 +152,14 @@ int32_t fdo_device_ov_hmac(uint8_t *OVHdr, size_t OVHdr_len, uint8_t *hmac,
 	if (is_replacement_hmac) {
 #if defined(DEVICE_TPM20_ENABLED)
 		return fdo_tpm_get_hmac(OVHdr, OVHdr_len, hmac, hmac_len,
-					TPM_HMAC_REPLACEMENT_PUB_KEY_NV_IDX,
-					TPM_HMAC_REPLACEMENT_PRIV_KEY_NV_IDX);
+					TPM_PRIMARY_KEY_PERSISTANT_HANDLE);
 #else
 		keyset = get_replacement_OV_key();
 #endif
 	} else {
 #if defined(DEVICE_TPM20_ENABLED)
 		return fdo_tpm_get_hmac(OVHdr, OVHdr_len, hmac, hmac_len,
-					TPM_HMAC_PUB_KEY_NV_IDX,
-					TPM_HMAC_PRIV_KEY_NV_IDX);
+					TPM_PRIMARY_KEY_PERSISTANT_HANDLE);
 #else
 		keyset = get_OV_key();
 #endif
@@ -227,8 +225,7 @@ int32_t fdo_generate_ov_hmac_key(void)
 
 	int32_t ret = -1;
 #if defined(DEVICE_TPM20_ENABLED)
-	if (0 != fdo_tpm_generate_hmac_key(TPM_HMAC_PUB_KEY_NV_IDX,
-					   TPM_HMAC_PRIV_KEY_NV_IDX)) {
+	if (0 != fdo_tpm_generate_hmac_key(TPM_PRIMARY_KEY_PERSISTANT_HANDLE)) {
 		LOG(LOG_ERROR, "Failed to generate device HMAC key"
 			       " from TPM.\n");
 		return ret;
@@ -272,9 +269,7 @@ int32_t fdo_generate_ov_replacement_hmac_key(void)
 
 	int32_t ret = -1;
 #if defined(DEVICE_TPM20_ENABLED)
-	if (0 !=
-	    fdo_tpm_generate_hmac_key(TPM_HMAC_REPLACEMENT_PUB_KEY_NV_IDX,
-				      TPM_HMAC_REPLACEMENT_PRIV_KEY_NV_IDX)) {
+	if (0 != fdo_tpm_generate_hmac_key(TPM_PRIMARY_KEY_PERSISTANT_HANDLE)) {
 		LOG(LOG_ERROR, "Failed to generate device replacement HMAC key"
 			       " from TPM.\n");
 		return ret;
@@ -319,12 +314,6 @@ int32_t fdo_commit_ov_replacement_hmac_key(void)
 
 	int32_t ret = -1;
 #if defined(DEVICE_TPM20_ENABLED)
-	if (0 != fdo_tpm_commit_replacement_hmac_key()) {
-		LOG(LOG_ERROR, "Failed to commit device replacement HMAC key"
-			       " for TPM.\n");
-		return ret;
-	}
-
 	ret = 0;
 #else
 	fdo_byte_array_t **secret = get_replacement_OV_key();
@@ -368,18 +357,6 @@ int32_t fdo_compute_storage_hmac(const uint8_t *data, uint32_t data_length,
 		goto error;
 	}
 
-#if defined(DEVICE_TPM20_ENABLED)
-	if (0 != fdo_tpm_get_hmac(data, data_length, computed_hmac,
-				  computed_hmac_size,
-				  TPM_HMAC_DATA_PUB_KEY_NV_IDX,
-				  TPM_HMAC_DATA_PRIV_KEY_NV_IDX)) {
-		LOG(LOG_ERROR, "TPM HMAC Computation failed!\n");
-		goto error;
-	}
-
-	LOG(LOG_DEBUG, "TPM HMAC computed successfully!\n");
-
-#else
 	uint8_t hmac_key[PLATFORM_HMAC_KEY_DEFAULT_LEN] = {0};
 
 	if (!get_platform_hmac_key(hmac_key, PLATFORM_HMAC_KEY_DEFAULT_LEN)) {
@@ -407,7 +384,6 @@ int32_t fdo_compute_storage_hmac(const uint8_t *data, uint32_t data_length,
 #endif
 	return ret;
 }
-#endif
 
 /**
  * fdo_generate_storage_hmac_key function generates Storage HMAC key
@@ -422,18 +398,6 @@ int32_t fdo_generate_storage_hmac_key(void)
 
 #if defined(TARGET_OS_OPTEE)
 	return 0;
-
-#elif defined(DEVICE_TPM20_ENABLED)
-	if (0 != fdo_tpm_generate_hmac_key(TPM_HMAC_DATA_PUB_KEY_NV_IDX,
-					   TPM_HMAC_DATA_PRIV_KEY_NV_IDX)) {
-		LOG(LOG_ERROR, "Failed to generate TPM data protection "
-			       "key.\n");
-		return ret;
-	}
-
-	ret = 0;
-	LOG(LOG_DEBUG, "TPM data protection key generated successfully.\n");
-
 #else
 	uint8_t hmac_key[PLATFORM_HMAC_KEY_DEFAULT_LEN] = {0};
 

crypto/include/tpm20_Utils.h

@@ -103,12 +103,8 @@ static const TPM2B_PUBLIC in_publicHMACKey_template = {
 };
 
 int32_t fdo_tpm_get_hmac(const uint8_t *data, size_t data_length, uint8_t *hmac,
-			 size_t hmac_length, uint32_t tpmHMACPub_key_nv,
-			 uint32_t tpmHMACPriv_key_nv);
-int32_t fdo_tpm_generate_hmac_key(uint32_t tpmHMACPub_key_nv,
-				  uint32_t tpmHMACPriv_key_nv);
-int32_t fdo_tpm_commit_replacement_hmac_key(void);
-void fdo_tpm_clear_replacement_hmac_key(void);
-int32_t is_valid_tpm_data_protection_key_present(void);
+			 size_t hmac_length,
+			 TPMI_DH_PERSISTENT persistent_handle);
+int32_t fdo_tpm_generate_hmac_key(TPMI_DH_PERSISTENT persistent_handle);
 
 #endif /* #ifndef __TPM20_UTILS_H__ */

crypto/openssl/tpm20_ECDSA_sign_routines.c

@@ -63,22 +63,22 @@ int32_t crypto_hal_ecdsa_sign(const uint8_t *data, size_t data_len,
 	}
 
 	// Read the key
-	size_t file_size = fdo_tpm_nvread_size(TPM_ECDSA_DEVICE_KEY_NV_IDX);
+	size_t key_size = fdo_tpm_nvread_size(TPM_ECDSA_DEVICE_KEY_NV_IDX);
 
-	pri_key = fdo_alloc(file_size);
+	pri_key = fdo_alloc(key_size);
 	if (!pri_key) {
 		LOG(LOG_ERROR, "Failed to allocate memory for private key.\n");
 		goto error;
 	}
 
-	if (fdo_tpm_nvread(TPM_ECDSA_DEVICE_KEY_NV_IDX, file_size, &pri_key) ==
+	if (fdo_tpm_nvread(TPM_ECDSA_DEVICE_KEY_NV_IDX, key_size, &pri_key) ==
 	    -1) {
 		LOG(LOG_ERROR,
 		    "Failed to load TPM HMAC Private Key into buffer.\n");
 		goto error;
 	}
 
-	mem = BIO_new_mem_buf(pri_key, file_size);
+	mem = BIO_new_mem_buf(pri_key, key_size);
 	if (mem == NULL) {
 		LOG(LOG_ERROR, "Failed to create memory BIO\n");
 		goto error;