
Add support to store TPM private keys and device CSR inside TPM NV storage

Signed-off-by: Shrikant Temburwar <shrikant.temburwar@intel.com>
shrikant1407 committed Jan 10, 2024
1 parent 76db49a commit c3ab532
Showing 14 changed files with 199 additions and 181 deletions.
10 changes: 0 additions & 10 deletions cmake/blob_path.cmake
Expand Up @@ -35,16 +35,6 @@ if(TARGET_OS MATCHES linux)
if (${DA} MATCHES tpm)
client_sdk_compile_definitions(
-DDEVICE_TPM20_ENABLED
-DTPM_DEVICE_CSR=\"${BLOB_PATH}/data/tpm_device_csr\"
-DTPM_ECDSA_DEVICE_KEY=\"${BLOB_PATH}/data/tpm_ecdsa_priv_pub_blob.key\"
-DTPM_INPUT_DATA_TEMP_FILE=\"${BLOB_PATH}/data/tpm_input_data_temp_file\"
-DTPM_OUTPUT_DATA_TEMP_FILE=\"${BLOB_PATH}/data/tpm_output_data_temp_file\"
-DTPM_HMAC_PUB_KEY=\"${BLOB_PATH}/data/tpm_hmac_pub.key\"
-DTPM_HMAC_PRIV_KEY=\"${BLOB_PATH}/data/tpm_hmac_priv.key\"
-DTPM_HMAC_REPLACEMENT_PUB_KEY=\"${BLOB_PATH}/data/tpm_hmac_replacement_pub.key\"
-DTPM_HMAC_REPLACEMENT_PRIV_KEY=\"${BLOB_PATH}/data/tpm_hmac_replacement_priv.key\"
-DTPM_HMAC_DATA_PUB_KEY=\"${BLOB_PATH}/data/tpm_hmac_data_pub.key\"
-DTPM_HMAC_DATA_PRIV_KEY=\"${BLOB_PATH}/data/tpm_hmac_data_priv.key\"
)
endif()

26 changes: 15 additions & 11 deletions crypto/common/fdo_hmac.c
Expand Up @@ -14,6 +14,7 @@

#if defined(DEVICE_TPM20_ENABLED)
#include "tpm20_Utils.h"
#include "tpm2_nv_storage.h"
#endif

#if defined(DEVICE_CSE_ENABLED)
Expand Down Expand Up @@ -151,15 +152,16 @@ int32_t fdo_device_ov_hmac(uint8_t *OVHdr, size_t OVHdr_len, uint8_t *hmac,
if (is_replacement_hmac) {
#if defined(DEVICE_TPM20_ENABLED)
return fdo_tpm_get_hmac(OVHdr, OVHdr_len, hmac, hmac_len,
TPM_HMAC_REPLACEMENT_PUB_KEY,
TPM_HMAC_REPLACEMENT_PRIV_KEY);
TPM_HMAC_REPLACEMENT_PUB_KEY_NV_IDX,
TPM_HMAC_REPLACEMENT_PRIV_KEY_NV_IDX);
#else
keyset = get_replacement_OV_key();
#endif
} else {
#if defined(DEVICE_TPM20_ENABLED)
return fdo_tpm_get_hmac(OVHdr, OVHdr_len, hmac, hmac_len,
TPM_HMAC_PUB_KEY, TPM_HMAC_PRIV_KEY);
TPM_HMAC_PUB_KEY_NV_IDX,
TPM_HMAC_PRIV_KEY_NV_IDX);
#else
keyset = get_OV_key();
#endif
Expand Down Expand Up @@ -225,8 +227,8 @@ int32_t fdo_generate_ov_hmac_key(void)

int32_t ret = -1;
#if defined(DEVICE_TPM20_ENABLED)
if (0 !=
fdo_tpm_generate_hmac_key(TPM_HMAC_PUB_KEY, TPM_HMAC_PRIV_KEY)) {
if (0 != fdo_tpm_generate_hmac_key(TPM_HMAC_PUB_KEY_NV_IDX,
TPM_HMAC_PRIV_KEY_NV_IDX)) {
LOG(LOG_ERROR, "Failed to generate device HMAC key"
" from TPM.\n");
return ret;
Expand Down Expand Up @@ -270,8 +272,9 @@ int32_t fdo_generate_ov_replacement_hmac_key(void)

int32_t ret = -1;
#if defined(DEVICE_TPM20_ENABLED)
if (0 != fdo_tpm_generate_hmac_key(TPM_HMAC_REPLACEMENT_PUB_KEY,
TPM_HMAC_REPLACEMENT_PRIV_KEY)) {
if (0 !=
fdo_tpm_generate_hmac_key(TPM_HMAC_REPLACEMENT_PUB_KEY_NV_IDX,
TPM_HMAC_REPLACEMENT_PRIV_KEY_NV_IDX)) {
LOG(LOG_ERROR, "Failed to generate device replacement HMAC key"
" from TPM.\n");
return ret;
Expand Down Expand Up @@ -367,8 +370,9 @@ int32_t fdo_compute_storage_hmac(const uint8_t *data, uint32_t data_length,

#if defined(DEVICE_TPM20_ENABLED)
if (0 != fdo_tpm_get_hmac(data, data_length, computed_hmac,
computed_hmac_size, TPM_HMAC_DATA_PUB_KEY,
TPM_HMAC_DATA_PRIV_KEY)) {
computed_hmac_size,
TPM_HMAC_DATA_PUB_KEY_NV_IDX,
TPM_HMAC_DATA_PRIV_KEY_NV_IDX)) {
LOG(LOG_ERROR, "TPM HMAC Computation failed!\n");
goto error;
}
Expand Down Expand Up @@ -420,8 +424,8 @@ int32_t fdo_generate_storage_hmac_key(void)
return 0;

#elif defined(DEVICE_TPM20_ENABLED)
if (0 != fdo_tpm_generate_hmac_key(TPM_HMAC_DATA_PUB_KEY,
TPM_HMAC_DATA_PRIV_KEY)) {
if (0 != fdo_tpm_generate_hmac_key(TPM_HMAC_DATA_PUB_KEY_NV_IDX,
TPM_HMAC_DATA_PRIV_KEY_NV_IDX)) {
LOG(LOG_ERROR, "Failed to generate TPM data protection "
"key.\n");
return ret;
7 changes: 4 additions & 3 deletions crypto/include/tpm20_Utils.h
Expand Up @@ -103,9 +103,10 @@ static const TPM2B_PUBLIC in_publicHMACKey_template = {
};

int32_t fdo_tpm_get_hmac(const uint8_t *data, size_t data_length, uint8_t *hmac,
size_t hmac_length, char *tpmHMACPub_key,
char *tpmHMACPriv_key);
int32_t fdo_tpm_generate_hmac_key(char *tpmHMACPub_key, char *tpmHMACPriv_key);
size_t hmac_length, uint32_t tpmHMACPub_key_nv,
uint32_t tpmHMACPriv_key_nv);
int32_t fdo_tpm_generate_hmac_key(uint32_t tpmHMACPub_key_nv,
uint32_t tpmHMACPriv_key_nv);
int32_t fdo_tpm_commit_replacement_hmac_key(void);
void fdo_tpm_clear_replacement_hmac_key(void);
int32_t is_valid_tpm_data_protection_key_present(void);
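Review bot: The new prototypes of `fdo_tpm_get_hmac` and `fdo_tpm_generate_hmac_key` carry no comment saying what `tpmHMACPub_key_nv` and `tpmHMACPriv_key_nv` are, and because they replace `char *` path parameters with plain `uint32_t`, a reader of the header cannot tell that these are TPM NV index handles rather than arbitrary integers. Suggest a Doxygen block above each declaration, e.g. `@param tpmHMACPub_key_nv TPM NV index of the HMAC key's public portion` and `@param tpmHMACPriv_key_nv TPM NV index of the HMAC key's private blob`, plus an `@return` line recording that callers in fdo_hmac.c treat any nonzero result as failure. Any out-of-tree caller still passing the old path strings would now get a pointer-to-integer conversion diagnostic rather than a clean error, so the parameter-type change is worth recording in the header as well.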
41 changes: 30 additions & 11 deletions crypto/openssl/tpm20_ECDSA_sign_routines.c
Expand Up @@ -15,9 +15,12 @@
#include <openssl/provider.h>
#include <openssl/crypto.h>
#include <openssl/store.h>
#include <openssl/bio.h>
#include "safe_lib.h"
#include "util.h"
#include "fdo_crypto_hal.h"
#include "tpm20_Utils.h"
#include "tpm2_nv_storage.h"

/**
* Sign a message using provided ECDSA Private Keys.
Expand Down Expand Up @@ -45,6 +48,8 @@ int32_t crypto_hal_ecdsa_sign(const uint8_t *data, size_t data_len,
EVP_MD_CTX *mdctx = NULL;
OSSL_STORE_CTX *ctx = NULL;
OSSL_STORE_INFO *info = NULL;
BIO *mem = NULL;
unsigned char *pri_key = NULL;

if (!data || !data_len || !message_signature || !signature_length) {
LOG(LOG_ERROR, "Invalid Parameters received.");
Expand All @@ -58,23 +63,31 @@ int32_t crypto_hal_ecdsa_sign(const uint8_t *data, size_t data_len,
}

// Read the key
if ((ctx = OSSL_STORE_open(TPM_ECDSA_DEVICE_KEY, NULL, NULL, NULL,
NULL)) == NULL) {
LOG(LOG_ERROR, "Error during OSSL_STORE_open\n");
size_t file_size = fdo_tpm_nvread_size(TPM_ECDSA_DEVICE_KEY_NV_IDX);

pri_key = fdo_alloc(file_size);
if (!pri_key) {
LOG(LOG_ERROR, "Failed to allocate memory for private key.\n");
goto error;
}

while (!OSSL_STORE_eof(ctx) && (info = OSSL_STORE_load(ctx)) != NULL) {
if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
pkey = OSSL_STORE_INFO_get1_PKEY(info);
break;
}
OSSL_STORE_INFO_free(info);
info = NULL;
if (fdo_tpm_nvread(TPM_ECDSA_DEVICE_KEY_NV_IDX, file_size, &pri_key) ==
-1) {
LOG(LOG_ERROR,
"Failed to load TPM HMAC Private Key into buffer.\n");
goto error;
}

if (!pkey) {
mem = BIO_new_mem_buf(pri_key, file_size);
if (mem == NULL) {
LOG(LOG_ERROR, "Failed to create memory BIO\n");
goto error;
}

pkey = PEM_read_bio_PrivateKey(mem, NULL, NULL, NULL);
if (pkey == NULL) {
LOG(LOG_ERROR, "Error during reading Private key.\n");
BIO_free(mem);
goto error;
}

Expand Down Expand Up @@ -198,6 +211,12 @@ int32_t crypto_hal_ecdsa_sign(const uint8_t *data, size_t data_len,
ret = 0;

error:
if (pri_key) {
fdo_free(pri_key);
}
if (mem) {
BIO_free(mem);
}
if (pkey) {
EVP_PKEY_free(pkey);
}
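Review bot: `mem` is freed twice on the PEM_read_bio_PrivateKey failure path in crypto_hal_ecdsa_sign: the new `BIO_free(mem);` just before `goto error;` does not clear the pointer, and the cleanup added under `error:` later in this section runs `if (mem) { BIO_free(mem); }` on the same BIO. Dropping the in-line `BIO_free(mem);` and letting the `error:` block own the release fixes the double free. The result of `fdo_tpm_nvread_size(TPM_ECDSA_DEVICE_KEY_NV_IDX)` is used unchecked as both the allocation and read size; if that helper can report failure (presumably 0 or a negative value converted to size_t, please confirm), guard it with `if (file_size == 0) { LOG(LOG_ERROR, "Failed to read private key size from TPM NV.\n"); goto error; }` before `fdo_alloc`. `pri_key` holds the PEM-encoded private key in the clear on the heap, so it should be zeroized before `fdo_free` (the file already includes safe_lib.h, whose memset_s variant is the usual choice here) rather than released with its contents intact. The message "Failed to load TPM HMAC Private Key into buffer" describes the wrong key and should name the ECDSA device key; the function's body continues outside the shown hunks.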
