Add support to store FDO Credentials in the TPM #261

Merged
merged 12 commits into from
Mar 1, 2024
8 changes: 8 additions & 0 deletions .gitignore
Expand Up @@ -12,6 +12,12 @@
*.so
*.so.*
*.a
*.blob
*.bin
*.pem
*.dat
*.ctx
*.key

# Packages #
############
Expand Down Expand Up @@ -51,6 +57,7 @@ Thumbs.db
###############
CMakeCache.txt
CMakeFiles
Makefile
CMakeScripts
cmake_install.cmake
install_manifest.txt
Expand Down Expand Up @@ -92,6 +99,7 @@ buildNumber.properties
.metadata
*.iml
*.ipr
.vscode

# Visual Studio files #
#######################
25 changes: 2 additions & 23 deletions app/blob.c
Expand Up @@ -36,6 +36,7 @@
#if defined(DEVICE_TPM20_ENABLED)
#include "tpm20_Utils.h"
#include "fdo_crypto.h"
#include "tpm2_nv_storage.h"
#endif

#if !defined(DEVICE_TPM20_ENABLED)
Expand All @@ -58,7 +59,6 @@ static int32_t gen_rdm_bytestream(uint8_t *random_buffer, size_t num_bytes)
}
return 0;
}
#endif

int32_t configure_normal_blob(void)
{
Expand All @@ -71,19 +71,6 @@ int32_t configure_normal_blob(void)
uint8_t *signed_normal_blob = NULL;
size_t signed_normal_blob_size = 0;
int32_t ret = -1;

#if defined(DEVICE_TPM20_ENABLED)
if (0 == is_valid_tpm_data_protection_key_present()) {
if (0 != fdo_generate_storage_hmac_key()) {
LOG(LOG_ERROR, "Failed to generate TPM data protection"
" key.\n");
goto err;
}

LOG(LOG_DEBUG,
"TPM data protection key generated successfully.\n");
}
#else
uint8_t hmac_key[PLATFORM_HMAC_KEY_DEFAULT_LEN] = {0};

size_t key_size_stored =
Expand Down Expand Up @@ -114,7 +101,6 @@ int32_t configure_normal_blob(void)
LOG(LOG_ERROR, "Failed to read plain Normal blob!\n");
goto err;
}
#endif

raw_normal_blob_size =
fdo_blob_size((char *)FDO_CRED_NORMAL, FDO_SDK_RAW_DATA);
Expand Down Expand Up @@ -158,13 +144,6 @@ int32_t configure_normal_blob(void)
"Malloc Failed for sealed Normal Blob buffer!\n");
goto err;
}
#if defined(DEVICE_TPM20_ENABLED)
if (0 != fdo_compute_storage_hmac(raw_normal_blob, raw_normal_blob_size,
signed_normal_blob,
PLATFORM_HMAC_SIZE)) {
goto err;
}
#else
#if defined(USE_MBEDTLS)
if (0 != mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
(const uint8_t *)hmac_key,
Expand All @@ -178,7 +157,6 @@ int32_t configure_normal_blob(void)
signed_normal_blob, NULL)) {
goto err;
}
#endif
#endif
// copy plain-text size
signed_normal_blob[PLATFORM_HMAC_SIZE + 3] = raw_normal_blob_size >> 0;
Expand Down Expand Up @@ -214,3 +192,4 @@ int32_t configure_normal_blob(void)
}
return ret;
}
#endif
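Review bot: The `#include "tpm2_nv_storage.h"` added at L73 (together with the existing TPM includes at L70-L74) is dead code in this file: the `#if !defined(DEVICE_TPM20_ENABLED)` opened at L76 is no longer closed after `gen_rdm_bytestream` (the `#endif` at L81 is removed) and now runs to the new `#endif` at L139, so in a TPM build nothing between them is compiled and no TPM symbol is referenced. Either drop the L70-L74 include block, or state why it stays: `/* TPM builds: credentials live in TPM NV storage; configure_normal_blob() is not compiled (see #endif at end of file) */`. A one-line comment at L76 saying that the software-HMAC Normal blob only exists for non-TPM builds would also help readers arriving from the guard in main.c, since a TPM build now turns this translation unit into nothing but includes.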
19 changes: 12 additions & 7 deletions app/main.c
Expand Up @@ -28,6 +28,10 @@
#include "cse_utils.h"
#include "cse_tools.h"
#endif
#if defined(DEVICE_TPM20_ENABLED)
#include "tpm20_Utils.h"
#include "fdo_crypto.h"
#endif

#define STORAGE_NAMESPACE "storage"
#define OWNERSHIP_TRANSFER_FILE "data/owner_transfer"
Expand Down Expand Up @@ -218,19 +222,19 @@ static void print_device_status(void)

status = fdo_sdk_get_status();
if (status == FDO_STATE_PRE_DI) {
LOG(LOG_DEBUG, "Device is ready for DI\n");
LOG(LOG_INFO, "Device is ready for DI\n");
}
if (status == FDO_STATE_PRE_TO1) {
LOG(LOG_DEBUG, "Device is ready for Ownership transfer\n");
LOG(LOG_INFO, "Device is ready for Ownership transfer\n");
}
if (status == FDO_STATE_IDLE) {
LOG(LOG_DEBUG, "Device Ownership transfer Done\n");
LOG(LOG_INFO, "Device Ownership transfer Done\n");
}
if (status == FDO_STATE_RESALE) {
LOG(LOG_DEBUG, "Device is ready for Ownership transfer\n");
LOG(LOG_INFO, "Device is ready for Ownership transfer\n");
}
if (status == FDO_STATE_ERROR) {
LOG(LOG_DEBUG, "Error in getting device status\n");
LOG(LOG_ERROR, "Error in getting device status\n");
}
}

Expand Down Expand Up @@ -292,8 +296,9 @@ int app_main(bool is_resale)
}
#endif /* SECURE_ELEMENT */

#if !defined(DEVICE_CSE_ENABLED)
LOG(LOG_DEBUG, "CSE not enabled, Normal Blob Modules loaded!\n");
#if !defined(DEVICE_CSE_ENABLED) && !defined(DEVICE_TPM20_ENABLED)
LOG(LOG_DEBUG,
"CSE and TPM not enabled, Normal Blob Modules loaded!\n");
if (-1 == configure_normal_blob()) {
LOG(LOG_ERROR,
"Provisioning Normal blob for the 1st time failed!\n");
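Review bot: With DEVICE_TPM20_ENABLED the guard at L184 now skips `configure_normal_blob()`, but no provisioning or presence check for the TPM-resident credential appears in its place in this hunk, and the newly added `tpm20_Utils.h`/`fdo_crypto.h` includes at L146-L149 are not used by any visible line; if that provisioning happens inside the SDK init path, a comment at the `#if` would save the next reader the search, e.g. `/* TPM builds keep the credential in the TPM; no software Normal blob to provision here (provisioned in <where>) */` with the location filled in. Separately, L162 and L170 still emit the identical text "Device is ready for Ownership transfer" for FDO_STATE_PRE_TO1 and FDO_STATE_RESALE, so logs cannot distinguish a fresh device from a resold one now that both are at LOG_INFO; change L170 to `LOG(LOG_INFO, "Device is in resale state, ready for Ownership transfer\n");`. app_main continues outside the hunk.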
26 changes: 9 additions & 17 deletions cmake/blob_path.cmake
Expand Up @@ -24,7 +24,7 @@ if(TARGET_OS MATCHES linux)
-DDEVICE_CSE_ENABLED
)
endif()

if (${MTLS} MATCHES true)
client_sdk_compile_definitions(
-DSSL_CERT=\"${BLOB_PATH}/data/apiUser.pem\"
Expand All @@ -35,16 +35,6 @@ if(TARGET_OS MATCHES linux)
if (${DA} MATCHES tpm)
client_sdk_compile_definitions(
-DDEVICE_TPM20_ENABLED
-DTPM_DEVICE_CSR=\"${BLOB_PATH}/data/tpm_device_csr\"
-DTPM_ECDSA_DEVICE_KEY=\"${BLOB_PATH}/data/tpm_ecdsa_priv_pub_blob.key\"
-DTPM_INPUT_DATA_TEMP_FILE=\"${BLOB_PATH}/data/tpm_input_data_temp_file\"
-DTPM_OUTPUT_DATA_TEMP_FILE=\"${BLOB_PATH}/data/tpm_output_data_temp_file\"
-DTPM_HMAC_PUB_KEY=\"${BLOB_PATH}/data/tpm_hmac_pub.key\"
-DTPM_HMAC_PRIV_KEY=\"${BLOB_PATH}/data/tpm_hmac_priv.key\"
-DTPM_HMAC_REPLACEMENT_PUB_KEY=\"${BLOB_PATH}/data/tpm_hmac_replacement_pub.key\"
-DTPM_HMAC_REPLACEMENT_PRIV_KEY=\"${BLOB_PATH}/data/tpm_hmac_replacement_priv.key\"
-DTPM_HMAC_DATA_PUB_KEY=\"${BLOB_PATH}/data/tpm_hmac_data_pub.key\"
-DTPM_HMAC_DATA_PRIV_KEY=\"${BLOB_PATH}/data/tpm_hmac_data_priv.key\"
)
endif()

Expand Down Expand Up @@ -176,9 +166,11 @@ if(TARGET_OS MATCHES linux)
# Configure if needed at a later point
# configure_file(${BLOB_PATH}/data/Normal.blob NEWLINE_STYLE DOS)

file(WRITE ${BLOB_PATH}/data/platform_iv.bin "")
file(WRITE ${BLOB_PATH}/data/platform_hmac_key.bin "")
file(WRITE ${BLOB_PATH}/data/platform_aes_key.bin "")
file(WRITE ${BLOB_PATH}/data/Normal.blob "")
file(WRITE ${BLOB_PATH}/data/Secure.blob "")
file(WRITE ${BLOB_PATH}/data/raw.blob "")
if (NOT ${DA} MATCHES tpm)
file(WRITE ${BLOB_PATH}/data/platform_iv.bin "")
file(WRITE ${BLOB_PATH}/data/platform_hmac_key.bin "")
file(WRITE ${BLOB_PATH}/data/platform_aes_key.bin "")
file(WRITE ${BLOB_PATH}/data/Normal.blob "")
file(WRITE ${BLOB_PATH}/data/Secure.blob "")
file(WRITE ${BLOB_PATH}/data/raw.blob "")
endif()
29 changes: 29 additions & 0 deletions cmake/cli_input.cmake
Expand Up @@ -31,6 +31,7 @@ set (RESALE true)
set (REUSE true)
set (MTLS false)
set (GET_DEV_SERIAL false)
set (LOCK_TPM true)

#for CSE
set (CSE_SHUTDOWN true)
Expand Down Expand Up @@ -883,3 +884,31 @@ endif()
set(CACHED_GET_DEV_SERIAL ${GET_DEV_SERIAL} CACHE STRING "Selected GET_DEV_SERIAL")
message("Selected GET_DEV_SERIAL ${GET_DEV_SERIAL}")
###########################################
# FOR LOCK TPM
if (${DA} MATCHES tpm)
get_property(cached_lock_tpm_value CACHE LOCK_TPM PROPERTY VALUE)

set(lock_tpm_cli_arg ${cached_lock_tpm_value})
if(lock_tpm_cli_arg STREQUAL CACHED_LOCK_TPM)
unset(lock_tpm_cli_arg)
endif()

set(lock_tpm_app_cmake_lists ${LOCK_TPM})
if(cached_lock_tpm_value STREQUAL LOCK_TPM)
unset(lock_tpm_app_cmake_lists)
endif()

if(DEFINED CACHED_LOCK_TPM)
if ((DEFINED lock_tpm_cli_arg) AND (NOT(CACHED_LOCK_TPM STREQUAL lock_tpm_cli_arg)))
message(WARNING "Need to do make pristine before cmake args can change.")
endif()
set(LOCK_TPM ${CACHED_LOCK_TPM})
elseif(DEFINED lock_tpm_cli_arg)
set(LOCK_TPM ${lock_tpm_cli_arg})
elseif(DEFINED lock_tpm_app_cmake_lists)
set(LOCK_TPM ${lock_tpm_app_cmake_lists})
endif()

set(CACHED_LOCK_TPM ${LOCK_TPM} CACHE STRING "Selected LOCK_TPM")
message("Selected LOCK_TPM ${LOCK_TPM}")
endif()
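Review bot: The new LOCK_TPM option is introduced with `set (LOCK_TPM true)` at L242 and threaded through the cache at L250-L277, but neither the default nor the cache description `"Selected LOCK_TPM"` at L275 says what is locked, when, or what a build with LOCK_TPM=false gives up; since the safer value appears to be the default, the non-default build needs a stated purpose. Add beside L242 a comment such as `# LOCK_TPM: <what the client locks in the TPM and at which protocol step>; set false only for <debug/test scenario>` with the placeholders filled from the implementation, and mirror the short form in the CACHE string at L275. Note also that the default at L242 is set for every DA while the parsing block at L251 only runs for `DA MATCHES tpm`, so non-TPM configurations still carry LOCK_TPM=true into extension.cmake.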
4 changes: 4 additions & 0 deletions cmake/extension.cmake
Expand Up @@ -279,4 +279,8 @@ endif()
if(${GET_DEV_SERIAL} STREQUAL true)
client_sdk_compile_definitions(-DGET_DEV_SERIAL)
endif()

if(${LOCK_TPM} STREQUAL true)
client_sdk_compile_definitions(-DLOCK_TPM)
endif()
############################################################
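Review bot: The `-DLOCK_TPM` definition at L285-L286 is keyed only on `${LOCK_TPM} STREQUAL true`, and LOCK_TPM defaults to true for every DA in cli_input.cmake (L242), so non-TPM builds also get LOCK_TPM defined in the client even though the option is only resolved under `if (${DA} MATCHES tpm)` there; if any C code keys behaviour on the macro alone, that is a surprising dependency. Guard it the same way as the option: `if((${DA} MATCHES tpm) AND (${LOCK_TPM} STREQUAL true))`.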
4 changes: 0 additions & 4 deletions crypto/common/fdo_crypto_common.c
Expand Up @@ -114,10 +114,6 @@ int32_t fdo_crypto_close(void)
ret = crypto_close();
/* CLeanup of context structs */
cleanup_ctx();
#if defined(DEVICE_TPM20_ENABLED)
/* clear the replacement hmac key objects */
fdo_tpm_clear_replacement_hmac_key();
#endif
return ret;
}

42 changes: 5 additions & 37 deletions crypto/common/fdo_hmac.c
Expand Up @@ -14,6 +14,7 @@

#if defined(DEVICE_TPM20_ENABLED)
#include "tpm20_Utils.h"
#include "tpm2_nv_storage.h"
#endif

#if defined(DEVICE_CSE_ENABLED)
Expand Down Expand Up @@ -151,15 +152,14 @@ int32_t fdo_device_ov_hmac(uint8_t *OVHdr, size_t OVHdr_len, uint8_t *hmac,
if (is_replacement_hmac) {
#if defined(DEVICE_TPM20_ENABLED)
return fdo_tpm_get_hmac(OVHdr, OVHdr_len, hmac, hmac_len,
TPM_HMAC_REPLACEMENT_PUB_KEY,
TPM_HMAC_REPLACEMENT_PRIV_KEY);
TPM_HMAC_KEY_PERSISTANT_HANDLE);
#else
keyset = get_replacement_OV_key();
#endif
} else {
#if defined(DEVICE_TPM20_ENABLED)
return fdo_tpm_get_hmac(OVHdr, OVHdr_len, hmac, hmac_len,
TPM_HMAC_PUB_KEY, TPM_HMAC_PRIV_KEY);
TPM_HMAC_KEY_PERSISTANT_HANDLE);
#else
keyset = get_OV_key();
#endif
Expand Down Expand Up @@ -225,8 +225,7 @@ int32_t fdo_generate_ov_hmac_key(void)

int32_t ret = -1;
#if defined(DEVICE_TPM20_ENABLED)
if (0 !=
fdo_tpm_generate_hmac_key(TPM_HMAC_PUB_KEY, TPM_HMAC_PRIV_KEY)) {
if (0 != fdo_tpm_generate_hmac_key(TPM_HMAC_KEY_PERSISTANT_HANDLE)) {
LOG(LOG_ERROR, "Failed to generate device HMAC key"
" from TPM.\n");
return ret;
Expand Down Expand Up @@ -270,8 +269,7 @@ int32_t fdo_generate_ov_replacement_hmac_key(void)

int32_t ret = -1;
#if defined(DEVICE_TPM20_ENABLED)
if (0 != fdo_tpm_generate_hmac_key(TPM_HMAC_REPLACEMENT_PUB_KEY,
TPM_HMAC_REPLACEMENT_PRIV_KEY)) {
if (0 != fdo_tpm_generate_hmac_key(TPM_HMAC_KEY_PERSISTANT_HANDLE)) {
LOG(LOG_ERROR, "Failed to generate device replacement HMAC key"
" from TPM.\n");
return ret;
Expand Down Expand Up @@ -316,12 +314,6 @@ int32_t fdo_commit_ov_replacement_hmac_key(void)

int32_t ret = -1;
#if defined(DEVICE_TPM20_ENABLED)
if (0 != fdo_tpm_commit_replacement_hmac_key()) {
LOG(LOG_ERROR, "Failed to commit device replacement HMAC key"
" for TPM.\n");
return ret;
}

ret = 0;
#else
fdo_byte_array_t **secret = get_replacement_OV_key();
Expand Down Expand Up @@ -365,17 +357,6 @@ int32_t fdo_compute_storage_hmac(const uint8_t *data, uint32_t data_length,
goto error;
}

#if defined(DEVICE_TPM20_ENABLED)
if (0 != fdo_tpm_get_hmac(data, data_length, computed_hmac,
computed_hmac_size, TPM_HMAC_DATA_PUB_KEY,
TPM_HMAC_DATA_PRIV_KEY)) {
LOG(LOG_ERROR, "TPM HMAC Computation failed!\n");
goto error;
}

LOG(LOG_DEBUG, "TPM HMAC computed successfully!\n");

#else
uint8_t hmac_key[PLATFORM_HMAC_KEY_DEFAULT_LEN] = {0};

if (!get_platform_hmac_key(hmac_key, PLATFORM_HMAC_KEY_DEFAULT_LEN)) {
Expand Down Expand Up @@ -403,7 +384,6 @@ int32_t fdo_compute_storage_hmac(const uint8_t *data, uint32_t data_length,
#endif
return ret;
}
#endif

/**
* fdo_generate_storage_hmac_key function generates Storage HMAC key
Expand All @@ -418,18 +398,6 @@ int32_t fdo_generate_storage_hmac_key(void)

#if defined(TARGET_OS_OPTEE)
return 0;

#elif defined(DEVICE_TPM20_ENABLED)
if (0 != fdo_tpm_generate_hmac_key(TPM_HMAC_DATA_PUB_KEY,
TPM_HMAC_DATA_PRIV_KEY)) {
LOG(LOG_ERROR, "Failed to generate TPM data protection "
"key.\n");
return ret;
}

ret = 0;
LOG(LOG_DEBUG, "TPM data protection key generated successfully.\n");

#else
uint8_t hmac_key[PLATFORM_HMAC_KEY_DEFAULT_LEN] = {0};

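Review bot: The replacement OV HMAC key and the active OV HMAC key now share a single TPM object: `fdo_generate_ov_replacement_hmac_key` calls `fdo_tpm_generate_hmac_key(TPM_HMAC_KEY_PERSISTANT_HANDLE)` at L347, the same handle `fdo_generate_ov_hmac_key` uses at L337 and that both branches of `fdo_device_ov_hmac` read at L319 and L327, while `fdo_commit_ov_replacement_hmac_key` is reduced to `ret = 0;` under TPM at L354-L361. If generating at an already-populated persistent handle evicts or overwrites the existing key (the helper's behaviour is not visible here), the device's current OV HMAC key is destroyed the moment a replacement is generated, before TO2 completes, so a protocol failure after that point leaves the device unable to HMAC its existing voucher header and the generate/commit rollback split that the non-TPM path keeps (`get_replacement_OV_key` vs `get_OV_key`) is lost. Either use a second persistent handle for the replacement key and perform the handle swap inside the commit function, or document at the `ret = 0;` line why one handle is acceptable, e.g. `/* TPM path: the replacement key was already written to TPM_HMAC_KEY_PERSISTANT_HANDLE; nothing to commit or roll back. */`. The `is_replacement_hmac` branch at L314-L330 is now identical on both sides under TPM and could collapse to one call. All four functions begin or end outside the hunks shown.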