Added example for TPM2_Certify. Extended create_primary example to su…

…pport creation of initial device and attestation keys. Added new build option for TPM provisioning.

.github/workflows/make-test-swtpm.yml

@@ -138,6 +138,12 @@ jobs:
     - name: make pedantic
       run: make
 
+# build not provisioning
+    - name: configure not provisioning
+      run: ./configure --disable-provisioning
+    - name: make not provisioning
+      run: make
+
 # capture logs on failure
     - name: Upload failure logs
       if: failure()

configure.ac

@@ -418,6 +418,17 @@ then
     AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_FIRMWARE_UPGRADE"
 fi
 
+# Enable support for provisioning identity keys for device and attestation
+AC_ARG_ENABLE([provisioning],
+    [AS_HELP_STRING([--enable-provisioning],[Enable support for Provisioning Initial Device Identity (IDevID) and Attestation Identity Keys (default: enabled)])],
+    [ ENABLED_PROVISIONING=$enableval ],
+    [ ENABLED_PROVISIONING=yes ]
+    )
+if test "x$ENABLED_PROVISIONING" = "xyes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_PROVISIONING"
+fi
+
 
 # HARDEN FLAGS
 AX_HARDEN_CC_COMPILER_FLAGS

examples/attestation/activate_credential.c

@@ -33,7 +33,7 @@
 
 #ifndef WOLFTPM2_NO_WRAPPER
 
-#include <examples/attestation/credential.h>
+#include <examples/attestation/attestation.h>
 #include <hal/tpm_io.h>
 #include <examples/tpm_test.h>
 #include <examples/tpm_test_keys.h>

examples/attestation/credential.h → examples/attestation/attestation.h

@@ -1,4 +1,4 @@
-/* credential.h
+/* attestation.h
  *
  * Copyright (C) 2006-2024 wolfSSL Inc.
  *
@@ -19,8 +19,8 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
-#ifndef _CREDENTIAL_H_
-#define _CREDENTIAL_H_
+#ifndef _ATTESTATION_H_
+#define _ATTESTATION_H_
 
 #ifdef __cplusplus
     extern "C" {
@@ -30,9 +30,10 @@
 
 int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[]);
 int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[]);
+int TPM2_Certify_Example(void* userCtx, int argc, char *argv[]);
 
 #ifdef __cplusplus
     }  /* extern "C" */
 #endif
 
-#endif /* _CREDENTIAL_H_ */
+#endif /* _ATTESTATION_H_ */

examples/attestation/certify.c

@@ -0,0 +1,203 @@
+/* certify.c
+ *
+ * Copyright (C) 2006-2024 wolfSSL Inc.
+ *
+ * This file is part of wolfTPM.
+ *
+ * wolfTPM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfTPM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* This example shows how to create a attestation for a key (like IAK)
+ */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolftpm/tpm2_wrap.h>
+
+#include <stdio.h>
+
+#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT)
+
+#include <examples/attestation/attestation.h>
+#include <hal/tpm_io.h>
+#include <examples/tpm_test.h>
+#include <examples/tpm_test_keys.h>
+
+
+/******************************************************************************/
+/* --- BEGIN TPM2.0 Certify example tool  -- */
+/******************************************************************************/
+
+static void usage(void)
+{
+    printf("Expected usage:\n");
+    printf("./examples/attestation/certify [-rsa/-ecc] [-certify=] [-signer=]\n");
+    printf("\t* -ecc/-rsa: RSA or ECC (default is RSA)\n");
+    printf("\t* -certify=[handle] Key to certify (default 0x%x)\n",  0x80000000U);
+    printf("\t* -signer=[handle] Key to sign with (default 0x%x)\n", 0x80000001U);
+}
+
+int TPM2_Certify_Example(void* userCtx, int argc, char *argv[])
+{
+    int rc = -1;
+    WOLFTPM2_DEV dev;
+    WOLFTPM2_SESSION tpmSession;
+    TPM_HANDLE certifyHandle = 0x80000000;
+    TPM_HANDLE signerHandle  = 0x80000001;
+    WOLFTPM2_KEY certify;
+    WOLFTPM2_KEY signer;
+    TPM_ALG_ID hashAlg = TPM_ALG_SHA256;
+    TPM_ALG_ID alg = TPM_ALG_RSA;
+    Certify_In  certifyIn;
+    Certify_Out certifyOut;
+    const char keyCreationNonce[] = "RandomServerPickedCreationNonce";
+
+    if (argc >= 2) {
+        if (XSTRCMP(argv[1], "-?") == 0 ||
+            XSTRCMP(argv[1], "-h") == 0 ||
+            XSTRCMP(argv[1], "--help") == 0) {
+            usage();
+            return 0;
+        }
+    }
+    while (argc > 1) {
+        if (XSTRCMP(argv[argc-1], "-ecc") == 0) {
+            alg = TPM_ALG_ECC;
+        }
+        else if (XSTRCMP(argv[argc-1], "-rsa") == 0) {
+            alg = TPM_ALG_RSA;
+        }
+        else if (XSTRNCMP(argv[argc-1], "-certify=", XSTRLEN("-certify=")) == 0) {
+            const char* certifyStr = argv[argc-1] + XSTRLEN("-certify=");
+            certifyHandle = (word32)XSTRTOL(certifyStr, NULL, 0);
+        }
+        else if (XSTRNCMP(argv[argc-1], "-signer=", XSTRLEN("-signer=")) == 0) {
+            const char* signerStr = argv[argc-1] + XSTRLEN("-signer=");
+            signerHandle = (word32)XSTRTOL(signerStr, NULL, 0);
+        }
+        else {
+            printf("Warning: Unrecognized option: %s\n", argv[argc-1]);
+        }
+        argc--;
+    }
+
+    XMEMSET(&tpmSession, 0, sizeof(tpmSession));
+    XMEMSET(&certify, 0, sizeof(certify));
+    XMEMSET(&signer, 0, sizeof(signer));
+
+    printf("Certify 0x%x with 0x%x to generate TPM-signed attestation info\n",
+        certifyHandle, signerHandle);
+
+    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
+    if (rc != TPM_RC_SUCCESS) {
+        printf("wolfTPM2_Init failed 0x%x: %s\n", rc, TPM2_GetRCString(rc));
+        goto exit;
+    }
+    printf("wolfTPM2_Init: success\n");
+
+    /* Read public information for each handle */
+    rc = wolfTPM2_ReadPublicKey(&dev, &certify, certifyHandle);
+    if (rc != 0) goto exit;
+    rc = wolfTPM2_ReadPublicKey(&dev, &signer, signerHandle);
+    if (rc != 0) goto exit;
+
+    /* Start a policy session for using endorsement */
+    rc = wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession);
+    if (rc != 0) goto exit;
+    printf("EK Policy Session: Handle 0x%x\n", (word32)tpmSession.handle.hndl);
+
+    /* satisfy policy for using certify command */
+    rc = wolfTPM2_PolicyCommandCode(&dev, &tpmSession, TPM_CC_Certify);
+    if (rc != 0) goto exit;
+
+    rc = wolfTPM2_SetAuthPassword(&dev, 1, NULL);
+
+    /* Create signed certify structure */
+    XMEMSET(&certifyIn, 0, sizeof(certifyIn));
+    certifyIn.objectHandle = certifyHandle;
+    certifyIn.signHandle = signerHandle;
+    certifyIn.inScheme.scheme =
+        (alg == TPM_ALG_ECC) ? TPM_ALG_ECDSA : TPM_ALG_RSASSA;;
+    certifyIn.inScheme.details.any.hashAlg = hashAlg;
+    /* provide a random nonce from remote server (optional) */
+    certifyIn.qualifyingData.size = sizeof(keyCreationNonce)-1;
+    XMEMCPY(certifyIn.qualifyingData.buffer, keyCreationNonce,
+        certifyIn.qualifyingData.size);
+    rc = TPM2_Certify(&certifyIn, &certifyOut);
+    if (rc != TPM_RC_SUCCESS) {
+        printf("TPM2_Certify RSA key failed 0x%x: %s\n", rc,
+            TPM2_GetRCString(rc));
+        goto exit;
+    }
+    printf("TPM2_Certify complete\n");
+
+    printf("Certify Info %d\n", certifyOut.certifyInfo.size);
+    TPM2_PrintBin(certifyOut.certifyInfo.attestationData,
+        certifyOut.certifyInfo.size);
+
+    if (certifyOut.signature.sigAlg == TPM_ALG_RSASSA) {
+        printf("RSA Signature: %d\n",
+            certifyOut.signature.signature.rsassa.sig.size);
+        TPM2_PrintBin(certifyOut.signature.signature.rsassa.sig.buffer,
+            certifyOut.signature.signature.rsassa.sig.size);
+    }
+    else if (certifyOut.signature.sigAlg == TPM_ALG_ECDSA) {
+        printf("ECDSA Signature R %d / S %d\n",
+            certifyOut.signature.signature.ecdsa.signatureR.size,
+            certifyOut.signature.signature.ecdsa.signatureS.size);
+        TPM2_PrintBin(certifyOut.signature.signature.ecdsa.signatureR.buffer,
+            certifyOut.signature.signature.ecdsa.signatureR.size);
+        TPM2_PrintBin(certifyOut.signature.signature.ecdsa.signatureS.buffer,
+            certifyOut.signature.signature.ecdsa.signatureS.size);
+    }
+
+    /* Perform software verification of signature by hashing the attestation
+     * information and use the signer public key to verify the signature */
+
+exit:
+
+    if (rc != 0) {
+        printf("\nFailure 0x%x: %s\n\n", rc, wolfTPM2_GetRCString(rc));
+    }
+
+    wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
+    wolfTPM2_Cleanup(&dev);
+
+    return rc;
+}
+
+/******************************************************************************/
+/* --- END TPM2.0 Certify example tool -- */
+/******************************************************************************/
+#endif /* !WOLFTPM2_NO_WRAPPER && !WOLFTPM2_NO_WOLFCRYPT */
+
+#ifndef NO_MAIN_DRIVER
+int main(int argc, char *argv[])
+{
+    int rc = -1;
+
+#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT)
+    rc = TPM2_Certify_Example(NULL, argc, argv);
+#else
+    printf("Wrapper or wolfCrypt code not compiled in\n");
+    (void)argc;
+    (void)argv;
+#endif /* !WOLFTPM2_NO_WRAPPER && !WOLFTPM2_NO_WOLFCRYPT */
+
+    return rc;
+}
+#endif

examples/attestation/include.am

@@ -3,27 +3,34 @@
 
 if BUILD_EXAMPLES
 noinst_PROGRAMS += examples/attestation/make_credential \
-                   examples/attestation/activate_credential
+                   examples/attestation/activate_credential \
+                   examples/attestation/certify
 
-noinst_HEADERS  += examples/attestation/credential.h
+noinst_HEADERS  += examples/attestation/attestation.h
 
 examples_attestation_make_credential_SOURCES      = examples/attestation/make_credential.c \
                                                     examples/tpm_test_keys.c
 examples_attestation_make_credential_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
 examples_attestation_make_credential_DEPENDENCIES = src/libwolftpm.la
 
-examples_attestation_activate_credential_SOURCES  = examples/attestation/activate_credential.c \
-                                                    examples/tpm_test_keys.c
+examples_attestation_activate_credential_SOURCES      = examples/attestation/activate_credential.c \
+                                                        examples/tpm_test_keys.c
 examples_attestation_activate_credential_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
 examples_attestation_activate_credential_DEPENDENCIES = src/libwolftpm.la
 
+examples_attestation_certify_SOURCES      = examples/attestation/certify.c \
+                                            examples/tpm_test_keys.c
+examples_attestation_certify_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
+examples_attestation_certify_DEPENDENCIES = src/libwolftpm.la
 endif
 example_attestationdir = $(exampledir)/attestation
 dist_example_attestation_DATA = \
   examples/attestation/make_credential.c \
-  examples/attestation/activate_credential.c
+  examples/attestation/activate_credential.c \
+  examples/attestation/certify.c
 
 DISTCLEANFILES+= examples/attestation/.libs/make_credential \
-                 examples/attestation/.libs/activate_credential
+                 examples/attestation/.libs/activate_credential \
+                 examples/attestation/.libs/certify
 
 EXTRA_DIST+= examples/attestation/README.md

examples/attestation/make_credential.c

@@ -29,7 +29,7 @@
 
 #ifndef WOLFTPM2_NO_WRAPPER
 
-#include <examples/attestation/credential.h>
+#include <examples/attestation/attestation.h>
 #include <hal/tpm_io.h>
 #include <examples/tpm_test.h>
 #include <examples/tpm_test_keys.h>