Progress with Endorsement key/certs.

wolfSSL · Jul 19, 2024 · d27256a · d27256a
1 parent 7bdfd25
commit d27256a
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 29 deletions.
diff --git a/examples/endorsement/get_ek_certs.c b/examples/endorsement/get_ek_certs.c
@@ -104,7 +104,14 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
 
     for (i=0; i<(int)handles.count; i++) {
         word32 nvIndex = handles.handle[i];
-        printf("TCG Handle 0x%x\n", nvIndex);
+        int highRange = 0;
+
+        if (nvIndex >= TPM2_NV_EK_RSA2048) {
+            highRange = 1;
+        }
+
+        printf("TCG Handle 0x%x (%s range)\n",
+            nvIndex, highRange ? "high" : "low");
 
         /* Read Public portion of NV */
         rc = wolfTPM2_NVReadPublic(&dev, nvIndex, &nvPublic);
@@ -181,7 +188,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
         }
 
         rc = wolfTPM2_GetKeyTemplate_EK(&publicTemplate, alg, keyBits, curveID,
-            nameAlg);
+            nameAlg, highRange);
         if (rc != 0) {
             printf("Invalid EK algorithm\n");
             rc = BAD_FUNC_ARG;
@@ -197,11 +204,10 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
         #ifdef DEBUG_WOLFTPM
                 TPM2_PrintPublicArea(&endorse.pub);
         #endif
+        }
 
-            /* TODO: Confirm the certificate public key matches this
-             *       public key */
-
-            wolfTPM2_UnloadHandle(&dev, &endorse.handle);
+        if (rc == 0) {
+            /* TODO: Confirm the certificate public key matches */
         }
 
     #ifndef WOLFTPM2_NO_WOLFCRYPT
@@ -212,7 +218,10 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
             printf("Parse Cert result: %d\n", rc);
             wc_FreeDecodedCert(&cert);
         }
+        /* TODO: Validate EK certificate chain */
     #endif
+
+        wolfTPM2_UnloadHandle(&dev, &endorse.handle);
     }
 
 exit:

diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
@@ -5866,13 +5866,17 @@ int wolfTPM2_GetKeyTemplate_KeySeal(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID name
 }
 
 int wolfTPM2_GetKeyTemplate_EK(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID alg,
-    int keyBits, TPM_ECC_CURVE curveID, TPM_ALG_ID nameAlg)
+    int keyBits, TPM_ECC_CURVE curveID, TPM_ALG_ID nameAlg, int highRange)
 {
     int rc;
     TPMA_OBJECT objectAttributes = (
         TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent |
         TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_adminWithPolicy |
         TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt);
+    if (highRange) {
+        /* High range requires userWithAuth=1 */
+        objectAttributes |= TPMA_OBJECT_userWithAuth;
+    }
 
     if (alg == TPM_ALG_RSA) {
         rc = GetKeyTemplateRSA(publicTemplate, nameAlg,
@@ -5887,11 +5891,16 @@ int wolfTPM2_GetKeyTemplate_EK(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID alg,
         rc = BAD_FUNC_ARG; /* not yet supported */
     }
 
-    if (nameAlg == TPM_ALG_SHA256) {
+    if (nameAlg == TPM_ALG_SHA256 && !highRange) {
         publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY);
         XMEMCPY(publicTemplate->authPolicy.buffer,
             TPM_20_EK_AUTH_POLICY, publicTemplate->authPolicy.size);
     }
+    else if (nameAlg == TPM_ALG_SHA256) {
+        publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY_SHA256);
+        XMEMCPY(publicTemplate->authPolicy.buffer,
+            TPM_20_EK_AUTH_POLICY_SHA256, publicTemplate->authPolicy.size);
+    }
 #ifdef WOLFSSL_SHA384
     else if (nameAlg == TPM_ALG_SHA384) {
         publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY_SHA384);
@@ -5913,13 +5922,13 @@ int wolfTPM2_GetKeyTemplate_EK(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID alg,
 int wolfTPM2_GetKeyTemplate_RSA_EK(TPMT_PUBLIC* publicTemplate)
 {
     return wolfTPM2_GetKeyTemplate_EK(publicTemplate, TPM_ALG_RSA, 2048,
-        TPM_ALG_NULL, TPM_ALG_SHA256);
+        TPM_ALG_NULL, TPM_ALG_SHA256, 0);
 }
 
 int wolfTPM2_GetKeyTemplate_ECC_EK(TPMT_PUBLIC* publicTemplate)
 {
     return wolfTPM2_GetKeyTemplate_EK(publicTemplate, TPM_ALG_ECC, 256,
-        TPM_ECC_NIST_P256, TPM_ALG_SHA256);
+        TPM_ECC_NIST_P256, TPM_ALG_SHA256, 0);
 }
 
 int wolfTPM2_GetKeyTemplate_RSA_SRK(TPMT_PUBLIC* publicTemplate)

diff --git a/wolftpm/tpm2.h b/wolftpm/tpm2.h
@@ -1671,36 +1671,43 @@ typedef struct TPM2_AUTH_SESSION {
 /* EK Certificate Chains (0x100 - 0x1FF) - Not common */
 #define TPM2_NV_EK_CHAIN               (TPM_20_TCG_NV_SPACE + 0x100)
 
-/* Predetermined TPM 2.0 Endorsement policy auth template for SHA2-256 */
-/* SHA256 (can be read from NV index 0x01C07F01) */
+/* Predetermined TPM 2.0 Endorsement policy auth templates */
+/* SHA256 (Low Range) */
 static const BYTE TPM_20_EK_AUTH_POLICY[] = {
     0x83, 0x71, 0x97, 0x67, 0x44, 0x84, 0xB3, 0xF8,
     0x1A, 0x90, 0xCC, 0x8D, 0x46, 0xA5, 0xD7, 0x24,
     0xFD, 0x52, 0xD7, 0x6E, 0x06, 0x52, 0x0B, 0x64,
     0xF2, 0xA1, 0xDA, 0x1B, 0x33, 0x14, 0x69, 0xAA
 };
+/* SHA256 (PolicyB - High Range) */
+static const BYTE TPM_20_EK_AUTH_POLICY_SHA256[] = {
+    0xCA, 0x3D, 0x0A, 0x99, 0xA2, 0xB9, 0x39, 0x06,
+    0xF7, 0xA3, 0x34, 0x24, 0x14, 0xEF, 0xCF, 0xB3,
+    0xA3, 0x85, 0xD4, 0x4C, 0xD1, 0xFD, 0x45, 0x90,
+    0x89, 0xD1, 0x9B, 0x50, 0x71, 0xC0, 0xB7, 0xA0
+};
 #ifdef WOLFSSL_SHA384
-/* SHA384 (can be read from NV index 0x01C07F02) */
+/* SHA384 (PolicyB - High Range) */
 static const BYTE TPM_20_EK_AUTH_POLICY_SHA384[] = {
-    0x8B, 0xBF, 0x22, 0x66, 0x53, 0x7C, 0x17, 0x1C,
-    0xB5, 0x6E, 0x40, 0x3C, 0x4D, 0xC1, 0xD4, 0xB6,
-    0x4F, 0x43, 0x26, 0x11, 0xDC, 0x38, 0x6E, 0x6F,
-    0x53, 0x20, 0x50, 0xC3, 0x27, 0x8C, 0x93, 0x0E,
-    0x14, 0x3E, 0x8B, 0xB1, 0x13, 0x38, 0x24, 0xCC,
-    0xB4, 0x31, 0x05, 0x38, 0x71, 0xC6, 0xDB, 0x53
+    0xB2, 0x6E, 0x7D, 0x28, 0xD1, 0x1A, 0x50, 0xBC,
+    0x53, 0xD8, 0x82, 0xBC, 0xF5, 0xFD, 0x3A, 0x1A,
+    0x07, 0x41, 0x48, 0xBB, 0x35, 0xD3, 0xB4, 0xE4,
+    0xCB, 0x1C, 0x0A, 0xD9, 0xBD, 0xE4, 0x19, 0xCA,
+    0xCB, 0x47, 0xBA, 0x09, 0x69, 0x96, 0x46, 0x15,
+    0x0F, 0x9F, 0xC0, 0x00, 0xF3, 0xF8, 0x0E, 0x12
 };
 #endif
 #ifdef WOLFSSL_SHA512
-/* SHA512 (can be read from NV index 0x01C07F03) */
+/* SHA512 (PolicyB - High Range) */
 static const BYTE TPM_20_EK_AUTH_POLICY_SHA512[] = {
-    0x1E, 0x3B, 0x76, 0x50, 0x2C, 0x8A, 0x14, 0x25,
-    0xAA, 0x0B, 0x7B, 0x3F, 0xC6, 0x46, 0xA1, 0xB0,
-    0xFA, 0xE0, 0x63, 0xB0, 0x3B, 0x53, 0x68, 0xF9,
-    0xC4, 0xCD, 0xDE, 0xCA, 0xFF, 0x08, 0x91, 0xDD,
-    0x68, 0x2B, 0xAC, 0x1A, 0x85, 0xD4, 0xD8, 0x32,
-    0xB7, 0x81, 0xEA, 0x45, 0x19, 0x15, 0xDE, 0x5F,
-    0xC5, 0xBF, 0x0D, 0xC4, 0xA1, 0x91, 0x7C, 0xD4,
-    0x2F, 0xA0, 0x41, 0xE3, 0xF9, 0x98, 0xE0, 0xEE
+    0xB8, 0x22, 0x1C, 0xA6, 0x9E, 0x85, 0x50, 0xA4,
+    0x91, 0x4D, 0xE3, 0xFA, 0xA6, 0xA1, 0x8C, 0x07,
+    0x2C, 0xC0, 0x12, 0x08, 0x07, 0x3A, 0x92, 0x8D,
+    0x5D, 0x66, 0xD5, 0x9E, 0xF7, 0x9E, 0x49, 0xA4,
+    0x29, 0xC4, 0x1A, 0x6B, 0x26, 0x95, 0x71, 0xD5,
+    0x7E, 0xDB, 0x25, 0xFB, 0xDB, 0x18, 0x38, 0x42,
+    0x56, 0x08, 0xB4, 0x13, 0xCD, 0x61, 0x6A, 0x5F,
+    0x6D, 0xB5, 0xB6, 0x07, 0x1A, 0xF9, 0x9B, 0xEA
 };
 #endif
 

diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h
@@ -2686,13 +2686,14 @@ WOLFTPM_API int wolfTPM2_GetKeyTemplate_KeySeal(TPMT_PUBLIC* publicTemplate, TPM
     \param keyBits integer value, specifying bits for the key, typically 2048 (RSA) or 256 (ECC)
     \param curveId use one of the accepted TPM_ECC_CURVE values like TPM_ECC_NIST_P256 (only used when alg=TPM_ALG_ECC)
     \param nameAlg integer value of TPMI_ALG_HASH type, specifying a valid TPM2 hashing algorithm (typically TPM_ALG_SHA256)
+    \param highRange integer value: 0=low range, 1=high range
 
     \sa wolfTPM2_GetKeyTemplate_ECC_EK
     \sa wolfTPM2_GetKeyTemplate_RSA_SRK
     \sa wolfTPM2_GetKeyTemplate_RSA_AIK
 */
 WOLFTPM_API int wolfTPM2_GetKeyTemplate_EK(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID alg,
-    int keyBits, TPM_ECC_CURVE curveID, TPM_ALG_ID nameAlg);
+    int keyBits, TPM_ECC_CURVE curveID, TPM_ALG_ID nameAlg, int highRange);
 
 /*!
     \ingroup wolfTPM2_Wrappers