diff --git a/examples/endorsement/get_ek_certs.c b/examples/endorsement/get_ek_certs.c
index 6e869cfc..5762094b 100644
--- a/examples/endorsement/get_ek_certs.c
+++ b/examples/endorsement/get_ek_certs.c
@@ -104,7 +104,14 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
 
     for (i=0; i<(int)handles.count; i++) {
         word32 nvIndex = handles.handle[i];
-        printf("TCG Handle 0x%x\n", nvIndex);
+        int highRange = 0;
+
+        if (nvIndex >= TPM2_NV_EK_RSA2048) {
+            highRange = 1;
+        }
+
+        printf("TCG Handle 0x%x (%s range)\n",
+            nvIndex, highRange ? "high" : "low");
 
         /* Read Public portion of NV */
         rc = wolfTPM2_NVReadPublic(&dev, nvIndex, &nvPublic);
@@ -181,7 +188,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
         }
 
         rc = wolfTPM2_GetKeyTemplate_EK(&publicTemplate, alg, keyBits, curveID,
-            nameAlg);
+            nameAlg, highRange);
         if (rc != 0) {
             printf("Invalid EK algorithm\n");
             rc = BAD_FUNC_ARG;
@@ -197,11 +204,10 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
     #ifdef DEBUG_WOLFTPM
             TPM2_PrintPublicArea(&endorse.pub);
     #endif
+        }
 
-            /* TODO: Confirm the certificate public key matches this
-             * public key */
-
-            wolfTPM2_UnloadHandle(&dev, &endorse.handle);
+        if (rc == 0) {
+            /* TODO: Confirm the certificate public key matches */
         }
 
 #ifndef WOLFTPM2_NO_WOLFCRYPT
@@ -212,7 +218,10 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
             printf("Parse Cert result: %d\n", rc);
             wc_FreeDecodedCert(&cert);
         }
+        /* TODO: Validate EK certificate chain */
 #endif
+
+        wolfTPM2_UnloadHandle(&dev, &endorse.handle);
     }
 
 exit:
diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
index 1a2867a7..7cf5ae80 100644
--- a/src/tpm2_wrap.c
+++ b/src/tpm2_wrap.c
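Review bot: The range test `if (nvIndex >= TPM2_NV_EK_RSA2048)` in the @@ -104 hunk has no upper bound, so every enumerated TCG NV index above TPM2_NV_EK_RSA2048 is treated as a high-range EK certificate; tpm2.h in this same diff defines TPM2_NV_EK_CHAIN at TPM_20_TCG_NV_SPACE + 0x100, and if the handle list can contain indexes from that chain range (how handles is populated is not in the diff) they would be classified as high range and fed into the EK template selection below. Matching the known certificate indexes explicitly, or bounding the comparison on both sides, keeps the classification as tight as the alg/keyBits selection that follows. A comment stating the assumption would also help the next reader: `/* Indexes at or above TPM2_NV_EK_RSA2048 hold high-range EK certificates */`. TPM2_EndorsementCert_Example continues on both sides of this hunk.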
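Review bot: The new `if (rc == 0) { /* TODO: Confirm the certificate public key matches */ }` block in the @@ -197 hunk is empty, so the certificate read from NV is still printed and parsed without any check that it certifies the EK the loop just generated; until that binding and the chain validation TODO added in the @@ -212 hunk are implemented, a reader copying this example gets no assurance that the certificate belongs to this TPM. With the template now carrying the range-correct attributes and policy, the cheapest check is to compare the public key in `endorse.pub` against the public key parsed into `cert` and report a mismatch. Moving `wolfTPM2_UnloadHandle(&dev, &endorse.handle)` to the end of the loop body in @@ -212 is fine provided nothing between the two hunks leaves the iteration early (`goto exit` or `continue`); those lines are not in the diff, so please confirm, because a skipped unload leaks a transient object slot per iteration. The return value of wolfTPM2_UnloadHandle is also discarded; printing it like the other calls would make slot exhaustion visible.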
@@ -5866,13 +5866,17 @@ int wolfTPM2_GetKeyTemplate_KeySeal(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID name
 }
 
 int wolfTPM2_GetKeyTemplate_EK(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID alg,
-    int keyBits, TPM_ECC_CURVE curveID, TPM_ALG_ID nameAlg)
+    int keyBits, TPM_ECC_CURVE curveID, TPM_ALG_ID nameAlg, int highRange)
 {
     int rc;
     TPMA_OBJECT objectAttributes = (
         TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent |
         TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_adminWithPolicy |
         TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt);
+    if (highRange) {
+        /* High range requires userWithAuth=1 */
+        objectAttributes |= TPMA_OBJECT_userWithAuth;
+    }
 
     if (alg == TPM_ALG_RSA) {
         rc = GetKeyTemplateRSA(publicTemplate, nameAlg,
@@ -5887,11 +5891,16 @@ int wolfTPM2_GetKeyTemplate_EK(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID alg,
         rc = BAD_FUNC_ARG; /* not yet supported */
     }
 
-    if (nameAlg == TPM_ALG_SHA256) {
+    if (nameAlg == TPM_ALG_SHA256 && !highRange) {
         publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY);
         XMEMCPY(publicTemplate->authPolicy.buffer,
             TPM_20_EK_AUTH_POLICY, publicTemplate->authPolicy.size);
     }
+    else if (nameAlg == TPM_ALG_SHA256) {
+        publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY_SHA256);
+        XMEMCPY(publicTemplate->authPolicy.buffer,
+            TPM_20_EK_AUTH_POLICY_SHA256, publicTemplate->authPolicy.size);
+    }
 #ifdef WOLFSSL_SHA384
     else if (nameAlg == TPM_ALG_SHA384) {
         publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY_SHA384);
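Review bot: In the @@ -5887 hunk the `highRange` flag only gates the SHA256 branch; with `nameAlg == TPM_ALG_SHA384` (and, further down, SHA512) the function copies the digests that tpm2.h now labels "PolicyB - High Range" regardless of highRange, while the attribute block in the @@ -5866 hunk adds TPMA_OBJECT_userWithAuth only when highRange is set. A caller passing highRange=0 with SHA384 therefore gets a template whose authPolicy and attributes belong to different ranges, which yields an EK whose name matches no issued certificate, and no error is returned. As far as I can tell the low-range templates are SHA256-only, so I would reject the combination up front: `if (!highRange && nameAlg != TPM_ALG_SHA256) { return BAD_FUNC_ARG; /* low range defines SHA256 templates only */ }`, or else document in tpm2_wrap.h that SHA384/SHA512 imply the high range. The body of wolfTPM2_GetKeyTemplate_EK continues past this hunk.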
@@ -5913,13 +5922,13 @@ int wolfTPM2_GetKeyTemplate_EK(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID alg,
 int wolfTPM2_GetKeyTemplate_RSA_EK(TPMT_PUBLIC* publicTemplate)
 {
     return wolfTPM2_GetKeyTemplate_EK(publicTemplate, TPM_ALG_RSA, 2048,
-        TPM_ALG_NULL, TPM_ALG_SHA256);
+        TPM_ALG_NULL, TPM_ALG_SHA256, 0);
 }
 
 int wolfTPM2_GetKeyTemplate_ECC_EK(TPMT_PUBLIC* publicTemplate)
 {
     return wolfTPM2_GetKeyTemplate_EK(publicTemplate, TPM_ALG_ECC, 256,
-        TPM_ECC_NIST_P256, TPM_ALG_SHA256);
+        TPM_ECC_NIST_P256, TPM_ALG_SHA256, 0);
 }
 
 int wolfTPM2_GetKeyTemplate_RSA_SRK(TPMT_PUBLIC* publicTemplate)
diff --git a/wolftpm/tpm2.h b/wolftpm/tpm2.h
index 226b0602..30c248a7 100644
--- a/wolftpm/tpm2.h
+++ b/wolftpm/tpm2.h
@@ -1671,36 +1671,43 @@ typedef struct TPM2_AUTH_SESSION {
 /* EK Certificate Chains (0x100 - 0x1FF) - Not common */
 #define TPM2_NV_EK_CHAIN (TPM_20_TCG_NV_SPACE + 0x100)
 
-/* Predetermined TPM 2.0 Endorsement policy auth template for SHA2-256 */
-/* SHA256 (can be read from NV index 0x01C07F01) */
+/* Predetermined TPM 2.0 Endorsement policy auth templates */
+/* SHA256 (Low Range) */
 static const BYTE TPM_20_EK_AUTH_POLICY[] = {
     0x83, 0x71, 0x97, 0x67, 0x44, 0x84, 0xB3, 0xF8,
     0x1A, 0x90, 0xCC, 0x8D, 0x46, 0xA5, 0xD7, 0x24,
     0xFD, 0x52, 0xD7, 0x6E, 0x06, 0x52, 0x0B, 0x64,
     0xF2, 0xA1, 0xDA, 0x1B, 0x33, 0x14, 0x69, 0xAA
 };
+/* SHA256 (PolicyB - High Range) */
+static const BYTE TPM_20_EK_AUTH_POLICY_SHA256[] = {
+    0xCA, 0x3D, 0x0A, 0x99, 0xA2, 0xB9, 0x39, 0x06,
+    0xF7, 0xA3, 0x34, 0x24, 0x14, 0xEF, 0xCF, 0xB3,
+    0xA3, 0x85, 0xD4, 0x4C, 0xD1, 0xFD, 0x45, 0x90,
+    0x89, 0xD1, 0x9B, 0x50, 0x71, 0xC0, 0xB7, 0xA0
+};
 #ifdef WOLFSSL_SHA384
-/* SHA384 (can be read from NV index 0x01C07F02) */
+/* SHA384 (PolicyB - High Range) */
 static const BYTE TPM_20_EK_AUTH_POLICY_SHA384[] = {
-    0x8B, 0xBF, 0x22, 0x66, 0x53, 0x7C, 0x17, 0x1C,
-    0xB5, 0x6E, 0x40, 0x3C, 0x4D, 0xC1, 0xD4, 0xB6,
-    0x4F, 0x43, 0x26, 0x11, 0xDC, 0x38, 0x6E, 0x6F,
-    0x53, 0x20, 0x50, 0xC3, 0x27, 0x8C, 0x93, 0x0E,
-    0x14, 0x3E, 0x8B, 0xB1, 0x13, 0x38, 0x24, 0xCC,
-    0xB4, 0x31, 0x05, 0x38, 0x71, 0xC6, 0xDB, 0x53
+    0xB2, 0x6E, 0x7D, 0x28, 0xD1, 0x1A, 0x50, 0xBC,
+    0x53, 0xD8, 0x82, 0xBC, 0xF5, 0xFD, 0x3A, 0x1A,
+    0x07, 0x41, 0x48, 0xBB, 0x35, 0xD3, 0xB4, 0xE4,
+    0xCB, 0x1C, 0x0A, 0xD9, 0xBD, 0xE4, 0x19, 0xCA,
+    0xCB, 0x47, 0xBA, 0x09, 0x69, 0x96, 0x46, 0x15,
+    0x0F, 0x9F, 0xC0, 0x00, 0xF3, 0xF8, 0x0E, 0x12
 };
 #endif
 
 #ifdef WOLFSSL_SHA512
-/* SHA512 (can be read from NV index 0x01C07F03) */
+/* SHA512 (PolicyB - High Range) */
 static const BYTE TPM_20_EK_AUTH_POLICY_SHA512[] = {
-    0x1E, 0x3B, 0x76, 0x50, 0x2C, 0x8A, 0x14, 0x25,
-    0xAA, 0x0B, 0x7B, 0x3F, 0xC6, 0x46, 0xA1, 0xB0,
-    0xFA, 0xE0, 0x63, 0xB0, 0x3B, 0x53, 0x68, 0xF9,
-    0xC4, 0xCD, 0xDE, 0xCA, 0xFF, 0x08, 0x91, 0xDD,
-    0x68, 0x2B, 0xAC, 0x1A, 0x85, 0xD4, 0xD8, 0x32,
-    0xB7, 0x81, 0xEA, 0x45, 0x19, 0x15, 0xDE, 0x5F,
-    0xC5, 0xBF, 0x0D, 0xC4, 0xA1, 0x91, 0x7C, 0xD4,
-    0x2F, 0xA0, 0x41, 0xE3, 0xF9, 0x98, 0xE0, 0xEE
+    0xB8, 0x22, 0x1C, 0xA6, 0x9E, 0x85, 0x50, 0xA4,
+    0x91, 0x4D, 0xE3, 0xFA, 0xA6, 0xA1, 0x8C, 0x07,
+    0x2C, 0xC0, 0x12, 0x08, 0x07, 0x3A, 0x92, 0x8D,
+    0x5D, 0x66, 0xD5, 0x9E, 0xF7, 0x9E, 0x49, 0xA4,
+    0x29, 0xC4, 0x1A, 0x6B, 0x26, 0x95, 0x71, 0xD5,
+    0x7E, 0xDB, 0x25, 0xFB, 0xDB, 0x18, 0x38, 0x42,
+    0x56, 0x08, 0xB4, 0x13, 0xCD, 0x61, 0x6A, 0x5F,
+    0x6D, 0xB5, 0xB6, 0x07, 0x1A, 0xF9, 0x9B, 0xEA
 };
 #endif
diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h
index e72722f4..de24c89a 100644
--- a/wolftpm/tpm2_wrap.h
+++ b/wolftpm/tpm2_wrap.h
@@ -2686,13 +2686,14 @@ WOLFTPM_API int wolfTPM2_GetKeyTemplate_KeySeal(TPMT_PUBLIC* publicTemplate, TPM
     \param keyBits integer value, specifying bits for the key, typically 2048 (RSA) or 256 (ECC)
     \param curveId use one of the accepted TPM_ECC_CURVE values like TPM_ECC_NIST_P256 (only used when alg=TPM_ALG_ECC)
     \param nameAlg integer value of TPMI_ALG_HASH type, specifying a valid TPM2 hashing algorithm (typically TPM_ALG_SHA256)
+    \param highRange integer value: 0=low range, 1=high range
 
     \sa wolfTPM2_GetKeyTemplate_ECC_EK
     \sa wolfTPM2_GetKeyTemplate_RSA_SRK
     \sa wolfTPM2_GetKeyTemplate_RSA_AIK
 */
 WOLFTPM_API int wolfTPM2_GetKeyTemplate_EK(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID alg,
-    int keyBits, TPM_ECC_CURVE curveID, TPM_ALG_ID nameAlg);
+    int keyBits, TPM_ECC_CURVE curveID, TPM_ALG_ID nameAlg, int highRange);
 
 /*!
     \ingroup wolfTPM2_Wrappers
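Review bot: `TPM_20_EK_AUTH_POLICY_SHA384` and `TPM_20_EK_AUTH_POLICY_SHA512` keep their names but now hold different digests, so any consumer that compared an EK name or template against the previous values (the ones the old comments said could be read from NV index 0x01C07F02 / 0x01C07F03) will silently stop matching; a line in the comment makes that discoverable, e.g. `/* SHA384 (PolicyB - High Range); replaces the former low-range SHA384 digest */`. The naming is also uneven now: the unsuffixed TPM_20_EK_AUTH_POLICY is the low-range SHA256 digest while TPM_20_EK_AUTH_POLICY_SHA256 is the high-range one, which is easy to pick wrongly at the call site in tpm2_wrap.c; a range marker in the identifier (a _HIGH or _B suffix, for instance) would remove the ambiguity. These digests are bound into the EK name by the TPM, so a single transcribed byte produces an EK that no issued certificate matches; a regression test that builds each template and checks the resulting EK name against a known-good value would catch what a visual review of 32- to 64-byte tables cannot.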
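Review bot: Adding `int highRange` to the prototype of wolfTPM2_GetKeyTemplate_EK changes a WOLFTPM_API signature, so every out-of-tree caller stops compiling until it is updated; if that is intended it belongs in the release notes, otherwise keep the existing prototype as a wrapper forwarding highRange=0 (as wolfTPM2_GetKeyTemplate_RSA_EK does in tpm2_wrap.c) and put the extra parameter on a new entry point. The new `\param highRange integer value: 0=low range, 1=high range` line also says nothing about what the flag changes; I would expand it to state that a non-zero value selects the high-range EK template, which sets TPMA_OBJECT_userWithAuth and installs the PolicyB authPolicy digest for nameAlg, while zero selects the low-range SHA256 template, so that callers understand why the resulting EK name differs.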