Skip to content

Commit

Permalink
Merge pull request #320 from dgarske/fix_endorsement
Browse files Browse the repository at this point in the history 
Fixes for using endorsement hierarchy
  • Loading branch information
@embhorn
embhorn authored Dec 29, 2023
2 parents 7c079dd + 310fe7c commit e9ca868
Show file tree
Hide file tree
Showing 14 changed files with 357 additions and 214 deletions.
44 changes: 44 additions & 0 deletions .github/workflows/cmake-build.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
name: WolfTPM CMake Build Tests

on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]

jobs:
build:

runs-on: ubuntu-latest

steps:
#pull wolfTPM
- uses: actions/checkout@master

# Install cmake
- name: Install cmake
run: |
sudo apt-get update
sudo apt-get install -y cmake
#pull and build wolfssl
- uses: actions/checkout@master
with:
repository: wolfssl/wolfssl
path: wolfssl
- name: Build wolfssl
working-directory: ./wolfssl
run: |
mkdir build
cd build
cmake -DWOLFSSL_TPM=yes ..
make
sudo make install
#build wolftpm
- name: Build wolfTPM
run: |
mkdir build
cd build
cmake -DWOLFTPM_INTERFACE=SWTPM ..
make
1 change: 1 addition & 0 deletions CMakeLists.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ set(TPM_SOURCES
src/tpm2_tis.c
src/tpm2_winapi.c
src/tpm2_wrap.c
src/tpm2_cryptocb.c
hal/tpm_io.c
)

Expand Down
5 changes: 3 additions & 2 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -791,9 +791,10 @@ Connection: close

## Todo

* Key Generation and Attestation examples using endorsement hierarchy "-eh" are broken.
* Update to v1.59 of specification (adding CertifyX509)
* Add support for Endorsement certificates (EK Credential Profile).
* Update to v1.59 of specification (adding CertifyX509).
* Inner wrap support for SensitiveToPrivate.
* Firmware upgrade support on TPM's.

## Support

Expand Down
47 changes: 28 additions & 19 deletions examples/attestation/activate_credential.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ static void usage(void)
printf("Expected usage:\n");
printf("./examples/attestation/activate_credential [cred.blob] [-eh]\n");
printf("* cred.blob is a input file holding the generated credential.\n");
printf("* -eh: Use the EK public key to encrypt the challenge\n");
printf("Demo usage without parameters, uses \"cred.blob\" filename.\n");
}

Expand All @@ -64,14 +65,8 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
const char *input = "cred.blob";
const char *keyblob = "keyblob.bin";

union {
ActivateCredential_In activCred;
byte maxInput[MAX_COMMAND_SIZE];
} cmdIn;
union {
ActivateCredential_Out activCred;
byte maxOutput[MAX_RESPONSE_SIZE];
} cmdOut;
ActivateCredential_In activCredIn;
ActivateCredential_Out activCredOut;

if (argc == 1) {
printf("Using default values\n");
Expand Down Expand Up @@ -157,9 +152,13 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
/* Set the created Policy Session for use in next operation */
rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, 0);
if (rc != 0) goto exit;
/* Set the name for the endorsement handle */
rc = wolfTPM2_SetAuthHandleName(&dev, 1, &endorse.handle);
if (rc != 0) goto exit;
}
else {
wolfTPM2_SetAuthHandle(&dev, 1, &storage.handle);
rc = wolfTPM2_SetAuthHandle(&dev, 1, &storage.handle);
if (rc != 0) goto exit;
}

/* Prepare the auth password for the Attestation Key */
Expand All @@ -169,19 +168,19 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
wolfTPM2_SetAuthHandle(&dev, 0, &akKey.handle);

/* Prepare the Activate Credential command */
XMEMSET(&cmdIn.activCred, 0, sizeof(cmdIn.activCred));
XMEMSET(&cmdOut.activCred, 0, sizeof(cmdOut.activCred));
cmdIn.activCred.activateHandle = akKey.handle.hndl;
cmdIn.activCred.keyHandle = primary->handle.hndl;
XMEMSET(&activCredIn, 0, sizeof(activCredIn));
XMEMSET(&activCredOut, 0, sizeof(activCredOut));
activCredIn.activateHandle = akKey.handle.hndl;
activCredIn.keyHandle = primary->handle.hndl;
/* Read credential from the user file */
#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
fp = XFOPEN(input, "rb");
if (fp != XBADFILE) {
dataSize = (int)XFREAD((BYTE*)&cmdIn.activCred.credentialBlob, 1,
sizeof(cmdIn.activCred.credentialBlob), fp);
dataSize = (int)XFREAD((BYTE*)&activCredIn.credentialBlob, 1,
sizeof(activCredIn.credentialBlob), fp);
if (dataSize > 0) {
dataSize += (int)XFREAD((BYTE*)&cmdIn.activCred.secret, 1,
sizeof(cmdIn.activCred.secret), fp);
dataSize += (int)XFREAD((BYTE*)&activCredIn.secret, 1,
sizeof(activCredIn.secret), fp);
}
XFCLOSE(fp);
}
Expand All @@ -192,18 +191,28 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
goto exit;
#endif
/* All required data to verify the credential is prepared */
rc = TPM2_ActivateCredential(&cmdIn.activCred, &cmdOut.activCred);
rc = TPM2_ActivateCredential(&activCredIn, &activCredOut);
if (rc != TPM_RC_SUCCESS) {
printf("TPM2_ActivateCredentials failed 0x%x: %s\n", rc,
printf("TPM2_ActivateCredential failed 0x%x: %s\n", rc,
TPM2_GetRCString(rc));
goto exit;
}
printf("TPM2_ActivateCredential success\n");
if (endorseKey) {
/* The policy session is closed after use.
* Reset handle, so we don't try and free it */
tpmSession.handle.hndl = TPM_RH_NULL;
}

printf("Secret: %d\n", activCredOut.certInfo.size);
TPM2_PrintBin(activCredOut.certInfo.buffer,
activCredOut.certInfo.size);

exit:

wolfTPM2_UnloadHandle(&dev, &primary->handle);
wolfTPM2_UnloadHandle(&dev, &akKey.handle);
wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
wolfTPM2_Cleanup(&dev);

exit_badargs:
Expand Down
70 changes: 33 additions & 37 deletions examples/attestation/make_credential.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -68,16 +68,10 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
const char *srkPubFile = "srk.pub";
const char *pubFilename = NULL;

union {
MakeCredential_In makeCred;
LoadExternal_In loadExtIn;
byte maxInput[MAX_COMMAND_SIZE];
} cmdIn;
union {
MakeCredential_Out makeCred;
LoadExternal_Out loadExtOut;
byte maxOutput[MAX_RESPONSE_SIZE];
} cmdOut;
MakeCredential_In makeCredIn;
MakeCredential_Out makeCredOut;
LoadExternal_In loadExtIn;
LoadExternal_Out loadExtOut;

if (argc == 1) {
printf("Using public key from SRK to create the challenge\n");
Expand All @@ -100,12 +94,6 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
goto exit_badargs;
}

XMEMSET(&name, 0, sizeof(name));
XMEMSET(&cmdIn.makeCred, 0, sizeof(cmdIn.makeCred));
XMEMSET(&cmdOut.makeCred, 0, sizeof(cmdOut.makeCred));
XMEMSET(&cmdIn.loadExtIn, 0, sizeof(cmdIn.loadExtIn));
XMEMSET(&cmdOut.loadExtOut, 0, sizeof(cmdOut.loadExtOut));

printf("Demo how to create a credential challenge for remote attestation\n");
printf("Credential will be stored in %s\n", output);

Expand All @@ -125,24 +113,26 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
}
rc = readKeyBlob(pubFilename, &primary);
if (rc != 0) {
printf("Failure to load %s\n", pubFilename);
printf("Failure to read %s\n", pubFilename);
goto exit;
}

/* Prepare the key for use by the TPM */
XMEMCPY(&cmdIn.loadExtIn.inPublic, &primary.pub,
sizeof(cmdIn.loadExtIn.inPublic));
cmdIn.loadExtIn.hierarchy = TPM_RH_NULL;
rc = TPM2_LoadExternal(&cmdIn.loadExtIn, &cmdOut.loadExtOut);
XMEMSET(&loadExtIn, 0, sizeof(loadExtIn));
XMEMSET(&loadExtOut, 0, sizeof(loadExtOut));
XMEMCPY(&loadExtIn.inPublic, &primary.pub, sizeof(loadExtIn.inPublic));
loadExtIn.hierarchy = TPM_RH_NULL;
rc = TPM2_LoadExternal(&loadExtIn, &loadExtOut);
if (rc != TPM_RC_SUCCESS) {
printf("TPM2_LoadExternal: failed %d: %s\n", rc,
wolfTPM2_GetRCString(rc));
return rc;
}
printf("Public key for encryption loaded\n");
handle.hndl = cmdOut.loadExtOut.objectHandle;

handle.hndl = loadExtOut.objectHandle;
#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
/* Load AK Name digest */
XMEMSET(&name, 0, sizeof(name));
fp = XFOPEN("ak.name", "rb");
if (fp != XBADFILE) {
size_t nameReadSz = XFREAD((BYTE*)&name, 1, sizeof(name), fp);
Expand All @@ -153,31 +143,37 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
#endif

/* Create secret for the attestation server */
cmdIn.makeCred.credential.size = CRED_SECRET_SIZE;
wolfTPM2_GetRandom(&dev, cmdIn.makeCred.credential.buffer,
cmdIn.makeCred.credential.size);
/* Prepare the AK name */
cmdIn.makeCred.objectName.size = name.size;
XMEMCPY(cmdIn.makeCred.objectName.name, name.name,
cmdIn.makeCred.objectName.size);
XMEMSET(&makeCredIn, 0, sizeof(makeCredIn));
XMEMSET(&makeCredOut, 0, sizeof(makeCredOut));
makeCredIn.credential.size = CRED_SECRET_SIZE;
wolfTPM2_GetRandom(&dev, makeCredIn.credential.buffer,
makeCredIn.credential.size);
/* Set the object name */
makeCredIn.objectName.size = name.size;
XMEMCPY(makeCredIn.objectName.name, name.name,
makeCredIn.objectName.size);
/* Set TPM key and execute */
cmdIn.makeCred.handle = handle.hndl;
rc = TPM2_MakeCredential(&cmdIn.makeCred, &cmdOut.makeCred);
makeCredIn.handle = handle.hndl;
rc = TPM2_MakeCredential(&makeCredIn, &makeCredOut);
if (rc != TPM_RC_SUCCESS) {
printf("TPM2_MakeCredentials failed 0x%x: %s\n", rc,
printf("TPM2_MakeCredential failed 0x%x: %s\n", rc,
TPM2_GetRCString(rc));
goto exit;
}
printf("TPM2_MakeCredential success\n");

printf("Secret: %d\n", makeCredIn.credential.size);
TPM2_PrintBin(makeCredIn.credential.buffer,
makeCredIn.credential.size);

#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
fp = XFOPEN(output, "wb");
if (fp != XBADFILE) {
dataSize = (int)XFWRITE((BYTE*)&cmdOut.makeCred.credentialBlob, 1,
sizeof(cmdOut.makeCred.credentialBlob), fp);
dataSize = (int)XFWRITE((BYTE*)&makeCredOut.credentialBlob, 1,
sizeof(makeCredOut.credentialBlob), fp);
if (dataSize > 0) {
dataSize += (int)XFWRITE((BYTE*)&cmdOut.makeCred.secret, 1,
sizeof(cmdOut.makeCred.secret), fp);
dataSize += (int)XFWRITE((BYTE*)&makeCredOut.secret, 1,
sizeof(makeCredOut.secret), fp);
}
XFCLOSE(fp);
}
Expand Down
46 changes: 31 additions & 15 deletions examples/keygen/keygen.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -141,7 +141,6 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_RSA)
const char *pemFilename = NULL;
#endif
FILE *fp;
#endif
size_t len = 0;
char symMode[] = "aesctr";
Expand Down Expand Up @@ -251,20 +250,26 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
rc = wolfTPM2_StartSession(&dev, &tpmSession, primary, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
printf("HMAC Session: Handle 0x%x\n",
(word32)tpmSession.handle.hndl);

/* set session for authorization of the primary key */
rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt |
TPMA_SESSION_continueSession));
if (rc != 0) goto exit;
}

if (endorseKey) {
/* Endorsement Key requires authorization with Policy */
wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession);
rc = wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession);
if (rc != 0) goto exit;
printf("EK Policy Session: Handle 0x%x\n",
(word32)tpmSession.handle.hndl);

/* Set the created Policy Session for use in next operation */
wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0);
rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0);
if (rc != 0) goto exit;
}

/* Create new key */
Expand All @@ -285,6 +290,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
else {
rc = BAD_FUNC_ARG;
}
if (rc != 0) goto exit;

/* set session for authorization key */
auth.size = (int)sizeof(gAiKeyAuth)-1;
Expand Down Expand Up @@ -341,11 +347,25 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
printf("wolfTPM2_CreateKey failed\n");
goto exit;
}
if (endorseKey) {
/* Endorsement policy session is closed after use, so start another */
rc = wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession);
if (rc == 0) {
rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0);
}
if (rc != 0) goto exit;
}
rc = wolfTPM2_LoadKey(&dev, &newKeyBlob, &primary->handle);
if (rc != TPM_RC_SUCCESS) {
printf("wolfTPM2_LoadKey failed\n");
goto exit;
}
if (endorseKey) {
/* The policy session is closed after use.
* Reset handle, so we don't try and free it */
tpmSession.handle.hndl = TPM_RH_NULL;
}

printf("New key created and loaded (pub %d, priv %d bytes)\n",
newKeyBlob.pub.size, newKeyBlob.priv.size);

Expand All @@ -357,14 +377,13 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
/* Store primary public key */
XMEMCPY(&primaryBlob.pub, &primary->pub, sizeof(primaryBlob.pub));
rc |= writeKeyBlob(pubFilename, &primaryBlob);

/* Write AK's Name digest */
fp = XFOPEN(nameFile, "wb");
if (fp != XBADFILE) {
XFWRITE((BYTE*)&newKeyBlob.name, 1, sizeof(newKeyBlob.name), fp);
printf("Wrote AK Name digest\n");
XFCLOSE(fp);
}
rc |= writeBin(nameFile, (byte*)&newKeyBlob.handle.name,
sizeof(newKeyBlob.handle.name));
printf("Wrote AK Name digest\n");
}
if (rc != TPM_RC_SUCCESS) goto exit;
#else
if (alg == TPM_ALG_SYMCIPHER) {
printf("The Public Part of a symmetric key contains only meta data\n");
Expand Down Expand Up @@ -421,10 +440,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
/* Close handles */
wolfTPM2_UnloadHandle(&dev, &primary->handle);
wolfTPM2_UnloadHandle(&dev, &newKeyBlob.handle);
/* EK policy is destroyed after use, flush parameter encryption session */
if (paramEncAlg != TPM_ALG_NULL && !endorseKey) {
wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
}
wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);

wolfTPM2_Cleanup(&dev);
return rc;
Expand Down
Loading

0 comments on commit e9ca868

Please sign in to comment.