diff --git a/.github/workflows/cmake-build.yml b/.github/workflows/cmake-build.yml new file mode 100644 index 00000000..158ac5c6 --- /dev/null +++ b/.github/workflows/cmake-build.yml @@ -0,0 +1,44 @@ +name: WolfTPM CMake Build Tests + +on: + push: + branches: [ 'master', 'main', 'release/**' ] + pull_request: + branches: [ '*' ] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: +#pull wolfTPM + - uses: actions/checkout@master + +# Install cmake + - name: Install cmake + run: | + sudo apt-get update + sudo apt-get install -y cmake + +#pull and build wolfssl + - uses: actions/checkout@master + with: + repository: wolfssl/wolfssl + path: wolfssl + - name: Build wolfssl + working-directory: ./wolfssl + run: | + mkdir build + cd build + cmake -DWOLFSSL_TPM=yes .. + make + sudo make install + +#build wolftpm + - name: Build wolfTPM + run: | + mkdir build + cd build + cmake -DWOLFTPM_INTERFACE=SWTPM .. + make diff --git a/CMakeLists.txt b/CMakeLists.txt index 7a9bb724..b1b28770 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -35,6 +35,7 @@ set(TPM_SOURCES src/tpm2_tis.c src/tpm2_winapi.c src/tpm2_wrap.c + src/tpm2_cryptocb.c hal/tpm_io.c ) diff --git a/README.md b/README.md index 34902e55..3fbaaed4 100644 --- a/README.md +++ b/README.md @@ -791,9 +791,10 @@ Connection: close ## Todo -* Key Generation and Attestation examples using endorsement hierarchy "-eh" are broken. -* Update to v1.59 of specification (adding CertifyX509) +* Add support for Endorsement certificates (EK Credential Profile). +* Update to v1.59 of specification (adding CertifyX509). * Inner wrap support for SensitiveToPrivate. +* Firmware upgrade support on TPM's. ## Support diff --git a/examples/attestation/activate_credential.c b/examples/attestation/activate_credential.c index 27522553..93b2bc44 100644 --- a/examples/attestation/activate_credential.c +++ b/examples/attestation/activate_credential.c 
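Review bot: Both `uses: actions/checkout@master` steps, and the wolfssl checkout that takes no `ref:`, pin their inputs to a moving branch, so the build is not reproducible and an upstream change in either repository reaches this CI run without review. Pinning the action to a release tag or full commit SHA, e.g. `uses: actions/checkout@<tag-or-sha>` (placeholder), and giving the wolfssl step an explicit `ref:` would fix both. The job is named "Build Tests" but the final step only runs `make`; if the CMake build produces a test target, running it here would make the name accurate.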
@@ -44,6 +44,7 @@ static void usage(void) printf("Expected usage:\n"); printf("./examples/attestation/activate_credential [cred.blob] [-eh]\n"); printf("* cred.blob is a input file holding the generated credential.\n"); + printf("* -eh: Use the EK public key to encrypt the challenge\n"); printf("Demo usage without parameters, uses \"cred.blob\" filename.\n"); } @@ -64,14 +65,8 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[]) const char *input = "cred.blob"; const char *keyblob = "keyblob.bin"; - union { - ActivateCredential_In activCred; - byte maxInput[MAX_COMMAND_SIZE]; - } cmdIn; - union { - ActivateCredential_Out activCred; - byte maxOutput[MAX_RESPONSE_SIZE]; - } cmdOut; + ActivateCredential_In activCredIn; + ActivateCredential_Out activCredOut; if (argc == 1) { printf("Using default values\n"); @@ -157,9 +152,13 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[]) /* Set the created Policy Session for use in next operation */ rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, 0); if (rc != 0) goto exit; + /* Set the name for the endorsement handle */ + rc = wolfTPM2_SetAuthHandleName(&dev, 1, &endorse.handle); + if (rc != 0) goto exit; } else { - wolfTPM2_SetAuthHandle(&dev, 1, &storage.handle); + rc = wolfTPM2_SetAuthHandle(&dev, 1, &storage.handle); + if (rc != 0) goto exit; } /* Prepare the auth password for the Attestation Key */ 
@@ -169,19 +168,19 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[]) wolfTPM2_SetAuthHandle(&dev, 0, &akKey.handle); /* Prepare the Activate Credential command */ - XMEMSET(&cmdIn.activCred, 0, sizeof(cmdIn.activCred)); - XMEMSET(&cmdOut.activCred, 0, sizeof(cmdOut.activCred)); - cmdIn.activCred.activateHandle = akKey.handle.hndl; - cmdIn.activCred.keyHandle = primary->handle.hndl; + XMEMSET(&activCredIn, 0, sizeof(activCredIn)); + XMEMSET(&activCredOut, 0, sizeof(activCredOut)); + activCredIn.activateHandle = akKey.handle.hndl; + activCredIn.keyHandle = primary->handle.hndl; /* Read credential from the user file */ #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) fp = XFOPEN(input, "rb"); if (fp != XBADFILE) { - dataSize = (int)XFREAD((BYTE*)&cmdIn.activCred.credentialBlob, 1, - sizeof(cmdIn.activCred.credentialBlob), fp); + dataSize = (int)XFREAD((BYTE*)&activCredIn.credentialBlob, 1, + sizeof(activCredIn.credentialBlob), fp); if (dataSize > 0) { - dataSize += (int)XFREAD((BYTE*)&cmdIn.activCred.secret, 1, - sizeof(cmdIn.activCred.secret), fp); + dataSize += (int)XFREAD((BYTE*)&activCredIn.secret, 1, + sizeof(activCredIn.secret), fp); } XFCLOSE(fp); } 
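Review bot: The two XFREAD calls fill `activCredIn.credentialBlob` and `activCredIn.secret` straight from the `input` file, so each structure's leading `size` field is untrusted file content, and the only check afterwards is `dataSize > 0`; nothing confirms that each `size` lies within its payload array before TPM2_ActivateCredential marshals the structures. A bounds check after the reads, comparing `activCredIn.credentialBlob.size` and `activCredIn.secret.size` against the sizeof of their respective payload arrays and jumping to `exit` with `rc = BUFFER_E` on failure, would close that. The unchecked `wolfTPM2_SetAuthHandle(&dev, 0, &akKey.handle);` at the top of the hunk is also inconsistent with the checked call the previous hunk introduces for index 1. The function continues beyond both ends of the hunk.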
@@ -192,18 +191,28 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[]) goto exit; #endif /* All required data to verify the credential is prepared */ - rc = TPM2_ActivateCredential(&cmdIn.activCred, &cmdOut.activCred); + rc = TPM2_ActivateCredential(&activCredIn, &activCredOut); if (rc != TPM_RC_SUCCESS) { - printf("TPM2_ActivateCredentials failed 0x%x: %s\n", rc, + printf("TPM2_ActivateCredential failed 0x%x: %s\n", rc, TPM2_GetRCString(rc)); goto exit; } printf("TPM2_ActivateCredential success\n"); + if (endorseKey) { + /* The policy session is closed after use. + * Reset handle, so we don't try and free it */ + tpmSession.handle.hndl = TPM_RH_NULL; + } + + printf("Secret: %d\n", activCredOut.certInfo.size); + TPM2_PrintBin(activCredOut.certInfo.buffer, + activCredOut.certInfo.size); exit: wolfTPM2_UnloadHandle(&dev, &primary->handle); wolfTPM2_UnloadHandle(&dev, &akKey.handle); + wolfTPM2_UnloadHandle(&dev, &tpmSession.handle); wolfTPM2_Cleanup(&dev); exit_badargs: diff --git a/examples/attestation/make_credential.c b/examples/attestation/make_credential.c index 8ebe922d..b2b85f6f 100644 --- a/examples/attestation/make_credential.c +++ b/examples/attestation/make_credential.c @@ -68,16 +68,10 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[]) const char *srkPubFile = "srk.pub"; const char *pubFilename = NULL; - union { - MakeCredential_In makeCred; - LoadExternal_In loadExtIn; - byte maxInput[MAX_COMMAND_SIZE]; - } cmdIn; - union { - MakeCredential_Out makeCred; - LoadExternal_Out loadExtOut; - byte maxOutput[MAX_RESPONSE_SIZE]; - } cmdOut; + MakeCredential_In makeCredIn; + MakeCredential_Out makeCredOut; + LoadExternal_In loadExtIn; + LoadExternal_Out loadExtOut; if (argc == 1) { printf("Using public key from SRK to create the challenge\n"); 
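Review bot: `wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);` at `exit:` now runs on every path, including the non-`-eh` path where no session is started in the visible code and the early `goto exit` paths before any session exists; unless `tpmSession` is zeroed or its `hndl` set to TPM_RH_NULL at declaration (outside this hunk), this flushes an indeterminate handle. Initializing it where it is declared, `XMEMSET(&tpmSession, 0, sizeof(tpmSession));`, removes that dependency. Resetting `hndl` to TPM_RH_NULL only on the success path looks deliberate, presumably because a failed command leaves the non-continue policy session open, and a comment stating that would help the next reader. The declarations and the `-eh` session setup are outside this hunk.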
@@ -100,12 +94,6 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[]) goto exit_badargs; } - XMEMSET(&name, 0, sizeof(name)); - XMEMSET(&cmdIn.makeCred, 0, sizeof(cmdIn.makeCred)); - XMEMSET(&cmdOut.makeCred, 0, sizeof(cmdOut.makeCred)); - XMEMSET(&cmdIn.loadExtIn, 0, sizeof(cmdIn.loadExtIn)); - XMEMSET(&cmdOut.loadExtOut, 0, sizeof(cmdOut.loadExtOut)); - printf("Demo how to create a credential challenge for remote attestation\n"); printf("Credential will be stored in %s\n", output); @@ -125,24 +113,26 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[]) } rc = readKeyBlob(pubFilename, &primary); if (rc != 0) { - printf("Failure to load %s\n", pubFilename); + printf("Failure to read %s\n", pubFilename); goto exit; } + /* Prepare the key for use by the TPM */ - XMEMCPY(&cmdIn.loadExtIn.inPublic, &primary.pub, - sizeof(cmdIn.loadExtIn.inPublic)); - cmdIn.loadExtIn.hierarchy = TPM_RH_NULL; - rc = TPM2_LoadExternal(&cmdIn.loadExtIn, &cmdOut.loadExtOut); + XMEMSET(&loadExtIn, 0, sizeof(loadExtIn)); + XMEMSET(&loadExtOut, 0, sizeof(loadExtOut)); + XMEMCPY(&loadExtIn.inPublic, &primary.pub, sizeof(loadExtIn.inPublic)); + loadExtIn.hierarchy = TPM_RH_NULL; + rc = TPM2_LoadExternal(&loadExtIn, &loadExtOut); if (rc != TPM_RC_SUCCESS) { printf("TPM2_LoadExternal: failed %d: %s\n", rc, wolfTPM2_GetRCString(rc)); return rc; } printf("Public key for encryption loaded\n"); - handle.hndl = cmdOut.loadExtOut.objectHandle; - + handle.hndl = loadExtOut.objectHandle; #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) /* Load AK Name digest */ + XMEMSET(&name, 0, sizeof(name)); fp = XFOPEN("ak.name", "rb"); if (fp != XBADFILE) { size_t nameReadSz = XFREAD((BYTE*)&name, 1, sizeof(name), fp); 
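Review bot: The `TPM2_LoadExternal` failure path just below the new XMEMSET calls still does `return rc;` while every other failure in the hunk uses `goto exit;`, so that path presumably skips whatever cleanup `exit:` performs on the initialized device; `goto exit;` there matches the surrounding style. Clearing `name` immediately before the `ak.name` read is clearer than the removed block of XMEMSETs, but `nameReadSz` needs to be checked for a short read before `name.size` is trusted; if that check exists it is beyond the end of the hunk. TPM2_MakeCredential_Example continues outside the hunk on both sides.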
@@ -153,31 +143,37 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[]) #endif /* Create secret for the attestation server */ - cmdIn.makeCred.credential.size = CRED_SECRET_SIZE; - wolfTPM2_GetRandom(&dev, cmdIn.makeCred.credential.buffer, - cmdIn.makeCred.credential.size); - /* Prepare the AK name */ - cmdIn.makeCred.objectName.size = name.size; - XMEMCPY(cmdIn.makeCred.objectName.name, name.name, - cmdIn.makeCred.objectName.size); + XMEMSET(&makeCredIn, 0, sizeof(makeCredIn)); + XMEMSET(&makeCredOut, 0, sizeof(makeCredOut)); + makeCredIn.credential.size = CRED_SECRET_SIZE; + wolfTPM2_GetRandom(&dev, makeCredIn.credential.buffer, + makeCredIn.credential.size); + /* Set the object name */ + makeCredIn.objectName.size = name.size; + XMEMCPY(makeCredIn.objectName.name, name.name, + makeCredIn.objectName.size); /* Set TPM key and execute */ - cmdIn.makeCred.handle = handle.hndl; - rc = TPM2_MakeCredential(&cmdIn.makeCred, &cmdOut.makeCred); + makeCredIn.handle = handle.hndl; + rc = TPM2_MakeCredential(&makeCredIn, &makeCredOut); if (rc != TPM_RC_SUCCESS) { - printf("TPM2_MakeCredentials failed 0x%x: %s\n", rc, + printf("TPM2_MakeCredential failed 0x%x: %s\n", rc, TPM2_GetRCString(rc)); goto exit; } printf("TPM2_MakeCredential success\n"); + printf("Secret: %d\n", makeCredIn.credential.size); + TPM2_PrintBin(makeCredIn.credential.buffer, + makeCredIn.credential.size); + #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) fp = XFOPEN(output, "wb"); if (fp != XBADFILE) { - dataSize = (int)XFWRITE((BYTE*)&cmdOut.makeCred.credentialBlob, 1, - sizeof(cmdOut.makeCred.credentialBlob), fp); + dataSize = (int)XFWRITE((BYTE*)&makeCredOut.credentialBlob, 1, + sizeof(makeCredOut.credentialBlob), fp); if (dataSize > 0) { - dataSize += (int)XFWRITE((BYTE*)&cmdOut.makeCred.secret, 1, - sizeof(cmdOut.makeCred.secret), fp); + dataSize += (int)XFWRITE((BYTE*)&makeCredOut.secret, 1, + sizeof(makeCredOut.secret), fp); } XFCLOSE(fp); } 
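Review bot: `makeCredIn.objectName.size = name.size;` followed by `XMEMCPY(makeCredIn.objectName.name, name.name, makeCredIn.objectName.size);` copies a length taken from the `ak.name` file read in the previous hunk without bounding it, so a corrupt or oversized file can drive the copy past both `name.name` and `objectName.name`. A guard before the copy, `if (name.size > sizeof(makeCredIn.objectName.name)) { rc = BUFFER_E; goto exit; }`, keeps file content from controlling the memcpy length. The added `Secret:` print writes the freshly generated credential secret to stdout, which is acceptable for a demo but deserves a comment since it is the value the blob protects. The function continues on both sides of the hunk.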
diff --git a/examples/keygen/keygen.c b/examples/keygen/keygen.c index d20ed223..7a7b6f5d 100644 --- a/examples/keygen/keygen.c +++ b/examples/keygen/keygen.c @@ -141,7 +141,6 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_RSA) const char *pemFilename = NULL; #endif - FILE *fp; #endif size_t len = 0; char symMode[] = "aesctr"; @@ -251,20 +250,26 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_StartSession(&dev, &tpmSession, primary, NULL, TPM_SE_HMAC, paramEncAlg); if (rc != 0) goto exit; - printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", + printf("HMAC Session: Handle 0x%x\n", (word32)tpmSession.handle.hndl); /* set session for authorization of the primary key */ rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, - (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession)); + (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | + TPMA_SESSION_continueSession)); if (rc != 0) goto exit; } if (endorseKey) { /* Endorsement Key requires authorization with Policy */ - wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession); + rc = wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession); + if (rc != 0) goto exit; + printf("EK Policy Session: Handle 0x%x\n", + (word32)tpmSession.handle.hndl); + /* Set the created Policy Session for use in next operation */ - wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0); + rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0); + if (rc != 0) goto exit; } /* Create new key */ @@ -285,6 +290,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) else { rc = BAD_FUNC_ARG; } + if (rc != 0) goto exit; /* set session for authorization key */ auth.size = (int)sizeof(gAiKeyAuth)-1; 
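Review bot: The HMAC parameter-encryption session (index 1) and the EK policy session (index 0) are both stored in the single `tpmSession` variable, so if `-eh` can be combined with a parameter-encryption option, `wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession)` overwrites the HMAC session's handle, that session is never flushed, and the single `wolfTPM2_UnloadHandle(&dev, &tpmSession.handle)` the later hunk installs at the end of the function can only release the policy session. I cannot see whether the argument parser allows both options together; if it does, a second session variable (or rejecting the combination) is needed, and the same concern applies to the re-created policy session in the `@@ -341` hunk. The function continues beyond the hunk on both sides.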
@@ -341,11 +347,25 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) printf("wolfTPM2_CreateKey failed\n"); goto exit; } + if (endorseKey) { + /* Endorsement policy session is closed after use, so start another */ + rc = wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession); + if (rc == 0) { + rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0); + } + if (rc != 0) goto exit; + } rc = wolfTPM2_LoadKey(&dev, &newKeyBlob, &primary->handle); if (rc != TPM_RC_SUCCESS) { printf("wolfTPM2_LoadKey failed\n"); goto exit; } + if (endorseKey) { + /* The policy session is closed after use. + * Reset handle, so we don't try and free it */ + tpmSession.handle.hndl = TPM_RH_NULL; + } + printf("New key created and loaded (pub %d, priv %d bytes)\n", newKeyBlob.pub.size, newKeyBlob.priv.size); @@ -357,14 +377,13 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) /* Store primary public key */ XMEMCPY(&primaryBlob.pub, &primary->pub, sizeof(primaryBlob.pub)); rc |= writeKeyBlob(pubFilename, &primaryBlob); + /* Write AK's Name digest */ - fp = XFOPEN(nameFile, "wb"); - if (fp != XBADFILE) { - XFWRITE((BYTE*)&newKeyBlob.name, 1, sizeof(newKeyBlob.name), fp); - printf("Wrote AK Name digest\n"); - XFCLOSE(fp); - } + rc |= writeBin(nameFile, (byte*)&newKeyBlob.handle.name, + sizeof(newKeyBlob.handle.name)); + printf("Wrote AK Name digest\n"); } + if (rc != TPM_RC_SUCCESS) goto exit; #else if (alg == TPM_ALG_SYMCIPHER) { printf("The Public Part of a symmetric key contains only meta data\n"); @@ -421,10 +440,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) /* Close handles */ wolfTPM2_UnloadHandle(&dev, &primary->handle); wolfTPM2_UnloadHandle(&dev, &newKeyBlob.handle); - /* EK policy is destroyed after use, flush parameter encryption session */ - if (paramEncAlg != TPM_ALG_NULL && !endorseKey) { - wolfTPM2_UnloadHandle(&dev, &tpmSession.handle); - } + wolfTPM2_UnloadHandle(&dev, &tpmSession.handle); wolfTPM2_Cleanup(&dev); return rc; 
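Review bot: `printf("Wrote AK Name digest\n");` now prints unconditionally, whereas the removed XFOPEN block printed it only after a successful write, and `rc |= writeBin(...)` ORs a second return code into `rc` so a non-zero value reaching `exit` is no longer a single meaningful code. Checking the call directly keeps both properties: `rc = writeBin(nameFile, (byte*)&newKeyBlob.handle.name, sizeof(newKeyBlob.handle.name)); if (rc == 0) printf("Wrote AK Name digest\n");` (the preceding `rc |= writeKeyBlob` has the same shape). The unconditional `wolfTPM2_UnloadHandle(&dev, &tpmSession.handle)` in the last hunk assumes `tpmSession.handle.hndl` is TPM_RH_NULL or zero whenever no session is active; the `-eh` path resets it, but the other paths depend on how `tpmSession` is initialized outside the hunk. TPM2_Keygen_Example continues outside these hunks.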
diff --git a/examples/native/native_test.c b/examples/native/native_test.c index 0fa00bca..e471bf05 100644 --- a/examples/native/native_test.c +++ b/examples/native/native_test.c @@ -162,13 +162,6 @@ int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[]) #endif TPM2B_PUBLIC_KEY_RSA message; -#ifndef WOLFTPM2_NO_WOLFCRYPT - byte pcr[TPM_SHA256_DIGEST_SIZE]; - int pcr_len = TPM_SHA256_DIGEST_SIZE; - byte hash[TPM_SHA256_DIGEST_SIZE]; - int hash_len = TPM_SHA256_DIGEST_SIZE; -#endif - TpmRsaKey endorse; TpmRsaKey storage; TpmHmacKey hmacKey; @@ -564,18 +557,9 @@ int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[]) (int)cmdOut.pcrRead.pcrValues.digests[0].size, (int)cmdOut.pcrRead.pcrUpdateCounter); TPM2_PrintBin(cmdOut.pcrRead.pcrValues.digests[0].buffer, - cmdOut.pcrRead.pcrValues.digests[0].size); + cmdOut.pcrRead.pcrValues.digests[0].size); #ifndef WOLFTPM2_NO_WOLFCRYPT - /* Hash SHA256 PCR[0] */ - rc = wc_Hash(WC_HASH_TYPE_SHA256, pcr, pcr_len, hash, hash_len); - if (rc < 0) { - printf("wc_Hash failed 0x%x: %s\n", rc, TPM2_GetRCString(rc)); - goto exit; - } - printf("wc_Hash of PCR[0]: size %d\n", hash_len); - TPM2_PrintBin(hash, hash_len); - /* Set Auth Session index 0 */ session[0].sessionHandle = sessionHandle; session[0].sessionAttributes = (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | 
@@ -587,18 +571,17 @@ int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[]) session[0].nonceCaller.size = TPM2_GetHashDigestSize(WOLFTPM2_WRAP_DIGEST); session[0].auth = sessionAuth; - /* Policy PCR */ + /* Policy PCR (Get) */ pcrIndex = 0; XMEMSET(&cmdIn.policyPCR, 0, sizeof(cmdIn.policyPCR)); cmdIn.policyPCR.policySession = sessionHandle; - cmdIn.policyPCR.pcrDigest.size = hash_len; - XMEMCPY(cmdIn.policyPCR.pcrDigest.buffer, hash, hash_len); + cmdIn.policyPCR.pcrDigest.size = 0; TPM2_SetupPCRSel(&cmdIn.policyPCR.pcrs, TPM_ALG_SHA1, pcrIndex); rc = TPM2_PolicyPCR(&cmdIn.policyPCR); if (rc != TPM_RC_SUCCESS) { printf("TPM2_PolicyPCR failed 0x%x: %s\n", rc, TPM2_GetRCString(rc)); - //goto exit; /* TODO: Fix failure on TPM2_PolicyPCR */ + goto exit; } else { printf("TPM2_PolicyPCR: Updated\n"); diff --git a/examples/pcr/policy.c b/examples/pcr/policy.c index e8d5b969..dc796084 100644 --- a/examples/pcr/policy.c +++ b/examples/pcr/policy.c @@ -154,7 +154,6 @@ int TPM2_PCR_Policy_Test(void* userCtx, int argc, char *argv[]) XMEMCPY(cmdIn.pcrPolicy.pcrDigest.buffer, digest, digestLen); } TPM2_SetupPCRSel(&cmdIn.pcrPolicy.pcrs, TPM_ALG_SHA256, pcrIndex); - //TPM2_SetupPCRSel(&cmdIn.pcrPolicy.pcrs, TPM_ALG_SHA384, pcrIndex); rc = TPM2_PolicyPCR(&cmdIn.pcrPolicy); if (rc != TPM_RC_SUCCESS) { printf("TPM2_PolicyPCR failed 0x%x: %s\n", rc, diff --git a/examples/run_examples.sh b/examples/run_examples.sh index 693c40bd..8f4ba757 100755 --- a/examples/run_examples.sh +++ b/examples/run_examples.sh @@ -39,7 +39,7 @@ fi # Key Generation Tests -echo -e "Ken Generation Tests" +echo -e "Key Generation Tests" ./examples/keygen/keygen keyblob.bin -rsa >> run.out RESULT=$? [ $RESULT -ne 0 ] && echo -e "keygen rsa failed! $RESULT" && exit 1 
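Review bot: `cmdIn.policyPCR.pcrDigest.size = 0;` changes what the policy asserts rather than only fixing the failing call: with an empty `pcrDigest` the TPM does not compare against an expected digest and just extends the policy with the current PCR values, so the `TPM2_PolicyPCR: Updated` path no longer checks anything about the contents of PCR[0]. The comment `/* Policy PCR (Get) */` should say so, e.g. `/* Policy PCR: empty pcrDigest binds the policy to the current PCR values without comparing against an expected digest */`. The selection also uses TPM_ALG_SHA1 while the code removed in the earlier hunk worked with SHA256-sized digests; if that is deliberate it deserves a one-line comment. The function continues outside the hunk.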
@@ -99,9 +99,22 @@ RESULT=$? rm -f keyedhashblob.bin [ $RESULT -ne 0 ] && echo -e "keygen keyed hash load failed! $RESULT" && exit 1 -# KeyGen Endorsement with Policy Secret -# TODO Fix: (TPM2_Create TPM_RC_AUTH_UNAVAILABLE) -#./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh >> run.out +if [ $WOLFCRYPT_ENABLE -eq 1 ]; then + # KeyGen under Endorsement + ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh >> run.out + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1 + ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> run.out + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa failed! $RESULT" && exit 1 + + ./examples/keygen/keygen ecckeyblobeh.bin -ecc -eh >> run.out + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1 + ./examples/keygen/keyload ecckeyblobeh.bin -ecc -eh >> run.out + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1 +fi # NV Tests @@ -190,12 +203,14 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]] echo -e "TLS test (TPM as client) $1 $2" generate_port pushd $WOLFSSL_PATH >> run.out + echo -e "./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem" ./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out & RESULT=$? [ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1 popd >> run.out sleep 0.1 + echo -e "./examples/tls/tls_client -p=$port -$1 $2" ./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out RESULT=$? [ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1 
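Review bot: The two ECC checks in the new `-eh` block reuse the RSA failure messages: the `keygen ecckeyblobeh.bin -ecc -eh` and `keyload ecckeyblobeh.bin -ecc -eh` lines both report `"keygen endorsement rsa failed! $RESULT"`, so a failure there would be attributed to the wrong test. They should read `"keygen endorsement ecc failed! $RESULT"` and `"keyload endorsement ecc failed! $RESULT"`. The block also leaves `rsakeyblobeh.bin` and `ecckeyblobeh.bin` behind, unlike the attestation block added later in the same file, which removes its artifacts with `rm -f`.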
@@ -268,15 +283,33 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then [ $RESULT -ne 0 ] && echo -e "signed_timestamp ecc param enc failed! $RESULT" && exit 1 fi -./examples/attestation/make_credential >> run.out -RESULT=$? -[ $RESULT -ne 0 ] && echo -e "make_credential failed! $RESULT" && exit 1 -# TODO: Requires keygen -ek to be working -#./examples/attestation/make_credential -eh >> run.out -# TODO: Test broken (TPM2_ActivateCredentials TPM_RC_INTEGRITY) -#./examples/attestation/activate_credential >> run.out -#./examples/attestation/activate_credential -eh >> run.out +if [ $WOLFCRYPT_ENABLE -eq 1 ]; then + ./examples/keygen/keygen keyblob.bin -rsa >> run.out + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keygen rsa failed! $RESULT" && exit 1 + ./examples/attestation/make_credential >> run.out + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "make_credential failed! $RESULT" && exit 1 + ./examples/attestation/activate_credential >> run.out + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "activate_credential failed! $RESULT" && exit 1 + + # Endorsement hierarchy + ./examples/keygen/keygen keyblob.bin -rsa -eh >> run.out + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keygen rsa endorsement failed! $RESULT" && exit 1 + ./examples/attestation/make_credential -eh >> run.out + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "make_credential endorsement failed! $RESULT" && exit 1 + ./examples/attestation/activate_credential -eh >> run.out + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "activate_credential endorsement failed! $RESULT" && exit 1 + rm -f cred.blob + rm -f ek.pub + rm -f srk.pub + rm -f ak.name +fi # PCR Quote Tests echo -e "PCR Quote tests" @@ -457,6 +490,7 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then rm -f aaa.bin fi +rm -f keyblob.bin echo -e "Success!" exit 0 diff --git a/src/tpm2.c b/src/tpm2.c index 2ec9f847..75f7ec70 100644 --- a/src/tpm2.c +++ b/src/tpm2.c 
@@ -5540,7 +5540,7 @@ const char* TPM2_GetRCString(int rc) /* for negative return codes use wolfCrypt */ if (rc < 0) { switch (rc) { - TPM_RC_STR(TPM_RC_TIMEOUT, "Hardware timeout"); + TPM_RC_STR(TPM_RC_TIMEOUT, "Hardware timeout"); default: break; } 
@@ -5555,127 +5555,173 @@ const char* TPM2_GetRCString(int rc) #else switch (rc) { /* copy of the error code strings from wolfCrypt */ - TPM_RC_STR(BAD_FUNC_ARG, "Bad function argument"); - TPM_RC_STR(BUFFER_E, "Buffer error, output too small or input too big"); - TPM_RC_STR(NOT_COMPILED_IN, "Feature not compiled in"); - TPM_RC_STR(BAD_MUTEX_E, "Bad mutex, operation failed"); - TPM_RC_STR(WC_TIMEOUT_E, "Timeout error"); + TPM_RC_STR(BAD_FUNC_ARG, "Bad function argument"); + TPM_RC_STR(BUFFER_E, "Buffer error, output too small or input too big"); + TPM_RC_STR(NOT_COMPILED_IN, "Feature not compiled in"); + TPM_RC_STR(BAD_MUTEX_E, "Bad mutex, operation failed"); + TPM_RC_STR(MEMORY_E, "Out of memory error"); + TPM_RC_STR(LENGTH_ONLY_E, "Output length only set, not for other use error"); + TPM_RC_STR(WC_TIMEOUT_E, "Timeout error"); + default: break; } #endif } - else if (rc == 0) { + else if (rc == TPM_RC_SUCCESS) { return "Success"; } - if (rc & RC_VER1) { + if ((rc & RC_WARN) && (rc & RC_FMT1) == 0) { + int rc_warn = rc & RC_MAX_WARN; + + switch (rc_warn) { + TPM_RC_STR(TPM_RC_CONTEXT_GAP, "Gap for context ID is too large"); + TPM_RC_STR(TPM_RC_OBJECT_MEMORY, "Out of memory for object contexts"); + TPM_RC_STR(TPM_RC_SESSION_MEMORY, "Out of memory for session contexts"); + TPM_RC_STR(TPM_RC_MEMORY, "Out of shared object/session memory or need space for internal operations"); + TPM_RC_STR(TPM_RC_SESSION_HANDLES, "Out of session handles; a session must be flushed before a new session may be created"); + TPM_RC_STR(TPM_RC_OBJECT_HANDLES, "Out of object handles"); + TPM_RC_STR(TPM_RC_LOCALITY, "Bad locality"); + TPM_RC_STR(TPM_RC_YIELDED, "The TPM has suspended operation on the command"); + TPM_RC_STR(TPM_RC_CANCELED, "The command was canceled"); + TPM_RC_STR(TPM_RC_TESTING, "TPM is performing self-tests"); + TPM_RC_STR(TPM_RC_NV_RATE, "The TPM is rate-limiting accesses to prevent wearout of NV"); + TPM_RC_STR(TPM_RC_LOCKOUT, "Authorizations for objects subject to DA 
protection are not allowed at " + "this time because the TPM is in DA lockout mode"); + TPM_RC_STR(TPM_RC_RETRY, "The TPM was not able to start the command"); + TPM_RC_STR(TPM_RC_NV_UNAVAILABLE, "The command may require writing of NV and NV is not current accessible"); + TPM_RC_STR(TPM_RC_NOT_USED, "This value is reserved and shall not be returned by the TPM"); + default: + break; + } + } + + else if ((rc & RC_VER1) && (rc & RC_FMT1) == 0) { int rc_fm0 = rc & RC_MAX_FM0; switch (rc_fm0) { - TPM_RC_STR(TPM_RC_SUCCESS, "Success"); - TPM_RC_STR(TPM_RC_BAD_TAG, "Bad Tag"); - TPM_RC_STR(TPM_RC_INITIALIZE, "TPM not initialized by TPM2_Startup or already initialized"); - TPM_RC_STR(TPM_RC_FAILURE, "Commands not being accepted because of a TPM failure"); - TPM_RC_STR(TPM_RC_SEQUENCE, "Improper use of a sequence handle"); - TPM_RC_STR(TPM_RC_DISABLED, "The command is disabled"); - TPM_RC_STR(TPM_RC_EXCLUSIVE, "Command failed because audit sequence required exclusivity"); - TPM_RC_STR(TPM_RC_AUTH_TYPE, "Authorization handle is not correct for command"); - TPM_RC_STR(TPM_RC_AUTH_MISSING, "Command requires an authorization session for handle and it is not present"); - TPM_RC_STR(TPM_RC_POLICY, "Policy failure in math operation or an invalid authPolicy value"); - TPM_RC_STR(TPM_RC_PCR, "PCR check fail"); - TPM_RC_STR(TPM_RC_PCR_CHANGED, "PCR have changed since checked"); - TPM_RC_STR(TPM_RC_UPGRADE, "Indicates that the TPM is in field upgrade mode"); + TPM_RC_STR(TPM_RC_BAD_TAG, "Bad Tag"); + TPM_RC_STR(TPM_RC_INITIALIZE, "TPM not initialized by TPM2_Startup or already initialized"); + TPM_RC_STR(TPM_RC_FAILURE, "Commands not being accepted because of a TPM failure"); + TPM_RC_STR(TPM_RC_SEQUENCE, "Improper use of a sequence handle"); + TPM_RC_STR(TPM_RC_DISABLED, "The command is disabled"); + TPM_RC_STR(TPM_RC_EXCLUSIVE, "Command failed because audit sequence required exclusivity"); + TPM_RC_STR(TPM_RC_AUTH_TYPE, "Authorization handle is not correct for command"); + 
TPM_RC_STR(TPM_RC_AUTH_MISSING, "Command requires an authorization session for handle and it is not present"); + TPM_RC_STR(TPM_RC_POLICY, "Policy failure in math operation or an invalid authPolicy value"); + TPM_RC_STR(TPM_RC_PCR, "PCR check fail"); + TPM_RC_STR(TPM_RC_PCR_CHANGED, "PCR have changed since checked"); + TPM_RC_STR(TPM_RC_UPGRADE, "Indicates that the TPM is in field upgrade mode"); TPM_RC_STR(TPM_RC_TOO_MANY_CONTEXTS, "Context ID counter is at maximum"); - TPM_RC_STR(TPM_RC_AUTH_UNAVAILABLE, "The authValue or authPolicy is not available for selected entity"); - TPM_RC_STR(TPM_RC_REBOOT, "A _TPM_Init and Startup(CLEAR) is required before the TPM can resume operation"); - TPM_RC_STR(TPM_RC_UNBALANCED, "The protection algorithms (hash and symmetric) are not reasonably balanced"); - TPM_RC_STR(TPM_RC_COMMAND_SIZE, "Command commandSize value is inconsistent with contents of the command buffer"); - TPM_RC_STR(TPM_RC_COMMAND_CODE, "Command code not supported"); - TPM_RC_STR(TPM_RC_AUTHSIZE, "The value of authorizationSize is out of range or the number of octets in the Authorization Area is greater than required"); - TPM_RC_STR(TPM_RC_AUTH_CONTEXT, "Use of an authorization session with a context command or another command that cannot have an authorization session"); - TPM_RC_STR(TPM_RC_NV_RANGE, "NV offset+size is out of range"); - TPM_RC_STR(TPM_RC_NV_SIZE, "Requested allocation size is larger than allowed"); - TPM_RC_STR(TPM_RC_NV_LOCKED, "NV access locked"); - TPM_RC_STR(TPM_RC_NV_AUTHORIZATION, "NV access authorization fails in command actions"); - TPM_RC_STR(TPM_RC_NV_UNINITIALIZED, "An NV Index is used before being initialized or the state saved by TPM2_Shutdown(STATE) could not be restored"); - TPM_RC_STR(TPM_RC_NV_SPACE, "Insufficient space for NV allocation"); - TPM_RC_STR(TPM_RC_NV_DEFINED, "NV Index or persistent object already defined"); - TPM_RC_STR(TPM_RC_BAD_CONTEXT, "Context in TPM2_ContextLoad() is not valid"); - TPM_RC_STR(TPM_RC_CPHASH, 
"The cpHash value already set or not correct for use"); - TPM_RC_STR(TPM_RC_PARENT, "Handle for parent is not a valid parent"); - TPM_RC_STR(TPM_RC_NEEDS_TEST, "Some function needs testing"); - TPM_RC_STR(TPM_RC_NO_RESULT, "Cannot process a request due to an unspecified problem"); - TPM_RC_STR(TPM_RC_SENSITIVE, "The sensitive area did not unmarshal correctly after decryption"); + TPM_RC_STR(TPM_RC_AUTH_UNAVAILABLE, "The authValue or authPolicy is not available for selected entity"); + TPM_RC_STR(TPM_RC_REBOOT, "A _TPM_Init and Startup(CLEAR) is required before the TPM can resume operation"); + TPM_RC_STR(TPM_RC_UNBALANCED, "The protection algorithms (hash and symmetric) are not reasonably balanced"); + TPM_RC_STR(TPM_RC_COMMAND_SIZE, "Command commandSize value is inconsistent with contents of the command buffer"); + TPM_RC_STR(TPM_RC_COMMAND_CODE, "Command code not supported"); + TPM_RC_STR(TPM_RC_AUTHSIZE, "The value of authorizationSize is out of range or the number of octets " + "in the Authorization Area is greater than required"); + TPM_RC_STR(TPM_RC_AUTH_CONTEXT, "Use of an authorization session with a context command or another command " + "that cannot have an authorization session"); + TPM_RC_STR(TPM_RC_NV_RANGE, "NV offset+size is out of range"); + TPM_RC_STR(TPM_RC_NV_SIZE, "Requested allocation size is larger than allowed"); + TPM_RC_STR(TPM_RC_NV_LOCKED, "NV access locked"); + TPM_RC_STR(TPM_RC_NV_AUTHORIZATION, "NV access authorization fails in command actions"); + TPM_RC_STR(TPM_RC_NV_UNINITIALIZED, "An NV Index is used before being initialized or the state saved by " + "TPM2_Shutdown(STATE) could not be restored"); + TPM_RC_STR(TPM_RC_NV_SPACE, "Insufficient space for NV allocation"); + TPM_RC_STR(TPM_RC_NV_DEFINED, "NV Index or persistent object already defined"); + TPM_RC_STR(TPM_RC_BAD_CONTEXT, "Context in TPM2_ContextLoad() is not valid"); + TPM_RC_STR(TPM_RC_CPHASH, "The cpHash value already set or not correct for use"); + 
             TPM_RC_STR(TPM_RC_PARENT, "Handle for parent is not a valid parent");
+            TPM_RC_STR(TPM_RC_NEEDS_TEST, "Some function needs testing");
+            TPM_RC_STR(TPM_RC_NO_RESULT, "Cannot process a request due to an unspecified problem");
+            TPM_RC_STR(TPM_RC_SENSITIVE, "The sensitive area did not unmarshal correctly after decryption");
             default:
                 break;
         }
     }
-    if (rc & RC_FMT1) {
+    /* Format-One Response Codes */
+    else if (rc & RC_FMT1) {
         int rc_fmt1 = rc & RC_MAX_FMT1;
+        /* Bits:
+         *   0-5: Error Number
+         *   6: 1=Parameter Number, 0=Session or Handle
+         *   7: Format selector
+         *   8-11: Number of handle, session or parameter
+         *   11: 1=Handle
+         */
+        if (rc & 0x40) { /* bit 6 */
+            /* bits 8-11 */
+            int param_num = (rc & 0xF00) >> 8;
+        #ifdef DEBUG_WOLFTPM
+            printf("Error: Parameter Number %d\n", param_num);
+        #endif
+            (void)param_num;
+        }
+        else if (rc & 0x800) { /* bit 11 */
+            /* bits 8-10 */
+            int session_num = (rc & 0x700) >> 8;
+        #ifdef DEBUG_WOLFTPM
+            printf("Error: Session Number %d\n", session_num);
+        #endif
+            (void)session_num;
+        }
+        else {
+            /* bits 8-10 */
+            int handle_num = (rc & 0x700) >> 8;
+        #ifdef DEBUG_WOLFTPM
+            printf("Error: Handle Number %d\n", handle_num);
+        #endif
+            (void)handle_num;
+        }
+        switch (rc_fmt1) {
-            TPM_RC_STR(TPM_RC_ASYMMETRIC, "Asymmetric algorithm not supported or not correct");
-            TPM_RC_STR(TPM_RC_ATTRIBUTES, "Inconsistent attributes");
-            TPM_RC_STR(TPM_RC_HASH, "Hash algorithm not supported or not appropriate");
-            TPM_RC_STR(TPM_RC_VALUE, "Value is out of range or is not correct for the context");
-            TPM_RC_STR(TPM_RC_HIERARCHY, "Hierarchy is not enabled or is not correct for the use");
-            TPM_RC_STR(TPM_RC_KEY_SIZE, "Key size is not supported");
-            TPM_RC_STR(TPM_RC_MGF, "Mask generation function not supported");
-            TPM_RC_STR(TPM_RC_MODE, "Mode of operation not supported");
-            TPM_RC_STR(TPM_RC_TYPE, "The type of the value is not appropriate for the use");
-            TPM_RC_STR(TPM_RC_HANDLE, "The handle is not correct for the use");
-            TPM_RC_STR(TPM_RC_KDF, "Unsupported key derivation function or function not appropriate for use");
-            TPM_RC_STR(TPM_RC_RANGE, "Value was out of allowed range");
-            TPM_RC_STR(TPM_RC_AUTH_FAIL, "The authorization HMAC check failed and DA counter incremented");
-            TPM_RC_STR(TPM_RC_NONCE, "Invalid nonce size or nonce value mismatch");
-            TPM_RC_STR(TPM_RC_PP, "Authorization requires assertion of PP");
-            TPM_RC_STR(TPM_RC_SCHEME, "Unsupported or incompatible scheme");
-            TPM_RC_STR(TPM_RC_SIZE, "Structure is the wrong size");
-            TPM_RC_STR(TPM_RC_SYMMETRIC, "Unsupported symmetric algorithm or key size, or not appropriate for instance");
-            TPM_RC_STR(TPM_RC_TAG, "Incorrect structure tag");
-            TPM_RC_STR(TPM_RC_SELECTOR, "Union selector is incorrect");
-            TPM_RC_STR(TPM_RC_INSUFFICIENT, "The TPM was unable to unmarshal a value because there were not enough octets in the input buffer");
-            TPM_RC_STR(TPM_RC_SIGNATURE, "The signature is not valid");
-            TPM_RC_STR(TPM_RC_KEY, "Key fields are not compatible with the selected use");
-            TPM_RC_STR(TPM_RC_POLICY_FAIL, "A policy check failed");
-            TPM_RC_STR(TPM_RC_INTEGRITY, "Integrity check failed");
-            TPM_RC_STR(TPM_RC_TICKET, "Invalid ticket");
-            TPM_RC_STR(TPM_RC_RESERVED_BITS, "Reserved bits not set to zero as required");
-            TPM_RC_STR(TPM_RC_BAD_AUTH, "Authorization failure without DA implications");
-            TPM_RC_STR(TPM_RC_EXPIRED, "The policy has expired");
-            TPM_RC_STR(TPM_RC_POLICY_CC, "The commandCode in the policy is not the commandCode of the command or the command code in a policy command references a command that is not implemented");
-            TPM_RC_STR(TPM_RC_BINDING, "Public and sensitive portions of an object are not cryptographically bound");
-            TPM_RC_STR(TPM_RC_CURVE, "Curve not supported");
-            TPM_RC_STR(TPM_RC_ECC_POINT, "Point is not on the required curve");
+            TPM_RC_STR(TPM_RC_ASYMMETRIC, "Asymmetric algorithm not supported or not correct");
+            TPM_RC_STR(TPM_RC_ATTRIBUTES, "Inconsistent attributes");
+            TPM_RC_STR(TPM_RC_HASH, "Hash algorithm not supported or not appropriate");
+            TPM_RC_STR(TPM_RC_VALUE, "Value is out of range or is not correct for the context");
+            TPM_RC_STR(TPM_RC_HIERARCHY, "Hierarchy is not enabled or is not correct for the use");
+            TPM_RC_STR(TPM_RC_KEY_SIZE, "Key size is not supported");
+            TPM_RC_STR(TPM_RC_MGF, "Mask generation function not supported");
+            TPM_RC_STR(TPM_RC_MODE, "Mode of operation not supported");
+            TPM_RC_STR(TPM_RC_TYPE, "The type of the value is not appropriate for the use");
+            TPM_RC_STR(TPM_RC_HANDLE, "The handle is not correct for the use");
+            TPM_RC_STR(TPM_RC_KDF, "Unsupported key derivation function or function not appropriate for use");
+            TPM_RC_STR(TPM_RC_RANGE, "Value was out of allowed range");
+            TPM_RC_STR(TPM_RC_AUTH_FAIL, "The authorization HMAC check failed and DA counter incremented");
+            TPM_RC_STR(TPM_RC_NONCE, "Invalid nonce size or nonce value mismatch");
+            TPM_RC_STR(TPM_RC_PP, "Authorization requires assertion of PP");
+            TPM_RC_STR(TPM_RC_SCHEME, "Unsupported or incompatible scheme");
+            TPM_RC_STR(TPM_RC_SIZE, "Structure is the wrong size");
+            TPM_RC_STR(TPM_RC_SYMMETRIC, "Unsupported symmetric algorithm or key size, or not appropriate for instance");
+            TPM_RC_STR(TPM_RC_TAG, "Incorrect structure tag");
+            TPM_RC_STR(TPM_RC_SELECTOR, "Union selector is incorrect");
+            TPM_RC_STR(TPM_RC_INSUFFICIENT, "The TPM was unable to unmarshal a value because there were not enough "
+                "octets in the input buffer");
+            TPM_RC_STR(TPM_RC_SIGNATURE, "The signature is not valid");
+            TPM_RC_STR(TPM_RC_KEY, "Key fields are not compatible with the selected use");
+            TPM_RC_STR(TPM_RC_POLICY_FAIL, "A policy check failed");
+            TPM_RC_STR(TPM_RC_INTEGRITY, "Integrity check failed");
+            TPM_RC_STR(TPM_RC_TICKET, "Invalid ticket");
+            TPM_RC_STR(TPM_RC_RESERVED_BITS, "Reserved bits not set to zero as required");
+            TPM_RC_STR(TPM_RC_BAD_AUTH, "Authorization failure without DA implications");
+            TPM_RC_STR(TPM_RC_EXPIRED, "The policy has expired");
+            TPM_RC_STR(TPM_RC_POLICY_CC, "The commandCode in the policy is not the commandCode of the command or "
+                "the command code in a policy command references a command that is "
+                "not implemented");
+            TPM_RC_STR(TPM_RC_BINDING, "Public and sensitive portions of an object are not cryptographically bound");
+            TPM_RC_STR(TPM_RC_CURVE, "Curve not supported");
+            TPM_RC_STR(TPM_RC_ECC_POINT, "Point is not on the required curve");
             default:
                 break;
         }
     }
-    if (rc & RC_WARN) {
-        int rc_warn = rc & RC_MAX_WARN;
-
-        switch (rc_warn) {
-            TPM_RC_STR(TPM_RC_CONTEXT_GAP, "Gap for context ID is too large");
-            TPM_RC_STR(TPM_RC_OBJECT_MEMORY, "Out of memory for object contexts");
-            TPM_RC_STR(TPM_RC_SESSION_MEMORY, "Out of memory for session contexts");
-            TPM_RC_STR(TPM_RC_MEMORY, "Out of shared object/session memory or need space for internal operations");
-            TPM_RC_STR(TPM_RC_SESSION_HANDLES, "Out of session handles; a session must be flushed before a new session may be created");
-            TPM_RC_STR(TPM_RC_OBJECT_HANDLES, "Out of object handles");
-            TPM_RC_STR(TPM_RC_LOCALITY, "Bad locality");
-            TPM_RC_STR(TPM_RC_YIELDED, "The TPM has suspended operation on the command");
-            TPM_RC_STR(TPM_RC_CANCELED, "The command was canceled");
-            TPM_RC_STR(TPM_RC_TESTING, "TPM is performing self-tests");
-            TPM_RC_STR(TPM_RC_NV_RATE, "The TPM is rate-limiting accesses to prevent wearout of NV");
-            TPM_RC_STR(TPM_RC_LOCKOUT, "Authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode");
-            TPM_RC_STR(TPM_RC_RETRY, "The TPM was not able to start the command");
-            TPM_RC_STR(TPM_RC_NV_UNAVAILABLE, "The command may require writing of NV and NV is not current accessible");
-            TPM_RC_STR(TPM_RC_NOT_USED, "This value is reserved and shall not be returned by the TPM");
-            default:
-                break;
-        }
+    else if (rc & 0x400) { /* bit 10 */
+        return "Vendor defined response code";
     }
     return "Unknown";
diff --git a/src/tpm2_packet.c b/src/tpm2_packet.c
index 39eb74d2..ac2a8cc5 100644
--- a/src/tpm2_packet.c
+++ b/src/tpm2_packet.c
@@ -330,6 +330,12 @@ int TPM2_GetCmdAuthCount(TPM2_CTX* ctx, const CmdInfo_t* info)
             (sessionAttributes & TPMA_SESSION_audit)) authSessCount++;
         }
+
+        /* Allow policy auth */
+        else if (authReq && TPM2_IS_POLICY_SESSION(sessionHandle) &&
+            sessionAttributes == 0) {
+            authSessCount++;
+        }
         else if (!authReq) {
             /* we cannot accept further authentications */
             break;
diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
index c2b95ea4..d2257dd3 100644
--- a/src/tpm2_wrap.c
+++ b/src/tpm2_wrap.c
@@ -822,11 +822,18 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
 {
     const TPM2B_AUTH* auth = NULL;
     const TPM2B_NAME* name = NULL;
-    /* don't set auth for policy session */
-    if (dev->ctx.session == NULL || handle->policyAuth) {
-        return 0;
+    if (dev == NULL || index >= MAX_SESSION_NUM) {
+        return BAD_FUNC_ARG;
     }
+    if (handle) {
+        /* don't set auth for policy session, just name */
+        if (handle->policyAuth) {
+            TPM2_AUTH_SESSION* session = &dev->session[index];
+            session->name.size = handle->name.size;
+            XMEMCPY(session->name.name, handle->name.name, handle->name.size);
+            return TPM_RC_SUCCESS;
+        }
         auth = &handle->auth;
         name = &handle->name;
     }
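Review bot: The new branch in TPM2_GetCmdAuthCount counts a policy session only when `sessionAttributes == 0`, so a policy session that also carries `TPMA_SESSION_continueSession` (the usual way a policy session is kept alive across commands) is not counted and instead drops into the `else if (!authReq)` path below. If that is not intended, test the bits that matter rather than the whole word, e.g. `(sessionAttributes & (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_audit)) == 0`. The added blank line between the closing `}` and the new `else if` also reads as the start of a new statement; keeping `else if` directly after the brace matches the `else if (!authReq)` that follows. The enclosing loop and function start outside the hunk, so the counting rules applied before this point are not visible here.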
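Review bot: The new guard in wolfTPM2_SetAuthHandle rejects `index >= MAX_SESSION_NUM` but not a negative `index`, and `index` is an `int`, so `&dev->session[index]` on the policy path can still address memory before the array; use `if (dev == NULL || index < 0 || index >= MAX_SESSION_NUM) {`. On the same path `XMEMCPY(session->name.name, handle->name.name, handle->name.size);` copies `handle->name.size` bytes without checking it against the destination, and a handle name can come from a key blob the examples read from disk, so a corrupted size overruns `session->name`; add `if (handle->name.size > sizeof(session->name.name)) return BAD_FUNC_ARG;` before the copy (assuming `name` is an inline array, as the TPM2B types are). The removed `dev->ctx.session == NULL` early return also means the function now continues when no session is configured; presumably the code after the hunk copes with that, but it is worth confirming. The rest of the function is outside the hunk.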
@@ -892,12 +899,14 @@ int wolfTPM2_SetAuthSession(WOLFTPM2_DEV* dev, int index,
         XMEMCPY(session->nonceTPM.buffer, tpmSession->nonceTPM.buffer, session->nonceTPM.size);
-        /* Parameter Encryption session will have an hmac added later.
+        /* Parameter Encryption or Policy session will have an HMAC added later.
          * Reserve space, the same way it was done for nonceCaller above. */
-        if (session->sessionHandle != TPM_RS_PW &&
-            ((session->sessionAttributes & TPMA_SESSION_encrypt) ||
-            (session->sessionAttributes & TPMA_SESSION_decrypt))) {
+        if ((session->sessionHandle != TPM_RS_PW &&
+            ((session->sessionAttributes & TPMA_SESSION_encrypt) ||
+            (session->sessionAttributes & TPMA_SESSION_decrypt)))
+            || TPM2_IS_POLICY_SESSION(session->sessionHandle))
+        {
             session->auth.size = TPM2_GetHashDigestSize(session->authHash);
         }
     }
@@ -1763,7 +1772,7 @@ int wolfTPM2_CreateLoadedKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEYBLOB* keyBlob,
     wolfTPM2_CopyPub(&keyBlob->pub, &createLoadedOut.outPublic);
     wolfTPM2_CopyPriv(&keyBlob->priv, &createLoadedOut.outPrivate);
-    wolfTPM2_CopyName(&keyBlob->name, &createLoadedOut.name);
+    wolfTPM2_CopyName(&keyBlob->handle.name, &createLoadedOut.name);
     return rc;
 }
diff --git a/wolftpm/tpm2.h b/wolftpm/tpm2.h
index d386c6a1..63288ae1 100644
--- a/wolftpm/tpm2.h
+++ b/wolftpm/tpm2.h
@@ -1640,7 +1640,7 @@ typedef struct TPM2_AUTH_SESSION {
 #define TPM_20_NV_INDEX_EK_NONCE (TPM_20_PLATFORM_MFG_NV_SPACE + 3)
 #define TPM_20_NV_INDEX_EK_TEMPLATE (TPM_20_PLATFORM_MFG_NV_SPACE + 4)
-/* Predetermined TPM 2.0 Endorsement policy auth template */
+/* Predetermined TPM 2.0 Endorsement policy auth template for SHA2-256 */
 static const BYTE TPM_20_EK_AUTH_POLICY[] = {
     0x83, 0x71, 0x97, 0x67, 0x44, 0x84, 0xb3, 0xf8, 0x1a, 0x90, 0xcc, 0x8d, 0x46, 0xa5, 0xd7, 0x24, 0xfd, 0x52, 0xd7, 0x6e, 0x06, 0x52,
diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h
index 3785ac35..d46235b0 100644
--- a/wolftpm/tpm2_wrap.h
+++ b/wolftpm/tpm2_wrap.h
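Review bot: The rewritten condition in wolfTPM2_SetAuthSession puts the opening `{` on its own line after the multi-line expression, whereas the rest of this file keeps it on the condition line (e.g. `if (handle) {` in the hunk above); finish the condition as `|| TPM2_IS_POLICY_SESSION(session->sessionHandle)) {` and drop the separate brace line. The three nested parenthesis levels are also hard to check by eye; splitting the two cases into named locals (one for the encrypt/decrypt case, one for `TPM2_IS_POLICY_SESSION`) and testing `if (isEncDec || isPolicy)` would make the intent obvious, with the declarations placed where the file's declaration ordering allows. For the policy case the reserved size is `TPM2_GetHashDigestSize(session->authHash)`; if a policy session can reach this point with `authHash` unset, the reservation presumably collapses to zero silently, so a comment stating that `authHash` must already be set here, or a check that the size is non-zero, would document the assumption. The enclosing function starts outside the hunk.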
@@ -63,7 +63,6 @@ typedef struct WOLFTPM2_KEY {
 typedef struct WOLFTPM2_KEYBLOB {
     WOLFTPM2_HANDLE handle;
     TPM2B_PUBLIC pub;
-    TPM2B_NAME name;
     TPM2B_PRIVATE priv;
 } WOLFTPM2_KEYBLOB;