Prep for release v3.0

CMakeLists.txt

@@ -21,7 +21,7 @@
 
 cmake_minimum_required(VERSION 3.16)
 
-project(wolfTPM VERSION 2.7.0 LANGUAGES C)
+project(wolfTPM VERSION 3.0.0 LANGUAGES C)
 
 set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin)
 set(WOLFTPM_DEFINITIONS)

ChangeLog.md

@@ -1,5 +1,51 @@
 # Release Notes
 
+## wolfTPM Release 3.0.0 (Oct 31, 2023)
+
+**Summary**
+
+Refactor of command authentication. Support for ECC sessions and secrets. Support for policy sealing/unsealing. Examples for secure boot.
+
+**Detail**
+* Refactor of the command authentication. If command does not require auth do not supply it (PR #305)
+* Refactor HAL and added Microchip Harmony SPI HAL support (PR #251)
+* Relocate crypto callback code to its own code file (PR #304)
+* Fixed using a custom wolfTPM CSR sigType (PR #307)
+* Fixed support for ECC 384-bit only support (PR #307)
+* Fixed issue with using struct assignment (switched to memcpy) (PR #303)
+* Fixed various issues building with C++ compiler (PR #303)
+* Fixed issues with STM32 I2C build and improved performance (PR #302)
+* Fixed seal with RSA and PCR extend auth. (PR #296)
+* Fixed issue including user_settings.h when `--disable-wolfcrypt` set (PR #285)
+* Fixed TPM private key import with custom seed (PR #281)
+* Fixed autogen.sh (autoconf) to generate without warnings (PR #279)
+* Fixed TPM2 create with decrypt or restricted flag set (PR #275)
+* Fixed and improved low resource build options (PR #269)
+* Fixed the TPM_E_COMMAND_BLOCKED macro to have the correct value (PR #257)
+* Fixed casting and unused variable problems on windows (PR #255)
+* Fixed Linux usage of `cs_change` and added config overrides (PR #268)
+* Fixed and improved the NV auth and session auth set/unset (PR #299)
+* Fixed capability to handle unknown `TPM2_GetCapability` type and fix bad printf (PR #293)
+* Fixed macros for file IO XFEOF and XREWIND to make sure they are available (PR #277)
+* Fixed seal/unseal example (PR #306)
+* Fixed TLS examples with param enc enabled (PR #306)
+* Fixed signed_timestamp with ECC  (PR #306)
+* Added CI tests for CSharp wrappers (PR #307)
+* Added support for sealing/unsealing based on a PCR that is signed externally (PR #294)
+* Added examples for Secure Boot solution to store root of trust in NV (PR's #276, #289, #291 and #292)
+* Added support for importing and loading public ECC/RSA keys formatted as PEM or DER (PR #290)
+* Added new policy_nv example (PR #298)
+* Added `-nvhandle` argument to nvram examples (PR #296)
+* Added code to test external import between two TPM's (PR #288)
+* Added support for STM32 Cube Expansion Pack (PR #287)
+* Added support memory mapped (MMIO) TPM's (PR #271)
+* Added `wc_SetSeed_Cb` call for FIPS ecc (PR #270)
+* Added wrapper support for setting key usage (not just extended key usage) (PR #307)
+* Added RSA key import methods to handle PEM and DER encoding directly (PR #252)
+* Added thread local storage macro and make gActiveTPM local to the thread (PR #253)
+* Added Microchip macro names and Support for bench with MPLABX Harmony (PR #256)
+* Improvements to cmake build (PR's #280, #283 and #284)
+
 ## wolfTPM Release 2.7.0 (Dec 27, 2022)
 
 **Summary**

README.md

@@ -791,11 +791,9 @@ Connection: close
 
 ## Todo
 
-* Update to v1.59 of specification.
-* Add HMAC support for "authValue".
-* Add ECC encrypted salt.
-* Add bound auth session support.
-* Add multiple auth session (nonceTPMDecrypt and nonceTPMEncrypt) support.
+* Key Generation and Attestation examples using endorsement hierarchy "-eh" are broken.
+* Update to v1.59 of specification (adding CertifyX509)
+* Inner wrap support for SensitiveToPrivate.
 
 ## Support
 

configure.ac

@@ -3,7 +3,7 @@
 # All right reserved.
 
 AC_COPYRIGHT([Copyright (C) 2014-2021 wolfSSL Inc.])
-AC_INIT([wolftpm],[2.7.0],[https://github.com/wolfssl/wolfTPM/issues],[wolftpm],[http://www.wolfssl.com])
+AC_INIT([wolftpm],[3.0.0],[https://github.com/wolfssl/wolfTPM/issues],[wolftpm],[http://www.wolfssl.com])
 
 AC_PREREQ([2.63])
 AC_CONFIG_AUX_DIR([build-aux])
@@ -28,7 +28,7 @@ AC_ARG_PROGRAM
 
 AC_CONFIG_HEADERS([src/config.h])
 
-WOLFTPM_LIBRARY_VERSION=15:0:0
+WOLFTPM_LIBRARY_VERSION=16:0:0
 #                        | | |
 #                 +------+ | +---+
 #                 |        |     |
@@ -241,13 +241,17 @@ then
 fi
 
 # Windows TBS device Support
+AC_ARG_ENABLE([wintbs],,
+    [ ENABLED_WINTBS=$enableval ],
+    [ ENABLED_WINTBS=no ]
+    )
 AC_ARG_ENABLE([winapi],
     [AS_HELP_STRING([--enable-winapi],[Enable use of TPM through Windows driver (default: disabled)])],
     [ ENABLED_WINAPI=$enableval ],
     [ ENABLED_WINAPI=no ]
     )
 
-if test "x$ENABLED_WINAPI" = "xyes"
+if test "x$ENABLED_WINAPI" = "xyes" || test "x$ENABLED_WINTBS" = "xyes"
 then
     if test "x$ENABLED_DEVTPM" = "xyes" -o "x$ENABLED_SWTPM" = "xyes"
     then

examples/keygen/external_import.c

@@ -89,9 +89,7 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
     TPMT_PUBLIC publicTemplate3;
     TPMA_OBJECT attributes;
     TPMI_ALG_PUBLIC alg = TPM_ALG_RSA;
-#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
     const char* keyblobFile = "keyblob.bin";
-#endif
     int loadKeyBlob = 0;
 
     if (argc >= 2) {

examples/pcr/policy_sign.c

@@ -165,6 +165,7 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
             wc_FreeRsaKey(&key.rsa);
         }
     #else
+        (void)hashAlg;
         rc = NOT_COMPILED_IN;
     #endif
     }

examples/run_examples.sh

@@ -77,12 +77,9 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
     ./examples/keygen/keyload ecckeyblob.bin -aes >> run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "keyload ecc param enc failed! $RESULT" && exit 1
-
     ./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "keyload ecc import failed! $RESULT" && exit 1
-    # TODO: TPM2_Load (TPM_RC_INTEGRITY)
-    #./examples/keygen/keyload ecckeyblob.bin >> run.out
 fi
 rm -f ecckeyblob.bin
 
@@ -201,7 +198,7 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1
     popd >> run.out
-    sleep 0.2
+    sleep 0.4
     ./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1
@@ -214,7 +211,7 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tpm tls server $1 $2 failed! $RESULT" && exit 1
     pushd $WOLFSSL_PATH >> run.out
-    sleep 0.2
+    sleep 0.4
     ./examples/client/client -p $port -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tls client $1 $2 failed! $RESULT" && exit 1
@@ -223,24 +220,20 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
 
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
     run_tpm_tls_client "rsa" ""
-    # TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE)
-    #run_tpm_tls_client "rsa" "-aes"
+    run_tpm_tls_client "rsa" "-aes"
     run_tpm_tls_client "ecc" ""
-    # TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE)
-    #run_tpm_tls_client "ecc" "-aes"
+    run_tpm_tls_client "ecc" "-aes"
 
     run_tpm_tls_server "rsa" ""
-    # TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE)
-    #run_tpm_tls_server "rsa" "-aes"
+    run_tpm_tls_server "rsa" "-aes"
     run_tpm_tls_server "ecc" ""
-    # TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE)
-    #run_tpm_tls_server "ecc" "-aes"
+    run_tpm_tls_server "ecc" "-aes"
 fi
 
 
 # Clock Tests
 echo -e "Clock tests"
-./examples/timestamp/clock_set
+./examples/timestamp/clock_set >> run.out
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "clock set failed! $RESULT" && exit 1
 
@@ -255,11 +248,14 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "signed_timestamp param enc failed! $RESULT" && exit 1
 fi
-# TODO: Test broken (wolfTPM2_GetTime TPM_RC_SCHEME)
-#./examples/timestamp/signed_timestamp -ecc >> run.out
-#if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
-    #./examples/timestamp/signed_timestamp -ecc -aes >> run.out
-#fi
+./examples/timestamp/signed_timestamp -ecc >> run.out
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "signed_timestamp ecc failed! $RESULT" && exit 1
+if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+    ./examples/timestamp/signed_timestamp -ecc -aes >> run.out
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "signed_timestamp ecc param enc failed! $RESULT" && exit 1
+fi
 
 ./examples/attestation/make_credential >> run.out
 RESULT=$?
@@ -350,11 +346,21 @@ fi
 echo -e "Seal/Unseal (PCR policy)"
 ./examples/seal/seal sealedkeyblob.bin mySecretMessage >> run.out
 RESULT=$?
-[ $RESULT -ne 0 ] && echo -e "seal pcr failed! $RESULT" && exit 1
-# TODO (TPM2_Load TPM_RC_BAD_AUTH)
-#./examples/seal/unseal message.raw sealedkeyblob.bin >> run.out
+[ $RESULT -ne 0 ] && echo -e "seal failed! $RESULT" && exit 1
+./examples/seal/unseal message.raw sealedkeyblob.bin >> run.out
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "unseal failed! $RESULT" && exit 1
 rm -f sealedkeyblob.bin
 
+if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+    ./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1
+    ./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1
+    rm -f sealedkeyblob.bin
+fi
 
 # Seal/Unseal (Policy auth)
 echo -e "Seal/Unseal (Policy auth)"

examples/seal/seal.c

@@ -40,9 +40,9 @@ static void usage(void)
 {
     printf("Expected usage:\n");
     printf("./examples/seal/seal [filename] [userdata]\n");
-    printf("* filename: Name of the file where the TPM key will be stored\n");
-    printf("* userdata: Arbitrary data to seal inside the TPM key (no whitespaces)\n");
-    printf("Demo usage, without parameters, uses keyblob.bin as a filename\n");
+    printf("* -aes/xor: Use Parameter Encryption\n");
+    printf("* filename: Name of the file where the TPM key will be stored (default: keyblob.bin)\n");
+    printf("* userdata: Arbitrary data to seal inside the TPM key (no whitespaces) (default: My1Pass2Phrase3)\n");
 }
 
 int TPM2_Seal_Example(void* userCtx, int argc, char *argv[])
@@ -95,6 +95,7 @@ int TPM2_Seal_Example(void* userCtx, int argc, char *argv[])
 
     printf("TPM2.0 Simple Seal example\n");
     printf("\tKey Blob: %s\n", outputFile);
+    printf("\tUser Data: %s\n", userData);
     printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
 
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
@@ -159,6 +160,9 @@ int TPM2_Seal_Example(void* userCtx, int argc, char *argv[])
         printf("\nFailure 0x%x: %s\n\n", rc, wolfTPM2_GetRCString(rc));
     }
 
+    /* Remove the auth for loaded TPM seal object */
+    wolfTPM2_UnsetAuth(&dev, 0);
+
     /* Close handles */
     wolfTPM2_UnloadHandle(&dev, &storage.handle);
     wolfTPM2_UnloadHandle(&dev, &newKey.handle);

examples/seal/unseal.c

@@ -41,16 +41,20 @@ static void usage(void)
 {
     printf("Expected usage:\n");
     printf("./examples/seal/unseal [filename] [inkey_filename]\n");
-    printf("* filename - File contaning a TPM seal key\n");
+    printf("* -aes/xor: Use Parameter Encryption\n");
+    printf("* filename: Output for unsealed data (default: unseal.bin)\n");
+    printf("* inkey_filename: File with sealed keyed hashed object (keyblob.bin)\n");
     printf("Demo usage, without arguments, uses keyblob.bin file input.\n");
 }
 
 int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
 {
     int rc;
     WOLFTPM2_DEV dev;
-    WOLFTPM2_KEY key;
-    TPM2B_AUTH auth;
+    WOLFTPM2_KEYBLOB newKey;
+    WOLFTPM2_KEY storage; /* SRK */
+    TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
+    WOLFTPM2_SESSION tpmSession;
     const char *filename = "unseal.bin";
     const char *inkeyfilename = "keyblob.bin";
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
@@ -60,14 +64,11 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
     Unseal_In cmdIn_unseal;
     Unseal_Out cmdOut_unseal;
 
-    WOLFTPM2_KEYBLOB newKey;
-    WOLFTPM2_KEY storage; /* SRK */
-
-
+    XMEMSET(&storage, 0, sizeof(storage));
+    XMEMSET(&tpmSession, 0, sizeof(tpmSession));
     XMEMSET(&cmdIn_unseal, 0, sizeof(cmdIn_unseal));
     XMEMSET(&cmdOut_unseal, 0, sizeof(cmdOut_unseal));
-    XMEMSET(&key, 0, sizeof(key));
-    XMEMSET(&auth, 0, sizeof(auth));
+    XMEMSET(&newKey, 0, sizeof(newKey));
 
     if (argc >= 2) {
         if (XSTRCMP(argv[1], "-?") == 0 ||
@@ -85,6 +86,23 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
            inkeyfilename = argv[2];
         }
     }
+    while (argc > 1) {
+        if (XSTRCMP(argv[argc-1], "-aes") == 0) {
+            paramEncAlg = TPM_ALG_CFB;
+        }
+        else if (XSTRCMP(argv[argc-1], "-xor") == 0) {
+            paramEncAlg = TPM_ALG_XOR;
+        }
+        else if (argv[argc-1][0] == '-') {
+            printf("Warning: Unrecognized option: %s\n", argv[argc-1]);
+        }
+        argc--;
+    }
+
+    printf("TPM2.0 Simple Unseal example\n");
+    printf("\tKey Blob: %s\n", inkeyfilename);
+    printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
+
 
     printf("Example how to unseal data using TPM2.0\n");
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
@@ -97,6 +115,21 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
     rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA);
     if (rc != 0) goto exit;
 
+    if (paramEncAlg != TPM_ALG_NULL) {
+        /* Start an authenticated session (salted / unbound) with parameter encryption */
+        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
+            TPM_SE_HMAC, paramEncAlg);
+        if (rc != 0) goto exit;
+        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
+            (word32)tpmSession.handle.hndl);
+
+        /* set session for authorization of the storage key */
+        rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
+            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
+        if (rc != 0) goto exit;
+
+    }
+
     rc = readKeyBlob(inkeyfilename, &newKey);
     if (rc != 0) goto exit;
 
@@ -109,9 +142,9 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
         (word32)newKey.handle.hndl);
 
     /* Set authorization for using the seal key */
-    auth.size = (int)sizeof(gKeyAuth) - 1;
-    XMEMCPY(auth.buffer, gKeyAuth, auth.size);
-    wolfTPM2_SetAuthPassword(&dev, 0, &auth);
+    newKey.handle.auth.size = (int)sizeof(gKeyAuth) - 1;
+    XMEMCPY(newKey.handle.auth.buffer, gKeyAuth, newKey.handle.auth.size);
+    wolfTPM2_SetAuthHandle(&dev, 0, &newKey.handle);
 
     cmdIn_unseal.itemHandle = newKey.handle.hndl;
 
@@ -146,12 +179,13 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
     (void)filename;
 #endif
 
-    /* Remove the loaded TPM seal object */
-    wolfTPM2_SetAuthPassword(&dev, 0, NULL);
+    /* Remove the auth for loaded TPM seal object */
+    wolfTPM2_UnsetAuth(&dev, 0);
 
 exit:
     wolfTPM2_UnloadHandle(&dev, &storage.handle);
     wolfTPM2_UnloadHandle(&dev, &newKey.handle);
+    wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
 
     wolfTPM2_Cleanup(&dev);
     return rc;

examples/timestamp/signed_timestamp.c

@@ -180,13 +180,8 @@ int TPM2_Timestamp_TestArgs(void* userCtx, int argc, char *argv[])
     if (paramEncAlg != TPM_ALG_NULL) {
         sessionAttributes |= (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt);
     }
-#if 0
-    /* TODO: Investigate param enc with signed timestamp */
     rc = wolfTPM2_SetAuthSession(&dev, 2, &tpmSession, sessionAttributes);
     if (rc != 0) goto exit;
-#else
-    (void)sessionAttributes;
-#endif
 
     /* At this stage: The SRK is created, AIK is created and loaded,
      * Endorsement Hierarchy is enabled through policySecret,