Fixes for using endorsement hierarchy

.github/workflows/cmake-build.yml

@@ -0,0 +1,44 @@
+name: WolfTPM CMake Build Tests
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+#pull wolfTPM
+    - uses: actions/checkout@master
+
+# Install cmake
+    - name: Install cmake
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y cmake
+
+#pull and build wolfssl
+    - uses: actions/checkout@master
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl
+    - name: Build wolfssl
+      working-directory: ./wolfssl
+      run: |
+        mkdir build
+        cd build
+        cmake -DWOLFSSL_TPM=yes ..
+        make
+        sudo make install
+
+#build wolftpm
+    - name: Build wolfTPM
+      run: |
+        mkdir build
+        cd build
+        cmake -DWOLFTPM_INTERFACE=SWTPM ..
+        make

CMakeLists.txt

@@ -35,6 +35,7 @@ set(TPM_SOURCES
     src/tpm2_tis.c
     src/tpm2_winapi.c
     src/tpm2_wrap.c
+    src/tpm2_cryptocb.c
     hal/tpm_io.c
     )
 

README.md

@@ -791,9 +791,10 @@ Connection: close
 
 ## Todo
 
-* Key Generation and Attestation examples using endorsement hierarchy "-eh" are broken.
-* Update to v1.59 of specification (adding CertifyX509)
+* Add support for Endorsement certificates (EK Credential Profile).
+* Update to v1.59 of specification (adding CertifyX509).
 * Inner wrap support for SensitiveToPrivate.
+* Firmware upgrade support on TPM's.
 
 ## Support
 

examples/attestation/activate_credential.c

@@ -44,6 +44,7 @@ static void usage(void)
     printf("Expected usage:\n");
     printf("./examples/attestation/activate_credential [cred.blob] [-eh]\n");
     printf("* cred.blob is a input file holding the generated credential.\n");
+    printf("* -eh: Use the EK public key to encrypt the challenge\n");
     printf("Demo usage without parameters, uses \"cred.blob\" filename.\n");
 }
 
@@ -64,14 +65,8 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
     const char *input = "cred.blob";
     const char *keyblob = "keyblob.bin";
 
-    union {
-        ActivateCredential_In activCred;
-        byte maxInput[MAX_COMMAND_SIZE];
-    } cmdIn;
-    union {
-        ActivateCredential_Out activCred;
-        byte maxOutput[MAX_RESPONSE_SIZE];
-    } cmdOut;
+    ActivateCredential_In  activCredIn;
+    ActivateCredential_Out activCredOut;
 
     if (argc == 1) {
         printf("Using default values\n");
@@ -157,9 +152,13 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
         /* Set the created Policy Session for use in next operation */
         rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, 0);
         if (rc != 0) goto exit;
+        /* Set the name for the endorsement handle */
+        rc = wolfTPM2_SetAuthHandleName(&dev, 1, &endorse.handle);
+        if (rc != 0) goto exit;
     }
     else {
-        wolfTPM2_SetAuthHandle(&dev, 1, &storage.handle);
+        rc = wolfTPM2_SetAuthHandle(&dev, 1, &storage.handle);
+        if (rc != 0) goto exit;
     }
 
     /* Prepare the auth password for the Attestation Key */
@@ -169,19 +168,19 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
     wolfTPM2_SetAuthHandle(&dev, 0, &akKey.handle);
 
     /* Prepare the Activate Credential command */
-    XMEMSET(&cmdIn.activCred, 0, sizeof(cmdIn.activCred));
-    XMEMSET(&cmdOut.activCred, 0, sizeof(cmdOut.activCred));
-    cmdIn.activCred.activateHandle = akKey.handle.hndl;
-    cmdIn.activCred.keyHandle = primary->handle.hndl;
+    XMEMSET(&activCredIn, 0, sizeof(activCredIn));
+    XMEMSET(&activCredOut, 0, sizeof(activCredOut));
+    activCredIn.activateHandle = akKey.handle.hndl;
+    activCredIn.keyHandle = primary->handle.hndl;
     /* Read credential from the user file */
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
     fp = XFOPEN(input, "rb");
     if (fp != XBADFILE) {
-        dataSize = (int)XFREAD((BYTE*)&cmdIn.activCred.credentialBlob, 1,
-                                sizeof(cmdIn.activCred.credentialBlob), fp);
+        dataSize = (int)XFREAD((BYTE*)&activCredIn.credentialBlob, 1,
+                                sizeof(activCredIn.credentialBlob), fp);
         if (dataSize > 0) {
-            dataSize += (int)XFREAD((BYTE*)&cmdIn.activCred.secret, 1,
-                                    sizeof(cmdIn.activCred.secret), fp);
+            dataSize += (int)XFREAD((BYTE*)&activCredIn.secret, 1,
+                                     sizeof(activCredIn.secret), fp);
         }
         XFCLOSE(fp);
     }
@@ -192,18 +191,28 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
     goto exit;
 #endif
     /* All required data to verify the credential is prepared */
-    rc = TPM2_ActivateCredential(&cmdIn.activCred, &cmdOut.activCred);
+    rc = TPM2_ActivateCredential(&activCredIn, &activCredOut);
     if (rc != TPM_RC_SUCCESS) {
-        printf("TPM2_ActivateCredentials failed 0x%x: %s\n", rc,
+        printf("TPM2_ActivateCredential failed 0x%x: %s\n", rc,
             TPM2_GetRCString(rc));
         goto exit;
     }
     printf("TPM2_ActivateCredential success\n");
+    if (endorseKey) {
+        /* The policy session is closed after use.
+         * Reset handle, so we don't try and free it */
+        tpmSession.handle.hndl = TPM_RH_NULL;
+    }
+
+    printf("Secret: %d\n", activCredOut.certInfo.size);
+    TPM2_PrintBin(activCredOut.certInfo.buffer,
+                  activCredOut.certInfo.size);
 
 exit:
 
     wolfTPM2_UnloadHandle(&dev, &primary->handle);
     wolfTPM2_UnloadHandle(&dev, &akKey.handle);
+    wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
     wolfTPM2_Cleanup(&dev);
 
 exit_badargs:

examples/attestation/make_credential.c

@@ -68,16 +68,10 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
     const char *srkPubFile = "srk.pub";
     const char *pubFilename = NULL;
 
-    union {
-        MakeCredential_In makeCred;
-        LoadExternal_In  loadExtIn;
-        byte maxInput[MAX_COMMAND_SIZE];
-    } cmdIn;
-    union {
-        MakeCredential_Out makeCred;
-        LoadExternal_Out loadExtOut;
-        byte maxOutput[MAX_RESPONSE_SIZE];
-    } cmdOut;
+    MakeCredential_In  makeCredIn;
+    MakeCredential_Out makeCredOut;
+    LoadExternal_In  loadExtIn;
+    LoadExternal_Out loadExtOut;
 
     if (argc == 1) {
         printf("Using public key from SRK to create the challenge\n");
@@ -100,12 +94,6 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
         goto exit_badargs;
     }
 
-    XMEMSET(&name, 0, sizeof(name));
-    XMEMSET(&cmdIn.makeCred, 0, sizeof(cmdIn.makeCred));
-    XMEMSET(&cmdOut.makeCred, 0, sizeof(cmdOut.makeCred));
-    XMEMSET(&cmdIn.loadExtIn, 0, sizeof(cmdIn.loadExtIn));
-    XMEMSET(&cmdOut.loadExtOut, 0, sizeof(cmdOut.loadExtOut));
-
     printf("Demo how to create a credential challenge for remote attestation\n");
     printf("Credential will be stored in %s\n", output);
 
@@ -125,24 +113,26 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
     }
     rc = readKeyBlob(pubFilename, &primary);
     if (rc != 0) {
-        printf("Failure to load %s\n", pubFilename);
+        printf("Failure to read %s\n", pubFilename);
         goto exit;
     }
+
     /* Prepare the key for use by the TPM */
-    XMEMCPY(&cmdIn.loadExtIn.inPublic, &primary.pub,
-        sizeof(cmdIn.loadExtIn.inPublic));
-    cmdIn.loadExtIn.hierarchy = TPM_RH_NULL;
-    rc = TPM2_LoadExternal(&cmdIn.loadExtIn, &cmdOut.loadExtOut);
+    XMEMSET(&loadExtIn, 0, sizeof(loadExtIn));
+    XMEMSET(&loadExtOut, 0, sizeof(loadExtOut));
+    XMEMCPY(&loadExtIn.inPublic, &primary.pub, sizeof(loadExtIn.inPublic));
+    loadExtIn.hierarchy = TPM_RH_NULL;
+    rc = TPM2_LoadExternal(&loadExtIn, &loadExtOut);
     if (rc != TPM_RC_SUCCESS) {
         printf("TPM2_LoadExternal: failed %d: %s\n", rc,
             wolfTPM2_GetRCString(rc));
         return rc;
     }
     printf("Public key for encryption loaded\n");
-    handle.hndl = cmdOut.loadExtOut.objectHandle;
-
+    handle.hndl = loadExtOut.objectHandle;
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
     /* Load AK Name digest */
+    XMEMSET(&name, 0, sizeof(name));
     fp = XFOPEN("ak.name", "rb");
     if (fp != XBADFILE) {
         size_t nameReadSz = XFREAD((BYTE*)&name, 1, sizeof(name), fp);
@@ -153,31 +143,37 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
 #endif
 
     /* Create secret for the attestation server */
-    cmdIn.makeCred.credential.size = CRED_SECRET_SIZE;
-    wolfTPM2_GetRandom(&dev, cmdIn.makeCred.credential.buffer,
-                        cmdIn.makeCred.credential.size);
-    /* Prepare the AK name */
-    cmdIn.makeCred.objectName.size = name.size;
-    XMEMCPY(cmdIn.makeCred.objectName.name, name.name,
-                cmdIn.makeCred.objectName.size);
+    XMEMSET(&makeCredIn, 0, sizeof(makeCredIn));
+    XMEMSET(&makeCredOut, 0, sizeof(makeCredOut));
+    makeCredIn.credential.size = CRED_SECRET_SIZE;
+    wolfTPM2_GetRandom(&dev, makeCredIn.credential.buffer,
+                             makeCredIn.credential.size);
+    /* Set the object name */
+    makeCredIn.objectName.size = name.size;
+    XMEMCPY(makeCredIn.objectName.name, name.name,
+            makeCredIn.objectName.size);
     /* Set TPM key and execute */
-    cmdIn.makeCred.handle = handle.hndl;
-    rc = TPM2_MakeCredential(&cmdIn.makeCred, &cmdOut.makeCred);
+    makeCredIn.handle = handle.hndl;
+    rc = TPM2_MakeCredential(&makeCredIn, &makeCredOut);
     if (rc != TPM_RC_SUCCESS) {
-        printf("TPM2_MakeCredentials failed 0x%x: %s\n", rc,
+        printf("TPM2_MakeCredential failed 0x%x: %s\n", rc,
             TPM2_GetRCString(rc));
         goto exit;
     }
     printf("TPM2_MakeCredential success\n");
 
+    printf("Secret: %d\n", makeCredIn.credential.size);
+    TPM2_PrintBin(makeCredIn.credential.buffer,
+                  makeCredIn.credential.size);
+
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
     fp = XFOPEN(output, "wb");
     if (fp != XBADFILE) {
-        dataSize = (int)XFWRITE((BYTE*)&cmdOut.makeCred.credentialBlob, 1,
-                                sizeof(cmdOut.makeCred.credentialBlob), fp);
+        dataSize = (int)XFWRITE((BYTE*)&makeCredOut.credentialBlob, 1,
+                                 sizeof(makeCredOut.credentialBlob), fp);
         if (dataSize > 0) {
-            dataSize += (int)XFWRITE((BYTE*)&cmdOut.makeCred.secret, 1,
-                                     sizeof(cmdOut.makeCred.secret), fp);
+            dataSize += (int)XFWRITE((BYTE*)&makeCredOut.secret, 1,
+                                      sizeof(makeCredOut.secret), fp);
         }
         XFCLOSE(fp);
     }

examples/keygen/keygen.c

@@ -141,7 +141,6 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
     #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_RSA)
     const char *pemFilename = NULL;
     #endif
-    FILE *fp;
 #endif
     size_t len = 0;
     char symMode[] = "aesctr";
@@ -251,20 +250,26 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
         rc = wolfTPM2_StartSession(&dev, &tpmSession, primary, NULL,
             TPM_SE_HMAC, paramEncAlg);
         if (rc != 0) goto exit;
-        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
+        printf("HMAC Session: Handle 0x%x\n",
             (word32)tpmSession.handle.hndl);
 
         /* set session for authorization of the primary key */
         rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
-            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
+            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt |
+             TPMA_SESSION_continueSession));
         if (rc != 0) goto exit;
     }
 
     if (endorseKey) {
         /* Endorsement Key requires authorization with Policy */
-        wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession);
+        rc = wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession);
+        if (rc != 0) goto exit;
+        printf("EK Policy Session: Handle 0x%x\n",
+            (word32)tpmSession.handle.hndl);
+
         /* Set the created Policy Session for use in next operation */
-        wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0);
+        rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0);
+        if (rc != 0) goto exit;
     }
 
     /* Create new key */
@@ -285,6 +290,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
         else {
             rc = BAD_FUNC_ARG;
         }
+        if (rc != 0) goto exit;
 
         /* set session for authorization key */
         auth.size = (int)sizeof(gAiKeyAuth)-1;
@@ -341,11 +347,25 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
         printf("wolfTPM2_CreateKey failed\n");
         goto exit;
     }
+    if (endorseKey) {
+        /* Endorsement policy session is closed after use, so start another */
+        rc = wolfTPM2_CreateAuthSession_EkPolicy(&dev, &tpmSession);
+        if (rc == 0) {
+            rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0);
+        }
+        if (rc != 0) goto exit;
+    }
     rc = wolfTPM2_LoadKey(&dev, &newKeyBlob, &primary->handle);
     if (rc != TPM_RC_SUCCESS) {
         printf("wolfTPM2_LoadKey failed\n");
         goto exit;
     }
+    if (endorseKey) {
+        /* The policy session is closed after use.
+         * Reset handle, so we don't try and free it */
+        tpmSession.handle.hndl = TPM_RH_NULL;
+    }
+
     printf("New key created and loaded (pub %d, priv %d bytes)\n",
         newKeyBlob.pub.size, newKeyBlob.priv.size);
 
@@ -357,14 +377,13 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
         /* Store primary public key */
         XMEMCPY(&primaryBlob.pub, &primary->pub, sizeof(primaryBlob.pub));
         rc |= writeKeyBlob(pubFilename, &primaryBlob);
+
         /* Write AK's Name digest */
-        fp = XFOPEN(nameFile, "wb");
-        if (fp != XBADFILE) {
-            XFWRITE((BYTE*)&newKeyBlob.name, 1, sizeof(newKeyBlob.name), fp);
-            printf("Wrote AK Name digest\n");
-            XFCLOSE(fp);
-        }
+        rc |= writeBin(nameFile, (byte*)&newKeyBlob.handle.name,
+            sizeof(newKeyBlob.handle.name));
+        printf("Wrote AK Name digest\n");
     }
+    if (rc != TPM_RC_SUCCESS) goto exit;
 #else
     if (alg == TPM_ALG_SYMCIPHER) {
         printf("The Public Part of a symmetric key contains only meta data\n");
@@ -421,10 +440,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
     /* Close handles */
     wolfTPM2_UnloadHandle(&dev, &primary->handle);
     wolfTPM2_UnloadHandle(&dev, &newKeyBlob.handle);
-    /* EK policy is destroyed after use, flush parameter encryption session */
-    if (paramEncAlg != TPM_ALG_NULL && !endorseKey) {
-        wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
-    }
+    wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
 
     wolfTPM2_Cleanup(&dev);
     return rc;