
Implement full coverage for TPM 1.2 tests. (#7)
* Generate and store a fake EK certificate in TPM 1.2 test setup.

* Fix run of gen_ekcert.go

* Write out NVRAM cert header when generating ek cert

* Remove build flag gating tpm12 tests.
twitchy-jsonp committed Apr 4, 2019
1 parent 509d807 commit 063d2bd
Showing 3 changed files with 107 additions and 4 deletions.
2 changes: 0 additions & 2 deletions attest/attest_tpm12_test.go
Expand Up @@ -12,8 +12,6 @@
// License for the specific language governing permissions and limitations under
// the License.

// +build tpm12

package attest

import (
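--- /dev/null
+++ b/ci/gen_ekcert.go
@@ -0,0 +1,104 @@
+package main
+
+import (
+"crypto/rand"
+"crypto/rsa"
+"crypto/x509"
+"crypto/x509/pkix"
+"encoding/binary"
+"encoding/hex"
+"flag"
+"fmt"
+"math/big"
+"os"
+"os/exec"
+"strings"
+"time"
+)
+
+var simulatorStatePath = flag.String("state_path", "/tmp/sim/NVRAM/00.permall", "Path to ibmswtpm state file")
+
+func ekPub() *rsa.PublicKey {
+out, err := exec.Command("tpm_getpubek", "-z").Output()
+if err != nil {
+fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+os.Exit(1)
+}
+
+spl := strings.Split(string(out), "Public Key:")
+hexKey := strings.NewReplacer(" ", "", "\n", "", "\r", "", "\t", "").Replace(spl[1])
+
+modBytes, err := hex.DecodeString(hexKey)
+if err != nil {
+fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+os.Exit(1)
+}
+return &rsa.PublicKey{
+N: new(big.Int).SetBytes(modBytes),
+E: 65537,
+}
+}
+
+func generateCertificate(pub *rsa.PublicKey) []byte {
+priv, err := rsa.GenerateKey(rand.Reader, 2048)
+if err != nil {
+fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+os.Exit(1)
+}
+
+serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+if err != nil {
+fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+os.Exit(1)
+}
+
+template := x509.Certificate{
+SerialNumber: serialNumber,
+Subject: pkix.Name{
+Organization: []string{"Acme Co"},
+},
+NotBefore: time.Now(),
+NotAfter: time.Now().AddDate(1, 0, 0),
+KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+BasicConstraintsValid: true,
+}
+
+derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, priv)
+if err != nil {
+fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+os.Exit(1)
+}
+return derBytes
+}
+
+func main() {
+flag.Parse()
+certBytes := generateCertificate(ekPub())
+
+f, err := os.OpenFile("/tmp/ekcert", os.O_RDWR|os.O_TRUNC|os.O_CREATE, 0755)
+if err != nil {
+fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+os.Exit(1)
+}
+
+// Write the header as documented in: TCG PC Specific Implementation
+// Specification, section 7.3.2.
+f.Write([]byte{0x10, 0x01, 0x00})
+certLength := make([]byte, 2)
+binary.BigEndian.PutUint16(certLength, uint16(len(certBytes)))
+f.Write(certLength)
+
+f.Write(certBytes)
+f.Close()
+
+cmd := exec.Command("tpm_nvwrite", "-z", "-i", "268496896", "-f", "/tmp/ekcert")
+cmd.Stdout = os.Stdout
+cmd.Stderr = os.Stderr
+if err := cmd.Run(); err != nil {
+fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+os.Exit(1)
+}
+
+}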
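Review bot: `ekPub` indexes `spl[1]` without checking that the `tpm_getpubek` output contained a `Public Key:` marker, so a failed or differently formatted run panics with an index-out-of-range instead of the intended error exit; guard it with `if len(spl) < 2 { fmt.Fprintln(os.Stderr, "Error: no public key in tpm_getpubek output"); os.Exit(1) }` before the replacer. In `main` the three `f.Write` calls and `f.Close` discard their errors, so a short write to `/tmp/ekcert` surfaces, if at all, only when `tpm_nvwrite` loads a truncated blob; the file also needs no execute bit (0644 suffices), and the `state_path` flag is parsed but never read. The certificate is signed with a throwaway key that is not the key it certifies, so despite issuer == subject its signature will not verify against its own public key; a header comment on `generateCertificate` such as `// generateCertificate builds a fake EK certificate for the simulator only: it is signed by a throwaway key, is not self-consistent, and will fail any chain validation.` keeps it from being reused as a real fixture. Worth confirming against the NVRAM reader in attest: as I recall the TCG stored-certificate layout, a TCG_FULL_CERT tag (0x10 0x02) sits between this header and the DER bytes and certSize covers it, which the header written here omits. The rewritten write path below reports every error and emits the blob in a single write.
```go
// … unchanged: flag.Parse, certBytes := generateCertificate(ekPub()) …
f, err := os.OpenFile("/tmp/ekcert", os.O_RDWR|os.O_TRUNC|os.O_CREATE, 0644)
if err != nil {
	fmt.Fprintf(os.Stderr, "Error: %v\n", err)
	os.Exit(1)
}
// Header as documented in TCG PC Specific Implementation Specification,
// section 7.3.2: tag 0x1001, certType 0x00, then the big-endian 16-bit length.
blob := []byte{0x10, 0x01, 0x00}
certLength := make([]byte, 2)
binary.BigEndian.PutUint16(certLength, uint16(len(certBytes)))
blob = append(append(blob, certLength...), certBytes...)
// os.File.Write reports a short write as an error, so one check covers the whole blob.
if _, err := f.Write(blob); err != nil {
	fmt.Fprintf(os.Stderr, "Error: %v\n", err)
	os.Exit(1)
}
if err := f.Close(); err != nil {
	fmt.Fprintf(os.Stderr, "Error: %v\n", err)
	os.Exit(1)
}
// … unchanged: tpm_nvwrite invocation …
```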
5 changes: 3 additions & 2 deletions ci/setup_tpm12_simulator.sh
Expand Up @@ -26,6 +26,7 @@ if [[ "${1}" == "" ]]; then
exit 1
fi

PROJECT_ROOT=$(pwd)
BUILD_BASE="${1%/}" # Trim any trailing slash.
SIMULATOR_SRC="${BUILD_BASE}/simulator"

Expand Down Expand Up @@ -86,8 +87,6 @@ setup_tpm () {
${SIMULATOR_SRC}/libtpm/utils/tpminit
echo "Starting the TPM..."
${SIMULATOR_SRC}/libtpm/utils/tpmbios -cs
echo "Allocating NVRAM..."
${SIMULATOR_SRC}/libtpm/utils/nv_definespace -in 1000f000 -sz 3200

${SIMULATOR_SRC}/libtpm/utils/tpminit
${SIMULATOR_SRC}/libtpm/utils/tpmbios -cs
Expand All @@ -102,6 +101,8 @@ run_tcsd () {
sleep 1
tpm_createek
tpm_takeownership -yz
tpm_nvdefine -i 268496896 -z -s 3800 -p OWNERWRITE
go run -v "${PROJECT_ROOT}/ci/gen_ekcert.go"
sleep 1
}

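Review bot: `PROJECT_ROOT=$(pwd)` pins the layout to the caller's working directory, so `go run -v "${PROJECT_ROOT}/ci/gen_ekcert.go"` in `run_tcsd` fails whenever the script is invoked from anywhere but the repository root; deriving it from the script's own location, `PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"`, removes that dependency. Neither `tpm_nvdefine` nor the `go run` step has its exit status checked, so unless the script already runs under `set -e` (its header is outside these hunks) a failed certificate generation leaves the simulator without an EK certificate and the tests fail later with a less obvious error. The index `268496896` is 0x1000F000, the conventional EK-certificate NV index, and the same magic number is repeated in gen_ekcert.go; a comment such as `# 0x1000F000: EK certificate NV index (TCG PC Client spec); must match ci/gen_ekcert.go` on the `tpm_nvdefine` line would make the coupling visible. The functions `setup_tpm` and `run_tcsd` start and end outside the hunks shown.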
