swtpm_setup: Write EK certificate files into a directory #466

Merged
merged 4 commits into from
Jul 30, 2021
Merged
17 changes: 17 additions & 0 deletions man/man8/swtpm_setup.pod
Expand Up @@ -194,6 +194,7 @@ The output may contain the following:
"features": [
"cmdarg-keyfile-fd",
"cmdarg-pwdfile-fd",
"cmdarg-write-ek-cert-files",
"tpm2-rsa-keysize-2048",
"tpm2-rsa-keysize-3072",
"tpm12-not-need-root"
Expand All @@ -212,6 +213,10 @@ The I<--keyfile-fd> option is supported.

The I<--pwdfile-fd> option is supported.

=item B<cmdarg-write-ek-cert-files>

The I<--write-ek-cert-files> option is supported

=item B<tpm2-rsa-keysize-2048, ...>

The shown RSA key sizes are supported for a TPM 2's EK key. If none of the
Expand All @@ -225,6 +230,18 @@ could do that.

=back

=item B<--write-ek-cert-files <directory>>

This option causes endorsement key (EK) files to be written into the provided
directory. The files contain the DER-formatted EKs that were written into the
NVRAM locations of the TPM 1.2 or TPM 2. The EK files have the filename pattern
of ek-<key type>.crt. Example for filenames are ek-rsa2048.crt, ek-rsa3072.crt,
and ek-secp384r1.crt.

The keys that are written for a TPM 2 may change over time as the default
strength of the EK keys changes. This means that one should look for all
files with the above filename pattern when looking for the EKs.

=item B<--help, -h>

Display the help screen
31 changes: 19 additions & 12 deletions src/swtpm_setup/swtpm.c
Expand Up @@ -425,7 +425,7 @@ static int swtpm_tpm2_createprimary_rsa(struct swtpm *self, uint32_t primaryhand
unsigned int rsa_keysize, gboolean havenonce, size_t off,
uint32_t *curr_handle,
unsigned char *ektemplate, size_t *ektemplate_len,
gchar **ekparam);
gchar **ekparam, const gchar **key_description);

static int swtpm_tpm2_write_nvram(struct swtpm *self, uint32_t nvindex, uint32_t nvindexattrs,
const unsigned char *data, size_t data_len, gboolean lock_nvram,
Expand Down Expand Up @@ -666,7 +666,7 @@ static int swtpm_tpm2_createprimary_ek_rsa(struct swtpm *self, unsigned int rsa_
gboolean allowsigning, gboolean decryption,
uint32_t *curr_handle,
unsigned char *ektemplate, size_t *ektemplate_len,
gchar **ekparam)
gchar **ekparam, const gchar **key_description)
{
unsigned char authpolicy[48];
size_t authpolicy_len;
Expand Down Expand Up @@ -738,7 +738,7 @@ static int swtpm_tpm2_createprimary_ek_rsa(struct swtpm *self, unsigned int rsa_
symkeydata, symkeydata_len,
authpolicy, authpolicy_len, rsa_keysize,
havenonce, off, curr_handle,
ektemplate, ektemplate_len, ekparam);
ektemplate, ektemplate_len, ekparam, key_description);
}

/* Create an RSA key with the given parameters */
Expand All @@ -748,7 +748,7 @@ static int swtpm_tpm2_createprimary_rsa(struct swtpm *self, uint32_t primaryhand
unsigned int rsa_keysize, gboolean havenonce, size_t off,
uint32_t *curr_handle,
unsigned char *ektemplate, size_t *ektemplate_len,
gchar **ekparam)
gchar **ekparam, const gchar **key_description)
{
const unsigned char *nonce;
size_t nonce_len;
Expand All @@ -768,6 +768,8 @@ static int swtpm_tpm2_createprimary_rsa(struct swtpm *self, uint32_t primaryhand
nonce = NONCE_RSA2048;
nonce_len = sizeof(NONCE_RSA2048);
hashalg = TPM2_ALG_SHA256;
if (key_description)
*key_description = "rsa2048";
} else if (rsa_keysize == 3072) {
if (!havenonce) {
nonce = NONCE_EMPTY;
Expand All @@ -777,6 +779,8 @@ static int swtpm_tpm2_createprimary_rsa(struct swtpm *self, uint32_t primaryhand
nonce_len = sizeof(NONCE_RSA3072);
}
hashalg = TPM2_ALG_SHA384;
if (key_description)
*key_description = "rsa3072";
} else {
logerr(self->logfile, "Internal error in %s: unsupported RSA keysize %d.\n",
__func__, rsa_keysize);
Expand Down Expand Up @@ -867,7 +871,7 @@ static int swtpm_tpm2_createprimary_ecc(struct swtpm *self, uint32_t primaryhand
const unsigned char *nonce, size_t nonce_len,
size_t off, uint32_t *curr_handle,
unsigned char *ektemplate, size_t *ektemplate_len,
gchar **ekparam)
gchar **ekparam, const gchar **key_description)
{
struct tpm_req_header hdr = TPM_REQ_HEADER_INITIALIZER(TPM2_ST_SESSIONS, 0, TPM2_CC_CREATEPRIMARY);
struct tpm2_authblock authblock = TPM2_AUTHBLOCK_INITIALIZER(TPM2_RS_PW, 0, 0, 0);
Expand Down Expand Up @@ -936,6 +940,8 @@ static int swtpm_tpm2_createprimary_ecc(struct swtpm *self, uint32_t primaryhand
if (curveid == TPM2_ECC_NIST_P384) {
exp_ksize = 48;
cid = "secp384r1";
if (key_description)
*key_description = cid;
} else {
logerr(self->logfile, "Unknown curveid 0x%x\n", curveid);
return 1;
Expand Down Expand Up @@ -988,7 +994,7 @@ static int swtpm_tpm2_createprimary_spk_ecc_nist_p384(struct swtpm *self,
return swtpm_tpm2_createprimary_ecc(self, TPM2_RH_OWNER, keyflags, symkeydata, symkeydata_len,
authpolicy, authpolicy_len, TPM2_ECC_NIST_P384, TPM2_ALG_SHA384,
NONCE_ECC_384, sizeof(NONCE_ECC_384), off, curr_handle,
NULL, 0, NULL);
NULL, 0, NULL, NULL);
}

static int swtpm_tpm2_createprimary_spk_rsa(struct swtpm *self, unsigned int rsa_keysize,
Expand All @@ -1015,7 +1021,7 @@ static int swtpm_tpm2_createprimary_spk_rsa(struct swtpm *self, unsigned int rsa
return swtpm_tpm2_createprimary_rsa(self, TPM2_RH_OWNER, keyflags,
symkeydata, symkeydata_len,
authpolicy, authpolicy_len, rsa_keysize, TRUE,
off, curr_handle, NULL, 0, NULL);
off, curr_handle, NULL, 0, NULL, NULL);
}

/* Create either an ECC or RSA storage primary key */
Expand Down Expand Up @@ -1044,7 +1050,7 @@ static int swtpm_tpm2_create_spk(struct swtpm *self, gboolean isecc, unsigned in
static int swtpm_tpm2_createprimary_ek_ecc_nist_p384(struct swtpm *self, gboolean allowsigning,
gboolean decryption, uint32_t *curr_handle,
unsigned char *ektemplate, size_t *ektemplate_len,
gchar **ekparam)
gchar **ekparam, const char **key_description)
{
unsigned char authpolicy[48]= {
0xB2, 0x6E, 0x7D, 0x28, 0xD1, 0x1A, 0x50, 0xBC, 0x53, 0xD8, 0x82, 0xBC,
Expand Down Expand Up @@ -1090,7 +1096,7 @@ static int swtpm_tpm2_createprimary_ek_ecc_nist_p384(struct swtpm *self, gboolea
ret = swtpm_tpm2_createprimary_ecc(self, TPM2_RH_ENDORSEMENT, keyflags, symkeydata, symkeydata_len,
authpolicy, authpolicy_len, TPM2_ECC_NIST_P384, TPM2_ALG_SHA384,
NONCE_EMPTY, sizeof(NONCE_EMPTY), off, curr_handle,
ektemplate, ektemplate_len, ekparam);
ektemplate, ektemplate_len, ekparam, key_description);
if (ret != 0)
logerr(self->logfile, "%s failed\n", __func__);

Expand All @@ -1100,7 +1106,7 @@ static int swtpm_tpm2_createprimary_ek_ecc_nist_p384(struct swtpm *self, gboolea
/* Create an ECC or RSA EK */
static int swtpm_tpm2_create_ek(struct swtpm *self, gboolean isecc, unsigned int rsa_keysize,
gboolean allowsigning, gboolean decryption, gboolean lock_nvram,
gchar **ekparam)
gchar **ekparam, const gchar **key_description)
{
uint32_t tpm2_ek_handle, nvindex, curr_handle;
const char *keytype;
Expand Down Expand Up @@ -1128,10 +1134,11 @@ static int swtpm_tpm2_create_ek(struct swtpm *self, gboolean isecc, unsigned int
}
if (isecc)
ret = swtpm_tpm2_createprimary_ek_ecc_nist_p384(self, allowsigning, decryption, &curr_handle,
ektemplate, &ektemplate_len, ekparam);
ektemplate, &ektemplate_len, ekparam,
key_description);
else
ret = swtpm_tpm2_createprimary_ek_rsa(self, rsa_keysize, allowsigning, decryption, &curr_handle,
ektemplate, &ektemplate_len, ekparam);
ektemplate, &ektemplate_len, ekparam, key_description);

if (ret == 0)
ret = swtpm_tpm2_evictcontrol(self, curr_handle, tpm2_ek_handle);
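Review bot: The new out-parameter is declared `const char **key_description` on swtpm_tpm2_createprimary_ek_ecc_nist_p384 but `const gchar **key_description` on every other signature touched here (swtpm_tpm2_createprimary_rsa, swtpm_tpm2_createprimary_ecc, swtpm_tpm2_createprimary_ek_rsa, swtpm_tpm2_create_ek) and in swtpm.h; GLib's gchar is a plain char typedef so it compiles, but the line should read `gchar **ekparam, const gchar **key_description)` for consistency. The parameter's contract is also undocumented: in the visible hunks it is only ever pointed at string literals ("rsa2048", "rsa3072", "secp384r1"), so the header comment on swtpm_tpm2_create_ek should say so, e.g. `/* key_description: optional out-param; receives a static string naming the EK key type (rsa2048, rsa3072, secp384r1); must not be freed */`. Note that the unsupported-keysize branch of swtpm_tpm2_createprimary_rsa logs an error without setting *key_description, and the ECC path only sets it for TPM2_ECC_NIST_P384, so a caller that reads it without checking the return value sees whatever it initialized the variable to; the caller is outside this diff, so that may already be handled. All of the enclosing functions start and end outside the shown hunks.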
2 changes: 1 addition & 1 deletion src/swtpm_setup/swtpm.h
Expand Up @@ -48,7 +48,7 @@ struct swtpm2_ops {
int (*create_spk)(struct swtpm *self, gboolean isecc, unsigned int rsa_keysize);
int (*create_ek)(struct swtpm *self, gboolean isecc, unsigned int rsa_keysize,
gboolean allowsigning, gboolean decryption, gboolean lock_nvram,
gchar **ekparam);
gchar **ekparam, const gchar **key_description);
int (*get_all_pcr_banks)(struct swtpm *self, gchar ***all_pcr_banks);
int (*set_active_pcr_banks)(struct swtpm *self, gchar **pcr_banks_l, gchar **all_pcr_banks,
gchar ***active);
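Review bot: The create_ek function-pointer member gains an out-parameter with no comment in the header, so ownership and lifetime of the string it receives have to be inferred from swtpm.c. In the implementation visible in this PR the pointer is only ever set to string literals, so a one-line comment above the member would settle it: `/* key_description: optional; receives a static string naming the EK key type; caller must not free it */`. It would also help to state whether callers may rely on the value after a non-zero return, since this header is what other users of the ops table will read rather than the implementation.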