Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

C init token support #378

Merged
merged 9 commits into from Jan 6, 2020
Merged

C init token support #378

merged 9 commits into from Jan 6, 2020

Conversation

williamcroberts
Copy link
Member

@williamcroberts williamcroberts commented Jan 2, 2020
edited

Initial code for supporting C_InitToken, on 1 of three states:

  1. db found with primary object configured, use that.
  2. no db found, use PC WG Spec SRK if present at address 0x81000001
  3. no db found, create a persistent key at the first persistent slot.

This contains a schema bump and upgrades the DB

Backup your db
I would recommend, since this is the first upgrade schema code, to manually backup your db.
Backup instructions can be found here:

tpm2_ptool: kill python 2.X support
7ec278b 
Python < 3 is EOL, so stop supporting it. Also, new features in sqlite3
python bindings make db backups easier.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
williamcroberts
williamcroberts commented Jan 2, 2020
View reviewed changes
tools/setup.py Outdated Show resolved Hide resolved
@codecov
Copy link

codecov bot commented Jan 3, 2020
edited

Codecov Report

Merging #378 into master will decrease coverage by 0.44%.
The diff coverage is 65.46%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #378      +/-   ##
==========================================
- Coverage   75.17%   74.73%   -0.45%     
==========================================
  Files          29       29              
  Lines        5157     5732     +575     
==========================================
+ Hits         3877     4284     +407     
- Misses       1280     1448     +168
Impacted Files Coverage Δ
src/pkcs11.c 68.29% <100%> (+1.21%) ⬆️
src/lib/emitter.c 56.7% <49.01%> (-3.47%) ⬇️
src/lib/db.c 63.83% <62.36%> (+4.59%) ⬆️
src/lib/token.c 79.15% <65.82%> (-5.17%) ⬇️
src/lib/tpm.c 73.5% <74.16%> (+0.36%) ⬆️
src/lib/slot.c 89.69% <83.33%> (-6.31%) ⬇️
src/lib/mutex.h 100% <0%> (ø) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 066a962...d3fd766. Read the comment docs.

williamcroberts
williamcroberts commented Jan 3, 2020
View reviewed changes
src/lib/token.c Outdated Show resolved Hide resolved
williamcroberts
williamcroberts commented Jan 3, 2020
View reviewed changes
src/lib/token.c Outdated Show resolved Hide resolved
William Roberts added 8 commits January 3, 2020 12:10
tpm2_ptool: require python3.7 for db upgrade
baa367c 
SQLite3 bindings for python don't have the backup API implemented until
Python 3.7. Make this the new minimum requirement for tpm2_ptool so
we can use this feature.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm: fix free code
5e5a7fc 
Signed-off-by: William Roberts <william.c.roberts@intel.com>
C_Initalize: initial support (db schema bump)
3b2cc36 
Support initializing a token from a potentially empty store. The code
determines, based on a search logic how to proceed. If a store is found
using the "store search logic", then any new tokens are created using
the first primary object found.

If no store is found, the TPM is queried
to see if it has a primary SRK as documented in the provisioning guide:
  - https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf

If it does, it uses that. If no primary SRK can be found, it creates
one and persists it at the first persistent slot
"TPM2_PERSISTENT_FIRST".

This change also includes a DB Schema increment from version 1 to
version 2. The update code creates a backup of the db using the sqlite3
backup API. This backup exists during the update/create process and is
unlinked when done on success. The update/db creation code will refuse
to run if the path is not unlinked. This way on failure, the user will
be notified of the issue, and can manually restore via a cp if needed.

During the initialization of the db, a file lock is created using the
sqlite3db name plus the suffix of ".lock". This lock is used to coordinate
multiple process access where the version could be checked and multiple
processes try and update the DB. This could result in a time of check time
of use issue around detecting and applying upgrade logic.

TODO:
  - Update Container Image to Python 3.7+
  - Test under ASAN

Fixes: tpm2-software#364

Signed-off-by: William Roberts <william.c.roberts@intel.com>
ci: set python version to 3.7
ec30db9 
No need for the matrix anymore either, so remove it.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
ci: set stable versions for TSS deps
9f74b86 
Signed-off-by: William Roberts <william.c.roberts@intel.com>
configure.ac: fix pkgconfig check for esapi flags
8866351 
ESAPI below versions 2.2.1 need to manually manage session flags.
However, the PKG config check was setting MANAGE to 1.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
configure: require ESYS version >= 2.0
904bc7c 
Signed-off-by: William Roberts <william.c.roberts@intel.com>
docs/BUILDING: update
d3fd766 
The BUILDING.md doc is way out of date, update it.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
@williamcroberts williamcroberts merged commit 63336ca into tpm2-software:master Jan 6, 2020
@williamcroberts williamcroberts deleted the C_InitToken-support branch January 16, 2020 21:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@williamcroberts