3 changes: 3 additions & 0 deletions .travis.yml
View file
Expand Up @@ -64,3 +64,6 @@ install:

script:
- ./.ci/travis-build-and-run-tests.sh

after_failure:
- cat build/test-suite.log
13 changes: 8 additions & 5 deletions Makefile.am
View file
Expand Up @@ -46,7 +46,7 @@ sbin_PROGRAMS = \
tools/tpm2_load \
tools/tpm2_send_command \
tools/tpm2_dump_capability \
tools/tpm2_listpcrs \
tools/tpm2_pcrlist \
tools/tpm2_listpersistent \
tools/tpm2_startup \
tools/tpm2_rc_decode \
Expand Down Expand Up @@ -78,7 +78,8 @@ sbin_PROGRAMS = \
tools/tpm2_sign \
tools/tpm2_unseal \
tools/tpm2_dictionarylockout \
tools/tpm2_createpolicy
tools/tpm2_createpolicy \
tools/tpm2_pcrextend

noinst_LIBRARIES = $(LIB_COMMON)
lib_libcommon_a_SOURCES = \
Expand All @@ -101,7 +102,7 @@ lib_libcommon_a_SOURCES = \
tools_tpm2_create_SOURCES = tools/tpm2_create.c tools/main.c
tools_tpm2_createprimary_SOURCES = tools/tpm2_createprimary.c tools/main.c
tools_tpm2_dump_capability_SOURCES = tools/tpm2_dump_capability.c tools/main.c
tools_tpm2_listpcrs_SOURCES = tools/tpm2_listpcrs.c tools/main.c
tools_tpm2_pcrlist_SOURCES = tools/tpm2_pcrlist.c tools/main.c
tools_tpm2_listpersistent_SOURCES = tools/tpm2_listpersistent.c tools/main.c
tools_tpm2_load_SOURCES = tools/tpm2_load.c tools/main.c
tools_tpm2_send_command_SOURCES = tools/tpm2_send_command.c tools/main.c
Expand Down Expand Up @@ -137,6 +138,7 @@ tools_tpm2_sign_SOURCES = tools/tpm2_sign.c tools/main.c
tools_tpm2_unseal_SOURCES = tools/tpm2_unseal.c tools/main.c
tools_tpm2_dictionarylockout_SOURCES = tools/tpm2_dictionarylockout.c tools/main.c
tools_tpm2_createpolicy_SOURCES = tools/tpm2_createpolicy.c tools/main.c
tools_tpm2_pcrextend_SOURCES = tools/tpm2_pcrextend.c tools/main.c

# rc_decode does not use common main, since it does not need a dynamic TCTI.
tools_tpm2_rc_decode_SOURCES = lib/rc-decode.c tools/tpm2_rc_decode.c
Expand Down Expand Up @@ -193,7 +195,7 @@ man8_MANS = \
man/man8/tpm2_dump_capability.8 \
man/man8/tpm2_send_command.8 \
man/man8/tpm2_startup.8 \
man/man8/tpm2_listpcrs.8 \
man/man8/tpm2_pcrlist.8 \
man/man8/tpm2_quote.8 \
man/man8/tpm2_takeownership.8 \
man/man8/tpm2_getpubek.8 \
Expand Down Expand Up @@ -226,7 +228,8 @@ man8_MANS = \
man/man8/tpm2_listpersistent.8 \
man/man8/tpm2_rc_decode.8 \
man/man8/tpm2_dictionarylockout.8 \
man/man8/tpm2_createpolicy.8
man/man8/tpm2_createpolicy.8 \
man/man8/tpm2_pcrextend.8

man/man8/%.8 : man/%.8.in man/common-options.troff man/tcti-options.troff man/tcti-environment.troff man/alg-common.troff man/hash-alg-common.troff man/object-alg-common.troff man/sign-alg-common.troff
rm -f $@
Expand Down
180 changes: 180 additions & 0 deletions lib/tpm2_alg_util.c
View file
Expand Up @@ -4,6 +4,9 @@

#include <sapi/tpm20.h>

#include "files.h"
#include "log.h"
#include "tpm_hash.h"
#include "tpm2_alg_util.h"
#include "tpm2_util.h"

Expand Down Expand Up @@ -120,3 +123,180 @@ TPM_ALG_ID tpm2_alg_util_from_optarg(char *optarg) {
}
return halg;
}

bool tpm2_alg_util_is_hash_alg(TPM_ALG_ID id) {

switch (id) {
case TPM_ALG_SHA1 :
/* fallsthrough */
case TPM_ALG_SHA256 :
/* fallsthrough */
case TPM_ALG_SHA384 :
/* fallsthrough */
case TPM_ALG_SHA512 :
/* fallsthrough */
case TPM_ALG_SM3_256 :
return true;
/* no default */
}

return false;
}

static UINT16 hash_alg_size(TPMI_ALG_HASH id) {

switch (id) {
case TPM_ALG_SHA1 :
return SHA1_DIGEST_SIZE;
case TPM_ALG_SHA256 :
return SHA256_DIGEST_SIZE;
case TPM_ALG_SHA384 :
return SHA384_DIGEST_SIZE;
case TPM_ALG_SHA512 :
return SHA512_DIGEST_SIZE;
case TPM_ALG_SM3_256 :
return SM3_256_DIGEST_SIZE;
/* no default */
}

return 0;
}

static const char *hex_to_byte_err(int rc) {

switch (rc) {
case -2:
return "String not even in length";
case -3:
return "Non hex digit found";
case -4:
return "Hex value too big for digest";
}
return "unknown";
}

bool pcr_parse_digest_list(char **argv, int len,
tpm2_pcr_digest_spec *digest_spec) {

/*
* int is chosen because of what is passed in from main, avoids
* sign differences.
* */
int i;
for (i = 0; i < len; i++) {
tpm2_pcr_digest_spec *dspec = &digest_spec[i];

UINT32 count = 0;

/*
* Split <pcr index>:<hash alg>=<hash value>,... on : and separate with null byte, ie:
* <pce index> '\0' <hash alg>'\0'<data>
*
* Start by splitting out the pcr index, and validating it.
*/
char *spec_str = argv[i];
char *pcr_index_str = spec_str;
char *digest_spec_str = strchr(spec_str, ':');
if (!digest_spec_str) {
LOG_ERR("Expecting : in digest spec, not found, got: \"%s\"", spec_str);
return false;
}

*digest_spec_str = '\0';
digest_spec_str++;

bool result = tpm2_util_string_to_uint32(pcr_index_str, &dspec->pcr_index);
if (!result) {
LOG_ERR("Got invalid PCR Index: \"%s\", in digest spec: \"%s\"",
pcr_index_str, spec_str);
return false;
}

/* now that the pcr_index is removed, parse the remaining <hash_name>=<hash_value>,.. */
char *digest_hash_tok;
char *save_ptr = NULL;

/* keep track of digests we have seen */

while ((digest_hash_tok = strtok_r(digest_spec_str, ",", &save_ptr))) {
digest_spec_str = NULL;

if (count >= ARRAY_LEN(dspec->digests.digests)) {
LOG_ERR("Specified too many digests per spec, max is: %zu",
ARRAY_LEN(dspec->digests.digests));
return false;
}

TPMT_HA *d = &dspec->digests.digests[count];

char *stralg = digest_hash_tok;
char *split = strchr(digest_hash_tok, '=');
if (!split) {
LOG_ERR("Expecting = in <hash alg>=<hash value> spec, got: "
"\"%s\"", digest_hash_tok);
return false;
}
*split = '\0';
split++;

char *data = split;

/*
* Convert and validate the hash algorithm. It should be a hash algorithm
*/
TPM_ALG_ID alg = tpm2_alg_util_from_optarg(stralg);
if (alg == TPM_ALG_ERROR) {
LOG_ERR("Could not convert algorithm, got: \"%s\"", stralg);
return false;
}

bool is_hash_alg = tpm2_alg_util_is_hash_alg(alg);
if (!is_hash_alg) {
LOG_ERR("Algorithm is not a hash algorithm, got: \"%s\"",
stralg);
return false;
}

d->hashAlg = alg;

/* fill up the TPMT_HA structure with algorithm and digest */
BYTE *digest_data = (BYTE *) &d->digest;

UINT16 expected_hash_size = hash_alg_size(alg);
/* strip any preceding hex on the data as tpm2_util_hex_to_byte_structure doesn't support it */
bool is_hex = !strncmp("0x", data, 2);
if (is_hex) {
data += 2;
}

UINT16 size = expected_hash_size;
int rc = tpm2_util_hex_to_byte_structure(data, &size,
digest_data);
if (rc) {
LOG_ERR("Error \"%s\" converting hex string as data, got:"
" \"%s\"", hex_to_byte_err(rc), data);
return false;
}

if (expected_hash_size != size) {
LOG_ERR(
"Algorithm \"%s\" expects a size of %u bytes, got: %u",
stralg, expected_hash_size, size);
return false;
}

count++;
}

if (!count) {
LOG_ERR("Missing or invalid <hash alg>=<hash value> spec for pcr:"
" \"%s\"", pcr_index_str);
return false;
}

/* assign count at the end, so count is 0 on error */
dspec->digests.count = count;
}

return true;
}
64 changes: 64 additions & 0 deletions lib/tpm2_alg_util.h
View file
Expand Up @@ -72,4 +72,68 @@ const char *tpm2_alg_util_algtostr(TPM_ALG_ID id);
*/
TPM_ALG_ID tpm2_alg_util_from_optarg(char *optarg);

/**
* Detects if an algorithm is considered a hashing algorithm.
* @param id
* The algorithm id to check.
* @return
* True if it is a hash algorithm, False otherwise.
*/
bool tpm2_alg_util_is_hash_alg(TPM_ALG_ID id);

/**
* Contains the information from parsing an argv style vector of strings for
* pcr digest language specifications.
*/
typedef struct tpm2_pcr_digest_spec tpm2_pcr_digest_spec;
struct tpm2_pcr_digest_spec {
TPML_DIGEST_VALUES digests;
TPMI_DH_PCR pcr_index;
};

/**
* Parses an argv array that contains a digest specification at each location
* within argv.
*
* The digest specification is as follows:
* - A pcr identifier as understood by strtoul with 0 as the base.
* - A colon followed by the algorithm hash specification.
* - The algorithm hash specification is as follows:
* - The algorithm friendly name or raw numerical as understood by
* strtoul with a base of 0.
* - An equals sign
* - The hex hash value,
*
* This all distills to a string that looks like this:
* <pcr index>:<hash alg id>=<hash value>
*
* Example:
* "4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
*
* Note:
* Multiple specifications of PCR and hash are OK. Multiple hashes
* cause the pcr to be extended with both hashes. Multiple same PCR
* values cause the PCR to be extended multiple times. Extension
* is done in order from left to right as specified.
*
* At most 5 hash extensions per PCR entry are supported. This
* is to keep the parser simple.
*
* @param sapi_context
* The system API context for hashing files with the tpm. This can
* be NULL if the argument vector doesn't have a file spec for the hash.
* @param argv
* The argv of digest specifications to parse.
* @param len
* The number of digest specifications to parse.
* @param digests
* An array of tpm2_pcr_digest_spec big enough to hold len items.
* @return
* True if parsing was successful, False otherwise.
* @note
* This function logs errors via LOG_ERR.
*/
bool pcr_parse_digest_list(char **argv, int len,
tpm2_pcr_digest_spec *digest_spec);

#endif /* LIB_TPM2_ALG_UTIL_H_ */
69 changes: 69 additions & 0 deletions man/tpm2_pcrextend.8.in
View file
@@ -0,0 +1,69 @@
.\" Copyright (c) 2017, Intel Corporation
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright notice,
.\" this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright notice,
.\" this list of conditions and the following disclaimer in the documentation
.\" and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of Intel Corporation nor the names of its contributors
.\" may be used to endorse or promote products derived from this software without
.\" specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
.\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
.\" THE POSSIBILITY OF SUCH DAMAGE.
.TH tpm2_pcrextend 8 "DECEMBER 2017" Intel "tpm2-tools"
.SH NAME
tpm2_pcrextend\ - Extend PCR(s).
.SH SYNOPSIS
.B tpm2_pcrextend
[ COMMON OPTIONS ] [ TCTI OPTIONS ] [ PCR_DIGEST_SPEC... ]
.PP
.B tpm2_pcrextend
Extends the pcrs with values indicated by PCR_DIGEST_SPEC.

A PCR_DIGEST_SPEC is defined as follows:
- A numerical pcr identifier.
- A colon followed by the algorithm hash specification.
The algorithm hash specification is as follows:
-The algorithm friendly name or raw numerical.
-An equals sign.
-The hex hash value.

Example Digest Specification:
.Dl
4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

Note that multiple specifications of PCR and hash are OK. Multiple hashes
cause the pcr to be extended with both hashes. Multiple same PCR values cause
the PCR to be extended multiple times. Extension is done in order from left to
right as specified. At most 5 hash extensions per PCR entry are supported. This
is to keep the parser simple.

.SH OPTIONS
@COMMON_OPTIONS_INCLUDE@
@TCTI_OPTIONS_INCLUDE@
.SH ENVIRONMENT\@TCTI_ENVIRONMENT_INCLUDE@
.SH EXAMPLES
.PP
.nf
.RS
tpm2_pcrextend 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
tpm2_pcrextend 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15,sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
tpm2_pcrextend 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 7:sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
.RE
.fi