Showing with 58 additions and 22 deletions.

+2 −2 Makefile.am

+6 −1 man/common/pcr.md

+5 −9 man/common/signature.md

+6 −0 man/tpm2_certify.1.md

+8 −3 man/tpm2_pcrlist.1.md

+5 −1 man/tpm2_quote.1.md

+9 −1 man/tpm2_sign.1.md

+17 −5 tools/tpm2_certify.c
diff --git a/Makefile.am b/Makefile.am
@@ -323,8 +323,8 @@ man/man1/%.1 : man/%.1.md $(MARKDOWN_COMMON_DEPS)
 	    -e '/\[pcr bank specifiers\]/d' \
 	    -e '/\[pubkey options\]/r man/common/pubkey.md' \
 	    -e '/\[pubkey options\]/d' \
-	    -e '/\[signature options\]/r man/common/signature.md' \
-	    -e '/\[signature options\]/d' \
+	    -e '/\[signature format specifiers\]/r man/common/signature.md' \
+	    -e '/\[signature format specifiers\]/d' \
 	    < $< | pandoc -s -t man > $@
 
 CLEANFILES = $(man1_MANS)
diff --git a/man/common/pcr.md b/man/common/pcr.md
@@ -14,4 +14,9 @@ For example:
 sha:3,4+sha256:5,6
 ```
 will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6
-from the SHA256 bank.
+from the SHA256 bank.
+
+## Note
+PCR Selections allow for up to 5 hash to pcr selection mappings.
+This is a limitaion in design in the single call to the tpm to
+get the pcr values.
diff --git a/man/common/signature.md b/man/common/signature.md
@@ -1,10 +1,6 @@
-  * **-s**, **--sig**=_TICKET\_FILE_:
+# Signature Format Specifiers
 
-    The signature file, records the signature structure.
-
-  * **-f**, **--format**
-
-    Format selection for the signature output file. 'tss' (the default) will
-    output a binary blob according to the TPM 2.0 specification. 'plain' will
-    output the plain signature data as defined by the used cryptographic
-    algorithm.
+Format selection for the signature output file. **tss** (the default) will
+output a binary blob according to the TPM 2.0 specification and any potential
+compiler padding. The option **plain** will output the plain signature data
+as defined by the used cryptographic algorithm.
diff --git a/man/tpm2_certify.1.md b/man/tpm2_certify.1.md
@@ -54,12 +54,18 @@ These options control the ceritifcation:
   * **-s**, **--sig-file**=_SIG\_FILE_:
     Output file name for the signature data.
 
+  * **-f**, **--format**
+
+    Format selection for the signature output file. See section "Signature Format Specifiers".
+
 [common options](common/options.md)
 
 [common tcti options](common/tcti.md)
 
 [password formatting](common/password.md)
 
+[signature format specifiers](common/signature.md)
+
 # EXAMPLES
 
 ```

diff --git a/man/tpm2_pcrlist.1.md b/man/tpm2_pcrlist.1.md
@@ -12,10 +12,16 @@
 
 # DESCRIPTION
 
-**tpm2_pcrlist**(1) Displays PCR values.
+**tpm2_pcrlist**(1) Displays PCR values. Without any options, **tpm2_pcrlist**
+outputs all pcrs and their hash banks. One can use either the **-g** or **-L**
+mutually exclusive options to filter the output.
 
 # OPTIONS
 
+  * **-f**, **--format**=_FORMAT_:
+    Specify the output format. Valid output formats are:
+    * yaml - output in the YAML file format.
+
   * **-g**, **--algorithm**=_HASH\_ALGORITHM_:
     Only output PCR banks with the given algorithm.
     Algorithms should follow the "formatting standards, see section
@@ -29,15 +35,14 @@
     _PCR\_SELECTION\_LIST_ values should follow the
     pcr bank specifiers standards, see section "PCR Bank Specfiers".
 
-
   * **-s**, **--algs**:
     Output the list of supported algorithms.
 
 [common options](common/options.md)
 
 [common tcti options](common/tcti.md)
 
-[pcr bank specifiers](common/password.md)
+[pcr bank specifiers](common/pcr.md)
 
 [supported hash algorithms](common/hash.md)
 

diff --git a/man/tpm2_quote.1.md b/man/tpm2_quote.1.md
@@ -48,7 +48,9 @@
     message output file, records the quote message that makes up the data that
     is signed by the TPM.
 
-[signature options](common/signature.md)
+  * **-f**, **--format**
+
+    Format selection for the signature output file. See section "Signature Format Specifiers".
 
   * **-q**, **--qualify-data**:
 
@@ -70,6 +72,8 @@
 
 [pcr bank specifiers](common/password.md)
 
+[signature format specifiers](common/signature.md)
+
 # EXAMPLES
 
 ```

diff --git a/man/tpm2_sign.1.md b/man/tpm2_sign.1.md
@@ -50,7 +50,13 @@ data and validation shall indicate that hashed data did not start with
 
     The ticket file, containning the validation structure, optional.
 
-[signature options](common/signature.md)
+  * **-s**, **--sig**=_TICKET\_FILE_:
+
+    The signature file, records the signature structure.
+
+  * **-f**, **--format**
+
+    Format selection for the signature output file. See section "Signature Format Specifiers".
 
   * **-S**, **--input-session-handle**=_SESSION\_HANDLE_:
 
@@ -66,6 +72,8 @@ data and validation shall indicate that hashed data did not start with
 
 [algorithm specifiers](common/alg.md)
 
+[signature format specifiers](common/signature.md)
+
 # EXAMPLES
 
 

diff --git a/tools/tpm2_certify.c b/tools/tpm2_certify.c
@@ -37,6 +37,7 @@
 #include <limits.h>
 #include <sapi/tpm20.h>
 
+#include "conversion.h"
 #include "tpm2_options.h"
 #include "tpm2_password_util.h"
 #include "tpm2_util.h"
@@ -68,16 +69,20 @@ struct tpm_certify_ctx {
         UINT16 s : 1;
         UINT16 C : 1;
         UINT16 c : 1;
+        UINT16 f : 1;
+        UINT16 unused : 6;
     } flags;
     char *context_file;
     char *context_key_file;
+    signature_format sig_fmt;
 };
 
 static tpm_certify_ctx ctx = {
     .cmd_auth = {
         TPMS_AUTH_COMMAND_INIT(TPM_RS_PW),
         TPMS_AUTH_COMMAND_INIT(TPM_RS_PW),
     },
+    .sig_fmt = signature_format_tss,
 };
 
 static bool get_key_type(TSS2_SYS_CONTEXT *sapi_context, TPMI_DH_OBJECT object_handle, TPMI_ALG_PUBLIC *type) {
@@ -196,14 +201,12 @@ static bool certify_and_save_data(TSS2_SYS_CONTEXT *sapi_context) {
 
     /* serialization is safe here, since it's just a byte array */
     result = files_save_bytes_to_file(ctx.file_path.attest,
-            (UINT8 *) certify_info.t.attestationData, certify_info.t.size);
+            certify_info.t.attestationData, certify_info.t.size);
     if (!result) {
         return false;
     }
 
-    /* TODO serialization is not safe here */
-    return files_save_bytes_to_file(ctx.file_path.sig, (UINT8 *) &signature,
-            sizeof(signature));
+    return tpm2_convert_signature(&signature, ctx.sig_fmt, ctx.file_path.sig);
 }
 
 static bool on_option(char key, char *value) {
@@ -283,6 +286,13 @@ static bool on_option(char key, char *value) {
         ctx.context_file = optarg;
         ctx.flags.C = 1;
         break;
+    case 'f':
+        ctx.flags.f = 1;
+        ctx.sig_fmt = tpm2_parse_signature_format(optarg);
+
+        if (ctx.sig_fmt == signature_format_err) {
+            return false;
+        }
     }
 
     return true;
@@ -300,10 +310,12 @@ bool tpm2_tool_onstart(tpm2_options **opts) {
       {"sig-file",      required_argument, NULL, 's'},
       {"obj-context",   required_argument, NULL, 'C'},
       {"key-context",   required_argument, NULL, 'c'},
+      { "format",      required_argument, NULL, 'f' },
       {NULL,           no_argument,       NULL, '\0'}
     };
 
-    *opts = tpm2_options_new("H:k:P:K:g:a:s:C:c:", ARRAY_LEN(topts), topts, on_option, NULL);
+    *opts = tpm2_options_new("H:k:P:K:g:a:s:C:c:f:", ARRAY_LEN(topts), topts,
+            on_option, NULL);
 
     return *opts != NULL;
 }