Showing with 198 additions and 242 deletions.
  1. +3 −3 Makefile.am
  2. +85 −107 tools/tpm2_takeownership.c
  3. +110 −132 tools/tpm2_unseal.c
6 changes: 3 additions & 3 deletions Makefile.am
Expand Up @@ -63,6 +63,8 @@ bin_PROGRAMS = \
tools/tpm2_getpubek \
tools/tpm2_getrandom \
tools/tpm2_hmac \
tools/tpm2_takeownership \
tools/tpm2_unseal \
tools/tpm2_verifysignature

# NEED TO PORT
Expand All @@ -86,9 +88,7 @@ bin_PROGRAMS = \
# tools/tpm2_rsaencrypt \
# tools/tpm2_send_command \
# tools/tpm2_sign \
# tools/tpm2_startup \
# tools/tpm2_takeownership \
# tools/tpm2_unseal
# tools/tpm2_startup

tcti_src = ""
if HAVE_TCTI_DEV
192 changes: 85 additions & 107 deletions tools/tpm2_takeownership.c
Expand Up @@ -29,20 +29,14 @@
// THE POSSIBILITY OF SUCH DAMAGE.
//**********************************************************************;

#include <stdarg.h>
#include <stdbool.h>

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <limits.h>
#include <ctype.h>
#include <getopt.h>

#include <sapi/tpm20.h>

#include "tpm2_options.h"
#include "log.h"
#include "tpm2_options.h"
#include "tpm2_password_util.h"
#include "tpm2_tool.h"
#include "tpm2_util.h"
Expand All @@ -60,10 +54,16 @@ struct takeownership_ctx {
password endorse;
password lockout;
} passwords;
TSS2_SYS_CONTEXT *sapi_context;

struct {
UINT8 clear_auth : 1;
UINT8 unused : 7;
};
};

bool clear_hierarchy_auth(takeownership_ctx *ctx) {
static takeownership_ctx ctx;

static bool clear_hierarchy_auth(TSS2_SYS_CONTEXT *sapi_context) {

TPMS_AUTH_COMMAND sessionData = {
.sessionHandle = TPM_RS_PW,
Expand All @@ -78,9 +78,9 @@ bool clear_hierarchy_auth(takeownership_ctx *ctx) {
sessionsData.cmdAuths = &sessionDataArray[0];
sessionsData.cmdAuthsCount = 1;

memcpy(&sessionData.hmac, &ctx->passwords.lockout.old, sizeof(ctx->passwords.lockout.old));
memcpy(&sessionData.hmac, &ctx.passwords.lockout.old, sizeof(ctx.passwords.lockout.old));

UINT32 rval = Tss2_Sys_Clear(ctx->sapi_context, TPM_RH_LOCKOUT, &sessionsData, 0);
TPM_RC rval = Tss2_Sys_Clear(sapi_context, TPM_RH_LOCKOUT, &sessionsData, 0);
if (rval != TPM_RC_SUCCESS) {
LOG_ERR("Clearing Failed! TPM error code: 0x%0x", rval);
return false;
Expand Down Expand Up @@ -123,122 +123,100 @@ static bool change_auth(TSS2_SYS_CONTEXT *sapi_context,
return true;
}

static bool change_hierarchy_auth(takeownership_ctx *ctx) {
static bool change_hierarchy_auth(TSS2_SYS_CONTEXT *sapi_context) {

// change owner, endorsement and lockout auth.
return change_auth(ctx->sapi_context, &ctx->passwords.owner,
return change_auth(sapi_context, &ctx.passwords.owner,
"Owner", TPM_RH_OWNER)
&& change_auth(ctx->sapi_context, &ctx->passwords.endorse,
&& change_auth(sapi_context, &ctx.passwords.endorse,
"Endorsement", TPM_RH_ENDORSEMENT)
&& change_auth(ctx->sapi_context, &ctx->passwords.lockout,
&& change_auth(sapi_context, &ctx.passwords.lockout,
"Lockout", TPM_RH_LOCKOUT);
}

static bool init(int argc, char *argv[], char *envp[], takeownership_ctx *ctx,
bool *clear_auth) {

struct option sOpts[] = {
{ "ownerPasswd", required_argument, NULL, 'o' },
{"endorsePasswd", required_argument, NULL, 'e' },
{ "lockPasswd", required_argument, NULL, 'l' },
{ "oldOwnerPasswd", required_argument, NULL, 'O' },
{ "oldEndorsePasswd", required_argument, NULL, 'E' },
{ "oldLockPasswd", required_argument, NULL, 'L' },
{ "clear", no_argument, NULL, 'c' },
{ NULL, no_argument, NULL, '\0' },
};

if (argc == 1) {
execute_man(argv[0], envp);
return false;
}
static bool on_option(char key, char *value) {

if (argc > (int) (2 * sizeof(sOpts) / sizeof(struct option))) {
showArgMismatch(argv[0]);
return false;
}
bool result;

*clear_auth = false;
switch (key) {
case 'c':
ctx.clear_auth = true;
break;

int opt;
bool result;
while ((opt = getopt_long(argc, argv, "o:e:l:O:E:L:c", sOpts, NULL))
!= -1) {

switch (opt) {
case 'c':
*clear_auth = true;
break;

case 'o':
result = tpm2_password_util_from_optarg(optarg, &ctx->passwords.owner.new);
if (!result) {
LOG_ERR("Invalid new owner password, got\"%s\"", optarg);
return false;
}
break;
case 'e':
result = tpm2_password_util_from_optarg(optarg, &ctx->passwords.endorse.new);
if (!result) {
LOG_ERR("Invalid new endorse password, got\"%s\"", optarg);
return false;
}
break;
case 'l':
result = tpm2_password_util_from_optarg(optarg, &ctx->passwords.lockout.new);
if (!result) {
LOG_ERR("Invalid new lockout password, got\"%s\"", optarg);
return false;
}
break;
case 'O':
result = tpm2_password_util_from_optarg(optarg, &ctx->passwords.owner.old);
if (!result) {
LOG_ERR("Invalid current owner password, got\"%s\"", optarg);
return false;
}
break;
case 'E':
result = tpm2_password_util_from_optarg(optarg, &ctx->passwords.endorse.old);
if (!result) {
LOG_ERR("Invalid current endorse password, got\"%s\"", optarg);
return false;
}
break;
case 'L':
result = tpm2_password_util_from_optarg(optarg, &ctx->passwords.lockout.old);
if (!result) {
LOG_ERR("Invalid current lockout password, got\"%s\"", optarg);
return false;
}
break;
case '?':
default:
showArgMismatch(argv[0]);
case 'o':
result = tpm2_password_util_from_optarg(value, &ctx.passwords.owner.new);
if (!result) {
LOG_ERR("Invalid new owner password, got\"%s\"", optarg);
return false;
}
break;
case 'e':
result = tpm2_password_util_from_optarg(value, &ctx.passwords.endorse.new);
if (!result) {
LOG_ERR("Invalid new endorse password, got\"%s\"", optarg);
return false;
}
break;
case 'l':
result = tpm2_password_util_from_optarg(value, &ctx.passwords.lockout.new);
if (!result) {
LOG_ERR("Invalid new lockout password, got\"%s\"", optarg);
return false;
}
break;
case 'O':
result = tpm2_password_util_from_optarg(value, &ctx.passwords.owner.old);
if (!result) {
LOG_ERR("Invalid current owner password, got\"%s\"", optarg);
return false;
}
break;
case 'E':
result = tpm2_password_util_from_optarg(value, &ctx.passwords.endorse.old);
if (!result) {
LOG_ERR("Invalid current endorse password, got\"%s\"", optarg);
return false;
}
break;
case 'L':
result = tpm2_password_util_from_optarg(value, &ctx.passwords.lockout.old);
if (!result) {
LOG_ERR("Invalid current lockout password, got\"%s\"", optarg);
return false;
}
break;
/*no default */
}

return true;
}

int execute_tool(int argc, char *argv[], char *envp[], common_opts_t *opts,
TSS2_SYS_CONTEXT *sapi_context) {
bool tpm2_tool_onstart(tpm2_options **opts) {

struct option topts[] = {
{ "ownerPasswd", required_argument, NULL, 'o' },
{"endorsePasswd", required_argument, NULL, 'e' },
{ "lockPasswd", required_argument, NULL, 'l' },
{ "oldOwnerPasswd", required_argument, NULL, 'O' },
{ "oldEndorsePasswd", required_argument, NULL, 'E' },
{ "oldLockPasswd", required_argument, NULL, 'L' },
{ "clear", no_argument, NULL, 'c' },
{ NULL, no_argument, NULL, '\0' },
};

/* opts is unused */
(void) opts;
*opts = tpm2_options_new("o:e:l:O:E:L:c", ARRAY_LEN(topts), topts,
on_option, NULL);

takeownership_ctx ctx = {
.sapi_context = sapi_context,
};
return *opts != NULL;
}

bool clear_auth = false;
bool result = init(argc, argv, envp, &ctx, &clear_auth);
if (!result) {
return 1;
}
int tpm2_tool_onrun(TSS2_SYS_CONTEXT *sapi_context, tpm2_option_flags flags) {

UNUSED(flags);

int rc = (clear_auth ? clear_hierarchy_auth(&ctx) : change_hierarchy_auth(&ctx));
bool result = (ctx.clear_auth ? clear_hierarchy_auth(sapi_context)
: change_hierarchy_auth(sapi_context));

/* true is success, coerce to 0 for program success */
return rc == false;
return result == false;
}
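Review bot: The six LOG_ERR calls in on_option still print `optarg` even though the callback now receives the option text as its `value` parameter; `optarg` is getopt's global, so if tpm2_options dispatches the callback anywhere other than inside its own getopt_long loop, or after a later option has been consumed, the message will show the wrong string (and it appears to rely on tpm2_options.h pulling in getopt.h now that the direct include is gone — worth confirming). More to the point, the string being echoed is a hierarchy password, so a mistyped `-o`, `-O`, etc. writes the secret to stderr and to any log that captures it; since the user already knows what they typed, the message can drop the value entirely, e.g. `LOG_ERR("Invalid new owner password");` with the same change for the endorse, lockout and old-password cases. If echoing the input is wanted for debugging, at least use `value` rather than `optarg`. Separately, the old init() rejected argc above twice the option-table size; there is no visible replacement in this hunk, so presumably tpm2_options_new enforces the bound — also worth confirming.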