Showing with 36 additions and 35 deletions.
  1. +8 −12 man/tpm2_getmanufec.1.md
  2. +3 −3 test/system/test_tpm2_getmanufec.sh
  3. +25 −20 tools/tpm2_getmanufec.c
20 changes: 8 additions & 12 deletions man/tpm2_getmanufec.1.md
Expand Up @@ -10,7 +10,7 @@ server.

# SYNOPSIS

**tpm2_getmanufec** [*OPTIONS*]
**tpm2_getmanufec** [*OPTIONS*] [*URL*]

# DESCRIPTION

Expand Down Expand Up @@ -41,30 +41,26 @@ server.
object algorithms. See section "Algorithm Specifiers" on how to specify
an algorithm argument.

* **-f**, **--file**=_FILE_:
* **-f**, **--output**=_FILE_:
specifies the file used to save the public portion of EK.

* **-N**, **--NonPersistent**:
* **-N**, **--non-persistent**:
specifies to readout the EK public without making it persistent.

* **-O**, **--OfflineProv**:
* **-O**, **--offline**:
specifies that the file specifier from **-f** is an EK retrieved from offline
platform that needs to be provisioned.

* **-E**, **--ECertFile**=_EC\_CERT\_FILE_:
* **-E**, **--ec-cert**=_EC\_CERT\_FILE_:
Specifies the file used to save the Endorsement Credentials retrieved from
the TPM manufacturer provisioning server. Defaults to stdout if not
specified.

* **-S**, **--EKserverAddr**=_SERVER\_ADDRESS_:
specifies to attempt retrieving the Endorsement Credentials from the
specified TPM manufacturer provisioning server.

* **-U**, **--SSL_NO_VERIFY**:
specifies to attempt connecting with the TPM manufacturer provisioning server
with SSL_NO_VERIFY option.

* **-i**, **--input-session-handle**=_SESSION\_HANDLE_:
* **-S**, **--input-session-handle**=_SESSION\_HANDLE_:
Optional Input session handle from a policy session for authorization.


Expand All @@ -87,8 +83,8 @@ provided by setting the curl mode verbose, see:
# EXAMPLES

```
tpm2_getmanufec -e abc123 -o abc123 -P passwd -H 0x81010001-g 0x01 -O -N -U -E ECcert.bin -f ek.bin -S https://tpm.manufacturer.com/ekcertserver/
tpm2_getmanufec -e 1a1b1c -o 1a1b1c -P 123abc -H 0x81010001-g 0x01 -O -N -U -E ECcert.bin -f ek.bin -S https://tpm.manufacturer.com/ekcertserver/
tpm2_getmanufec -e abc123 -o abc123 -P passwd -H 0x81010001-g 0x01 -O -N -U -E ECcert.bin -f ek.bin https://tpm.manufacturer.com/ekcertserver/
tpm2_getmanufec -e 1a1b1c -o 1a1b1c -P 123abc -H 0x81010001-g 0x01 -O -N -U -E ECcert.bin -f ek.bin https://tpm.manufacturer.com/ekcertserver/
```

# RETURNS
6 changes: 3 additions & 3 deletions test/system/test_tpm2_getmanufec.sh
Expand Up @@ -60,10 +60,10 @@ d76e06520b64f2a1da1b331469aa000000000000000000000000000000000000\
e29dae839f5b4ca0f5de27c9522c23c54e1c2ce57859525118bd4470b18180ee\
f78ae4267bcd0000" | xxd -r -p > test_ek.pub

tpm2_getmanufec -g rsa -O -N -U -E ECcert.bin -f test_ek.pub -S https://ekop.intel.com/ekcertservice/
tpm2_getmanufec -g rsa -O -N -U -E ECcert.bin -f test_ek.pub https://ekop.intel.com/ekcertservice/

# Test that stdoutput is the same
tpm2_getmanufec -g rsa -O -N -U -f test_ek.pub -S https://ekop.intel.com/ekcertservice/ > ECcert2.bin
tpm2_getmanufec -g rsa -O -N -U -f test_ek.pub https://ekop.intel.com/ekcertservice/ > ECcert2.bin

# stdout file should match -E file.
cmp ECcert.bin ECcert2.bin
Expand All @@ -73,7 +73,7 @@ tpm2_takeownership -c
tpm2_takeownership -o $opass -e $epass

tpm2_getmanufec -H $handle -U -E ECcert2.bin -f test_ek.pub -o $opass -e $epass \
-S https://ekop.intel.com/ekcertservice/
https://ekop.intel.com/ekcertservice/

tpm2_listpersistent | grep -q $handle

45 changes: 25 additions & 20 deletions tools/tpm2_getmanufec.c
Expand Up @@ -441,11 +441,6 @@ int RetrieveEndorsementCredentials(char *b64h)

int TPMinitialProvisioning(void)
{
if (ctx.ek_server_addr == NULL) {
LOG_ERR("TPM Manufacturer Endorsement Credential Server Address cannot be NULL");
return 1;
}

char *b64 = Base64Encode(HashEKPublicKey());
if (!b64) {
LOG_ERR("Base64Encode returned null");
Expand Down Expand Up @@ -520,13 +515,6 @@ static bool on_option(char key, char *value) {
LOG_WARN("TLS communication with the said TPM manufacturer server setup with SSL_NO_VERIFY!");
break;
case 'S':
if (ctx.ek_server_addr) {
LOG_ERR("Multiple specifications of -S");
return false;
}
ctx.ek_server_addr = value;
break;
case 'i':
return_val = tpm2_util_string_to_uint32(value, &handle);
if (!return_val) {
LOG_ERR("Could not convert session handle to number, got: \"%s\"",
Expand All @@ -543,6 +531,18 @@ static bool on_option(char key, char *value) {
return true;
}

static bool on_args(int argc, char **argv) {

if (argc > 1) {
LOG_ERR("Only supports one remote server url, got: %d", argc);
return false;
}

ctx.ek_server_addr = argv[0];

return true;
}

bool tpm2_tool_onstart(tpm2_options **opts) {

const struct option topts[] =
Expand All @@ -552,16 +552,16 @@ bool tpm2_tool_onstart(tpm2_options **opts) {
{ "handle" , 1, NULL, 'H' },
{ "ek-passwd" , 1, NULL, 'P' },
{ "alg" , 1, NULL, 'g' },
{ "file" , 1, NULL, 'f' },
{ "NonPersistent", 0, NULL, 'N' },
{ "OfflineProv" , 0, NULL, 'O' },
{ "ECcertFile" , 1, NULL, 'E' },
{ "EKserverAddr" , 1, NULL, 'S' },
{ "SSL_NO_VERIFY", 0, NULL, 'U' },
{"input-session-handle",1,NULL,'i'},
{ "output" , 1, NULL, 'f' },
{ "non-persistent", 0, NULL, 'N' },
{ "offline" , 0, NULL, 'O' },
{ "ec-cert" , 1, NULL, 'E' },
{ "SSL-NO-VERIFY" , 0, NULL, 'U' },
{"input-session-handle",1,NULL,'S'},
};

*opts = tpm2_options_new("e:o:H:P:g:f:NOE:S:i:U", ARRAY_LEN(topts), topts, on_option, NULL);
*opts = tpm2_options_new("e:o:H:P:g:f:NOE:S:i:U", ARRAY_LEN(topts), topts,
on_option, on_args);

return *opts != NULL;
}
Expand All @@ -572,6 +572,11 @@ int tpm2_tool_onrun(TSS2_SYS_CONTEXT *sapi_context, tpm2_option_flags flags) {
int return_val = 1;
int provisioning_return_val = 0;

if (!ctx.ek_server_addr) {
LOG_ERR("Must specify a remote server url!");
return 1;
}

ctx.verbose = flags.verbose;

if (ctx.ec_cert_path) {
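Review bot: The long-option table entry `{"input-session-handle",1,NULL,'S'}` now hands the session handle to `on_option` as `'S'`, but the only handler left in that switch is `case 'i':` — the `case 'S':` label and its server-address body are dropped in the `on_option` hunk — so `--input-session-handle` / `-S`, as the man page now documents it, appears to land in whatever `default:` does instead of the `tpm2_util_string_to_uint32` parsing; the switch and its `default:` lie outside the hunk, so this is inferred from the visible lines. Either rename the label to `case 'S':` (or keep `case 'S':` falling through into `case 'i':`), and drop the now-orphaned `i:` from the getopt string `"e:o:H:P:g:f:NOE:S:i:U"` so a stray `-i` is rejected rather than silently accepted with no long-option equivalent. `on_args` dereferences `argv[0]` after rejecting only `argc > 1`; unless the option framework never calls it with zero positional arguments, add `if (argc < 1) { LOG_ERR("Must specify a remote server url!"); return false; }` before the assignment (the later `if (!ctx.ek_server_addr)` check in `tpm2_tool_onrun` suggests a NULL `argv[0]` may be the expected shape — confirm against the framework). The rename to `"SSL-NO-VERIFY"` in the table also leaves the man page's unchanged `-U, --SSL_NO_VERIFY` entry out of step with the binary.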