Showing with 89 additions and 129 deletions.
  1. +13 −4 man/tpm2_getmanufec.1.md
  2. +27 −23 test/system/test_tpm2_getmanufec.sh
  3. +49 −102 tools/tpm2_getmanufec.c
17 changes: 13 additions & 4 deletions man/tpm2_getmanufec.1.md
Expand Up @@ -32,6 +32,9 @@ OPTIONS
* `-P`, `--ekPasswd`=_EK\_PASSWORD_:
specifies the EK password when created (string,optional,default:NULL).

Passwords should follow the password formatting standards, see
section "Password Formatting".

* `-H`, `--handle`=_HANDLE_:
specifies the handle used to make EK persistent (hex).

Expand All @@ -42,7 +45,10 @@ OPTIONS
an algorithm argument.

* `-f`, `--file`=_FILE_:
specifies to readout the EK public without making it persistent.
specifies the file used to save the public portion of EK.

* `-N`, `--NonPersistent`:
specifies to readout the EK public without making it persistent.

* `-O`, `--OfflineProv`:
specifies that the file specifier from `-f` is an EK retrieved from offline
Expand All @@ -57,8 +63,9 @@ OPTIONS
specifies to attempt retrieving the Endorsement Credentials from the
specified TPM manufacturer provisioning server.

* `-X`, `--passwdInHex`:
passwords given by any options are hex format.
* `-U`, `--SSL_NO_VERIFY`:
specifies to attempt connecting with the TPM manufacturer provisioning server
with SSL_NO_VERIFY option.

* `-i`, `--input-session-handle`=_SESSION\_HANDLE_:
Optional Input session handle from a policy session for authorization.
Expand All @@ -68,6 +75,8 @@ OPTIONS

[common tcti options](common/tcti.md)

[password formatting](common/password.md)

[supported public object algorithms](common/object-alg.md)

[algorithm specifiers](common/alg.md)
Expand All @@ -83,7 +92,7 @@ EXAMPLES
--------
```
tpm2_getmanufec -e abc123 -o abc123 -P passwd -H 0x81010001-g 0x01 -O -N -U -E ECcert.bin -f ek.bin -S https://tpm.manufacturer.com/ekcertserver/
tpm2_getmanufec -e 1a1b1c -o 1a1b1c -P 123abc -X -H 0x81010001-g 0x01 -O -N -U -E ECcert.bin -f ek.bin -S https://tpm.manufacturer.com/ekcertserver/
tpm2_getmanufec -e 1a1b1c -o 1a1b1c -P 123abc -H 0x81010001-g 0x01 -O -N -U -E ECcert.bin -f ek.bin -S https://tpm.manufacturer.com/ekcertserver/
```

RETURNS
50 changes: 27 additions & 23 deletions test/system/test_tpm2_getmanufec.sh
Expand Up @@ -31,6 +31,22 @@
# THE POSSIBILITY OF SUCH DAMAGE.
#;**********************************************************************;

handle=0x81000000
opass=abc123
epass=abc123

cleanup() {
rm -f test_ek.pub ECcert.bin ECcert2.bin test_ek.pub
}

trap cleanup EXIT

onerror() {
echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?"
exit 1
}
trap onerror ERR

echo "3a01000001000b00b20003002000837197674484b3f81a90cc8d46a5d724fd52\
d76e06520b64f2a1da1b331469aa000000000000000000000000000000000000\
0000000000000000000000000000000006008000430010000000000000080000\
Expand All @@ -45,39 +61,27 @@ e29dae839f5b4ca0f5de27c9522c23c54e1c2ce57859525118bd4470b18180ee\
f78ae4267bcd0000" | xxd -r -p > test_ek.pub

tpm2_getmanufec -g rsa -O -N -U -E ECcert.bin -f test_ek.pub -S https://ekop.intel.com/ekcertservice/
if [ $? != 0 ];then
echo "tpm2_getmanufec command failed, please check the environment or parameters!"
exit 1
fi

# Test that stdoutput is the same
tpm2_getmanufec -g rsa -O -N -U -f test_ek.pub -S https://ekop.intel.com/ekcertservice/ > ECcert2.bin
if [ $? != 0 ]; then
echo "tpm2_getmanufec to stdout command failed, please check the environment or parameters!"
exit 1
fi

# stdout file should match -E file.
cmp ECcert.bin ECcert2.bin
if [ $? != 0 ]; then
echo "Files produced by tpm2_getmanufec -E and stdout differ, expected to be the same!"
exit 1
fi

# Test providing endorsement password to create EK and owner password to persist.
tpm2_takeownership -c
tpm2_takeownership -o $opass -e $epass

tpm2_getmanufec -H $handle -U -E ECcert2.bin -f test_ek.pub -o $opass -e $epass \
-S https://ekop.intel.com/ekcertservice/

tpm2_listpersistent | grep -q $handle

tpm2_evictcontrol -H $handle -A o -P $opass

if [ $(md5sum ECcert.bin| awk '{ print $1 }') != "56af9eb8a271bbf7ac41b780acd91ff5" ]; then
echo "Failed: retrieving endorsement certificate"
exit 1
else
echo "Successful: retrieving endorsement certificate"
fi

if [ ! -f ECcert.bin ]; then
echo "ECcert.bin File not found!"
else
rm -f ECcert.bin
fi
if [ ! -f test_ek.pub ]; then
echo "ECcert.bin File not found!"
else
rm -f test_ek.pub
fi
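Review bot: cleanup() on the new side only deletes files, so when any step after `tpm2_takeownership -o $opass -e $epass` trips the ERR trap, the owner/endorsement passwords and, if `tpm2_evictcontrol` was never reached, the object persisted at `$handle` are left behind for whatever test runs next. Resetting TPM state in the EXIT trap closes that gap: `tpm2_evictcontrol -H $handle -A o -P $opass 2>/dev/null || true` and `tpm2_takeownership -c || true` before the `rm -f` (the `|| true` matters because the handle is normally already evicted by then; if clearing alone also drops persistent objects, the evictcontrol line can be omitted), and that same `rm -f` lists test_ek.pub twice. Both `tpm2_getmanufec` invocations pass `-U`, so the tool's default TLS-verifying path to ekop.intel.com is never exercised and only the md5sum comparison of ECcert.bin guards the downloaded certificate's integrity; the certificate the persist run writes to ECcert2.bin is not compared at all. The comparison at `if [ $(md5sum ECcert.bin| awk '{ print $1 }') != ... ]` should quote the substitution, `if [ "$(md5sum ECcert.bin | awk '{ print $1 }')" != ... ]`, so an empty result gives a clean failure rather than a `[` syntax error.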