Showing with 52 additions and 50 deletions.
  1. +52 −50 tools/tpm2_takeownership.c
102 changes: 52 additions & 50 deletions tools/tpm2_takeownership.c
View file
Expand Up @@ -93,8 +93,21 @@ bool clear_hierarchy_auth(takeownership_ctx *ctx) {
return true;
}

static bool change_hierarchy_auth(takeownership_ctx *ctx) {
// helper function to populate the TPM2B_AUTH that we need appropriately
static bool gen_tpm2b_auth(TPM2B_AUTH *passwd, bool is_hex_password,
const char *old_new, const char *description, TPM2B_AUTH *auth)
{
char desc[256];

// unique identifier for error reporting
snprintf(desc, sizeof(desc), "%s %s", old_new, description);

return password_tpm2_util_to_auth(passwd, is_hex_password, desc, auth);
}

static bool change_auth(TSS2_SYS_CONTEXT *sapi_context,
struct password *pwd, bool is_hex_passwords,
const char *desc, TPMI_RH_HIERARCHY_AUTH auth_handle) {
TPM2B_AUTH newAuth;
TPMS_AUTH_COMMAND sessionData = {
.sessionHandle = TPM_RS_PW,
Expand All @@ -109,61 +122,50 @@ static bool change_hierarchy_auth(takeownership_ctx *ctx) {
sessionsData.cmdAuths = &sessionDataArray[0];
sessionsData.cmdAuthsCount = 1;

struct {
TPM2B_AUTH *new_passwd;
TPM2B_AUTH *old_passwd;
TPMI_RH_HIERARCHY_AUTH auth_handle;
char *desc;
} sources[] = {
{
.new_passwd = &ctx->passwords.owner.new,
.old_passwd = &ctx->passwords.owner.old,
.auth_handle = TPM_RH_OWNER,
.desc = "Owner"
},
{
.new_passwd = &ctx->passwords.endorse.new,
.old_passwd = &ctx->passwords.endorse.old,
.auth_handle = TPM_RH_ENDORSEMENT,
.desc = "Endorsement"
},
{
.new_passwd = &ctx->passwords.lockout.new,
.old_passwd = &ctx->passwords.lockout.old,
.auth_handle = TPM_RH_LOCKOUT,
.desc = "Lockout"
}
};
// generate newAuth from the new password
if (!gen_tpm2b_auth(&pwd->new, is_hex_passwords, "new", desc, &newAuth)) {
return false;
}

unsigned i;
for (i = 0; i < ARRAY_LEN(sources); i++) {
// generate our session data HMAC from the old password
if (!gen_tpm2b_auth(&pwd->old, is_hex_passwords, "old", desc, &sessionData.hmac)) {
return false;
}

unsigned j;
for (j = 0; j < 2; j++) {
TPM2B_AUTH *passwd =
j == 0 ? sources[i].new_passwd : sources[i].old_passwd;
TPM2B_AUTH *auth_dest = j == 0 ? &newAuth : &sessionData.hmac;
UINT32 rval = Tss2_Sys_HierarchyChangeAuth(sapi_context,
auth_handle, &sessionsData, &newAuth, 0);
if (rval != TPM_RC_SUCCESS) {
LOG_ERR("Could not change hierarchy for %s. TPM Error:0x%x",
desc, rval);
return false;
}

char desc[256];
snprintf(desc, sizeof(desc), "%s %s",
j == 0 ? "new" : "old", sources[i].desc);
LOG_INFO("Successfully changed hierarchy for %s", desc);

bool result = password_tpm2_util_to_auth(passwd, ctx->is_hex_passwords, desc,
auth_dest);
if (!result) {
return false;
}
}
return true;
}

UINT32 rval = Tss2_Sys_HierarchyChangeAuth(ctx->sapi_context,
sources[i].auth_handle, &sessionsData, &newAuth, 0);
if (rval != TPM_RC_SUCCESS) {
LOG_ERR("Could not change hierarchy for %s. TPM Error:0x%x",
sources[i].desc, rval);
return false;
}
static bool change_hierarchy_auth(takeownership_ctx *ctx) {

LOG_INFO("Successfully changed hierarchy for %s", sources[i].desc);
// change owner auth
if (!change_auth(ctx->sapi_context, &ctx->passwords.owner,
ctx->is_hex_passwords, "Owner", TPM_RH_OWNER))
{
return false;
}

// change endorsement auth
if (!change_auth(ctx->sapi_context, &ctx->passwords.endorse,
ctx->is_hex_passwords, "Endorsement", TPM_RH_ENDORSEMENT))
{
return false;
}

// change lockout auth
if (!change_auth(ctx->sapi_context, &ctx->passwords.lockout,
ctx->is_hex_passwords, "Lockout", TPM_RH_LOCKOUT))
{
return false;
}

return true;
Expand Down