Example for Secure Boot solution to store root of trust in NV #276

Merged
merged 9 commits into from Aug 10, 2023

@dgarske dgarske commented Jul 6, 2023

  • TPM based root of trust for secure boot. Provides authentication and tamper protection.
  • Fixed uses of arg= in examples
  • Add support for encrypting secret using ECC key. Allows using ECC for parameter encryption and importing ECC keys with custom seed. Requires "Enable math API's for wolfTPM" (wolfssl#6683).
  • Add support for NV lock.
  • Cleanup wrapper function order/groups.
  • Added wolfTPM2_ChangePlatformAuth wrapper to help set the platform auth. This is useful from the bootloader to make sure no one can use the platform hierarchy from application.
  • Sanitize the IO TX/RX buffers (make sure they are zero initialized).
  • Fixes for building with NO_HMAC.
  • Update wolfSSL test certs.
  • Added TPM_TIS_MAX_WAIT.
  • Fix build with WOLFTPM_DEBUG_VERBOSE only.

@dgarske dgarske self-assigned this Jul 6, 2023
@dgarske dgarske force-pushed the secure_rot branch 2 times, most recently from 3a6d7b1 to 1107654 Compare July 20, 2023 20:44
@dgarske dgarske force-pushed the secure_rot branch 3 times, most recently from a99b5a2 to 33f9873 Compare July 28, 2023 18:20
dgarske added a commit to dgarske/wolfBoot that referenced this pull request Aug 7, 2023
* Added TPM SPI wait state support and debug logging.
* Added platform auth ownership (change platform password to random value before boot). Can be disabled using `WOLFBOOT_TPM_NO_CHG_PLAT_AUTH`.
* Added parameter encryption support.
* Added TPM based root of trust based on wolfSSL/wolfTPM#276
* Removed the TPM hashing feature (not practical).
* Fixed RSA with wolfTPM build.
* Fixed cleanup wolfTPM objects on make clean.
@dgarske dgarske marked this pull request as ready for review August 7, 2023 20:18
@dgarske dgarske force-pushed the secure_rot branch 4 times, most recently from 6e3e301 to 7c3e9f1 Compare August 8, 2023 22:50
… parameter encryption and importing ECC keys with custom seed. Requires wolfSSL/wolfssl#6683
@dgarske dgarske assigned jpbland1 and unassigned dgarske Aug 10, 2023

@jpbland1 jpbland1 left a comment

Reviewed and tested, confirmed that the index is locked by running a second time to see the write fail to overwrite the locked index
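
An added illustration, not code from this pull request or from wolfTPM: a small C model of the behaviour the description and the review refer to, where the root-of-trust digest is written to an NV index once, the index is write-locked so a second write fails, and platform auth is changed before handing off to the application. All names are hypothetical, and the model assumes the index is owned by the platform hierarchy and that the lock holds until the index is redefined.

```c
#include <stdint.h>
#include <string.h>

#define DIGEST_SZ 32
#define AUTH_SZ 8
enum { RC_OK, RC_NV_LOCKED, RC_AUTH_FAIL, RC_MISMATCH };

/* Toy model, not wolfTPM: platform auth (empty at reset) and one NV index. */
typedef struct {
    uint8_t plat_auth[AUTH_SZ], nv[DIGEST_SZ];
    int write_locked;
} tpm_model_t;
/* Constant-time compare: no early exit on the first differing byte. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}
/* (Re)defining the index needs platform auth and resets data and lock. */
int nv_define(tpm_model_t *t, const uint8_t *auth) {
    if (!ct_equal(t->plat_auth, auth, AUTH_SZ)) return RC_AUTH_FAIL;
    memset(t->nv, 0, DIGEST_SZ);
    t->write_locked = 0;
    return RC_OK;
}
/* Writes are refused once the index is write-locked. */
int nv_write(tpm_model_t *t, const uint8_t *digest) {
    if (t->write_locked) return RC_NV_LOCKED;
    memcpy(t->nv, digest, DIGEST_SZ);
    return RC_OK;
}
void nv_write_lock(tpm_model_t *t) { t->write_locked = 1; }
/* Bootloader step: replace platform auth before starting the application. */
void change_platform_auth(tpm_model_t *t, const uint8_t *a) { memcpy(t->plat_auth, a, AUTH_SZ); }
/* Boot check: digest of the firmware-signing public key must match NV. */
int boot_verify(const tpm_model_t *t, const uint8_t *key_digest) {
    return ct_equal(t->nv, key_digest, DIGEST_SZ) ? RC_OK : RC_MISMATCH;
}
/* Provision, lock, hand off; returns 0 when every step behaves as expected. */
int run_scenario(void) {
    tpm_model_t t = {0};
    uint8_t empty[AUTH_SZ] = {0}, rnd[AUTH_SZ] = {1,2,3,4,5,6,7,8};  /* constructed */
    uint8_t good[DIGEST_SZ] = {0xA5}, other[DIGEST_SZ] = {0x5A};     /* constructed */
    if (nv_define(&t, empty) || nv_write(&t, good)) return 1;
    nv_write_lock(&t);
    change_platform_auth(&t, rnd);
    if (nv_write(&t, other) != RC_NV_LOCKED) return 2;   /* second run fails */
    if (nv_define(&t, empty) != RC_AUTH_FAIL) return 3;  /* cannot redefine */
    return (boot_verify(&t, good) == RC_OK && boot_verify(&t, other) == RC_MISMATCH) ? 0 : 4;
}
int main(void) { return run_scenario(); }
```

In the model, the lock alone only stops overwrites; changing platform auth is what stops the index from being redefined and rewritten after hand-off.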

@jpbland1 jpbland1 merged commit c349986 into wolfSSL:master Aug 10, 2023
1 check passed
dgarske added a commit to dgarske/wolfBoot that referenced this pull request Aug 10, 2023
dgarske added a commit to dgarske/wolfBoot that referenced this pull request Aug 15, 2023
danielinux pushed a commit to wolfSSL/wolfBoot that referenced this pull request Aug 17, 2023
@dgarske dgarske deleted the secure_rot branch December 29, 2023 17:43