wolfTPM Support for sealing/unsealing based on a PCR that is signed externally

.github/workflows/make-test-swtpm.yml

@@ -1,8 +1,8 @@
-name: Swtpm Build Test
+name: WolfTPM Build Tests
 
 on:
   push:
-    branches: [ '*' ]
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
 
@@ -14,6 +14,7 @@ jobs:
     steps:
 #pull wolfTPM
     - uses: actions/checkout@master
+
 #setup wolfssl
     - uses: actions/checkout@master
       with:
@@ -28,27 +29,95 @@ jobs:
     - name: wolfssl make install
       working-directory: ./wolfssl
       run: sudo make install
+
 #setup ibmswtpm2
     - uses: actions/checkout@master
       with:
         repository: kgoldman/ibmswtpm2
         path: ibmswtpm2
     - name: ibmswtpm2 make
       working-directory: ./ibmswtpm2/src
-      run: make
-#setup wolfTPM
+      run: |
+          make
+          ./tpm_server &
+
+#setup and test defaults (with simulator)
     - name: autogen
       run: ./autogen.sh
     - name: configure
       run: ./configure --enable-swtpm
-    - name: make test
+    - name: make
+      run: make
+    - name: make check
       run: |
-          ./ibmswtpm2/src/tpm_server &
-          sleep 2 && make check && ./examples/native/native_test && ./examples/wrap/wrap_test
+        make check
+        WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh
 
-#test wolfTPM without wolfCrypt
+#test no wolfcrypt
     - name: configure no wolfCrypt
       run: ./configure --enable-swtpm --disable-wolfcrypt
-    - name: make test no wolfCrypt
+    - name: make no wolfCrypt
+      run: make
+    - name: make check no wolfCrypt
+      run: |
+        make check
+        WOLFSSL_PATH=./wolfssl WOLFCRYPT_ENABLE=0  ./examples/run_examples.sh
+
+#test no wrapper
+    - name: configure no wrapper
+      run: ./configure --enable-swtpm --disable-wrapper
+    - name: make no wrapper
+      run: make
+    - name: make check no wrapper
+      run: ./examples/native/native_test
+
+# test small stack
+    - name: configure smallstack
+      run: ./configure --enable-swtpm --enable-smallstack
+    - name: make smallstack
+      run: make
+    - name: make check smallstack
       run: |
-          make check && ./examples/native/native_test && ./examples/wrap/wrap_test
+        make check
+        WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh
+
+# test tislock
+    - name: configure tislock
+      run: ./configure --enable-tislock
+    - name: make tislock
+      run: make
+
+# build debug
+    - name: configure debug
+      run: ./configure --enable-debug
+    - name: make debug
+      run: make
+
+# build verbose
+    - name: configure debug verbose
+      run: ./configure --enable-debug=verbose
+    - name: make debug verbose
+      run: make
+
+# build io
+    - name: configure debug io
+      run: ./configure --enable-debug=io CFLAGS="-DWOLFTPM_DEBUG_TIMEOUT"
+    - name: make debug io
+      run: make
+
+# build advio
+    - name: configure advio
+      run: ./configure --enable-advio
+    - name: make debug io
+      run: make
+
+# capture logs on failure
+    - name: Upload failure logs
+      if: failure()
+      uses: actions/upload-artifact@v3
+      with:
+        name: wolftpm-test-logs
+        path: |
+          run.out
+          test-suite.log
+        retention-days: 5

.gitignore

@@ -48,6 +48,7 @@ examples/pcr/quote
 examples/pcr/read_pcr
 examples/pcr/extend
 examples/pcr/policy
+examples/pcr/policy_sign
 examples/pcr/reset
 examples/timestamp/clock_set
 examples/management/flush
@@ -64,18 +65,17 @@ examples/keygen/external_import
 examples/nvram/store
 examples/nvram/read
 examples/nvram/counter
-examples/nvram/seal_policy_auth_nv
-examples/nvram/seal_policy_auth_nv_external
 examples/gpio/gpio_config
 examples/gpio/gpio_set
 examples/gpio/gpio_read
 examples/gpio/gpio_nuvoton
 examples/seal/seal
 examples/seal/unseal
-examples/seal/seal_policy_auth
 examples/attestation/make_credential
 examples/attestation/activate_credential
 examples/boot/secure_rot
+examples/boot/secret_seal
+examples/boot/secret_unseal
 
 # Generated Cert Files
 certs/ca-*.pem

certs/certreq.sh

@@ -6,9 +6,9 @@ echo Run ./examples/csr/csr first to generate the CSR
 
 # Make sure required CA files exist and are populated
 rm -f ./certs/index.*
-touch ./certs/index.txt 
+touch ./certs/index.txt
 if [ ! -f ./certs/serial ]; then
-	echo 1000 > ./certs/serial
+	echo 3650 > ./certs/serial
 fi
 if [ ! -f ./certs/crlnumber ]; then
 	echo 2000 > ./certs/crlnumber
@@ -25,22 +25,22 @@ if [ "$1" == "clean" ]; then
 
 	# cleanup the ./examples/csr/csr generated
 	rm -f ./certs/tpm-*-cert.csr
-	
+
 	exit 0
 fi
 
 
 # Generate RSA 2048-bit CA
 if [ ! -f ./certs/ca-rsa-key.pem ]; then
 	openssl req -new -newkey rsa:2048 -keyout ./certs/ca-rsa-key.pem -nodes -out ./certs/ca-rsa-cert.csr -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
-    openssl x509 -req -in ./certs/ca-rsa-cert.csr -days 1000 -extfile ./certs/ca-rsa.cnf -extensions v3_ca -signkey ./certs/ca-rsa-key.pem -out ./certs/ca-rsa-cert.pem
+    openssl x509 -req -in ./certs/ca-rsa-cert.csr -days 3650 -extfile ./certs/ca-rsa.cnf -extensions v3_ca -signkey ./certs/ca-rsa-key.pem -out ./certs/ca-rsa-cert.pem
     rm ./certs/ca-rsa-cert.csr
 
 	openssl x509 -in ./certs/ca-rsa-cert.pem -inform PEM -out ./certs/ca-rsa-cert.der -outform DER
 	openssl rsa -in ./certs/ca-rsa-key.pem -inform PEM -out ./certs/ca-rsa-key.der -outform DER
 
 	# generate CRL
-	openssl ca -config ./certs/ca-rsa.cnf -gencrl -crldays 1000 -out ./certs/ca-rsa.crl -keyfile ./certs/ca-rsa-key.pem -cert ./certs/ca-rsa-cert.pem
+	openssl ca -config ./certs/ca-rsa.cnf -gencrl -crldays 3650 -out ./certs/ca-rsa.crl -keyfile ./certs/ca-rsa-key.pem -cert ./certs/ca-rsa-cert.pem
 fi
 
 # Sign RSA certificates
@@ -62,7 +62,7 @@ if [ ! -f ./certs/ca-ecc-key.pem ]; then
 	openssl ec -in ./certs/ca-ecc-key.pem -inform PEM -out ./certs/ca-ecc-key.der -outform DER
 
 	# generate CRL
-	openssl ca -config ./certs/ca-ecc.cnf -gencrl -crldays 1000 -out ./certs/ca-ecc.crl -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem
+	openssl ca -config ./certs/ca-ecc.cnf -gencrl -crldays 3650 -out ./certs/ca-ecc.crl -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem
 fi
 
 

configure.ac

@@ -350,7 +350,8 @@ then
     AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_SMALL_STACK"
 
     # Reduces max packet and buffer sizes to 1024 bytes
-    AM_CFLAGS="$AM_CFLAGS -DMAX_COMMAND_SIZE=1024 -DMAX_RESPONSE_SIZE=1024 -DWOLFTPM2_MAX_BUFFER=1500 -DMAX_DIGEST_BUFFER=973"
+    # RSA KeyGen AES response is 1329 MAX_RESPONSE_SIZE
+    AM_CFLAGS="$AM_CFLAGS -DMAX_COMMAND_SIZE=1024 -DMAX_RESPONSE_SIZE=1350 -DWOLFTPM2_MAX_BUFFER=1500 -DMAX_DIGEST_BUFFER=973"
 
     # If parameter encryption is not used then maximum session count is one
     if test "x$ENABLED_WOLFCRYPT" = "xno"

examples/README.md

@@ -48,7 +48,7 @@ More information about how to test and use PCR attestation can be found in the i
 
 Demonstrates how to create Remote Attestation challenge using the TPM 2.0 and afterwards prepare a response.
 
-Detailed information about using these examples can be found in  [examples/attestation/README.md](./examples/attestation/README.md)
+Detailed information about using these examples can be found in  [examples/attestation/README.md](/examples/attestation/README.md)
 
 `./examples/attestation/make_credential`
 `./examples/attestation/activate_credential`
@@ -80,8 +80,6 @@ This behavior depends on the `sessionAttributes`:
 
 Either one can be set separately or both can be set in one authorization session. This is up to the user (developer).
 
-`./examples/pcr/quote_paramenc`
-
 ## CSR
 
 Generates a Certificate Signing Request for building a certificate based on a TPM key pair.
@@ -450,45 +448,17 @@ mySecretMessage
 
 After a successful unsealing, the data is stored into a new file. If no filename is provided, the `unseal` tool stores the data in `unseal.bin`.
 
-### Sealing data to the TPM with policy authorization
+### Sealing secret based on PCR(s) with policy signed by external key
 
-Data can also be sealed to the TPM, either to NVM or regular, with policy authorization. ./examples/seal/seal\_policy\_auth.c shows an example of how to seal data to the TPM using the wolfTPM2\_SealWithAuthKey function and unseal with wolfTPM2\_UnsealWithAuthSig. These functions call wolfTPM2\_PolicyPCR to add the PCR values to the policyDigest and TPM2\_PolicyAuthorize to sign the digest with either an ecc or rsa key. ./examples/nvram/seal\_policy\_auth\_nv.c is similar but seals to the data to NVM and uses TPM2\_PolicyAuthorizeNV to keep the policyDigest in NVM so it persists in between boots. ./examples/nvram/seal\_policy\_auth\_nv\_external.c works the same way but it shows how to use a key generated from outside wolfTPM, currently only supports ecc256 keys
+See [examples/boot/README.md](/examples/boot/README.md)
+
+
+## Secure Boot
+
+### TPM based root of trust
+
+See [examples/boot/README.md](/examples/boot/README.md)
 
-```
-$ ./examples/seal/seal_policy_auth -ecc -aes 16
-Example for sealing data to the TPM with policy authorization
-	PCR Indicies:16 
-	Use Parameter Encryption: CFB
-wolfTPM2_Init: success
-TPM2_StartAuthSession: sessionHandle 0x3000000
-Loading SRK: Storage 0x81000200 (282 bytes)
-ECC template
-Loaded sealBlob to 0x80000002
-TPM2_StartAuthSession: sessionHandle 0x3000000
-Usealed secret matches!
-
-$ ./examples/nvram/seal_policy_auth_nv -ecc -aes 16
-Example for sealing data to NV memory with policy authorization
-	PCR Indicies:16 
-	Use Parameter Encryption: CFB
-wolfTPM2_Init: success
-TPM2_StartAuthSession: sessionHandle 0x3000000
-Loading SRK: Storage 0x81000200 (282 bytes)
-ECC template
-TPM2_StartAuthSession: sessionHandle 0x3000000
-Usealed secret matches!
-
-$ ./examples/nvram/seal_policy_auth_nv_external -ecc -aes 16
-Warning: Unrecognized option: -ecc
-Example for sealing data to NV memory with policy authorization
-	PCR Indicies:16 
-	Use Parameter Encryption: CFB
-wolfTPM2_Init: success
-Loading SRK: Storage 0x81000200 (282 bytes)
-TPM2_StartAuthSession: sessionHandle 0x3000000
-TPM2_StartAuthSession: sessionHandle 0x3000000
-Usealed secret matches!
-```
 
 ## GPIO Control
 

examples/attestation/activate_credential.c

@@ -57,7 +57,7 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
     WOLFTPM2_KEY *primary = NULL;
     WOLFTPM2_KEYBLOB akKey;
     WOLFTPM2_SESSION tpmSession;
-#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM)
+#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
     FILE *fp;
     int dataSize = 0;
 #endif
@@ -174,7 +174,7 @@ int TPM2_ActivateCredential_Example(void* userCtx, int argc, char *argv[])
     cmdIn.activCred.activateHandle = akKey.handle.hndl;
     cmdIn.activCred.keyHandle = primary->handle.hndl;
     /* Read credential from the user file */
-#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM)
+#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
     fp = XFOPEN(input, "rb");
     if (fp != XBADFILE) {
         dataSize = (int)XFREAD((BYTE*)&cmdIn.activCred.credentialBlob, 1,

examples/attestation/make_credential.c

@@ -59,7 +59,7 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
     WOLFTPM2_KEYBLOB primary;
     WOLFTPM2_HANDLE handle;
     TPM2B_NAME name;
-#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM)
+#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
     FILE *fp;
     int dataSize = 0;
 #endif
@@ -141,7 +141,7 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
     printf("Public key for encryption loaded\n");
     handle.hndl = cmdOut.loadExtOut.objectHandle;
 
-#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM)
+#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
     /* Load AK Name digest */
     fp = XFOPEN("ak.name", "rb");
     if (fp != XBADFILE) {
@@ -170,7 +170,7 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
     }
     printf("TPM2_MakeCredential success\n");
 
-#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM)
+#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
     fp = XFOPEN(output, "wb");
     if (fp != XBADFILE) {
         dataSize = (int)XFWRITE((BYTE*)&cmdOut.makeCred.credentialBlob, 1,