[thirdparty/strongswan.git] / src / libtpmtss / tpm_tss_tss2.c

/*
 * Copyright (C) 2016 Andreas Steffen
 * HSR Hochschule fuer Technik Rapperswil
 *
* This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include "tpm_tss_tss2.h"
#include "tpm_tss_tss2_names.h"

#ifdef TSS_TSS2

#include <asn1/asn1.h>
#include <asn1/oid.h>

#include <tss2/tpm20.h>
#include <tcti/tcti_socket.h>

#define LABEL	"TPM 2.0 -"

typedef struct private_tpm_tss_tss2_t private_tpm_tss_tss2_t;

/**
 * Private data of an tpm_tss_tss2_t object.
 */
struct private_tpm_tss_tss2_t {

	/**
	 * Public tpm_tss_tss2_t interface.
	 */
	tpm_tss_t public;

	/**
	 * TCTI context
	 */
	TSS2_TCTI_CONTEXT *tcti_context;

	/**
	 * SYS context
	 */
	TSS2_SYS_CONTEXT  *sys_context;

	/**
	 * Number of supported algorithms
	 */
	size_t supported_algs_count;

	/**
	 * List of supported algorithms
	 */
	TPM_ALG_ID supported_algs[TPM_PT_ALGORITHM_SET];
};

/**
 * Some symbols required by libtctisocket
 */
FILE *outFp;
uint8_t simulator = 1;

int TpmClientPrintf (uint8_t type, const char *format, ...)
{
    return 0;
}

/**
 * Convert hash algorithm to TPM_ALG_ID
 */
static TPM_ALG_ID hash_alg_to_tpm_alg_id(hash_algorithm_t alg)
{
	switch (alg)
	{
		case HASH_SHA1:
			return TPM_ALG_SHA1;
		case HASH_SHA256:
			return TPM_ALG_SHA256;
		case HASH_SHA384:
			return TPM_ALG_SHA384;
		case HASH_SHA512:
			return TPM_ALG_SHA512;
		default:
			return TPM_ALG_ERROR;
	}
}

/**
 * Check if an algorithm given by its TPM_ALG_ID is supported by the TPM
 */
static bool is_supported_alg(private_tpm_tss_tss2_t *this, TPM_ALG_ID alg_id)
{
	int i;

	if (alg_id == TPM_ALG_ERROR)
	{
		return FALSE;
	}

	for (i = 0; i < this->supported_algs_count; i++)
	{
		if (this->supported_algs[i] == alg_id)
		{
			return TRUE;
		}
	}

	return FALSE;
}

/**
 * Get a list of supported algorithms
 */
static bool get_algs_capability(private_tpm_tss_tss2_t *this)
{
	TPMS_CAPABILITY_DATA cap_data;
	TPMI_YES_NO more_data;
	TPM_ALG_ID alg;
	uint32_t rval, i;
	size_t len = BUF_LEN;
	char buf[BUF_LEN];
	char *pos = buf;
	int written;

	/* get supported algorithms */
	rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM_CAP_ALGS,
						0, TPM_PT_ALGORITHM_SET, &more_data, &cap_data, 0);
	if (rval != TPM_RC_SUCCESS)
	{
		DBG1(DBG_PTS, "%s GetCapability failed for TPM_CAP_ALGS: 0x%06x",
					   LABEL, rval);
		return FALSE;
	}

	/* Number of supported algorithms */
	this->supported_algs_count = cap_data.data.algorithms.count;

	/* store and print supported algorithms */
	for (i = 0; i < this->supported_algs_count; i++)
	{
		alg = cap_data.data.algorithms.algProperties[i].alg;
		this->supported_algs[i] = alg;

		written = snprintf(pos, len, " %N", tpm_alg_id_names, alg);
		if (written < 0 || written >= len)
		{
			break;
		}
		pos += written;
		len -= written;
	}
	DBG2(DBG_PTS, "%s algorithms:%s", LABEL, buf);

	/* get supported ECC curves */
	rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM_CAP_ECC_CURVES,
						0, TPM_PT_LOADED_CURVES, &more_data, &cap_data, 0);
	if (rval != TPM_RC_SUCCESS)
	{
		DBG1(DBG_PTS, "%s GetCapability failed for TPM_ECC_CURVES: 0x%06x",
					   LABEL, rval);
		return FALSE;
	}

	/* reset print buffer */
	pos = buf;
	len = BUF_LEN;

	/* print supported ECC curves */
	for (i = 0; i < cap_data.data.eccCurves.count; i++)
	{
		written = snprintf(pos, len, " %N", tpm_ecc_curve_names,
						   cap_data.data.eccCurves.eccCurves[i]);
		if (written < 0 || written >= len)
		{
			break;
		}
		pos += written;
		len -= written;
	}
	DBG2(DBG_PTS, "%s ECC curves:%s", LABEL, buf);

	return TRUE;
}

/**
 * Initialize TSS context
 */
static bool initialize_context(private_tpm_tss_tss2_t *this)
{
	size_t   tcti_context_size;
	uint32_t sys_context_size;
	uint32_t rval;

	TCTI_SOCKET_CONF rm_if_config = { DEFAULT_HOSTNAME,
									  DEFAULT_RESMGR_TPM_PORT
									};

	TSS2_ABI_VERSION abi_version = { TSSWG_INTEROP,
									 TSS_SAPI_FIRST_FAMILY,
									 TSS_SAPI_FIRST_LEVEL,
									 TSS_SAPI_FIRST_VERSION
								   };

	/* determine size of tcti context */
	rval = InitSocketTcti(NULL, &tcti_context_size, &rm_if_config, 0);
	if (rval != TSS2_RC_SUCCESS)
	{
		DBG1(DBG_PTS, "%s could not get tcti_context size: 0x%06x",
					   LABEL, rval);
		return FALSE;
	}

	/* allocate memory for tcti context */
	this->tcti_context = (TSS2_TCTI_CONTEXT*)malloc(tcti_context_size);

	/* initialize tcti context */
	rval = InitSocketTcti(this->tcti_context, &tcti_context_size,
						  &rm_if_config, 0);
	if (rval != TSS2_RC_SUCCESS)
	{
		DBG1(DBG_PTS, "%s could not get tcti_context: 0x%06x",
					   LABEL, rval);
		return FALSE;
	}

	/* determine size of sys context */
	sys_context_size = Tss2_Sys_GetContextSize(0);

	/* allocate memory for sys context */
	this->sys_context = malloc(sys_context_size);

	/* initialize sys context */
	rval = Tss2_Sys_Initialize(this->sys_context, sys_context_size,
							   this->tcti_context, &abi_version);
	if (rval != TSS2_RC_SUCCESS)
	{
		DBG1(DBG_PTS, "%s could not get sys_context: 0x%06x",
					   LABEL, rval);
		return FALSE;
	}

	/* get a list of supported algorithms and ECC curves */
	return get_algs_capability(this);
}

/**
 * Finalize TSS context
 */
static void finalize_context(private_tpm_tss_tss2_t *this)
{
	if (this->tcti_context)
	{
		TeardownSocketTcti(this->tcti_context);
	}
	if (this->sys_context)
	{
		Tss2_Sys_Finalize(this->sys_context);
		free(this->sys_context);
	}
}

METHOD(tpm_tss_t, get_version, tpm_version_t,
	private_tpm_tss_tss2_t *this)
{
	return TPM_VERSION_2_0;
}

METHOD(tpm_tss_t, get_version_info, chunk_t,
	private_tpm_tss_tss2_t *this)
{
	return chunk_empty;
}

/**
 * read the public key portion of a TSS 2.0 AIK key from NVRAM
 */
bool read_public(private_tpm_tss_tss2_t *this, TPMI_DH_OBJECT handle,
	TPM2B_PUBLIC *public)
{
	uint32_t rval;

	TPM2B_NAME name = { { sizeof(TPM2B_NAME)-2, } };
	TPM2B_NAME qualified_name = { { sizeof(TPM2B_NAME)-2, } };

	TPMS_AUTH_RESPONSE session_data;
	TSS2_SYS_RSP_AUTHS sessions_data;
	TPMS_AUTH_RESPONSE *session_data_array[1];

	session_data_array[0]  = &session_data;
	sessions_data.rspAuths = &session_data_array[0];
	sessions_data.rspAuthsCount = 1;

	/* always send simulator platform command, ignored by true RM */
	PlatformCommand(this->tcti_context ,MS_SIM_POWER_ON );
	PlatformCommand(this->tcti_context, MS_SIM_NV_ON );

	/* read public key for a given object handle from TPM 2.0 NVRAM */
	rval = Tss2_Sys_ReadPublic(this->sys_context, handle, 0, public, &name,
							   &qualified_name, &sessions_data);

	PlatformCommand(this->tcti_context, MS_SIM_POWER_OFF);

	if (rval != TPM_RC_SUCCESS)
	{
		DBG1(DBG_PTS, "%s could not read public key from handle 0x%08x: 0x%06x",
					   LABEL, handle, rval);
		return FALSE;
	}
	return TRUE;
}

METHOD(tpm_tss_t, generate_aik, bool,
	private_tpm_tss_tss2_t *this, chunk_t ca_modulus, chunk_t *aik_blob,
	chunk_t *aik_pubkey, chunk_t *identity_req)
{
	return FALSE;
}

METHOD(tpm_tss_t, get_public, chunk_t,
	private_tpm_tss_tss2_t *this, uint32_t handle)
{
	TPM2B_PUBLIC public = { { 0, } };
	chunk_t aik_blob, aik_pubkey = chunk_empty;

	if (!read_public(this, handle, &public))
	{
		return chunk_empty;
	}

	aik_blob = chunk_create((u_char*)&public, sizeof(public));
	DBG3(DBG_LIB, "%s AIK public key blob: %B", LABEL, &aik_blob);

	/* convert TSS 2.0 AIK public key blot into PKCS#1 format */
	switch (public.t.publicArea.type)
	{
		case TPM_ALG_RSA:
		{
			TPM2B_PUBLIC_KEY_RSA *rsa;
			chunk_t aik_exponent, aik_modulus;

			rsa = &public.t.publicArea.unique.rsa;
			aik_modulus = chunk_create(rsa->t.buffer, rsa->t.size);
			aik_exponent = chunk_from_chars(0x01, 0x00, 0x01);

			/* subjectPublicKeyInfo encoding of AIK RSA key */
			if (!lib->encoding->encode(lib->encoding, PUBKEY_SPKI_ASN1_DER,
					NULL, &aik_pubkey, CRED_PART_RSA_MODULUS, aik_modulus,
					CRED_PART_RSA_PUB_EXP, aik_exponent, CRED_PART_END))
			{
				DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of AIK key "
							  "failed", LABEL);
			}
			break;
		}
		case TPM_ALG_ECC:
		{
			TPMS_ECC_POINT *ecc;
			chunk_t ecc_point;
			uint8_t *pos;

			ecc = &public.t.publicArea.unique.ecc;

			/* allocate space for bit string */
			pos = asn1_build_object(&ecc_point, ASN1_BIT_STRING,
									2 + ecc->x.t.size + ecc->y.t.size);
			/* bit string length is a multiple of octets */
			*pos++ = 0x00;
			/* uncompressed ECC point format */
			*pos++ = 0x04;
			/* copy x coordinate of ECC point */
			memcpy(pos, ecc->x.t.buffer, ecc->x.t.size);
			pos += ecc->x.t.size;
			/* copy y coordinate of ECC point */
			memcpy(pos, ecc->y.t.buffer, ecc->y.t.size);
			/* subjectPublicKeyInfo encoding of AIK ECC key */
			aik_pubkey = asn1_wrap(ASN1_SEQUENCE, "mm",
							asn1_wrap(ASN1_SEQUENCE, "mm",
								asn1_build_known_oid(OID_EC_PUBLICKEY),
								asn1_build_known_oid(ecc->x.t.size == 32 ?
										OID_PRIME256V1 : OID_SECT384R1)),
							ecc_point);
			break;
		}
		default:
			DBG1(DBG_PTS, "%s unsupported AIK key type", LABEL);
	}

	return aik_pubkey;
}

METHOD(tpm_tss_t, read_pcr, bool,
	private_tpm_tss_tss2_t *this, uint32_t pcr_num, chunk_t *pcr_value,
	hash_algorithm_t alg)
{
    TPML_PCR_SELECTION  pcr_sel_in, pcr_sel_out;
	TPML_DIGEST pcr_values;
	TPM_ALG_ID alg_id;

	uint32_t pcr_update_counter, rval;
	uint8_t *pcr_value_ptr;
	size_t   pcr_value_len;

	alg_id = hash_alg_to_tpm_alg_id(alg);
	if (!is_supported_alg(this, alg_id))
	{
		DBG1(DBG_PTS, "%s %N hash algorithm not supported by TPM",
			 LABEL, hash_algorithm_short_names, alg);
		return FALSE;
	}

	if (pcr_num >= PLATFORM_PCR)
	{
		DBG1(DBG_PTS, "%s maximum number of supported PCR is %d",
					   LABEL, PLATFORM_PCR);
		return FALSE;
	}

	/* initialize the PCR Selection structure */
	pcr_sel_in.count = 1;
	pcr_sel_in.pcrSelections[0].hash = alg_id;
	pcr_sel_in.pcrSelections[0].sizeofSelect = 3;
	pcr_sel_in.pcrSelections[0].pcrSelect[0] = 0;
	pcr_sel_in.pcrSelections[0].pcrSelect[1] = 0;
	pcr_sel_in.pcrSelections[0].pcrSelect[2] = 0;

	/* set the desired PCR */
	pcr_sel_in.pcrSelections[0].pcrSelect[pcr_num / 8] = 1 << (pcr_num % 8);

	/* initialize the PCR Digest structure */
	memset(&pcr_values, 0, sizeof(TPML_DIGEST));

	/* read the PCR value */
	rval = Tss2_Sys_PCR_Read(this->sys_context, 0, &pcr_sel_in,
				&pcr_update_counter, &pcr_sel_out, &pcr_values, 0);
	if (rval != TPM_RC_SUCCESS)
	{
		DBG1(DBG_PTS, "%s PCR bank could not be read: 0x%60x",
					   LABEL, rval);
		return FALSE;
	}
	pcr_value_ptr = (uint8_t *)pcr_values.digests[0].t.buffer;
	pcr_value_len = (size_t)   pcr_values.digests[0].t.size;

	*pcr_value = chunk_clone(chunk_create(pcr_value_ptr, pcr_value_len));

	return TRUE;
}

METHOD(tpm_tss_t, extend_pcr, bool,
	private_tpm_tss_tss2_t *this, uint32_t pcr_num, chunk_t *pcr_value,
	chunk_t data, hash_algorithm_t alg)
{
	/* TODO */
	return FALSE;
}

METHOD(tpm_tss_t, quote, bool,
	private_tpm_tss_tss2_t *this, uint32_t aik_handle, uint32_t pcr_sel,
	hash_algorithm_t alg, chunk_t data, tpm_quote_mode_t mode, chunk_t *pcr_comp,
	chunk_t *quote_sig)
{
	/* TODO */
	return FALSE;
}

METHOD(tpm_tss_t, destroy, void,
	private_tpm_tss_tss2_t *this)
{
	finalize_context(this);
	free(this);
}

/**
 * See header
 */
tpm_tss_t *tpm_tss_tss2_create()
{
	private_tpm_tss_tss2_t *this;
	bool available;

	INIT(this,
		.public = {
			.get_version = _get_version,
			.get_version_info = _get_version_info,
			.generate_aik = _generate_aik,
			.get_public = _get_public,
			.read_pcr = _read_pcr,
			.extend_pcr = _extend_pcr,
			.quote = _quote,
			.destroy = _destroy,
		},
	);

	available = initialize_context(this);
	DBG1(DBG_PTS, "TPM 2.0 via TSS2 %savailable", available ? "" : "not ");

	if (!available)
	{
		destroy(this);
		return NULL;
	}
	return &this->public;
}

#else /* TSS_TSS2 */

tpm_tss_t *tpm_tss_tss2_create()
{
	return NULL;
}

#endif /* TSS_TSS2 */
Commit	Line	Data
c08753bd AS	1	/*
	2	* Copyright (C) 2016 Andreas Steffen
	3	* HSR Hochschule fuer Technik Rapperswil
	4	*
	5	* This program is free software; you can redistribute it and/or modify it
	6	* under the terms of the GNU General Public License as published by the
	7	* Free Software Foundation; either version 2 of the License, or (at your
	8	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	9	*
	10	* This program is distributed in the hope that it will be useful, but
	11	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	12	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	13	* for more details.
	14	*/
	15
	16	#include "tpm_tss_tss2.h"
8301dc85	17	#include "tpm_tss_tss2_names.h"
c08753bd AS	18
	19	#ifdef TSS_TSS2
	20
	21	#include <asn1/asn1.h>
	22	#include <asn1/oid.h>
	23
	24	#include <tss2/tpm20.h>
	25	#include <tcti/tcti_socket.h>
	26
	27	#define LABEL "TPM 2.0 -"
	28
	29	typedef struct private_tpm_tss_tss2_t private_tpm_tss_tss2_t;
	30
	31	/**
	32	* Private data of an tpm_tss_tss2_t object.
	33	*/
	34	struct private_tpm_tss_tss2_t {
	35
	36	/**
	37	* Public tpm_tss_tss2_t interface.
	38	*/
	39	tpm_tss_t public;
	40
	41	/**
	42	* TCTI context
	43	*/
	44	TSS2_TCTI_CONTEXT *tcti_context;
	45
	46	/**
	47	* SYS context
	48	*/
	49	TSS2_SYS_CONTEXT *sys_context;
	50
bc67802a AS	51	/**
	52	* Number of supported algorithms
	53	*/
	54	size_t supported_algs_count;
	55
	56	/**
	57	* List of supported algorithms
	58	*/
	59	TPM_ALG_ID supported_algs[TPM_PT_ALGORITHM_SET];
c08753bd AS	60	};
	61
	62	/**
	63	* Some symbols required by libtctisocket
	64	*/
	65	FILE *outFp;
	66	uint8_t simulator = 1;
	67
	68	int TpmClientPrintf (uint8_t type, const char *format, ...)
	69	{
	70	return 0;
	71	}
	72
bc67802a AS	73	/**
	74	* Convert hash algorithm to TPM_ALG_ID
	75	*/
	76	static TPM_ALG_ID hash_alg_to_tpm_alg_id(hash_algorithm_t alg)
	77	{
	78	switch (alg)
	79	{
	80	case HASH_SHA1:
	81	return TPM_ALG_SHA1;
	82	case HASH_SHA256:
	83	return TPM_ALG_SHA256;
	84	case HASH_SHA384:
	85	return TPM_ALG_SHA384;
	86	case HASH_SHA512:
	87	return TPM_ALG_SHA512;
	88	default:
	89	return TPM_ALG_ERROR;
	90	}
	91	}
	92
	93	/**
	94	* Check if an algorithm given by its TPM_ALG_ID is supported by the TPM
	95	*/
	96	static bool is_supported_alg(private_tpm_tss_tss2_t *this, TPM_ALG_ID alg_id)
	97	{
	98	int i;
	99
	100	if (alg_id == TPM_ALG_ERROR)
	101	{
	102	return FALSE;
	103	}
	104
	105	for (i = 0; i < this->supported_algs_count; i++)
	106	{
	107	if (this->supported_algs[i] == alg_id)
	108	{
	109	return TRUE;
	110	}
	111	}
	112
	113	return FALSE;
	114	}
	115
8301dc85 AS	116	/**
	117	* Get a list of supported algorithms
	118	*/
	119	static bool get_algs_capability(private_tpm_tss_tss2_t *this)
	120	{
	121	TPMS_CAPABILITY_DATA cap_data;
	122	TPMI_YES_NO more_data;
bc67802a	123	TPM_ALG_ID alg;
8301dc85 AS	124	uint32_t rval, i;
	125	size_t len = BUF_LEN;
	126	char buf[BUF_LEN];
	127	char *pos = buf;
	128	int written;
	129
	130	/* get supported algorithms */
	131	rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM_CAP_ALGS,
	132	0, TPM_PT_ALGORITHM_SET, &more_data, &cap_data, 0);
	133	if (rval != TPM_RC_SUCCESS)
	134	{
	135	DBG1(DBG_PTS, "%s GetCapability failed for TPM_CAP_ALGS: 0x%06x",
	136	LABEL, rval);
	137	return FALSE;
	138	}
	139
bc67802a AS	140	/* Number of supported algorithms */
	141	this->supported_algs_count = cap_data.data.algorithms.count;
	142
	143	/* store and print supported algorithms */
	144	for (i = 0; i < this->supported_algs_count; i++)
8301dc85	145	{
bc67802a AS	146	alg = cap_data.data.algorithms.algProperties[i].alg;
	147	this->supported_algs[i] = alg;
	148
	149	written = snprintf(pos, len, " %N", tpm_alg_id_names, alg);
8301dc85 AS	150	if (written < 0 \|\| written >= len)
	151	{
	152	break;
	153	}
	154	pos += written;
	155	len -= written;
	156	}
	157	DBG2(DBG_PTS, "%s algorithms:%s", LABEL, buf);
	158
	159	/* get supported ECC curves */
	160	rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM_CAP_ECC_CURVES,
	161	0, TPM_PT_LOADED_CURVES, &more_data, &cap_data, 0);
	162	if (rval != TPM_RC_SUCCESS)
	163	{
	164	DBG1(DBG_PTS, "%s GetCapability failed for TPM_ECC_CURVES: 0x%06x",
	165	LABEL, rval);
	166	return FALSE;
	167	}
	168
	169	/* reset print buffer */
	170	pos = buf;
	171	len = BUF_LEN;
	172
	173	/* print supported ECC curves */
	174	for (i = 0; i < cap_data.data.eccCurves.count; i++)
	175	{
	176	written = snprintf(pos, len, " %N", tpm_ecc_curve_names,
	177	cap_data.data.eccCurves.eccCurves[i]);
	178	if (written < 0 \|\| written >= len)
	179	{
	180	break;
	181	}
	182	pos += written;
	183	len -= written;
	184	}
	185	DBG2(DBG_PTS, "%s ECC curves:%s", LABEL, buf);
	186
	187	return TRUE;
	188	}
	189
c08753bd AS	190	/**
	191	* Initialize TSS context
	192	*/
	193	static bool initialize_context(private_tpm_tss_tss2_t *this)
	194	{
	195	size_t tcti_context_size;
	196	uint32_t sys_context_size;
	197	uint32_t rval;
	198
	199	TCTI_SOCKET_CONF rm_if_config = { DEFAULT_HOSTNAME,
	200	DEFAULT_RESMGR_TPM_PORT
	201	};
	202
	203	TSS2_ABI_VERSION abi_version = { TSSWG_INTEROP,
	204	TSS_SAPI_FIRST_FAMILY,
	205	TSS_SAPI_FIRST_LEVEL,
	206	TSS_SAPI_FIRST_VERSION
	207	};
	208
	209	/* determine size of tcti context */
	210	rval = InitSocketTcti(NULL, &tcti_context_size, &rm_if_config, 0);
	211	if (rval != TSS2_RC_SUCCESS)
	212	{
	213	DBG1(DBG_PTS, "%s could not get tcti_context size: 0x%06x",
	214	LABEL, rval);
	215	return FALSE;
	216	}
	217
	218	/* allocate memory for tcti context */
	219	this->tcti_context = (TSS2_TCTI_CONTEXT*)malloc(tcti_context_size);
	220
	221	/* initialize tcti context */
	222	rval = InitSocketTcti(this->tcti_context, &tcti_context_size,
	223	&rm_if_config, 0);
	224	if (rval != TSS2_RC_SUCCESS)
	225	{
	226	DBG1(DBG_PTS, "%s could not get tcti_context: 0x%06x",
	227	LABEL, rval);
	228	return FALSE;
	229	}
	230
	231	/* determine size of sys context */
	232	sys_context_size = Tss2_Sys_GetContextSize(0);
	233
	234	/* allocate memory for sys context */
	235	this->sys_context = malloc(sys_context_size);
	236
	237	/* initialize sys context */
	238	rval = Tss2_Sys_Initialize(this->sys_context, sys_context_size,
	239	this->tcti_context, &abi_version);
	240	if (rval != TSS2_RC_SUCCESS)
	241	{
	242	DBG1(DBG_PTS, "%s could not get sys_context: 0x%06x",
	243	LABEL, rval);
	244	return FALSE;
	245	}
8301dc85 AS	246
	247	/* get a list of supported algorithms and ECC curves */
	248	return get_algs_capability(this);
c08753bd AS	249	}
	250
	251	/**
	252	* Finalize TSS context
	253	*/
	254	static void finalize_context(private_tpm_tss_tss2_t *this)
	255	{
	256	if (this->tcti_context)
	257	{
	258	TeardownSocketTcti(this->tcti_context);
	259	}
	260	if (this->sys_context)
	261	{
	262	Tss2_Sys_Finalize(this->sys_context);
	263	free(this->sys_context);
	264	}
	265	}
	266
	267	METHOD(tpm_tss_t, get_version, tpm_version_t,
	268	private_tpm_tss_tss2_t *this)
	269	{
	270	return TPM_VERSION_2_0;
	271	}
	272
fedc6769 AS	273	METHOD(tpm_tss_t, get_version_info, chunk_t,
	274	private_tpm_tss_tss2_t *this)
	275	{
	276	return chunk_empty;
	277	}
	278
c08753bd AS	279	/**
	280	* read the public key portion of a TSS 2.0 AIK key from NVRAM
	281	*/
	282	bool read_public(private_tpm_tss_tss2_t *this, TPMI_DH_OBJECT handle,
	283	TPM2B_PUBLIC *public)
	284	{
	285	uint32_t rval;
	286
	287	TPM2B_NAME name = { { sizeof(TPM2B_NAME)-2, } };
	288	TPM2B_NAME qualified_name = { { sizeof(TPM2B_NAME)-2, } };
	289
	290	TPMS_AUTH_RESPONSE session_data;
	291	TSS2_SYS_RSP_AUTHS sessions_data;
	292	TPMS_AUTH_RESPONSE *session_data_array[1];
	293
	294	session_data_array[0] = &session_data;
	295	sessions_data.rspAuths = &session_data_array[0];
	296	sessions_data.rspAuthsCount = 1;
	297
	298	/* always send simulator platform command, ignored by true RM */
	299	PlatformCommand(this->tcti_context ,MS_SIM_POWER_ON );
	300	PlatformCommand(this->tcti_context, MS_SIM_NV_ON );
	301
	302	/* read public key for a given object handle from TPM 2.0 NVRAM */
	303	rval = Tss2_Sys_ReadPublic(this->sys_context, handle, 0, public, &name,
	304	&qualified_name, &sessions_data);
	305
	306	PlatformCommand(this->tcti_context, MS_SIM_POWER_OFF);
	307
	308	if (rval != TPM_RC_SUCCESS)
	309	{
	310	DBG1(DBG_PTS, "%s could not read public key from handle 0x%08x: 0x%06x",
	311	LABEL, handle, rval);
	312	return FALSE;
	313	}
	314	return TRUE;
	315	}
	316
	317	METHOD(tpm_tss_t, generate_aik, bool,
	318	private_tpm_tss_tss2_t this, chunk_t ca_modulus, chunk_t aik_blob,
	319	chunk_t aik_pubkey, chunk_t identity_req)
	320	{
	321	return FALSE;
	322	}
	323
	324	METHOD(tpm_tss_t, get_public, chunk_t,
	325	private_tpm_tss_tss2_t *this, uint32_t handle)
	326	{
	327	TPM2B_PUBLIC public = { { 0, } };
	328	chunk_t aik_blob, aik_pubkey = chunk_empty;
	329
	330	if (!read_public(this, handle, &public))
	331	{
	332	return chunk_empty;
	333	}
	334
	335	aik_blob = chunk_create((u_char*)&public, sizeof(public));
	336	DBG3(DBG_LIB, "%s AIK public key blob: %B", LABEL, &aik_blob);
	337
	338	/* convert TSS 2.0 AIK public key blot into PKCS#1 format */
	339	switch (public.t.publicArea.type)
	340	{
	341	case TPM_ALG_RSA:
	342	{
343	TPM2B_PUBLIC_KEY_RSA *rsa;
344	chunk_t aik_exponent, aik_modulus;
345
346	rsa = &public.t.publicArea.unique.rsa;
347	aik_modulus = chunk_create(rsa->t.buffer, rsa->t.size);
348	aik_exponent = chunk_from_chars(0x01, 0x00, 0x01);
349
350	/* subjectPublicKeyInfo encoding of AIK RSA key */
351	if (!lib->encoding->encode(lib->encoding, PUBKEY_SPKI_ASN1_DER,
352	NULL, &aik_pubkey, CRED_PART_RSA_MODULUS, aik_modulus,
353	CRED_PART_RSA_PUB_EXP, aik_exponent, CRED_PART_END))
354	{
355	DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of AIK key "
356	"failed", LABEL);
357	}
358	break;
359	}
360	case TPM_ALG_ECC:
361	{
362	TPMS_ECC_POINT *ecc;
363	chunk_t ecc_point;
364	uint8_t *pos;
365
366	ecc = &public.t.publicArea.unique.ecc;
367
368	/* allocate space for bit string */
369	pos = asn1_build_object(&ecc_point, ASN1_BIT_STRING,
370	2 + ecc->x.t.size + ecc->y.t.size);
371	/* bit string length is a multiple of octets */
372	*pos++ = 0x00;
373	/* uncompressed ECC point format */
374	*pos++ = 0x04;
375	/* copy x coordinate of ECC point */
376	memcpy(pos, ecc->x.t.buffer, ecc->x.t.size);
377	pos += ecc->x.t.size;
378	/* copy y coordinate of ECC point */
379	memcpy(pos, ecc->y.t.buffer, ecc->y.t.size);
380	/* subjectPublicKeyInfo encoding of AIK ECC key */
381	aik_pubkey = asn1_wrap(ASN1_SEQUENCE, "mm",
382	asn1_wrap(ASN1_SEQUENCE, "mm",
383	asn1_build_known_oid(OID_EC_PUBLICKEY),
384	asn1_build_known_oid(ecc->x.t.size == 32 ?
385	OID_PRIME256V1 : OID_SECT384R1)),
386	ecc_point);
387	break;
388	}
389	default:
390	DBG1(DBG_PTS, "%s unsupported AIK key type", LABEL);
391	}
392
393	return aik_pubkey;
394	}
395
30d4989a AS	396	METHOD(tpm_tss_t, read_pcr, bool,
	397	private_tpm_tss_tss2_t this, uint32_t pcr_num, chunk_t pcr_value,
	398	hash_algorithm_t alg)
	399	{
bc67802a AS	400	TPML_PCR_SELECTION pcr_sel_in, pcr_sel_out;
	401	TPML_DIGEST pcr_values;
	402	TPM_ALG_ID alg_id;
	403
	404	uint32_t pcr_update_counter, rval;
	405	uint8_t *pcr_value_ptr;
	406	size_t pcr_value_len;
	407
	408	alg_id = hash_alg_to_tpm_alg_id(alg);
	409	if (!is_supported_alg(this, alg_id))
	410	{
	411	DBG1(DBG_PTS, "%s %N hash algorithm not supported by TPM",
	412	LABEL, hash_algorithm_short_names, alg);
	413	return FALSE;
	414	}
	415
	416	if (pcr_num >= PLATFORM_PCR)
	417	{
	418	DBG1(DBG_PTS, "%s maximum number of supported PCR is %d",
	419	LABEL, PLATFORM_PCR);
	420	return FALSE;
	421	}
	422
	423	/* initialize the PCR Selection structure */
	424	pcr_sel_in.count = 1;
	425	pcr_sel_in.pcrSelections[0].hash = alg_id;
	426	pcr_sel_in.pcrSelections[0].sizeofSelect = 3;
	427	pcr_sel_in.pcrSelections[0].pcrSelect[0] = 0;
	428	pcr_sel_in.pcrSelections[0].pcrSelect[1] = 0;
	429	pcr_sel_in.pcrSelections[0].pcrSelect[2] = 0;
	430
	431	/* set the desired PCR */
	432	pcr_sel_in.pcrSelections[0].pcrSelect[pcr_num / 8] = 1 << (pcr_num % 8);
	433
	434	/* initialize the PCR Digest structure */
	435	memset(&pcr_values, 0, sizeof(TPML_DIGEST));
	436
	437	/* read the PCR value */
	438	rval = Tss2_Sys_PCR_Read(this->sys_context, 0, &pcr_sel_in,
	439	&pcr_update_counter, &pcr_sel_out, &pcr_values, 0);
	440	if (rval != TPM_RC_SUCCESS)
	441	{
	442	DBG1(DBG_PTS, "%s PCR bank could not be read: 0x%60x",
	443	LABEL, rval);
	444	return FALSE;
	445	}
	446	pcr_value_ptr = (uint8_t *)pcr_values.digests[0].t.buffer;
	447	pcr_value_len = (size_t) pcr_values.digests[0].t.size;
	448
	449	*pcr_value = chunk_clone(chunk_create(pcr_value_ptr, pcr_value_len));
	450
	451	return TRUE;
30d4989a AS	452	}
	453
	454	METHOD(tpm_tss_t, extend_pcr, bool,
	455	private_tpm_tss_tss2_t this, uint32_t pcr_num, chunk_t pcr_value,
	456	chunk_t data, hash_algorithm_t alg)
	457	{
	458	/* TODO */
	459	return FALSE;
	460	}
	461
	462	METHOD(tpm_tss_t, quote, bool,
	463	private_tpm_tss_tss2_t *this, uint32_t aik_handle, uint32_t pcr_sel,
	464	hash_algorithm_t alg, chunk_t data, tpm_quote_mode_t mode, chunk_t *pcr_comp,
	465	chunk_t *quote_sig)
	466	{
	467	/* TODO */
	468	return FALSE;
	469	}
	470
c08753bd AS	471	METHOD(tpm_tss_t, destroy, void,
	472	private_tpm_tss_tss2_t *this)
	473	{
	474	finalize_context(this);
	475	free(this);
	476	}
	477
	478	/**
	479	* See header
	480	*/
	481	tpm_tss_t *tpm_tss_tss2_create()
	482	{
	483	private_tpm_tss_tss2_t *this;
	484	bool available;
	485
	486	INIT(this,
	487	.public = {
	488	.get_version = _get_version,
fedc6769	489	.get_version_info = _get_version_info,
c08753bd AS	490	.generate_aik = _generate_aik,
c08753bd AS	491	.get_public = _get_public,
30d4989a AS	492	.read_pcr = _read_pcr,
	493	.extend_pcr = _extend_pcr,
	494	.quote = _quote,
c08753bd AS	495	.destroy = _destroy,
	496	},
	497	);
	498
	499	available = initialize_context(this);
	500	DBG1(DBG_PTS, "TPM 2.0 via TSS2 %savailable", available ? "" : "not ");
	501
	502	if (!available)
	503	{
	504	destroy(this);
	505	return NULL;
	506	}
	507	return &this->public;
	508	}
	509
	510	#else /* TSS_TSS2 */
	511
	512	tpm_tss_t *tpm_tss_tss2_create()
	513	{
	514	return NULL;
	515	}
	516
	517	#endif /* TSS_TSS2 */
	518
	519