projects / thirdparty / strongswan.git / blame
| Commit | Line | Data |
|---|---|---|
| c08753bd AS |
1 | /* |
| 2 | * Copyright (C) 2016 Andreas Steffen | |
| 3 | * HSR Hochschule fuer Technik Rapperswil | |
| 4 | * | |
| 5 | * This program is free software; you can redistribute it and/or modify it | |
| 6 | * under the terms of the GNU General Public License as published by the | |
| 7 | * Free Software Foundation; either version 2 of the License, or (at your | |
| 8 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
| 9 | * | |
| 10 | * This program is distributed in the hope that it will be useful, but | |
| 11 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
| 12 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
| 13 | * for more details. | |
| 14 | */ | |
| 15 | ||
| 16 | #include "tpm_tss_tss2.h" | |
| 8301dc85 | 17 | #include "tpm_tss_tss2_names.h" |
| c08753bd AS |
18 | |
| 19 | #ifdef TSS_TSS2 | |
| 20 | ||
| 21 | #include <asn1/asn1.h> | |
| 22 | #include <asn1/oid.h> | |
| 23 | ||
| 24 | #include <tss2/tpm20.h> | |
| 25 | #include <tcti/tcti_socket.h> | |
| 26 | ||
| 27 | #define LABEL "TPM 2.0 -" | |
| 28 | ||
| 29 | typedef struct private_tpm_tss_tss2_t private_tpm_tss_tss2_t; | |
| 30 | ||
| 31 | /** | |
| 32 | * Private data of an tpm_tss_tss2_t object. | |
| 33 | */ | |
| 34 | struct private_tpm_tss_tss2_t { | |
| 35 | ||
| 36 | /** | |
| 37 | * Public tpm_tss_tss2_t interface. | |
| 38 | */ | |
| 39 | tpm_tss_t public; | |
| 40 | ||
| 41 | /** | |
| 42 | * TCTI context | |
| 43 | */ | |
| 44 | TSS2_TCTI_CONTEXT *tcti_context; | |
| 45 | ||
| 46 | /** | |
| 47 | * SYS context | |
| 48 | */ | |
| 49 | TSS2_SYS_CONTEXT *sys_context; | |
| 50 | ||
| bc67802a AS |
51 | /** |
| 52 | * Number of supported algorithms | |
| 53 | */ | |
| 54 | size_t supported_algs_count; | |
| 55 | ||
| 56 | /** | |
| 57 | * List of supported algorithms | |
| 58 | */ | |
| 59 | TPM_ALG_ID supported_algs[TPM_PT_ALGORITHM_SET]; | |
| c08753bd AS |
60 | }; |
| 61 | ||
| 62 | /** | |
| 63 | * Some symbols required by libtctisocket | |
| 64 | */ | |
| 65 | FILE *outFp; | |
| 66 | uint8_t simulator = 1; | |
| 67 | ||
| 68 | int TpmClientPrintf (uint8_t type, const char *format, ...) | |
| 69 | { | |
| 70 | return 0; | |
| 71 | } | |
| 72 | ||
| bc67802a AS |
73 | /** |
| 74 | * Convert hash algorithm to TPM_ALG_ID | |
| 75 | */ | |
| 76 | static TPM_ALG_ID hash_alg_to_tpm_alg_id(hash_algorithm_t alg) | |
| 77 | { | |
| 78 | switch (alg) | |
| 79 | { | |
| 80 | case HASH_SHA1: | |
| 81 | return TPM_ALG_SHA1; | |
| 82 | case HASH_SHA256: | |
| 83 | return TPM_ALG_SHA256; | |
| 84 | case HASH_SHA384: | |
| 85 | return TPM_ALG_SHA384; | |
| 86 | case HASH_SHA512: | |
| 87 | return TPM_ALG_SHA512; | |
| 88 | default: | |
| 89 | return TPM_ALG_ERROR; | |
| 90 | } | |
| 91 | } | |
| 92 | ||
| 93 | /** | |
| 94 | * Check if an algorithm given by its TPM_ALG_ID is supported by the TPM | |
| 95 | */ | |
| 96 | static bool is_supported_alg(private_tpm_tss_tss2_t *this, TPM_ALG_ID alg_id) | |
| 97 | { | |
| 98 | int i; | |
| 99 | ||
| 100 | if (alg_id == TPM_ALG_ERROR) | |
| 101 | { | |
| 102 | return FALSE; | |
| 103 | } | |
| 104 | ||
| 105 | for (i = 0; i < this->supported_algs_count; i++) | |
| 106 | { | |
| 107 | if (this->supported_algs[i] == alg_id) | |
| 108 | { | |
| 109 | return TRUE; | |
| 110 | } | |
| 111 | } | |
| 112 | ||
| 113 | return FALSE; | |
| 114 | } | |
| 115 | ||
| 8301dc85 AS |
116 | /** |
| 117 | * Get a list of supported algorithms | |
| 118 | */ | |
| 119 | static bool get_algs_capability(private_tpm_tss_tss2_t *this) | |
| 120 | { | |
| 121 | TPMS_CAPABILITY_DATA cap_data; | |
| 122 | TPMI_YES_NO more_data; | |
| bc67802a | 123 | TPM_ALG_ID alg; |
| 8301dc85 AS |
124 | uint32_t rval, i; |
| 125 | size_t len = BUF_LEN; | |
| 126 | char buf[BUF_LEN]; | |
| 127 | char *pos = buf; | |
| 128 | int written; | |
| 129 | ||
| 130 | /* get supported algorithms */ | |
| 131 | rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM_CAP_ALGS, | |
| 132 | 0, TPM_PT_ALGORITHM_SET, &more_data, &cap_data, 0); | |
| 133 | if (rval != TPM_RC_SUCCESS) | |
| 134 | { | |
| 135 | DBG1(DBG_PTS, "%s GetCapability failed for TPM_CAP_ALGS: 0x%06x", | |
| 136 | LABEL, rval); | |
| 137 | return FALSE; | |
| 138 | } | |
| 139 | ||
| bc67802a AS |
140 | /* Number of supported algorithms */ |
| 141 | this->supported_algs_count = cap_data.data.algorithms.count; | |
| 142 | ||
| 143 | /* store and print supported algorithms */ | |
| 144 | for (i = 0; i < this->supported_algs_count; i++) | |
| 8301dc85 | 145 | { |
| bc67802a AS |
146 | alg = cap_data.data.algorithms.algProperties[i].alg; |
| 147 | this->supported_algs[i] = alg; | |
| 148 | ||
| 149 | written = snprintf(pos, len, " %N", tpm_alg_id_names, alg); | |
| 8301dc85 AS |
150 | if (written < 0 || written >= len) |
| 151 | { | |
| 152 | break; | |
| 153 | } | |
| 154 | pos += written; | |
| 155 | len -= written; | |
| 156 | } | |
| 157 | DBG2(DBG_PTS, "%s algorithms:%s", LABEL, buf); | |
| 158 | ||
| 159 | /* get supported ECC curves */ | |
| 160 | rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM_CAP_ECC_CURVES, | |
| 161 | 0, TPM_PT_LOADED_CURVES, &more_data, &cap_data, 0); | |
| 162 | if (rval != TPM_RC_SUCCESS) | |
| 163 | { | |
| 164 | DBG1(DBG_PTS, "%s GetCapability failed for TPM_ECC_CURVES: 0x%06x", | |
| 165 | LABEL, rval); | |
| 166 | return FALSE; | |
| 167 | } | |
| 168 | ||
| 169 | /* reset print buffer */ | |
| 170 | pos = buf; | |
| 171 | len = BUF_LEN; | |
| 172 | ||
| 173 | /* print supported ECC curves */ | |
| 174 | for (i = 0; i < cap_data.data.eccCurves.count; i++) | |
| 175 | { | |
| 176 | written = snprintf(pos, len, " %N", tpm_ecc_curve_names, | |
| 177 | cap_data.data.eccCurves.eccCurves[i]); | |
| 178 | if (written < 0 || written >= len) | |
| 179 | { | |
| 180 | break; | |
| 181 | } | |
| 182 | pos += written; | |
| 183 | len -= written; | |
| 184 | } | |
| 185 | DBG2(DBG_PTS, "%s ECC curves:%s", LABEL, buf); | |
| 186 | ||
| 187 | return TRUE; | |
| 188 | } | |
| 189 | ||
| c08753bd AS |
190 | /** |
| 191 | * Initialize TSS context | |
| 192 | */ | |
| 193 | static bool initialize_context(private_tpm_tss_tss2_t *this) | |
| 194 | { | |
| 195 | size_t tcti_context_size; | |
| 196 | uint32_t sys_context_size; | |
| 197 | uint32_t rval; | |
| 198 | ||
| 199 | TCTI_SOCKET_CONF rm_if_config = { DEFAULT_HOSTNAME, | |
| 200 | DEFAULT_RESMGR_TPM_PORT | |
| 201 | }; | |
| 202 | ||
| 203 | TSS2_ABI_VERSION abi_version = { TSSWG_INTEROP, | |
| 204 | TSS_SAPI_FIRST_FAMILY, | |
| 205 | TSS_SAPI_FIRST_LEVEL, | |
| 206 | TSS_SAPI_FIRST_VERSION | |
| 207 | }; | |
| 208 | ||
| 209 | /* determine size of tcti context */ | |
| 210 | rval = InitSocketTcti(NULL, &tcti_context_size, &rm_if_config, 0); | |
| 211 | if (rval != TSS2_RC_SUCCESS) | |
| 212 | { | |
| 213 | DBG1(DBG_PTS, "%s could not get tcti_context size: 0x%06x", | |
| 214 | LABEL, rval); | |
| 215 | return FALSE; | |
| 216 | } | |
| 217 | ||
| 218 | /* allocate memory for tcti context */ | |
| 219 | this->tcti_context = (TSS2_TCTI_CONTEXT*)malloc(tcti_context_size); | |
| 220 | ||
| 221 | /* initialize tcti context */ | |
| 222 | rval = InitSocketTcti(this->tcti_context, &tcti_context_size, | |
| 223 | &rm_if_config, 0); | |
| 224 | if (rval != TSS2_RC_SUCCESS) | |
| 225 | { | |
| 226 | DBG1(DBG_PTS, "%s could not get tcti_context: 0x%06x", | |
| 227 | LABEL, rval); | |
| 228 | return FALSE; | |
| 229 | } | |
| 230 | ||
| 231 | /* determine size of sys context */ | |
| 232 | sys_context_size = Tss2_Sys_GetContextSize(0); | |
| 233 | ||
| 234 | /* allocate memory for sys context */ | |
| 235 | this->sys_context = malloc(sys_context_size); | |
| 236 | ||
| 237 | /* initialize sys context */ | |
| 238 | rval = Tss2_Sys_Initialize(this->sys_context, sys_context_size, | |
| 239 | this->tcti_context, &abi_version); | |
| 240 | if (rval != TSS2_RC_SUCCESS) | |
| 241 | { | |
| 242 | DBG1(DBG_PTS, "%s could not get sys_context: 0x%06x", | |
| 243 | LABEL, rval); | |
| 244 | return FALSE; | |
| 245 | } | |
| 8301dc85 AS |
246 | |
| 247 | /* get a list of supported algorithms and ECC curves */ | |
| 248 | return get_algs_capability(this); | |
| c08753bd AS |
249 | } |
| 250 | ||
| 251 | /** | |
| 252 | * Finalize TSS context | |
| 253 | */ | |
| 254 | static void finalize_context(private_tpm_tss_tss2_t *this) | |
| 255 | { | |
| 256 | if (this->tcti_context) | |
| 257 | { | |
| 258 | TeardownSocketTcti(this->tcti_context); | |
| 259 | } | |
| 260 | if (this->sys_context) | |
| 261 | { | |
| 262 | Tss2_Sys_Finalize(this->sys_context); | |
| 263 | free(this->sys_context); | |
| 264 | } | |
| 265 | } | |
| 266 | ||
| 267 | METHOD(tpm_tss_t, get_version, tpm_version_t, | |
| 268 | private_tpm_tss_tss2_t *this) | |
| 269 | { | |
| 270 | return TPM_VERSION_2_0; | |
| 271 | } | |
| 272 | ||
| fedc6769 AS |
273 | METHOD(tpm_tss_t, get_version_info, chunk_t, |
| 274 | private_tpm_tss_tss2_t *this) | |
| 275 | { | |
| 276 | return chunk_empty; | |
| 277 | } | |
| 278 | ||
| c08753bd AS |
279 | /** |
| 280 | * read the public key portion of a TSS 2.0 AIK key from NVRAM | |
| 281 | */ | |
| 282 | bool read_public(private_tpm_tss_tss2_t *this, TPMI_DH_OBJECT handle, | |
| 283 | TPM2B_PUBLIC *public) | |
| 284 | { | |
| 285 | uint32_t rval; | |
| 286 | ||
| 287 | TPM2B_NAME name = { { sizeof(TPM2B_NAME)-2, } }; | |
| 288 | TPM2B_NAME qualified_name = { { sizeof(TPM2B_NAME)-2, } }; | |
| 289 | ||
| 290 | TPMS_AUTH_RESPONSE session_data; | |
| 291 | TSS2_SYS_RSP_AUTHS sessions_data; | |
| 292 | TPMS_AUTH_RESPONSE *session_data_array[1]; | |
| 293 | ||
| 294 | session_data_array[0] = &session_data; | |
| 295 | sessions_data.rspAuths = &session_data_array[0]; | |
| 296 | sessions_data.rspAuthsCount = 1; | |
| 297 | ||
| 298 | /* always send simulator platform command, ignored by true RM */ | |
| 299 | PlatformCommand(this->tcti_context ,MS_SIM_POWER_ON ); | |
| 300 | PlatformCommand(this->tcti_context, MS_SIM_NV_ON ); | |
| 301 | ||
| 302 | /* read public key for a given object handle from TPM 2.0 NVRAM */ | |
| 303 | rval = Tss2_Sys_ReadPublic(this->sys_context, handle, 0, public, &name, | |
| 304 | &qualified_name, &sessions_data); | |
| 305 | ||
| 306 | PlatformCommand(this->tcti_context, MS_SIM_POWER_OFF); | |
| 307 | ||
| 308 | if (rval != TPM_RC_SUCCESS) | |
| 309 | { | |
| 310 | DBG1(DBG_PTS, "%s could not read public key from handle 0x%08x: 0x%06x", | |
| 311 | LABEL, handle, rval); | |
| 312 | return FALSE; | |
| 313 | } | |
| 314 | return TRUE; | |
| 315 | } | |
| 316 | ||
| 317 | METHOD(tpm_tss_t, generate_aik, bool, | |
| 318 | private_tpm_tss_tss2_t *this, chunk_t ca_modulus, chunk_t *aik_blob, | |
| 319 | chunk_t *aik_pubkey, chunk_t *identity_req) | |
| 320 | { | |
| 321 | return FALSE; | |
| 322 | } | |
| 323 | ||
| 324 | METHOD(tpm_tss_t, get_public, chunk_t, | |
| 325 | private_tpm_tss_tss2_t *this, uint32_t handle) | |
| 326 | { | |
| 327 | TPM2B_PUBLIC public = { { 0, } }; | |
| 328 | chunk_t aik_blob, aik_pubkey = chunk_empty; | |
| 329 | ||
| 330 | if (!read_public(this, handle, &public)) | |
| 331 | { | |
| 332 | return chunk_empty; | |
| 333 | } | |
| 334 | ||
| 335 | aik_blob = chunk_create((u_char*)&public, sizeof(public)); | |
| 336 | DBG3(DBG_LIB, "%s AIK public key blob: %B", LABEL, &aik_blob); | |
| 337 | ||
| 338 | /* convert TSS 2.0 AIK public key blot into PKCS#1 format */ | |
| 339 | switch (public.t.publicArea.type) | |
| 340 | { | |
| 341 | case TPM_ALG_RSA: | |
| 342 | { | |
| 343 | TPM2B_PUBLIC_KEY_RSA *rsa; | |
| 344 | chunk_t aik_exponent, aik_modulus; | |
| 345 | ||
| 346 | rsa = &public.t.publicArea.unique.rsa; | |
| 347 | aik_modulus = chunk_create(rsa->t.buffer, rsa->t.size); | |
| 348 | aik_exponent = chunk_from_chars(0x01, 0x00, 0x01); | |
| 349 | ||
| 350 | /* subjectPublicKeyInfo encoding of AIK RSA key */ | |
| 351 | if (!lib->encoding->encode(lib->encoding, PUBKEY_SPKI_ASN1_DER, | |
| 352 | NULL, &aik_pubkey, CRED_PART_RSA_MODULUS, aik_modulus, | |
| 353 | CRED_PART_RSA_PUB_EXP, aik_exponent, CRED_PART_END)) | |
| 354 | { | |
| 355 | DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of AIK key " | |
| 356 | "failed", LABEL); | |
| 357 | } | |
| 358 | break; | |
| 359 | } | |
| 360 | case TPM_ALG_ECC: | |
| 361 | { | |
| 362 | TPMS_ECC_POINT *ecc; | |
| 363 | chunk_t ecc_point; | |
| 364 | uint8_t *pos; | |
| 365 | ||
| 366 | ecc = &public.t.publicArea.unique.ecc; | |
| 367 | ||
| 368 | /* allocate space for bit string */ | |
| 369 | pos = asn1_build_object(&ecc_point, ASN1_BIT_STRING, | |
| 370 | 2 + ecc->x.t.size + ecc->y.t.size); | |
| 371 | /* bit string length is a multiple of octets */ | |
| 372 | *pos++ = 0x00; | |
| 373 | /* uncompressed ECC point format */ | |
| 374 | *pos++ = 0x04; | |
| 375 | /* copy x coordinate of ECC point */ | |
| 376 | memcpy(pos, ecc->x.t.buffer, ecc->x.t.size); | |
| 377 | pos += ecc->x.t.size; | |
| 378 | /* copy y coordinate of ECC point */ | |
| 379 | memcpy(pos, ecc->y.t.buffer, ecc->y.t.size); | |
| 380 | /* subjectPublicKeyInfo encoding of AIK ECC key */ | |
| 381 | aik_pubkey = asn1_wrap(ASN1_SEQUENCE, "mm", | |
| 382 | asn1_wrap(ASN1_SEQUENCE, "mm", | |
| 383 | asn1_build_known_oid(OID_EC_PUBLICKEY), | |
| 384 | asn1_build_known_oid(ecc->x.t.size == 32 ? | |
| 385 | OID_PRIME256V1 : OID_SECT384R1)), | |
| 386 | ecc_point); | |
| 387 | break; | |
| 388 | } | |
| 389 | default: | |
| 390 | DBG1(DBG_PTS, "%s unsupported AIK key type", LABEL); | |
| 391 | } | |
| 392 | ||
| 393 | return aik_pubkey; | |
| 394 | } | |
| 395 | ||
| 57e80492 AS |
396 | /** |
| 397 | * Configure a PCR Selection assuming a maximum of 24 registers | |
| 398 | */ | |
| 399 | static bool init_pcr_selection(private_tpm_tss_tss2_t *this, uint32_t pcrs, | |
| 400 | hash_algorithm_t alg, TPML_PCR_SELECTION *pcr_sel) | |
| 30d4989a | 401 | { |
| bc67802a | 402 | TPM_ALG_ID alg_id; |
| 57e80492 | 403 | uint32_t pcr; |
| bc67802a | 404 | |
| 57e80492 | 405 | /* check if hash algorithm is supported by TPM */ |
| bc67802a AS |
406 | alg_id = hash_alg_to_tpm_alg_id(alg); |
| 407 | if (!is_supported_alg(this, alg_id)) | |
| 408 | { | |
| 409 | DBG1(DBG_PTS, "%s %N hash algorithm not supported by TPM", | |
| 410 | LABEL, hash_algorithm_short_names, alg); | |
| 411 | return FALSE; | |
| 412 | } | |
| 413 | ||
| 57e80492 AS |
414 | /* initialize the PCR Selection structure,*/ |
| 415 | pcr_sel->count = 1; | |
| 416 | pcr_sel->pcrSelections[0].hash = alg_id; | |
| 417 | pcr_sel->pcrSelections[0].sizeofSelect = 3; | |
| 418 | pcr_sel->pcrSelections[0].pcrSelect[0] = 0; | |
| 419 | pcr_sel->pcrSelections[0].pcrSelect[1] = 0; | |
| 420 | pcr_sel->pcrSelections[0].pcrSelect[2] = 0; | |
| 421 | ||
| 422 | /* set the selected PCRs */ | |
| 423 | for (pcr = 0; pcr < PLATFORM_PCR; pcr++) | |
| 424 | { | |
| 425 | if (pcrs & (1 << pcr)) | |
| 426 | { | |
| 427 | pcr_sel->pcrSelections[0].pcrSelect[pcr / 8] |= ( 1 << (pcr % 8) ); | |
| 428 | } | |
| 429 | } | |
| 430 | return TRUE; | |
| 431 | } | |
| 432 | ||
| 433 | METHOD(tpm_tss_t, read_pcr, bool, | |
| 434 | private_tpm_tss_tss2_t *this, uint32_t pcr_num, chunk_t *pcr_value, | |
| 435 | hash_algorithm_t alg) | |
| 436 | { | |
| 437 | TPML_PCR_SELECTION pcr_selection; | |
| 438 | TPML_DIGEST pcr_values; | |
| 439 | ||
| 440 | uint32_t pcr_update_counter, rval; | |
| 441 | uint8_t *pcr_value_ptr; | |
| 442 | size_t pcr_value_len; | |
| 443 | ||
| bc67802a AS |
444 | if (pcr_num >= PLATFORM_PCR) |
| 445 | { | |
| 446 | DBG1(DBG_PTS, "%s maximum number of supported PCR is %d", | |
| 447 | LABEL, PLATFORM_PCR); | |
| 448 | return FALSE; | |
| 449 | } | |
| 450 | ||
| 57e80492 AS |
451 | if (!init_pcr_selection(this, (1 << pcr_num), alg, &pcr_selection)) |
| 452 | { | |
| 453 | return FALSE; | |
| 454 | } | |
| bc67802a AS |
455 | |
| 456 | /* initialize the PCR Digest structure */ | |
| 457 | memset(&pcr_values, 0, sizeof(TPML_DIGEST)); | |
| 458 | ||
| 459 | /* read the PCR value */ | |
| 57e80492 AS |
460 | rval = Tss2_Sys_PCR_Read(this->sys_context, 0, &pcr_selection, |
| 461 | &pcr_update_counter, &pcr_selection, &pcr_values, 0); | |
| bc67802a AS |
462 | if (rval != TPM_RC_SUCCESS) |
| 463 | { | |
| 464 | DBG1(DBG_PTS, "%s PCR bank could not be read: 0x%60x", | |
| 465 | LABEL, rval); | |
| 466 | return FALSE; | |
| 467 | } | |
| 468 | pcr_value_ptr = (uint8_t *)pcr_values.digests[0].t.buffer; | |
| 469 | pcr_value_len = (size_t) pcr_values.digests[0].t.size; | |
| 470 | ||
| 471 | *pcr_value = chunk_clone(chunk_create(pcr_value_ptr, pcr_value_len)); | |
| 472 | ||
| 473 | return TRUE; | |
| 30d4989a AS |
474 | } |
| 475 | ||
| 476 | METHOD(tpm_tss_t, extend_pcr, bool, | |
| 477 | private_tpm_tss_tss2_t *this, uint32_t pcr_num, chunk_t *pcr_value, | |
| 478 | chunk_t data, hash_algorithm_t alg) | |
| 479 | { | |
| 480 | /* TODO */ | |
| 481 | return FALSE; | |
| 482 | } | |
| 483 | ||
| 484 | METHOD(tpm_tss_t, quote, bool, | |
| 485 | private_tpm_tss_tss2_t *this, uint32_t aik_handle, uint32_t pcr_sel, | |
| 486 | hash_algorithm_t alg, chunk_t data, tpm_quote_mode_t mode, chunk_t *pcr_comp, | |
| 487 | chunk_t *quote_sig) | |
| 488 | { | |
| 57e80492 AS |
489 | chunk_t quote_info; |
| 490 | uint32_t rval; | |
| 491 | ||
| 492 | TPM2B_DATA qualifying_data; | |
| 493 | TPML_PCR_SELECTION pcr_selection; | |
| 494 | TPMS_ATTEST *attest; | |
| 495 | TPM2B_ATTEST quoted = { { sizeof(TPM2B_ATTEST)-2, } }; | |
| 496 | TPM2B_DIGEST digest; | |
| 497 | TPMT_SIGNATURE sig; | |
| 498 | TPMT_SIG_SCHEME scheme; | |
| 499 | TPMS_AUTH_COMMAND session_data_cmd; | |
| 500 | TPMS_AUTH_RESPONSE session_data_rsp; | |
| 501 | TSS2_SYS_CMD_AUTHS sessions_data_cmd; | |
| 502 | TSS2_SYS_RSP_AUTHS sessions_data_rsp; | |
| 503 | TPMS_AUTH_COMMAND *session_data_cmd_array[1]; | |
| 504 | TPMS_AUTH_RESPONSE *session_data_rsp_array[1]; | |
| 505 | ||
| 506 | session_data_cmd_array[0] = &session_data_cmd; | |
| 507 | session_data_rsp_array[0] = &session_data_rsp; | |
| 508 | ||
| 509 | sessions_data_cmd.cmdAuths = &session_data_cmd_array[0]; | |
| 510 | sessions_data_rsp.rspAuths = &session_data_rsp_array[0]; | |
| 511 | ||
| 512 | sessions_data_cmd.cmdAuthsCount = 1; | |
| 513 | sessions_data_rsp.rspAuthsCount = 1; | |
| 514 | ||
| 515 | session_data_cmd.sessionHandle = TPM_RS_PW; | |
| 516 | session_data_cmd.hmac.t.size = 0; | |
| 517 | session_data_cmd.nonce.t.size = 0; | |
| 518 | ||
| 519 | *( (uint8_t *)((void *)&session_data_cmd.sessionAttributes ) ) = 0; | |
| 520 | ||
| 521 | qualifying_data.t.size = data.len; | |
| 522 | memcpy(qualifying_data.t.buffer, data.ptr, data.len); | |
| 523 | ||
| 524 | scheme.scheme = TPM_ALG_NULL; | |
| 525 | memset(&sig, 0x00, sizeof(sig)); | |
| 526 | ||
| 527 | if (mode == TPM_QUOTE || mode == TPM_QUOTE2_VERSION_INFO) | |
| 528 | { | |
| 529 | DBG1(DBG_PTS, "%s TPM Quote mode not supported", LABEL); | |
| 530 | return FALSE; | |
| 531 | } | |
| 532 | ||
| 533 | if (!init_pcr_selection(this, pcr_sel, alg, &pcr_selection)) | |
| 534 | { | |
| 535 | return FALSE; | |
| 536 | } | |
| 537 | ||
| 538 | rval = Tss2_Sys_Quote(this->sys_context, aik_handle, &sessions_data_cmd, | |
| 539 | &qualifying_data, &scheme, &pcr_selection, "ed, | |
| 540 | &sig, &sessions_data_rsp); | |
| 541 | if (rval != TPM_RC_SUCCESS) | |
| 542 | { | |
| 543 | DBG1(DBG_PTS,"%s Tss2_Sys_Quote failed: 0x%06x", LABEL, rval); | |
| 544 | return FALSE; | |
| 545 | } | |
| 546 | ||
| 547 | attest = (TPMS_ATTEST *)quoted.t.attestationData; | |
| 548 | digest = attest->attested.quote.pcrDigest; | |
| 549 | *pcr_comp = chunk_clone(chunk_create(digest.t.buffer, digest.t.size)); | |
| 550 | DBG2(DBG_PTS, "Hash of PCR Composite: %#B", pcr_comp); | |
| 551 | ||
| 552 | quote_info = chunk_create(quoted.t.attestationData, quoted.t.size); | |
| 553 | DBG2(DBG_PTS, "TPM Quote Info: %B","e_info); | |
| 554 | ||
| 555 | /* extract signature */ | |
| 556 | switch (sig.sigAlg) | |
| 557 | { | |
| 558 | case TPM_ALG_RSASSA: | |
| 559 | case TPM_ALG_RSAPSS: | |
| 560 | *quote_sig = chunk_clone( | |
| 561 | chunk_create( | |
| 562 | sig.signature.rsassa.sig.t.buffer, | |
| 563 | sig.signature.rsassa.sig.t.size)); | |
| 564 | break; | |
| 565 | case TPM_ALG_ECDSA: | |
| 566 | case TPM_ALG_ECDAA: | |
| 567 | case TPM_ALG_SM2: | |
| 568 | case TPM_ALG_ECSCHNORR: | |
| 569 | *quote_sig = chunk_cat("cc", | |
| 570 | chunk_create( | |
| 571 | sig.signature.ecdsa.signatureR.t.buffer, | |
| 572 | sig.signature.ecdsa.signatureR.t.size), | |
| 573 | chunk_create( | |
| 574 | sig.signature.ecdsa.signatureS.t.buffer, | |
| 575 | sig.signature.ecdsa.signatureS.t.size)); | |
| 576 | break; | |
| 577 | default: | |
| 578 | DBG1(DBG_PTS, "%s unsupported %N signature algorithm", | |
| 579 | LABEL, tpm_alg_id_names, sig.sigAlg); | |
| 580 | return FALSE; | |
| 581 | }; | |
| 582 | DBG2(DBG_PTS, "TPM Quote Signature: %B", quote_sig); | |
| 583 | ||
| 584 | return TRUE; | |
| 30d4989a AS |
585 | } |
| 586 | ||
| c08753bd AS |
587 | METHOD(tpm_tss_t, destroy, void, |
| 588 | private_tpm_tss_tss2_t *this) | |
| 589 | { | |
| 590 | finalize_context(this); | |
| 591 | free(this); | |
| 592 | } | |
| 593 | ||
| 594 | /** | |
| 595 | * See header | |
| 596 | */ | |
| 597 | tpm_tss_t *tpm_tss_tss2_create() | |
| 598 | { | |
| 599 | private_tpm_tss_tss2_t *this; | |
| 600 | bool available; | |
| 601 | ||
| 602 | INIT(this, | |
| 603 | .public = { | |
| 604 | .get_version = _get_version, | |
| fedc6769 | 605 | .get_version_info = _get_version_info, |
| c08753bd AS |
606 | .generate_aik = _generate_aik, |
| 607 | .get_public = _get_public, | |
| 30d4989a AS |
608 | .read_pcr = _read_pcr, |
| 609 | .extend_pcr = _extend_pcr, | |
| 610 | .quote = _quote, | |
| c08753bd AS |
611 | .destroy = _destroy, |
| 612 | }, | |
| 613 | ); | |
| 614 | ||
| 615 | available = initialize_context(this); | |
| 616 | DBG1(DBG_PTS, "TPM 2.0 via TSS2 %savailable", available ? "" : "not "); | |
| 617 | ||
| 618 | if (!available) | |
| 619 | { | |
| 620 | destroy(this); | |
| 621 | return NULL; | |
| 622 | } | |
| 623 | return &this->public; | |
| 624 | } | |
| 625 | ||
| 626 | #else /* TSS_TSS2 */ | |
| 627 | ||
| 628 | tpm_tss_t *tpm_tss_tss2_create() | |
| 629 | { | |
| 630 | return NULL; | |
| 631 | } | |
| 632 | ||
| 633 | #endif /* TSS_TSS2 */ | |
| 634 | ||
| 635 |