From: Andreas Steffen Date: Tue, 12 Dec 2017 16:42:08 +0000 (+0100) Subject: tpm_extendpcr: Extend digests into a TPM PCR X-Git-Tag: 5.6.2dr3~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0fb293fc91eca7e59a11fd6fc3e5b4333365f732;p=thirdparty%2Fstrongswan.git tpm_extendpcr: Extend digests into a TPM PCR --- diff --git a/configure.ac b/configure.ac index 511e914626..b497147cf0 100644 --- a/configure.ac +++ b/configure.ac @@ -1991,6 +1991,7 @@ AC_CONFIG_FILES([ src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile + src/tpm_extendpcr/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile diff --git a/src/Makefile.am b/src/Makefile.am index 7bef1a5dd1..e2747c300a 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -143,3 +143,7 @@ endif if USE_AIKGEN SUBDIRS += aikgen endif + +if USE_TPM + SUBDIRS += tpm_extendpcr +endif diff --git a/src/libtpmtss/Makefile.am b/src/libtpmtss/Makefile.am index 5f3a97a99b..1b3a9706fa 100644 --- a/src/libtpmtss/Makefile.am +++ b/src/libtpmtss/Makefile.am @@ -48,5 +48,3 @@ if MONOLITHIC libtpmtss_la_LIBADD += plugins/tpm/libstrongswan-tpm.la endif endif - - diff --git a/src/libtpmtss/tpm_tss_tss2.c b/src/libtpmtss/tpm_tss_tss2.c index 2e33589c1b..d2fd995614 100644 --- a/src/libtpmtss/tpm_tss_tss2.c +++ b/src/libtpmtss/tpm_tss_tss2.c @@ -604,8 +604,93 @@ METHOD(tpm_tss_t, extend_pcr, bool, private_tpm_tss_tss2_t *this, uint32_t pcr_num, chunk_t *pcr_value, chunk_t data, hash_algorithm_t alg) { - /* TODO */ - return FALSE; + uint32_t rval; + TPM_ALG_ID alg_id; + TPML_DIGEST_VALUES digest_values; + TPMS_AUTH_COMMAND session_data_cmd; + TPMS_AUTH_RESPONSE session_data_rsp; + TSS2_SYS_CMD_AUTHS sessions_data_cmd; + TSS2_SYS_RSP_AUTHS sessions_data_rsp; + TPMS_AUTH_COMMAND *session_data_cmd_array[1]; + TPMS_AUTH_RESPONSE *session_data_rsp_array[1]; + + session_data_cmd_array[0] = &session_data_cmd; + session_data_rsp_array[0] = &session_data_rsp; + + sessions_data_cmd.cmdAuths = &session_data_cmd_array[0]; + sessions_data_rsp.rspAuths = &session_data_rsp_array[0]; + + sessions_data_cmd.cmdAuthsCount = 1; + sessions_data_rsp.rspAuthsCount = 1; + + session_data_cmd.sessionHandle = TPM_RS_PW; + session_data_cmd.hmac.t.size = 0; + session_data_cmd.nonce.t.size = 0; + + *( (uint8_t *)((void *)&session_data_cmd.sessionAttributes ) ) = 0; + + /* check if hash algorithm is supported by TPM */ + alg_id = hash_alg_to_tpm_alg_id(alg); + if (!is_supported_alg(this, alg_id)) + { + DBG1(DBG_PTS, "%s %N hash algorithm not supported by TPM", + LABEL, hash_algorithm_short_names, alg); + return FALSE; + } + + digest_values.count = 1; + digest_values.digests[0].hashAlg = alg_id; + + switch (alg) + { + case HASH_SHA1: + if (data.len != HASH_SIZE_SHA1) + { + return FALSE; + } + memcpy(digest_values.digests[0].digest.sha1, data.ptr, + HASH_SIZE_SHA1); + break; + case HASH_SHA256: + if (data.len != HASH_SIZE_SHA256) + { + return FALSE; + } + memcpy(digest_values.digests[0].digest.sha256, data.ptr, + HASH_SIZE_SHA256); + break; + case HASH_SHA384: + if (data.len != HASH_SIZE_SHA384) + { + return FALSE; + } + memcpy(digest_values.digests[0].digest.sha384, data.ptr, + HASH_SIZE_SHA384); + break; + case HASH_SHA512: + if (data.len != HASH_SIZE_SHA512) + { + return FALSE; + } + memcpy(digest_values.digests[0].digest.sha512, data.ptr, + HASH_SIZE_SHA512); + break; + default: + return FALSE; + } + + /* extend PCR */ + rval = Tss2_Sys_PCR_Extend(this->sys_context, pcr_num, &sessions_data_cmd, + &digest_values, &sessions_data_rsp); + if (rval != TPM_RC_SUCCESS) + { + DBG1(DBG_PTS, "%s PCR %02u could not be extended: 0x%06x", + LABEL, pcr_num, rval); + return FALSE; + } + + /* get updated PCR value */ + return read_pcr(this, pcr_num, pcr_value, alg); } METHOD(tpm_tss_t, quote, bool, diff --git a/src/tpm_extendpcr/.gitignore b/src/tpm_extendpcr/.gitignore new file mode 100644 index 0000000000..56298017ec --- /dev/null +++ b/src/tpm_extendpcr/.gitignore @@ -0,0 +1 @@ +tpm_extendpcr diff --git a/src/tpm_extendpcr/Makefile.am b/src/tpm_extendpcr/Makefile.am new file mode 100644 index 0000000000..2e24744185 --- /dev/null +++ b/src/tpm_extendpcr/Makefile.am @@ -0,0 +1,14 @@ +bin_PROGRAMS = tpm_extendpcr + +tpm_extendpcr_SOURCES = tpm_extendpcr.c + +tpm_extendpcr_LDADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libtpmtss/libtpmtss.la + +tpm_extendpcr.o : $(top_builddir)/config.status + +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libtpmtss \ + -DIPSEC_CONFDIR=\"${sysconfdir}\" diff --git a/src/tpm_extendpcr/tpm_extendpcr.c b/src/tpm_extendpcr/tpm_extendpcr.c new file mode 100644 index 0000000000..31d0d3d252 --- /dev/null +++ b/src/tpm_extendpcr/tpm_extendpcr.c @@ -0,0 +1,317 @@ +/* + * Copyright (C) 2017 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#include +#include +#include + +#include +#include +#include + + +/* logging */ +static bool log_to_stderr = TRUE; +static bool log_to_syslog = TRUE; +static level_t default_loglevel = 1; + +/* global variables */ +tpm_tss_t *tpm; +chunk_t digest; +chunk_t pcr_value; + +/** + * logging function for tpm_extendpcr + */ +static void tpm_extendpcr_dbg(debug_t group, level_t level, char *fmt, ...) +{ + char buffer[8192]; + char *current = buffer, *next; + va_list args; + + if (level <= default_loglevel) + { + if (log_to_stderr) + { + va_start(args, fmt); + vfprintf(stderr, fmt, args); + va_end(args); + fprintf(stderr, "\n"); + } + if (log_to_syslog) + { + /* write in memory buffer first */ + va_start(args, fmt); + vsnprintf(buffer, sizeof(buffer), fmt, args); + va_end(args); + + /* do a syslog with every line */ + while (current) + { + next = strchr(current, '\n'); + if (next) + { + *(next++) = '\0'; + } + syslog(LOG_INFO, "%s\n", current); + current = next; + } + } + } +} + +/** + * Initialize logging to stderr/syslog + */ +static void init_log(const char *program) +{ + dbg = tpm_extendpcr_dbg; + + if (log_to_stderr) + { + setbuf(stderr, NULL); + } + if (log_to_syslog) + { + openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV); + } +} + +/** + * @brief exit tpm_extendpcr + * + * @param status 0 = OK, -1 = general discomfort + */ +static void exit_tpm_extendpcr(err_t message, ...) +{ + int status = 0; + + DESTROY_IF(tpm); + chunk_free(&digest); + chunk_free(&pcr_value); + + /* print any error message to stderr */ + if (message != NULL && *message != '\0') + { + va_list args; + char m[8192]; + + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); + + fprintf(stderr, "tpm_extendpcr error: %s\n", m); + status = -1; + } + library_deinit(); + exit(status); +} + +/** + * @brief prints the usage of the program to the stderr output + * + * If message is set, program is exited with 1 (error) + * @param message message in case of an error + */ +static void usage(const char *message) +{ + fprintf(stderr, + "Usage: tpm_extendpcr [--alg ] --pcr --digest |--in" + " \n" + " [--hash] [--out ] [--quiet]" + " [--debug ]\n" + " tpm_extendpcr --help\n" + "\n" + "Options:\n" + " --alg (-a) hash algorithm (sha1|sha256)\n" + " --pcr (-p) platform configuration register (0..23)\n" + " --digest (-d) digest in hex format to be extended\n" + " --in (-i) binary input file with digest to be extended\n" + " --hash (-x) prehash the input file to create digest\n" + " --out (-o) binary output file with updated PCR value\n" + " --help (-h) show usage and exit\n" + "\n" + "Debugging output:\n" + " --debug (-l) changes the log level (-1..4, default: 1)\n" + " --quiet (-q) do not write log output to stderr\n" + ); + exit_tpm_extendpcr(message); +} + +/** + * @brief main of tpm_extendpcr which extends digest into a PCR + * + * @param argc number of arguments + * @param argv pointer to the argument values + */ +int main(int argc, char *argv[]) +{ + hash_algorithm_t alg = HASH_SHA1; + hasher_t *hasher = NULL; + char *infile = NULL, *outfile = NULL; + uint32_t pcr = 16; + bool hash = FALSE; + + atexit(library_deinit); + if (!library_init(NULL, "tpm_extendpcr")) + { + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + if (lib->integrity && + !lib->integrity->check_file(lib->integrity, "tpm_extendpcr", argv[0])) + { + fprintf(stderr, "integrity check of tpm_extendpcr failed\n"); + exit(SS_RC_DAEMON_INTEGRITY); + } + + for (;;) + { + static const struct option long_opts[] = { + /* name, has_arg, flag, val */ + { "help", no_argument, NULL, 'h' }, + { "alg", required_argument, NULL, 'a' }, + { "pcr", required_argument, NULL, 'p' }, + { "digest", required_argument, NULL, 'd' }, + { "in", required_argument, NULL, 'i' }, + { "hash", no_argument, NULL, 'x' }, + { "out", required_argument, NULL, 'o' }, + { "quiet", no_argument, NULL, 'q' }, + { "debug", required_argument, NULL, 'l' }, + { 0,0,0,0 } + }; + + /* parse next option */ + int c = getopt_long(argc, argv, "ha:p:d:i:xo:ql:", long_opts, NULL); + + switch (c) + { + case EOF: /* end of flags */ + break; + + case 'h': /* --help */ + usage(NULL); + + case 'a': /* --alg */ + if (!enum_from_name(hash_algorithm_short_names, optarg, &alg)) + { + usage("unsupported hash algorithm"); + } + continue; + case 'p': /* --pcr */ + pcr = atoi(optarg); + continue; + + case 'd': /* --digest */ + digest = chunk_from_hex(chunk_from_str(optarg), NULL); + continue; + + case 'i': /* --in */ + infile = optarg; + continue; + + case 'x': /* --hash */ + hash = TRUE; + continue; + + case 'o': /* --out */ + outfile = optarg; + continue; + + case 'q': /* --quiet */ + log_to_stderr = FALSE; + continue; + + case 'l': /* --debug */ + default_loglevel = atoi(optarg); + continue; + + default: + usage("unknown option"); + } + /* break from loop */ + break; + } + + init_log("tpm_extendpcr"); + + if (!lib->plugins->load(lib->plugins, + lib->settings->get_str(lib->settings, "tpm_extendpcr.load", + "tpm sha1 sha2"))) + { + exit_tpm_extendpcr("plugin loading failed"); + } + + /* try to find a TPM */ + tpm = tpm_tss_probe(TPM_VERSION_ANY); + if (!tpm) + { + exit_tpm_extendpcr("no TPM found"); + } + + /* read digest from file */ + if (digest.len == 0) + { + chunk_t *chunk; + + if (!infile) + { + exit_tpm_extendpcr("--digest or --in option required"); + } + chunk = chunk_map(infile, FALSE); + if (!chunk) + { + exit_tpm_extendpcr("reading input file failed"); + } + if (hash) + { + hasher = lib->crypto->create_hasher(lib->crypto, alg); + if (!hasher || !hasher->allocate_hash(hasher, *chunk, &digest)) + { + DESTROY_IF(hasher); + chunk_unmap(chunk); + exit_tpm_extendpcr("prehashing infile failed"); + } + hasher->destroy(hasher); + } + else + { + digest = chunk_clone(*chunk); + } + chunk_unmap(chunk); + } + DBG1(DBG_PTS, "Digest: %#B", &digest); + + /* extend digest into PCR */ + if (!tpm->extend_pcr(tpm, pcr, &pcr_value, digest, alg)) + { + exit_tpm_extendpcr("extending PCR failed"); + } + DBG1(DBG_PTS, "PCR %02u: %#B", pcr, &pcr_value); + + /* write PCR value to file */ + if (outfile) + { + if (!chunk_write(pcr_value, outfile, 022, TRUE)) + { + DBG1(DBG_PTS, "writing '%s' failed", outfile); + } + } + chunk_free(&pcr_value); + + exit_tpm_extendpcr(NULL); + return -1; /* should never be reached */ +}