diff --git a/recipes-core/initrdscripts/initramfs-framework/tpm2 b/recipes-core/initrdscripts/initramfs-framework/tpm2 index bc898afd69..71d0168beb 100644 --- a/recipes-core/initrdscripts/initramfs-framework/tpm2 +++ b/recipes-core/initrdscripts/initramfs-framework/tpm2 @@ -22,16 +22,18 @@ # THE SOFTWARE. # +# Set TCTI to use direct device communication +export TPM2TOOLS_TCTI="device" + #listpcrs sample output: #Supported Bank/Algorithm: TPM_ALG_SHA1(0x0004) TPM_ALG_SHA256(0x000b) #Cuts and for loop isolate "TPM_ALG_" and compare against input pcr_bank_exists () { local alg_in=$1 - banks=$(tpm2_pcrlist -s | cut -d ':' -f 2) + banks=$(tpm2_pcrread | cut -d ':' -f 1 | grep -i "sha") for bank in $banks; do - alg=$(echo $bank | cut -d '(' -f 1) - if [ "$alg" = $alg_in ]; then + if [ "$bank" = $alg_in ]; then return 0 fi done @@ -75,15 +77,15 @@ tpm2_run() { info -n "Measuring rootfs device..." if pcr_bank_exists "sha256"; then local digest="$(sha256sum $bootparam_root | head -c64)" - local algid="0xB" + local algid="sha256" else local digest="$(sha1sum $bootparam_root | head -c40)" - local algid="0x4" + local algid="sha1" fi info "done" info -n "Extending TPM PCR..." - tpm2_extendpcr -c 15 -g ${algid} -s ${digest} + tpm2_pcrextend 15:${algid}=${digest} if [ $? -ne 0 ]; then info "PCR-15 extend failed" return diff --git a/recipes-core/initrdscripts/initramfs-framework_%.bbappend b/recipes-core/initrdscripts/initramfs-framework_%.bbappend index bb5776ea4c..4953ec0d1b 100644 --- a/recipes-core/initrdscripts/initramfs-framework_%.bbappend +++ b/recipes-core/initrdscripts/initramfs-framework_%.bbappend 
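Review bot: The comment block kept above `pcr_bank_exists` ("#listpcrs sample output … isolate "TPM_ALG_"") describes output the function no longer parses; the new pipeline keeps the first `:`-field of `tpm2_pcrread` and filters for lines containing `sha`. I would replace those three comment lines with something like `# tpm2_pcrread prints one "<bank>:" header per active bank (sha1:, sha256:, ...) followed by indented "<pcr> : 0x<value>" lines; keep field 1 and the lines naming a bank`. While here, `$alg_in` is unquoted on the comparison line — `if [ "$bank" = "$alg_in" ]; then` — otherwise an empty argument turns the test into a syntax error rather than a clean "not found".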
@@ -57,7 +57,7 @@ RDEPENDS_initramfs-module-tpm = "${PN}-base initramfs-module-bootfs tpm-tools-sa FILES_initramfs-module-tpm = "/init.d/92-tpm" SUMMARY_initramfs-module-tpm2 = "initramfs support for tpm2" -RDEPENDS_initramfs-module-tpm2 = "${PN}-base initramfs-module-bootfs tpm2-tools-initrd" +RDEPENDS_initramfs-module-tpm2 = "${PN}-base initramfs-module-bootfs tpm2-tools-pcr tpm2-tss-pcr" FILES_initramfs-module-tpm2 = "/init.d/92-tpm2" SUMMARY_initramfs-module-selinux = "initramfs support for selinux" diff --git a/recipes-openxt/openxt-measuredlaunch/openxt-measuredlaunch/ml-functions b/recipes-openxt/openxt-measuredlaunch/openxt-measuredlaunch/ml-functions index 59185596b9..a9c0490b54 100755 --- a/recipes-openxt/openxt-measuredlaunch/openxt-measuredlaunch/ml-functions +++ b/recipes-openxt/openxt-measuredlaunch/openxt-measuredlaunch/ml-functions @@ -681,7 +681,7 @@ write_config_pcrs() { } # Function to configure measured launch on platform. The next boot will cause -# init-root.ro to perform first sealing operation. +# init.root-ro to perform first sealing operation. # parameter 0: mount point for rootfs # parameter 1: key to unlock partition # parameter 2: device path for partition diff --git a/recipes-openxt/openxt-measuredlaunch/openxt-measuredlaunch/seal-system b/recipes-openxt/openxt-measuredlaunch/openxt-measuredlaunch/seal-system index cdefe22d98..ddf3b53d51 100755 --- a/recipes-openxt/openxt-measuredlaunch/openxt-measuredlaunch/seal-system +++ b/recipes-openxt/openxt-measuredlaunch/openxt-measuredlaunch/seal-system 
@@ -156,21 +156,48 @@ forward) pcr_forward=() if ! contains_only "${pcr8}" "0"; then # PCR4 is first extended with the digest of EV_SEPARATOR + # It may also first extend the "Calling EFI Application from Boot Option" string, depending on the system # See TCG EFI Protocol Specification 5.2 Crypto Agile Log Entry Format ev_separator="$(tpm_get_ev_separator)" - pcr4=$(hash_extend 0 "${ev_separator}" "${hashalg}") + # Get current PCR4 value to check if ev_string should be extended + current_pcr4="$(tpm_get_pcr 4)" + + # Calculate PCR4 with ev_string extension + ev_string="$(printf "Calling EFI Application from Boot Option" | sha256sum | awk '{print $1}')" + pcr4_with_ev=$(hash_extend 0 "${ev_string}" "${hashalg}") + pcr4_with_ev=$(hash_extend "${pcr4_with_ev}" "${ev_separator}" "${hashalg}") hash=$(pesign -h -d "${hashalg}" -i "${pcr4_objs[0]}" | awk '{ print $2 }') - pcr4=$(hash_extend "${pcr4}" "${hash}" "${hashalg}") || + pcr4_with_ev=$(hash_extend "${pcr4_with_ev}" "${hash}" "${hashalg}") || err "failed to calculate pcr4" for o in ${pcr4_objs[@]:1}; do hash=$(${hashalg}sum "${o}" | awk '{ print $1 }') - pcr4=$(hash_extend "${pcr4}" "${hash}" "${hashalg}") || + pcr4_with_ev=$(hash_extend "${pcr4_with_ev}" "${hash}" "${hashalg}") || err "failed to calculate pcr4" done + # Use the PCR4 calculation with string extended only if it matches the current PCR value + # Rather than checking the value and "guessing", it would be better to check the PCR4 event log to see if the ev_string was extended. + # This log is currently not available to us, but it may be worth it in the future to investigate this further. 
+ if [[ "${pcr4_with_ev}" == *"${current_pcr4}"* ]]; then + pcr4="${pcr4_with_ev}" + else + # Calculate PCR4 without ev_string extension + pcr4=$(hash_extend 0 "${ev_separator}" "${hashalg}") + + hash=$(pesign -h -d "${hashalg}" -i "${pcr4_objs[0]}" | awk '{ print $2 }') + pcr4=$(hash_extend "${pcr4}" "${hash}" "${hashalg}") || + err "failed to calculate pcr4" + + for o in ${pcr4_objs[@]:1}; do + hash=$(${hashalg}sum "${o}" | awk '{ print $1 }') + pcr4=$(hash_extend "${pcr4}" "${hash}" "${hashalg}") || + err "failed to calculate pcr4" + done + fi + pcr8="0" for o in ${pcr8_objs[@]}; do @@ -186,8 +213,8 @@ forward) err "failed to calculate pcr8" done - pcr_forward[4]=":${pcr4}" - pcr_forward[8]=":${pcr8}" + pcr_forward[4]="=${pcr4}" + pcr_forward[8]="=${pcr8}" fi if pcr_in_selection 15 ; then @@ -208,7 +235,7 @@ forward) pcr15=$(hash_extend 0 ${root_hash} ${hashalg}) || err "failed to hash root device" - pcr_forward[15]=":${pcr15}" + pcr_forward[15]="=${pcr15}" fi # Calculate DRTM PCRs if set (ie. PCR17 is not all f) @@ -225,9 +252,9 @@ forward) pcr18=$(echo $pcrs | awk '{ print $2 }') pcr19=$(echo $pcrs | awk '{ print $3 }') - pcr_forward[17]=":${pcr17}" - pcr_forward[18]=":${pcr18}" - pcr_forward[19]=":${pcr19}" + pcr_forward[17]="=${pcr17}" + pcr_forward[18]="=${pcr18}" + pcr_forward[19]="=${pcr19}" fi rm -f /boot/system/tpm/forward_pcr.lst diff --git a/recipes-openxt/xenclient-root-ro/xenclient-root-ro/init.root-ro b/recipes-openxt/xenclient-root-ro/xenclient-root-ro/init.root-ro index 1ed92d5d65..55873d3234 100755 --- a/recipes-openxt/xenclient-root-ro/xenclient-root-ro/init.root-ro +++ b/recipes-openxt/xenclient-root-ro/xenclient-root-ro/init.root-ro 
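Review bot: The "Calling EFI Application from Boot Option" digest is computed with `sha256sum` regardless of `${hashalg}`, while every other component of the PCR4 replay (the `pesign -d "${hashalg}"` call and the `${hashalg}sum` loop) honours it, so for a sha1 bank `pcr4_with_ev` is extended with a 32-byte digest and can never match; use `ev_string="$(printf "Calling EFI Application from Boot Option" | ${hashalg}sum | awk '{ print $1 }')"`. The selection test `[[ "${pcr4_with_ev}" == *"${current_pcr4}"* ]]` is a substring match, so if `tpm_get_pcr 4` returns nothing (TPM unreadable, tool output format change) the pattern collapses to `**` and the ev_string variant is chosen unconditionally; prefer `[[ -n "${current_pcr4}" && "${pcr4_with_ev}" == "${current_pcr4}" ]]` and treat an empty read as an error. The two replay loops are identical apart from the starting value and could be one helper taking the initial digest, which would also keep the with/without paths from drifting. The enclosing `forward)` case arm begins before this hunk.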
@@ -287,7 +287,7 @@ unlock_config() local sig=$(dd if="${lv_path}" bs=4 count=1 2>/dev/null) case "${sig}" in LUKS) - if [ -e /boot/system/tpm/enabled ]; then + if [ -e ${SYS_TPM_DIR}/enabled ]; then # This will seal/reboot or fail/halt if [ -e ${SYS_TPM_DIR}/setup ]; then # create a small tmpfs to use for sealing, then remove @@ -432,8 +432,8 @@ then #cap pcr 15 in all available banks. This is a cheap operation and works for all cases sha256cap=$(echo -n "MEASUREDLAUNCHCLOSED"|sha256sum|cut -f1 -d\ |tr -d "\n") sha1cap=$(echo -n "MEASUREDLAUNCHCLOSED"|sha1sum|cut -f1 -d\ |tr -d "\n") - pcr_bank_exists "sha256" && tpm2_extendpcr -c 15 -g 0xB -s "${sha256cap}" - pcr_bank_exists "sha1" && tpm2_extendpcr -c 15 -g 0x4 -s "${sha1cap}" + pcr_bank_exists "sha256" && tpm2_pcrextend -Q 15:sha256="${sha256cap}" + pcr_bank_exists "sha1" && tpm2_pcrextend -Q 15:sha1="${sha1cap}" else echo -n "MEASUREDLAUNCHCLOSED" | TCSD_LOG_OFF=yes tpm_extendpcr_sa -p 15 fi diff --git a/recipes-openxt/xenclient-tpm-scripts/xenclient-tpm-scripts/tpm-functions b/recipes-openxt/xenclient-tpm-scripts/xenclient-tpm-scripts/tpm-functions index 5fba1cf8e5..7212404f88 100644 --- a/recipes-openxt/xenclient-tpm-scripts/xenclient-tpm-scripts/tpm-functions +++ b/recipes-openxt/xenclient-tpm-scripts/xenclient-tpm-scripts/tpm-functions @@ -57,11 +57,10 @@ is_tpm_2_0 () { pcr_bank_exists () { local alg_in="$1" local bank - local banks="$(tpm2_pcrlist -s | cut -d ':' -f 2)" + local banks=$(tpm2_pcrread | cut -d ':' -f 1 | grep -i "sha") for bank in $banks; do - local alg="$(echo "${bank}" | cut -d '(' -f 1)" - if [ "${alg}" = "${alg_in}" ]; then + if [ "${bank}" = "${alg_in}" ]; then return 0 fi done 
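Review bot: The return status of both `tpm2_pcrextend -Q 15:...` calls is dropped, so a failed cap of PCR15 passes silently even though, going by the surrounding comment, this "MEASUREDLAUNCHCLOSED" extend is what is meant to close PCR15 once the measured launch is done. Keep the short-circuit but surface the failure: `pcr_bank_exists "sha256" && { tpm2_pcrextend -Q 15:sha256="${sha256cap}" || echo "Failed to cap PCR15 (sha256)" >&2; }` and the same for the sha1 bank. Whether the caller should halt rather than continue on that failure is a policy decision I cannot judge from here, but it should at least be visible in the boot log. The enclosing if/else starts before this hunk.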
@@ -177,13 +176,13 @@ tpm_is_active() { local val if is_tpm_2_0 ; then - msg=$(tpm2_getcap --capability=properties-variable 2>&1) || \ + msg=$(tpm2_getcap properties-variable 2>&1) || \ return 2 # Ensure Hierarchies are enabled; otherwise the TPM2 is unusable. for v in phEnable shEnable ehEnable phEnableNV; do val="$( echo "${msg}" | awk "/${v}:/ { print \$2 }" )" - [ "${val}" = "set" ] || return 1 + [ "${val}" = "1" ] || return 1 done return 0 @@ -206,7 +205,7 @@ tpm_is_enabled() { local state="" if is_tpm_2_0 ; then - tpm2_getcap --capability=properties-fixed 1>/dev/null 2>&1 + tpm2_getcap properties-fixed 1>/dev/null 2>&1 return $? else state=$(cat ${tpm}/enabled) @@ -226,15 +225,18 @@ tpm_is_enabled() { # 2 if the handle is incorrect tpm2_handle_defined() { local oxt_handle="$1" - local handles=$( tpm2_listpersistent ) - local handle=$( echo "${handles}" | \ - sed -nr "/persistent-handle\[[0-9]+\]:${oxt_handle}/p" ) - if [ -z "${handle}" ]; then + local handles=$(tpm2_getcap handles-persistent) + local handle_str=$(echo "${handles}" | grep -w "${oxt_handle}") + if [ -z "${handle_str}" ]; then return 1 fi - local h_type=$( echo "${handles}" | cut -d ' ' -f 2 | cut -d ':' -f 2 ) - local alg=$( echo "${handles}" | cut -d ' ' -f 3 | cut -d ':' -f 2) + # Get handle value + local handle=$( echo "${handle_str}" | cut -d ' ' -f 2) + + # Parse handle alg and type + local alg=$( echo "${handle}" | grep -A1 '^name-alg:' | grep 'value:' | awk '{print $2}') + local h_type=$( echo "${handle}" | grep -A1 '^type:' | grep 'value:' | awk '{print $2}') if [ "${h_type}" != "$( handle_type "${oxt_handle}" )" -o \ "${alg}" != "$( handle_alg "${oxt_handle}" )" ]; then @@ -249,7 +251,7 @@ tpm2_handle_defined() { # 1 if the handles are not defined # 2 if the handles are incorrect tpm2_handles_defined() { - local num_handles=$( tpm2_listpersistent | wc -l ) + local num_handles=$( tpm2_getcap handles-persistent | wc -l ) if [ "${num_handles}" -eq 0 ]; then return 1 
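Review bot: In tpm2_handle_defined the `name-alg:`/`type:` parsing is applied to `${handle}`, which at that point is just the bare handle string cut from the `- 0x…` getcap line, so `alg` and `h_type` are always empty and the comparison against `handle_type`/`handle_alg` that follows can never pass for a correctly defined handle. The `grep -A1 '^name-alg:' | grep 'value:'` shape matches `tpm2_readpublic` output, so what seems intended is `local pub; pub=$(tpm2_readpublic -c "${handle}" 2>/dev/null) || return 2` and then `echo "${pub}"` in place of `echo "${handle}"` on the two parse lines. Also `grep -w "${oxt_handle}"` treats the handle as a regex; `grep -Fw -- "${oxt_handle}"` is the literal match wanted. The function's tail (the return after the comparison) lies outside the hunk.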
@@ -279,10 +281,10 @@ tpm_handles_defined() { } tpm2_clear_handle() { - local passwd="$( cat $1 )" + local passwd="$(cat "$1")" local handle="$2" - tpm2_evictcontrol -A o -H "${handle}" -S "${handle}" -P "${passwd}" + tpm2_evictcontrol -C o -c "${handle}" -P "${passwd}" } # Clear out all the TPM handles. This should help avoid issues with a TPM2's @@ -294,9 +296,9 @@ tpm_clear_handles() { is_tpm_2_0 || return 0 - handles=$( tpm2_listpersistent | \ - cut -d ' ' -f 1 | \ - cut -d ':' -f 2 ) + # Expected output format: "- " + # Extract just the handle + handles=$( tpm2_getcap handles-persistent | cut -d ' ' -f 2 ) for handle in ${handles} ; do tpm2_clear_handle "${passwd}" "${handle}" done @@ -335,7 +337,7 @@ tpm_is_owned() { local tpm2=$? if [ "${tpm2}" -eq 0 ]; then - tpm2_getcap --capability=properties-variable | grep -q 'ownerAuthSet:[[:space:]]\+set' + tpm2_getcap properties-variable | grep -q 'ownerAuthSet:[[:space:]]*1' ret=$? if [ "${ret}" -eq 0 ]; then state=1 
@@ -386,26 +388,30 @@ tpm2_check_password() { local passwd="$1" local msg - msg=$( tpm2_takeownership -O $(cat "${passwd}") -o $(cat "${passwd}") \ - -E $(cat "${passwd}") -e $(cat "${passwd}") \ - -L $(cat "${passwd}") -l $(cat "${passwd}") \ - 2>&1 | head -n 1 ) - [ $? -eq 0 ] && return 0 + # Validate owner password by setting + err=$(tpm2_changeauth -c owner "${passwd}" -p "${passwd}" 2>&1) + ret=$? + if [ ${ret} -ne 0 ]; then + echo "Failed to set owner auth: ${err}" >&2 + return ${ret} + fi - msg=${msg#*TPM Error:} - case "${msg}" in - 0x9a2) #TPM_RC_BAD_AUTH - return 1 - ;; - 0x98e) #TPM_RC_AUTH_FAIL - return 1 - ;; - 0x921) #TPM_RC_LOCKOUT DA protection - return 3 - ;; - esac + # Validate endorsement password by setting + err=$(tpm2_changeauth -c endorsement "${passwd}" -p "${passwd}" 2>&1) + ret=$? + if [ ${ret} -ne 0 ]; then + echo "Failed to set endorsement auth: ${err}" >&2 + return ${ret} + fi - return 2 + # Validate lockout password by setting + err=$(tpm2_changeauth -c lockout "${passwd}" -p "${passwd}" 2>&1) + ret=$? + if [ ${ret} -ne 0 ]; then + echo "Failed to set lockout auth: ${err}" >&2 + return ${ret} + fi + return 0 } # Function to determine if we have the TPM owner password 
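Review bot: In tpm2_check_password, `passwd` holds the path of the password file (the removed lines read it with `cat "${passwd}"`), but the three new `tpm2_changeauth` calls pass that path string itself as both old and new auth, so the check cannot succeed against a TPM whose owner auth is the file's contents — and each rejected attempt presumably counts toward dictionary-attack lockout. Read the file once and pass the value: `local auth; auth="$(cat "${passwd}")" || return 2` followed by `err=$(tpm2_changeauth -c owner "${auth}" -p "${auth}" 2>&1)` and likewise for endorsement and lockout. The removed code also mapped TPM_RC_BAD_AUTH/AUTH_FAIL to 1 and TPM_RC_LOCKOUT to 3, while the new code returns whatever exit status tpm2_changeauth gives; any caller that branches on 3 to stop hammering a locked-out TPM will no longer see it, so either keep that mapping by matching the error text or confirm no caller depends on it. Passing the auth on argv exposes it in `/proc/*/cmdline`; if the pinned tpm2-tools supports the `file:` auth prefix, `-p "file:${passwd}"` avoids that.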
@@ -503,27 +509,60 @@ tpm_has_ek() { #Taking ownership for tpm2 is slightly more complicated. Encapsulate this process #in its own function, checking err after each critical operation. tpm2_ownership () { - local passwd=$( cat $1 ) + local passwd=$(cat "$1") + # Set owner password + err=$(tpm2_changeauth -c owner "${passwd}" 2>&1) + ret=$? + if [ ${ret} -ne 0 ]; then + echo "Failed to set owner auth: ${err}" >&2 + return ${ret} + fi - #Taking endoresement password AND lockout password to fully own tpm - err=$(tpm2_takeownership -o "${passwd}" -e "${passwd}" -l "${passwd}" 2>&1) + # Set endorsement password + err=$(tpm2_changeauth -c endorsement "${passwd}" 2>&1) ret=$? - [ ${ret} -ne 0 ] && echo ${err} && return ${ret} + if [ ${ret} -ne 0 ]; then + echo "Failed to set endorsement auth: ${err}" >&2 + return ${ret} + fi - tpm2_create_handle $1 + # Set lockout password + err=$(tpm2_changeauth -c lockout "${passwd}" 2>&1) + ret=$? + if [ ${ret} -ne 0 ]; then + echo "Failed to set lockout auth: ${err}" >&2 + return ${ret} + fi + tpm_clear_handles "${passwd}" + tpm2_create_handle "$1" } tpm2_create_handle() { - local passwd=$( cat $1 ) + local passwd=$(cat "$1") + + # Create our primary object for SHA256 alg + local type="$( handle_type "${OXT_HANDLE_SHA256}" )" + local alg="$( handle_alg "${OXT_HANDLE_SHA256}" )" + local h_ctx="/tmp/handle.ctx" + + handle=$(tpm2_createprimary -C o -c ${h_ctx} -g ${alg} -G ${type} -P "${passwd}") + + if [ $? -ne 0 ] || [ ! -f ${h_ctx}]; then + echo "Failed to create primary" + return 1 + fi - #Create our primary object - handle=$(echo -n "${passwd}" | tpm2_createprimary -H o -g ${TPM_ALG_SHA256} -G ${TPM_ALG_RSA} -P | grep Handle | cut -d ':' -f 2) - ret=$? 
- [ ${ret} -ne 0 ] && echo "Failed to create primary" && return ${ret} #Make it permanent for this measured install - err=$(tpm2_evictcontrol -A o -H ${handle} -S $(alg_to_handle "${TPM_ALG_SHA256}") -P "${passwd}" 2>&1) + err=$(tpm2_evictcontrol -C o -c ${h_ctx} -P "${passwd}" \ + $(alg_to_handle "${TPM_ALG_SHA256}") 2>&1) ret=$? - [ ${ret} -ne 0 ] && echo ${err} && return ${ret} + rm -f ${h_ctx} + + if [ $ret -ne 0 ]; then + echo "${err}" + return ${ret} + fi + return 0 } 
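Review bot: `[ ! -f ${h_ctx}]` in tpm2_create_handle is missing the space before `]`, so the test is a syntax error (exit 2) and the `||` branch reports "Failed to create primary" even when tpm2_createprimary succeeded; it should read `if [ $? -ne 0 ] || [ ! -f "${h_ctx}" ]; then`. In tpm2_ownership, `tpm_clear_handles "${passwd}"` hands over the password contents, yet tpm2_clear_handle earlier in this diff does `cat "$1"`, so tpm_clear_handles appears to expect the file path like the `tpm2_create_handle "$1"` call right below it — `tpm_clear_handles "$1"` — unless its own argument handling outside these hunks differs. The fixed `/tmp/handle.ctx` is a predictable name in a world-writable directory; a `mktemp`-created file, removed on the failure path as well as after evictcontrol, would be safer for the primary's context blob. The `handle=$(...)` capture of tpm2_createprimary's stdout is no longer used anywhere in the function.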
@@ -609,41 +648,49 @@ tpm2_write_tboot_policy() { TPMA_NV_TPMA_NV_OWNERREAD | \ TPMA_NV_TPMA_NV_AUTHREAD )) )" - local idx=$( tpm2_nvlist | sed -n "/${tboot_idx}:/,/^$/p" | sed "/^$/d" ) - local attr=$( echo "${idx}" | \ + # Check if index exis + if tpm2_getcap handles-nv-index | grep -q "${tboot_idx}"; then + local idx=$(tpm2_nvreadpublic ${tboot_idx}) + local attr=$( echo "${idx}" | \ sed -n "/attributes:/,/value:/p" | \ awk -F: '/value:/ { print $2 }' | \ tr -d ' ' ) - local size=$( echo "${idx}" | \ + local size=$( echo "${idx}" | \ awk -F: '/size:/ { print $2 }' | \ tr -d ' ' ) - # Read the current contents into a temp file. - # tpm2_nvread could fail, and this ends up being a big pipeline to - # create an empty file, but that is fine for below. - tpm2_nvread -x "${tboot_idx}" -a "${TPM_RH_OWNER}" -P "${password}" \ - -s "${size}" -o 0 2>/dev/null \ - | tail -n 1 | tr -d ' ' | hex2bin > "${old_policy}" + # Read the current contents into a temp file. + # tpm2_nvread could fail, and this ends up being a big pipeline to + # create an empty file, but that is fine for below. 
+ tpm2_nvread "${tboot_idx}" -C "${TPM_RH_OWNER}" -P "${password}" \ + -s "${size}" -o "${old_policy}" >/dev/null 2>&1 || true - if diff -q "${old_policy}" "${policy}" ; then - rm "${old_policy}" + if cmp -s "${old_policy}" "${policy}"; then + rm -f "${old_policy}" return 0 - fi >/dev/null 2>&1 - - rm "${old_policy}" - - if [ "${size}" != "${polsize}" -o \ - "$( tpm2_normalize $(( attr & ~TPMA_NV_TPMA_NV_WRITTEN )) )" != \ - "${TBOOT_NV_ATTRIB}" ]; then - tpm2_nvrelease -x "${tboot_idx}" -a "${TPM_RH_OWNER}" -P "${password}" \ - >/dev/null 2>&1 - tpm2_nvdefine -x "${tboot_idx}" -a "${TPM_RH_OWNER}" -P "${password}" \ - -s "${polsize}" -t "${TBOOT_NV_ATTRIB}" >/dev/null 2>&1 \ - || return 1 + fi + rm -f "${old_policy}" + + # If size or attributes mismatch, undefine + if [ "${size}" != "${polsize}" ] || \ + [ "$( tpm2_normalize $(( attr & ~TPMA_NV_TPMA_NV_WRITTEN )) )" != "${TBOOT_NV_ATTRIB}" ]; then + tpm2_nvundefine "${tboot_idx}" -C "${TPM_RH_OWNER}" \ + -P "${password}" >/dev/null 2>&1 || true + fi fi - tpm2_nvwrite -x "${tboot_idx}" -a "${TPM_RH_OWNER}" -P "${password}" \ - "${policy}" >/dev/null 2>&1 + # Define the index + tpm2_nvdefine "${tboot_idx}" \ + -C "${TPM_RH_OWNER}" \ + -P "${password}" \ + -s "${polsize}" \ + -a "${TBOOT_NV_ATTRIB}" >/dev/null 2>&1 || return 1 + + # Write the policy + tpm2_nvwrite "${tboot_idx}" \ + -C "${TPM_RH_OWNER}" \ + -P "${password}" \ + -i "${policy}" >/dev/null 2>&1 } # Usage: tpm_get_syspath [TPM-DEVICE-ID] @@ -667,7 +714,7 @@ tpm_get_ev_separator() { local evs if is_tpm_2_0; then - # TPM 2.0: `printf "\xff\xff\xff\xff" | sha256sum`, best guess... + # TPM 2.0: `printf "\x00\x00\x00\x00" | sha256sum`, best guess... evs="df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119" else # TPM 1.2 will expose a securityfs node with ASCII values. 
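Review bot: In tpm2_write_tboot_policy the `tpm2_nvdefine` at the end of the hunk now runs unconditionally, but the index is only undefined when size or attributes mismatch; when the index exists with the right attributes and merely holds a different policy (the ordinary update case), `tpm2_nvdefine` fails because the index is already defined, the `|| return 1` fires, and the new policy is never written — the removed code handled that case by writing straight into the existing index. Track whether a define is needed, as sketched below, and let a failed `tpm2_nvundefine` return an error instead of being swallowed by `|| true` (the subsequent define would fail anyway, with a less useful status). The `# Check if index exis` comment is truncated. The function's head, including the computation of `tboot_idx` and `polsize`, is outside the hunk.
```shell
    local need_define=1
    # Check if the index already exists
    if tpm2_getcap handles-nv-index | grep -q "${tboot_idx}"; then
        need_define=0
        # … unchanged: read public area, compare old policy, return 0 if equal …
        # Size or attribute mismatch: drop the index and recreate it below
        if [ "${size}" != "${polsize}" ] || \
           [ "$( tpm2_normalize $(( attr & ~TPMA_NV_TPMA_NV_WRITTEN )) )" != "${TBOOT_NV_ATTRIB}" ]; then
            tpm2_nvundefine "${tboot_idx}" -C "${TPM_RH_OWNER}" \
                -P "${password}" >/dev/null 2>&1 || return 1
            need_define=1
        fi
    fi

    # Define the index only when it is absent or was just undefined
    if [ "${need_define}" -eq 1 ]; then
        tpm2_nvdefine "${tboot_idx}" \
            -C "${TPM_RH_OWNER}" \
            -P "${password}" \
            -s "${polsize}" \
            -a "${TBOOT_NV_ATTRIB}" >/dev/null 2>&1 || return 1
    fi
    # … unchanged: tpm2_nvwrite of the policy …
```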
@@ -684,7 +731,7 @@ tpm_get_ev_separator() { # Print all the PCR values of the first TPM on stdout. tpm_list_pcrs() { if is_tpm_2_0; then - tpm2_pcrlist + tpm2_pcrread else cat "$(tpm_get_syspath)/device/pcrs" fi @@ -697,10 +744,11 @@ tpm_pcrlist_save() { local file="$1" shift 1 local pcrlist="" + local p # Sanity check list of number in PCR id range ([0-23]) for p in "$@"; do - pcrid="${p%%:*}" + pcrid="${p%%=*}" if [ "$(expr "${pcrid}" : '^[[:digit:]]\+$')" -a \ "${pcrid}" -gt 23 -o "${pcrid}" -lt 0 ]; then return 1 @@ -717,26 +765,29 @@ tpm_pcrlist_save() { tpm_pcrs_to_opts() { local tss_opt local pcr_opts + local p if is_tpm_2_0; then - tss_opt="-r" + pcr_opts="sha256:$1" + shift + tss_opt="," else - tss_opt="-p" + tss_opt=" -p" fi for p in "$@"; do - pcr_opts="${pcr_opts} ${tss_opt} ${p}" + pcr_opts="$pcr_opts$tss_opt$p" done echo "${pcr_opts}" } # Usage: tpm_pcr_value_normalize PCR-VALUE # Print the PCR-VALUE, from TPM-TSS output, normalized on stdout. -# Normalized here means no space, all lowercase, no PCR identifier, and only +# Normalized here means no space, all lowercase, no PCR identifier, no 0x prefix, and only # the last line. # This is relevant for to be consistent across TSS versions and keeps format # sanitizing in one centralized place, should it require to be amended. tpm_pcr_value_normalize() { - echo "$1" | awk -F ':' 'END{ gsub(" ", "", $2); print tolower($2) }' + echo "$1" | awk -F ':' 'END{ gsub(" ", "", $2); gsub("^0x", "", $2); print tolower($2) }' } # Usage: tpm_get_hash_algorithm @@ -760,7 +811,7 @@ tpm_get_pcr() { local hashalg="$(tpm_get_hash_algorithm)" if is_tpm_2_0; then - tpm_pcr_value_normalize "$(tpm2_pcrlist -L ${hashalg}:${pcr})" + tpm_pcr_value_normalize "$(tpm2_pcrread ${hashalg}:${pcr})" else tpm_pcr_value_normalize "$(grep "$(printf "PCR-%02d" "$pcr")" "$(tpm_get_syspath)/device/pcrs")" fi 
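Review bot: tpm_pcrs_to_opts hard-codes the `sha256:` bank prefix, while tpm_seal and tpm_unseal select `${hashalg}` and tpm_get_pcr in the following hunk takes the bank from `tpm_get_hash_algorithm`; on a platform where the sha256 bank is absent and the sha1 fallback is chosen, the policy would be built over a bank that does not exist, or a different one than the PCR values were read from. Use the same source: `pcr_opts="$(tpm_get_hash_algorithm):$1"`. Note also that the `pcrid="${p%%=*}"` parse in the preceding hunk admits `N=digest` entries in the PCR list; if those reach this function unchanged the result (`sha256:4=…,8=…`) is handed to `tpm2_policypcr -l`, which as far as I know expects a bare selection — worth checking against the tool version in the image, or stripping the `=…` part here and passing forward digests separately.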
@@ -850,27 +901,46 @@ tpm_seal() { fi tpm_save_keyfiles "${tss}" - allout="$(tpm2_sealdata -H "${handle}" -I "${secret}" \ - -O "${tss}.${hashalg}" -o "${tss}.pub.${hashalg}" -g "${alg}" \ - -G "${TPM_ALG_KEYEDHASH}" -b "${OXT_SEAL_ATTR}" \ - ${pcr_opts} 2>&1)" + + # Create PCR-bound policy + local policy_file="${tss}.policy.dat" + local session_ctx="${tss}.session.ctx" + + tpm2_startauthsession -S "${session_ctx}" > /dev/null + if [ $? -ne 0 ]; then + echo "tpm_seal: Failed to start policy session" >&2 + tpm_restore_keyfiles "${tss}" + return 1 + fi + + tpm2_policypcr -S "${session_ctx}" -l "${pcr_opts}" -L "${policy_file}" > /dev/null if [ $? -ne 0 ]; then - echo "tpm_seal: Failed to seal data (TPM 2.0) "\ - "using ${hashalg} algorithm:" >&2 + echo "tpm_seal: Failed to bind PCRs to policy" >&2 + tpm2_flushcontext "${session_ctx}" > /dev/null + tpm_restore_keyfiles "${tss}" + return 1 + fi + + tpm2_flushcontext "${session_ctx}" > /dev/null + + # Seal the data using the policy + local out_priv="${tss}.priv.${hashalg}" + local out_pub="${tss}.pub.${hashalg}" + + allout="$(tpm2_create -C "${handle}" -i "${secret}" -u "${out_pub}" -r "${out_priv}" -L "${policy_file}" 2>&1)" + if [ $? -ne 0 ]; then + echo "tpm_seal: Failed to seal data (TPM 2.0):" >&2 echo "${allout}" >&2 tpm_restore_keyfiles "${tss}" return 1 fi else local tss_bin="tpm_sealdata" - - # Use the standalone binary if tcsd is not running. if ! tcsd_running; then tss_bin="${tss_bin}_sa" fi tpm_save_keyfiles "${tss}" - allout="$(${tss_bin} -i "${secret}" -o "${tss}.sha1" \ - -z ${pcr_opts} 2>&1)" + allout="$(${tss_bin} -i "${secret}" -o "${tss}.sha1" -z ${pcr_opts} 2>&1)" if [ $? -ne 0 ]; then echo "tpm_seal: Failed to seal data (TPM 1.2):" >&2 echo "${allout}" >&2 
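Review bot: The `tpm2_create` call drops the explicit attribute set that the removed `tpm2_sealdata` invocation passed via `-b "${OXT_SEAL_ATTR}"`, so the sealed object now gets tpm2_create's default attributes; unless the pinned tpm2-tools clears `userwithauth` when `-L` is supplied, an object with an empty auth can be unsealed by password without satisfying the PCR policy at all, which defeats the sealing. Pass the attributes explicitly — `allout="$(tpm2_create -C "${handle}" -i "${secret}" -u "${out_pub}" -r "${out_priv}" -L "${policy_file}" -a "${OXT_SEAL_ATTR}" 2>&1)"` — with a value that omits `userwithauth` (assuming OXT_SEAL_ATTR is still defined and in `-a` syntax). The trial session is flushed from the TPM but its context file stays on disk; add `rm -f "${session_ctx}"` after the `tpm2_flushcontext`. `${tss}` and `${hashalg}` are set before this hunk.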
@@ -907,25 +977,33 @@ tpm_unseal() { shift $((OPTIND-1)) local tss="${root}/$1" + local pcr_opts="$(tpm_pcrs_to_opts $(cat "${tss}.pcrs"))" if is_tpm_2_0; then local alg="$(hashalg_to_alg "${hashalg}")" local handle="$(alg_to_handle "${alg}")" - if [ -z "${alg}" -o -z "${handle}" ] || \ - ! pcr_bank_exists "${hashalg}"; then + if [ -z "${alg}" ] || ! pcr_bank_exists "${hashalg}"; then echo "tpm_unseal: Algorithm \"${hashalg}\" is not supported." >&2 return 1 fi + + # Load the sealed object + local obj_ctx="${tss}.sealed.ctx" + local session_ctx="${tss}.session.ctx" + tpm2_load -C "${handle}" -u "${tss}.pub.${hashalg}" -r "${tss}.priv.${hashalg}" -c "${obj_ctx}" > /dev/null 2>&1 + if [ $? -ne 0 ]; then + echo "tpm_unseal: Failed to load sealed object" >&2 + return 1 + fi - { stderr="$(tpm2_unsealdata -H "${handle}" \ - -n "${tss}.${hashalg}" -u "${tss}.pub.${hashalg}" \ - -g "${alg}" ${pcr_opts} 2>&1 1>&3 3>&-)"; } 3>&1 - if [ "$?" -ne 0 ]; then - echo "tpm_unseal: Failed to unseal data (TPM 2.0) "\ - "using ${hashalg} algorithm:" >&2 - echo "${stderr}" >&2 + # Unseal + tpm2_startauthsession --policy-session -S "${tss}.session.ctx" + tpm2_policypcr -S "${session_ctx}" -l "${pcr_opts}" -L "${tss}.policy.dat" > /dev/null + { stderr="$(tpm2_unseal -psession:${session_ctx} -c "${obj_ctx}" 2>&1 1>&3 3>&-)"; } 3>&1 + if [ $? -ne 0 ]; then + echo "tpm_unseal: Failed to unseal data (TPM 2.0) using ${hashalg} algorithm, ${stderr}" >&2 return 1 fi else diff --git a/recipes-security/tss2/tpm2-tools/tpm2-extendpcr-support.patch b/recipes-security/tss2/tpm2-tools/tpm2-extendpcr-support.patch deleted file mode 100644 index 4fe2517964..0000000000 --- a/recipes-security/tss2/tpm2-tools/tpm2-extendpcr-support.patch +++ /dev/null 
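Review bot: The policy session started in tpm_unseal's TPM 2.0 branch is never flushed — the seal path flushes its trial session, but here `tpm2_startauthsession --policy-session` has no matching `tpm2_flushcontext` on either the success or the failure path, so every unseal attempt leaves a session loaded in the TPM; where this runs under `TPM2TOOLS_TCTI=device` with no resource manager (as the initramfs module in the first hunk sets), repeated attempts will exhaust session slots and later TPM commands fail with an unrelated error. `tpm2_startauthsession` and `tpm2_policypcr` are also unchecked, and `tpm2_policypcr -L "${tss}.policy.dat"` overwrites the policy digest recorded at seal time with whatever the current PCRs hash to, which only confuses debugging of a failed unseal; drop `-L` here, since tpm2_unseal needs only the session. The rewrite below checks each step, flushes the session and removes the context files on every path. The function's prologue and its TPM 1.2 branch are outside the hunk.
```shell
    # Unseal under a policy session; flush it on every path so TPM session
    # slots are not leaked across retries.
    tpm2_startauthsession --policy-session -S "${session_ctx}" > /dev/null 2>&1
    if [ $? -ne 0 ]; then
        echo "tpm_unseal: Failed to start policy session" >&2
        rm -f "${obj_ctx}"
        return 1
    fi
    tpm2_policypcr -S "${session_ctx}" -l "${pcr_opts}" > /dev/null 2>&1
    if [ $? -ne 0 ]; then
        echo "tpm_unseal: Failed to run PCR policy" >&2
        tpm2_flushcontext "${session_ctx}" > /dev/null 2>&1
        rm -f "${session_ctx}" "${obj_ctx}"
        return 1
    fi
    { stderr="$(tpm2_unseal -p "session:${session_ctx}" -c "${obj_ctx}" 2>&1 1>&3 3>&-)"; } 3>&1
    ret=$?
    tpm2_flushcontext "${session_ctx}" > /dev/null 2>&1
    rm -f "${session_ctx}" "${obj_ctx}"
    if [ ${ret} -ne 0 ]; then
        echo "tpm_unseal: Failed to unseal data (TPM 2.0) using ${hashalg} algorithm, ${stderr}" >&2
        return 1
    fi
```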
@@ -1,244 +0,0 @@ -################################################################################ -SHORT DESCRIPTION: -################################################################################ -Add tpm2_extendpcr binary. - -################################################################################ -LONG DESCRIPTION: -################################################################################ - -################################################################################ -CHANGELOG -################################################################################ -Add tpm2_extendpcr: Chris Rogers -Uprev from v2.0.0 to v3.1.3: Nicholas Tsirakis - -################################################################################ -REMOVAL -################################################################################ -The upstream tpm2-tools added their own tpm2_pcrextend tool in -version 3.X.Y. This patch can be removed if that tool provides -the same functionality, though it is currently untested. 
- -################################################################################ -UPSTREAM PLAN -################################################################################ - -################################################################################ -INTERNAL DEPENDENCIES -################################################################################ - -################################################################################ -PATCHES -################################################################################ - -commit 3978a8c5f05f5b35c34bd63e974493044ae4df6e -Author: Nicholas Tsirakis -Date: Thu May 24 16:05:16 2018 -0400 - - Apply tpm2-extendpcr-support patch - ---- a/Makefile.am -+++ b/Makefile.am -@@ -75,7 +75,6 @@ bin_PROGRAMS = \ - tools/tpm2_nvrelease \ - tools/tpm2_nvwrite \ - tools/tpm2_pcrevent \ -- tools/tpm2_pcrextend \ - tools/tpm2_pcrlist \ - tools/tpm2_quote \ - tools/tpm2_rc_decode \ -@@ -169,7 +168,6 @@ tools_tpm2_rsaencrypt_SOURCES = tools/tp - tools_tpm2_sign_SOURCES = tools/tpm2_sign.c $(TOOL_SRC) - tools_tpm2_unseal_SOURCES = tools/tpm2_unseal.c $(TOOL_SRC) - tools_tpm2_dictionarylockout_SOURCES = tools/tpm2_dictionarylockout.c $(TOOL_SRC) --tools_tpm2_pcrextend_SOURCES = tools/tpm2_pcrextend.c $(TOOL_SRC) - tools_tpm2_pcrevent_SOURCES = tools/tpm2_pcrevent.c $(TOOL_SRC) - tools_tpm2_rc_decode_SOURCES = tools/tpm2_rc_decode.c $(TOOL_SRC) - tools_tpm2_extendpcr_SOURCES = tools/tpm2_extendpcr.c $(TOOL_SRC) ---- /dev/null -+++ b/tools/tpm2_extendpcr.c -@@ -0,0 +1,183 @@ -+//**********************************************************************; -+// Copyright (c) 2015, Intel Corporation -+// Copyright (c) 2017, Assured Information Security -+// All rights reserved. -+// -+// Redistribution and use in source and binary forms, with or without -+// modification, are permitted provided that the following conditions are met: -+// -+// 1. 
Redistributions of source code must retain the above copyright notice, -+// this list of conditions and the following disclaimer. -+// -+// 2. Redistributions in binary form must reproduce the above copyright notice, -+// this list of conditions and the following disclaimer in the documentation -+// and/or other materials provided with the distribution. -+// -+// 3. Neither the name of Intel Corporation nor the names of its contributors -+// may be used to endorse or promote products derived from this software without -+// specific prior written permission. -+// -+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE -+// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -+// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -+// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF -+// THE POSSIBILITY OF SUCH DAMAGE. 
-+//**********************************************************************; -+ -+#include -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include "pcr.h" -+#include "log.h" -+#include "tpm_session.h" -+#include "tpm2_options.h" -+#include "tpm2_util.h" -+ -+typedef struct tpm_extendpcr_ctx tpm_extendpcr_ctx; -+struct tpm_extendpcr_ctx { -+ BYTE byteHash[TPM2_SHA512_DIGEST_SIZE]; -+ TPMI_ALG_HASH algorithmId; -+ UINT32 pcr; -+ -+ struct { -+ UINT16 g : 1; -+ UINT16 s : 1; -+ UINT16 c : 1; -+ } flags; -+}; -+ -+static tpm_extendpcr_ctx ctx = { -+ .algorithmId = 0, -+ .pcr = -1 -+}; -+ -+int pcr_extend(TSS2_SYS_CONTEXT *sapi_context) { -+ TPMS_AUTH_COMMAND sessionData = TPMS_AUTH_COMMAND_INIT(TPM2_RS_PW); -+ TSS2L_SYS_AUTH_COMMAND sessionsData; -+ TPML_PCR_SELECTION pcrSelection; -+ TPML_DIGEST_VALUES digests; -+ TSS2_RC rval; -+ -+ digests.count = 1; -+ digests.digests[0].hashAlg = ctx.algorithmId; -+ -+ switch (ctx.algorithmId) { -+ -+ case TPM2_ALG_SHA1: -+ memcpy(digests.digests[0].digest.sha1, ctx.byteHash, TPM2_SHA1_DIGEST_SIZE); -+ break; -+ case TPM2_ALG_SHA256: -+ memcpy(digests.digests[0].digest.sha256, ctx.byteHash, TPM2_SHA256_DIGEST_SIZE); -+ break; -+ case TPM2_ALG_SHA384: -+ memcpy(digests.digests[0].digest.sha384, ctx.byteHash, TPM2_SHA384_DIGEST_SIZE); -+ break; -+ case TPM2_ALG_SHA512: -+ memcpy(digests.digests[0].digest.sha512, ctx.byteHash, TPM2_SHA512_DIGEST_SIZE); -+ break; -+ case TPM2_ALG_SM3_256: -+ memcpy(digests.digests[0].digest.sha1, ctx.byteHash, TPM2_SM3_256_DIGEST_SIZE); -+ break; -+ default: -+ LOG_ERR("Invalid algorithm. 
Exiting"); -+ return -1; -+ } -+ -+ pcrSelection.count = 1; -+ pcrSelection.pcrSelections[0].hash = ctx.algorithmId; -+ pcrSelection.pcrSelections[0].sizeofSelect = 3; -+ -+ CLEAR_PCR_SELECT_BITS(pcrSelection.pcrSelections[0]); -+ -+ SET_PCR_SELECT_BIT(pcrSelection.pcrSelections[0], ctx.pcr); -+ -+ sessionsData.count = 1; -+ sessionsData.auths[0] = sessionData; -+ -+ rval = Tss2_Sys_PCR_Extend( sapi_context, ctx.pcr, &sessionsData, &digests, 0 ); -+ if( rval != TPM2_RC_SUCCESS) { -+ LOG_ERR("Failed to extend PCR: %d\n", ctx.pcr); -+ return -2; -+ } -+ return 0; -+} -+ -+static bool on_option(char key, char *value) { -+ -+ UINT16 size; -+ -+ switch(key) { -+ case 's': -+ size = strlen(value); //set initial size of hash, hex2Byte will fail if size is wrong -+ if(tpm2_util_hex_to_byte_structure(value, &size, ctx.byteHash) != 0) { -+ LOG_ERR("Invalid hex value.\n"); -+ return false; -+ } -+ ctx.flags.s = 1; -+ break; -+ case 'c': -+ if (pcr_get_id(value, &ctx.pcr)) { -+ LOG_ERR("Invalid pcr value.\n"); -+ return false; -+ } -+ ctx.flags.c = 1; -+ break; -+ case 'g': -+ if(!tpm2_util_string_to_uint16(value, &ctx.algorithmId)) { -+ return false; -+ } -+ ctx.flags.g = 1; -+ break; -+ case ':': -+ return false; -+ case '?': -+ return false; -+ } -+ -+ return true; -+} -+ -+bool tpm2_tool_onstart(tpm2_options **opts) { -+ -+ const struct option topts[] = { -+ {"algorithm", required_argument, NULL, 'g'}, -+ {"hash", required_argument, NULL, 's'}, -+ {"pcr", required_argument, NULL, 'c'} -+ }; -+ -+ *opts = tpm2_options_new("g:s:c:", ARRAY_LEN(topts), topts, -+ on_option, NULL, TPM2_OPTIONS_SHOW_USAGE); -+ -+ return *opts != NULL; -+} -+ -+int tpm2_tool_onrun(TSS2_SYS_CONTEXT *sapi_context, tpm2_option_flags flags) { -+ -+ UNUSED(flags); -+ -+ int returnVal; -+ int flagCnt = 0; -+ flagCnt = ctx.flags.g + ctx.flags.s + ctx.flags.c; -+ -+ if(flagCnt < 3) { -+ return -10; -+ } -+ -+ returnVal = pcr_extend(sapi_context); -+ -+ return returnVal; -+} 
diff --git a/recipes-security/tss2/tpm2-tools/tpm2-nvlist-drop-ntoh.patch b/recipes-security/tss2/tpm2-tools/tpm2-nvlist-drop-ntoh.patch deleted file mode 100644 index 638001ade9..0000000000 --- a/recipes-security/tss2/tpm2-tools/tpm2-nvlist-drop-ntoh.patch +++ /dev/null @@ -1,45 +0,0 @@ -From c5bca074ca9ecf5da470fae00ca7fae509260fd5 Mon Sep 17 00:00:00 2001 -From: William Roberts -Date: Thu, 14 Jul 2022 09:32:06 -0500 -Subject: [PATCH] nvreadpublic: drop ntoh on attributes - -The attributes get marshalled to correct endianess by libmu and don't -need to be changed again. - -For example: -tpm2_define -tpm2_nvreadpublic - - attributes: - friendly: ownerwrite|authwrite|ownerread|authread - value: 0x6000600 - -tpm2_nvdefine 0x6000600 <-- fails - -Drop NTOH -tpm2_nvreadpublic - - attributes: - friendly: ownerwrite|authwrite|ownerread|authread - value: 0x60006 - - -tpm2_nvdefine -a 0x60006 <-- works - -Fixes: #3053 - -Signed-off-by: William Roberts ---- -Made to apply to 3.x where tpm2_nvreadpublic.c is tpm2_nvlist.c - ---- a/tools/tpm2_nvlist.c -+++ b/tools/tpm2_nvlist.c -@@ -63,7 +63,7 @@ static void print_nv_public(TPM2B_NV_PUB - tpm2_tool_output(" attributes:\n"); - tpm2_tool_output(" friendly: %s\n", attrs); - tpm2_tool_output(" value: 0x%X\n", -- tpm2_util_ntoh_32(nv_public->nvPublic.attributes)); -+ nv_public->nvPublic.attributes); - - tpm2_tool_output(" size: %d\n", - nv_public->nvPublic.dataSize); diff --git a/recipes-security/tss2/tpm2-tools/tpm2-sealing-support.patch b/recipes-security/tss2/tpm2-tools/tpm2-sealing-support.patch deleted file mode 100644 index af9da6943c..0000000000 --- a/recipes-security/tss2/tpm2-tools/tpm2-sealing-support.patch +++ /dev/null 
@@ -1,651 +0,0 @@
-################################################################################
-SHORT DESCRIPTION:
-################################################################################
-Add tpm2_sealdata binary.
-
-################################################################################
-LONG DESCRIPTION:
-################################################################################
-Add tpm2_sealdata binary and convert tpm2_create from a commandline binary
-to a library. The latter was necessary as each tool is a standalone
-binary that cannot be used by other tools, and tpm2_sealdata needs
-tpm2_create's functionality.
-
-Note that this patch absorbed the tools/tpm2_sealdata.c and lib/build-policy.c
-changes from the old tpm2-fix-forward-seal.patch.
-
-################################################################################
-CHANGELOG
-################################################################################
-Add tpm2_sealdata: Chris Rogers
-Uprev from v2.0.0 to v3.1.3: Nicholas Tsirakis
-
-################################################################################
-REMOVAL
-################################################################################
-
-################################################################################
-UPSTREAM PLAN
-################################################################################
-
-################################################################################
-INTERNAL DEPENDENCIES
-################################################################################
-
-################################################################################
-PATCHES
-################################################################################
-
-commit 931fd721177789154b128d9d1f16854d1a919a6b
-Author: Nicholas Tsirakis
-Date: Tue May 22 16:18:54 2018 -0400
-
- Apply tpm2-sealing-support patch
-
---- a/lib/build-policy.c
-+++ b/lib/build-policy.c
-@@ -4,7 +4,7 @@
- #include
- #include "tpm_session.h"
- #include "tpm_hash.h"
--#include "string-bytes.h"
-+#include "tpm2_util.h"
- #include "pcr.h"
-
- #define INIT_SIMPLE_TPM2B_SIZE( type ) (type).size = sizeof( type ) - 2;
-@@ -25,12 +25,11 @@ int build_pcr_policy( TSS2_SYS_CONTEXT *
- {
- TPM2B_DIGEST pcrDigest;
- TPML_DIGEST tmpPcrValues;
-- TPM2B_MAX_BUFFER pcrValues[24];
-+ TPM2B_DIGEST pcrValues[24];
- TPML_PCR_SELECTION pcrs, pcrsTmp, pcrSelectionOut;
- UINT32 pcrUpdateCounter;
-
- TPM2_RC rval = TPM2_RC_SUCCESS;
-- char empty[32] = {0};
- zero_pcr_selection(&pcrs, nameAlg);
-
- //Init the pcr selection we will use for the PCRPolicy call
-@@ -40,7 +39,7 @@ int build_pcr_policy( TSS2_SYS_CONTEXT *
- for(int i = 0; i < pcrCountIn; i++)
- {
- //No forward hash provided, need to read this pcr
-- if(!memcmp(pcrList[i]->forwardHash, empty, 32)) {
-+ if(!pcrList[i]->hash_set) {
- zero_pcr_selection(&pcrsTmp, nameAlg);
- SET_PCR_SELECT_BIT(pcrsTmp.pcrSelections[0], pcrList[i]->pcr);
- memset(&tmpPcrValues, 0, sizeof(TPML_DIGEST));
-@@ -52,6 +51,7 @@ int build_pcr_policy( TSS2_SYS_CONTEXT *
- memcpy(pcrValues[i].buffer, tmpPcrValues.digests[0].buffer, tmpPcrValues.digests[0].size);
- } else {
- //Forward hash provided, copy into digest buffer
-+ pcrValues[i].size = sizeof(pcrList[i]->forwardHash);
- memcpy(pcrValues[i].buffer, pcrList[i]->forwardHash, sizeof(pcrList[i]->forwardHash));
- }
- }
-@@ -116,9 +116,7 @@ int build_policy_external(TSS2_SYS_CONTE
- return rval;
-
- // And remove the session from sessions table.
-- rval = tpm_session_auth_end( *policySession );
-- if( rval != TPM2_RC_SUCCESS )
-- return rval;
-+ tpm_session_auth_end( *policySession );
- }
-
- memcpy(policyDigestOut->buffer, policyDigest.buffer, policyDigest.size);
---- a/tools/shared.h
-+++ b/tools/shared.h
-@@ -6,9 +6,7 @@
- #include "tpm_session.h"
- #include "pcr.h"
-
--int setup_alg(TPMI_ALG_PUBLIC type, TPMI_ALG_HASH nameAlg, TPM2B_PUBLIC *in_public, int I_flag);
--
--int create(TSS2_SYS_CONTEXT *sysContext, TPMI_DH_OBJECT parent_handle, TPM2B_PUBLIC *in_public, TPM2B_SENSITIVE_CREATE *in_sensitive, TPMI_ALG_PUBLIC type, TPMI_ALG_HASH nameAlg, const char *opu_path, const char *opr_path, int o_flag, int O_flag, int I_flag, int A_flag, UINT32 objectAttributes);
-+int create(TSS2_SYS_CONTEXT *sapi_context, TPMI_DH_OBJECT parent_handle, TPM2B_PUBLIC *in_public, TPM2B_SENSITIVE_CREATE *in_sensitive, TPMI_ALG_PUBLIC type, TPMI_ALG_HASH nameAlg, char *input, char *opu_path, char *opr_path, int H_flag, int g_flag, int G_flag, int I_flag, int o_flag, int O_flag, int A_flag, TPMA_OBJECT objectAttributes);
-
- int build_policy_external(TSS2_SYS_CONTEXT *sysContext, SESSION **policySession, int trial, pcr_struct **pcrList, INT32 pcrCount, TPM2B_DIGEST *policyDigestOut, TPMI_ALG_HASH nameAlg);
-
---- a/tools/tpm2_create.c
-+++ b/tools/tpm2_create.c
-@@ -49,6 +49,7 @@
- #include "tpm2_password_util.h"
- #include "tpm2_tool.h"
- #include "tpm2_util.h"
-+#include "shared.h"
-
- typedef struct tpm_create_ctx tpm_create_ctx;
- struct tpm_create_ctx {
-@@ -62,6 +63,7 @@ struct tpm_create_ctx {
- char *opu_path;
- char *opr_path;
- char *context_parent_path;
-+ TPMA_OBJECT objectAttributes;
- struct {
- UINT16 H : 1;
- UINT16 P : 1;
-@@ -113,6 +115,8 @@ int setup_alg()
- return -1;
- }
-
-+ ctx.in_public.publicArea.type = ctx.type;
-+
- switch(ctx.in_public.publicArea.type) {
- case TPM2_ALG_RSA:
- ctx.in_public.publicArea.parameters.rsaDetail.symmetric.algorithm = TPM2_ALG_NULL;
-@@ -164,7 +168,7 @@ int setup_alg()
- return 0;
- }
-
--int create(TSS2_SYS_CONTEXT *sapi_context)
-+int create_internal(TSS2_SYS_CONTEXT *sapi_context)
- {
- TSS2_RC rval;
- TSS2L_SYS_AUTH_COMMAND sessionsData;
-@@ -187,6 +191,10 @@ int create(TSS2_SYS_CONTEXT *sapi_contex
- if(setup_alg())
- return -1;
-
-+ if (ctx.flags.A) {
-+ ctx.in_public.publicArea.objectAttributes = ctx.objectAttributes;
-+ }
-+
- creationPCR.count = 0;
-
- rval = TSS2_RETRY_EXP(Tss2_Sys_Create(sapi_context, ctx.parent_handle, &sessionsData, &ctx.in_sensitive,
-@@ -216,135 +224,6 @@ int create(TSS2_SYS_CONTEXT *sapi_contex
- return 0;
- }
-
--static bool on_option(char key, char *value) {
--
-- bool res;
--
-- switch(key) {
-- case 'H':
-- if(!tpm2_util_string_to_uint32(value, &ctx.parent_handle)) {
-- LOG_ERR("Invalid parent handle, got\"%s\"", value);
-- return false;
-- }
-- ctx.flags.H = 1;
-- break;
-- case 'P':
-- res = tpm2_password_util_from_optarg(value, &ctx.session_data.hmac);
-- if (!res) {
-- LOG_ERR("Invalid parent key password, got\"%s\"", value);
-- return false;
-- }
-- ctx.flags.P = 1;
-- break;
-- case 'K':
-- res = tpm2_password_util_from_optarg(value, &ctx.in_sensitive.sensitive.userAuth);
-- if (!res) {
-- LOG_ERR("Invalid key password, got\"%s\"", value);
-- return false;
-- }
-- ctx.flags.K = 1;
-- ctx.in_public.publicArea.objectAttributes |= TPMA_OBJECT_USERWITHAUTH;
-- break;
-- case 'g':
-- ctx.nameAlg = tpm2_alg_util_from_optarg(value);
-- if(ctx.nameAlg == TPM2_ALG_ERROR) {
-- LOG_ERR("Invalid hash algorithm, got\"%s\"", value);
-- return false;
-- }
-- ctx.flags.g = 1;
-- break;
-- case 'G':
-- ctx.in_public.publicArea.type = tpm2_alg_util_from_optarg(value);
-- if(ctx.in_public.publicArea.type == TPM2_ALG_ERROR) {
-- LOG_ERR("Invalid key algorithm, got\"%s\"", value);
-- return false;
-- }
--
-- ctx.flags.G = 1;
-- break;
-- case 'A': {
-- bool res = tpm2_attr_util_obj_from_optarg(value,
-- &ctx.in_public.publicArea.objectAttributes);
-- if(!res) {
-- LOG_ERR("Invalid object attribute, got\"%s\"", value);
-- return false;
-- }
-- ctx.flags.A = 1;
-- } break;
-- case 'I':
-- ctx.input = strcmp("-", value) ? value : NULL;
-- ctx.flags.I = 1;
-- break;
-- case 'L':
-- ctx.in_public.publicArea.authPolicy.size = sizeof(ctx.in_public.publicArea.authPolicy) - 2;
-- if(!files_load_bytes_from_path(value, ctx.in_public.publicArea.authPolicy.buffer,
-- &ctx.in_public.publicArea.authPolicy.size)) {
-- return false;
-- }
-- ctx.flags.L = 1;
-- if (!ctx.flags.K) {
-- ctx.in_public.publicArea.objectAttributes &= ~TPMA_OBJECT_USERWITHAUTH;
-- }
-- break;
-- case 'S':
-- if (!tpm2_util_string_to_uint32(value, &ctx.session_data.sessionHandle)) {
-- LOG_ERR("Could not convert session handle to number, got: \"%s\"",
-- value);
-- return false;
-- }
-- break;
-- case 'u':
-- ctx.opu_path = value;
-- if(files_does_file_exist(ctx.opu_path) != 0) {
-- return false;
-- }
-- ctx.flags.o = 1;
-- break;
-- case 'r':
-- ctx.opr_path = value;
-- if(files_does_file_exist(ctx.opr_path) != 0) {
-- return false;
-- }
-- ctx.flags.O = 1;
-- break;
-- case 'c':
-- ctx.context_parent_path = value;
-- if(ctx.context_parent_path == NULL || ctx.context_parent_path[0] == '\0') {
-- return false;
-- }
-- ctx.flags.c = 1;
-- break;
-- };
--
-- return true;
--}
--
--bool tpm2_tool_onstart(tpm2_options **opts) {
--
-- static struct option topts[] = {
-- {"parent",1,NULL,'H'},
-- {"pwdp",1,NULL,'P'},
-- {"pwdk",1,NULL,'K'},
-- {"halg",1,NULL,'g'},
-- {"kalg",1,NULL,'G'},
-- {"object-attributes",1,NULL,'A'},
-- {"in-file",1,NULL,'I'},
-- {"policy-file",1,NULL,'L'},
-- {"pubfile",1,NULL,'u'},
-- {"privfile",1,NULL,'r'},
-- {"context-parent",1,NULL,'c'},
-- {"input-session-handle",1,NULL,'S'},
-- };
--
-- setbuf(stdout, NULL);
-- setvbuf (stdout, NULL, _IONBF, BUFSIZ);
--
-- *opts = tpm2_options_new("H:P:K:g:G:A:I:L:u:r:c:S:", ARRAY_LEN(topts),
-- topts, on_option, NULL, TPM2_OPTIONS_SHOW_USAGE);
--
-- return *opts != NULL;
--}
--
- static bool load_sensitive(void) {
-
- ctx.in_sensitive.sensitive.data.size = BUFFER_SIZE(typeof(ctx.in_sensitive.sensitive.data), buffer);
-@@ -352,10 +231,32 @@ static bool load_sensitive(void) {
- &ctx.in_sensitive.sensitive.data.size, ctx.in_sensitive.sensitive.data.buffer);
- }
-
--int tpm2_tool_onrun(TSS2_SYS_CONTEXT *sapi_context, tpm2_option_flags flags) {
--
-- UNUSED(flags);
-+// tpm2_create used to be a commandline tool, but now it's just a library.
-+// This wrapper allows us to build the tpm_create context from the args and
-+// skirt the new tpm2_tool option parsing scheme.
-+//
-+// Calls create_internal(), which was the original create()
-+// Note that some flags (e.g. P) are currently unused
-+int create(TSS2_SYS_CONTEXT *sapi_context, TPMI_DH_OBJECT parent_handle, TPM2B_PUBLIC *in_public, TPM2B_SENSITIVE_CREATE *in_sensitive, TPMI_ALG_PUBLIC type, TPMI_ALG_HASH nameAlg, char *input, char *opu_path, char *opr_path, int H_flag, int g_flag, int G_flag, int I_flag, int o_flag, int O_flag, int A_flag, TPMA_OBJECT objectAttributes) {
-+
-+ ctx.parent_handle = parent_handle;
-+ ctx.in_public = *in_public;
-+ ctx.in_sensitive = *in_sensitive;
-+ ctx.type = type;
-+ ctx.nameAlg = nameAlg;
-+ ctx.input = input;
-+ ctx.opu_path = opu_path;
-+ ctx.opr_path = opr_path;
-+ ctx.objectAttributes = objectAttributes;
-+ ctx.flags.H = H_flag;
-+ ctx.flags.g = g_flag;
-+ ctx.flags.G = G_flag;
-+ ctx.flags.I = I_flag;
-+ ctx.flags.o = o_flag;
-+ ctx.flags.O = O_flag;
-+ ctx.flags.A = A_flag;
-
-+ // Everything below used to be tpm2_tool_onrun
- int returnVal = 0;
- int flagCnt = 0;
-
-@@ -369,7 +270,7 @@ int tpm2_tool_onrun(TSS2_SYS_CONTEXT *sa
- }
- }
-
-- if (ctx.flags.I && ctx.in_public.publicArea.type != TPM2_ALG_KEYEDHASH) {
-+ if (ctx.flags.I && ctx.type != TPM2_ALG_KEYEDHASH) {
- LOG_ERR("Only TPM2_ALG_KEYEDHASH algorithm is allowed when sealing data");
- return 1;
- }
-@@ -382,8 +283,9 @@ int tpm2_tool_onrun(TSS2_SYS_CONTEXT *sa
- if(ctx.flags.c)
- returnVal = files_load_tpm_context_from_file(sapi_context,
- &ctx.parent_handle, ctx.context_parent_path) != true;
-+
- if(returnVal == 0)
-- returnVal = create(sapi_context);
-+ returnVal = create_internal(sapi_context);
-
- if(returnVal)
- return 1;
---- a/tools/tpm2_createprimary.c
-+++ b/tools/tpm2_createprimary.c
-@@ -191,6 +191,8 @@ int create_primary(TSS2_SYS_CONTEXT *sap
- static bool on_option(char key, char *value) {
-
- bool res;
-+ char pass[40];
-+ char *index = NULL;
-
- switch(key) {
- case 'H':
-@@ -209,7 +211,15 @@ static bool on_option(char key, char *va
- ctx.flags.A = 1;
- break;
- case 'P':
-- res = tpm2_password_util_from_optarg(value, &ctx.session_data.hmac);
-+ if (fgets(pass, 40, stdin)) {
-+ index = strchr(pass, '\n');
-+ if (index)
-+ *index = '\0';
-+ } else {
-+ LOG_ERR("No password provided");
-+ return false;
-+ }
-+ res = tpm2_password_util_from_optarg(pass, &ctx.session_data.hmac);
- if (!res) {
- LOG_ERR("Invalid parent key password, got\"%s\"", value);
- return false;
-@@ -290,7 +300,7 @@ bool tpm2_tool_onstart(tpm2_options **op
- setbuf(stdout, NULL);
- setvbuf (stdout, NULL, _IONBF, BUFSIZ);
-
-- *opts = tpm2_options_new("A:P:K:g:G:C:L:S:H:", ARRAY_LEN(topts), topts,
-+ *opts = tpm2_options_new("A:PK:g:G:C:L:S:H:", ARRAY_LEN(topts), topts,
- on_option, NULL, TPM2_OPTIONS_SHOW_USAGE);
-
- return *opts != NULL;
---- /dev/null
-+++ b/tools/tpm2_sealdata.c
-@@ -0,0 +1,262 @@
-+
-+//**********************************************************************;
-+// Copyright (c) 2015, Intel Corporation
-+// Copyright (c) 2017, Assured Information Security
-+// All rights reserved.
-+//
-+// Redistribution and use in source and binary forms, with or without
-+// modification, are permitted provided that the following conditions are met:
-+//
-+// 1. Redistributions of source code must retain the above copyright notice,
-+// this list of conditions and the following disclaimer.
-+//
-+// 2. Redistributions in binary form must reproduce the above copyright notice,
-+// this list of conditions and the following disclaimer in the documentation
-+// and/or other materials provided with the distribution.
-+//
-+// 3. Neither the name of Intel Corporation nor the names of its contributors
-+// may be used to endorse or promote products derived from this software without
-+// specific prior written permission.
-+//
-+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
-+// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-+// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-+// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-+// THE POSSIBILITY OF SUCH DAMAGE.
-+//**********************************************************************;
-+
-+#include
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#include
-+#include
-+#include "pcr.h"
-+#include "log.h"
-+#include "tpm_session.h"
-+#include "tpm2_options.h"
-+#include "tpm2_util.h"
-+#include "tpm2_attr_util.h"
-+#include "tpm2_alg_util.h"
-+#include "files.h"
-+#include "shared.h"
-+
-+//Define the context object for tpm2_sealdata
-+typedef struct tpm_sealdata_ctx tpm_sealdata_ctx;
-+struct tpm_sealdata_ctx {
-+ TPMI_DH_OBJECT handle2048rsa;
-+ TPM2B_SENSITIVE_CREATE inSensitive;
-+ TPMI_ALG_PUBLIC type;
-+ TPMI_ALG_HASH nameAlg;
-+ TPMA_OBJECT objectAttributes;
-+ char * input;
-+ char * opu_path;
-+ char * opr_path;
-+
-+ UINT32 pcr;
-+ INT32 pcrCount;
-+ pcr_struct* pcrList[24];
-+ BYTE forwardHash[32];
-+ bool hash_set;
-+
-+ struct {
-+ UINT16 H : 1;
-+ UINT16 K : 1;
-+ UINT16 g : 1;
-+ UINT16 G : 1;
-+ UINT16 I : 1;
-+ UINT16 o : 1;
-+ UINT16 O : 1;
-+ UINT16 b : 1;
-+ UINT16 r : 1;
-+ } flags;
-+};
-+
-+//Initialize the context object
-+static tpm_sealdata_ctx ctx = {
-+ .objectAttributes = 0,
-+ .opu_path = NULL,
-+ .opr_path = NULL,
-+ .pcr = -1,
-+ .pcrCount = 0,
-+ .hash_set = false,
-+ .forwardHash = {0}
-+};
-+
-+int seal(TSS2_SYS_CONTEXT *sapi_context)
-+{
-+ UINT32 rval;
-+ SESSION *policySession;
-+ TPM2B_PUBLIC inPublic;
-+ TPM2B_DIGEST policyDigest;
-+
-+ //Build a trial policy gated by the provided PCR
-+ rval = build_policy_external(sapi_context, &policySession, true, ctx.pcrList, ctx.pcrCount, &policyDigest, ctx.nameAlg);
-+ if(rval != TPM2_RC_SUCCESS) {
-+ LOG_ERR("build_policy failed, ec: 0x%x\n", rval);
-+ return rval;
-+ }
-+
-+ inPublic.publicArea.authPolicy.size = policyDigest.size;
-+ memcpy(inPublic.publicArea.authPolicy.buffer, policyDigest.buffer, policyDigest.size);
-+
-+ //Seal the provided data
-+ rval = create(sapi_context, ctx.handle2048rsa, &inPublic, &ctx.inSensitive, ctx.type, ctx.nameAlg, ctx.input, ctx.opu_path, ctx.opr_path, ctx.flags.H, ctx.flags.g, ctx.flags.G, ctx.flags.I, ctx.flags.o, ctx.flags.O, ctx.flags.b, ctx.objectAttributes);
-+ if(rval != TPM2_RC_SUCCESS) {
-+ LOG_ERR("create() failed, ec: 0x%x\n", rval);
-+ return rval;
-+ }
-+
-+ return rval;
-+
-+}
-+
-+static bool on_option(char key, char *value) {
-+
-+ ctx.inSensitive.sensitive.data.size = 0;
-+
-+ switch (key) {
-+ case 'K':
-+ ctx.inSensitive.sensitive.userAuth.size = sizeof(ctx.inSensitive.sensitive.userAuth) - 2;
-+ if(tpm2_util_hex_to_byte_structure(value, &ctx.inSensitive.sensitive.userAuth.size, ctx.inSensitive.sensitive.userAuth.buffer) != 0) {
-+ return false;
-+ }
-+ ctx.flags.K = 1;
-+ break;
-+ case 'g':
-+ ctx.nameAlg = tpm2_alg_util_from_optarg(value);
-+ if(ctx.nameAlg == TPM2_ALG_ERROR) {
-+ return false;
-+ }
-+ LOG_INFO("nameAlg = 0x%4.4x\n", ctx.nameAlg);
-+ ctx.flags.g = 1;
-+ break;
-+ case 'G':
-+ ctx.type = tpm2_alg_util_from_optarg(value);
-+ if(ctx.type == TPM2_ALG_ERROR) {
-+ return false;
-+ }
-+ LOG_INFO("type = 0x%4.4x\n", ctx.type);
-+ ctx.flags.G = 1;
-+ break;
-+ case 'b':
-+ if(!tpm2_attr_util_obj_from_optarg(value, &ctx.objectAttributes)) {
-+ return false;
-+ }
-+ ctx.flags.b = 1;
-+ break;
-+ case 'I':
-+ ctx.input = strcmp("-", value) ? value : NULL;
-+ ctx.flags.I = 1;
-+ LOG_INFO("ctx.inSensitive.sensitive.data.size = %d\n", ctx.inSensitive.sensitive.data.size);
-+ break;
-+ case 'o':
-+ ctx.opu_path = value;
-+ if(files_does_file_exist(ctx.opu_path) != 0) {
-+ return false;
-+ }
-+ ctx.flags.o = 1;
-+ break;
-+ case 'O':
-+ ctx.opr_path = value;
-+ //Allow output file to be overwritten
-+ ctx.flags.O = 1;
-+ break;
-+ case 'H':
-+ if (!tpm2_util_string_to_uint32(value, &ctx.handle2048rsa)) {
-+ LOG_ERR(
-+ "Could not convert object handle to a number, got: \"%s\"",
-+ value);
-+ return false;
-+ }
-+ ctx.flags.H = 1;
-+ break;
-+ case 'r':
-+ if ( pcr_parse_arg(value, &ctx.pcr, ctx.forwardHash, &ctx.hash_set) ) {
-+ LOG_ERR("Invalid pcr value.\n");
-+ return false;
-+ }
-+ pcr_struct *new_pcr = (pcr_struct *) malloc(sizeof(pcr_struct));
-+ new_pcr->pcr = ctx.pcr;
-+ new_pcr->hash_set = ctx.hash_set;
-+ memcpy(new_pcr->forwardHash, ctx.forwardHash, 32);
-+ memset(ctx.forwardHash, 0, 32);
-+ ctx.pcrList[ctx.pcrCount] = new_pcr;
-+ ctx.pcrCount++;
-+
-+ ctx.flags.r = 1;
-+ break;
-+ }
-+
-+ return true;
-+}
-+
-+bool tpm2_tool_onstart(tpm2_options **opts) {
-+
-+ const struct option topts[] = {
-+ {"pwdk", required_argument, NULL, 'K'},
-+ {"halg", required_argument, NULL, 'g'},
-+ {"kalg", required_argument, NULL, 'G'},
-+ {"objectAttributes", required_argument, NULL, 'b'},
-+ {"pcr", required_argument, NULL, 'r'},
-+ {"inFile", required_argument, NULL, 'I'},
-+ {"opu", required_argument, NULL, 'o'},
-+ {"opr", required_argument, NULL, 'O'},
-+ {"handle", required_argument, NULL, 'H'}
-+ };
-+
-+ *opts = tpm2_options_new("H:K:g:G:I:o:O:b:r:", ARRAY_LEN(topts), topts,
-+ on_option, NULL, TPM2_OPTIONS_SHOW_USAGE);
-+
-+ return *opts != NULL;
-+}
-+
-+int tpm2_tool_onrun(TSS2_SYS_CONTEXT *sapi_context, tpm2_option_flags flags) {
-+
-+ UNUSED(flags);
-+
-+ int returnVal = 0;
-+ int flagCnt = 0;
-+
-+ if(ctx.flags.K == 0)
-+ ctx.inSensitive.sensitive.userAuth.size = 0;
-+
-+ flagCnt = ctx.flags.g + ctx.flags.G + ctx.flags.I + ctx.flags.r;
-+ if(flagCnt == 1) {
-+ returnVal = -16;
-+ goto out;
-+ } else if(flagCnt >= 4 && ctx.flags.I == 1 && ctx.flags.g == 1 && ctx.flags.G == 1 && ctx.flags.r == 1 && ctx.flags.H == 1) {
-+ if(returnVal == 0) {
-+ returnVal = seal(sapi_context);
-+ }
-+
-+ if(returnVal)
-+ goto out;
-+
-+ //clean up pcr objects
-+ for(int i = 0; i < ctx.pcrCount; i++)
-+ free(ctx.pcrList[i]);
-+ } else {
-+ returnVal = -18;
-+ goto out;
-+ }
-+
-+out:
-+ //clean up handle
-+ if(Tss2_Sys_FlushContext(sapi_context, ctx.handle2048rsa) != TPM2_RC_SUCCESS)
-+ LOG_WARN("FlushContext failed for handle, non-fatal\n");
-+ return returnVal;
-+}
-+
diff --git a/recipes-security/tss2/tpm2-tools/tpm2-tools-lib-support.patch b/recipes-security/tss2/tpm2-tools/tpm2-tools-lib-support.patch
deleted file mode 100644
index d78b42778c..0000000000
--- a/recipes-security/tss2/tpm2-tools/tpm2-tools-lib-support.patch
+++ /dev/null
@@ -1,394 +0,0 @@
-################################################################################
-SHORT DESCRIPTION:
-################################################################################
-Provide supporting changes for tpm2_sealdata, tpm2_unsealdata, and
-tpm2_extendpcr.
-
-################################################################################
-LONG DESCRIPTION:
-################################################################################
-Prep repository for new binaries by adding/modifying Make targets, adding
-useful shared library functions, and creating a new pcr policy library for
-building and exporting policies.
-
-Note that this patch absorbed the lib/pcr.* changes from the old
-tpm2-fix-forward-seal.patch.
-
-################################################################################
-CHANGELOG
-################################################################################
-Add supporting changes: Chris Rogers
-Uprev from v2.0.0 to v3.1.3: Nicholas Tsirakis
-
-################################################################################
-REMOVAL
-################################################################################
-
-################################################################################
-UPSTREAM PLAN
-################################################################################
-
-################################################################################
-INTERNAL DEPENDENCIES
-################################################################################
-
-################################################################################
-PATCHES
-################################################################################
-
-commit 34e920e2af5f16b9fe4d7302deb34409270024a7
-Author: Nicholas Tsirakis
-Date: Mon May 21 14:34:00 2018 -0400
-
- Apply tpm2-tools-lib-support patch
-
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -29,8 +29,6 @@
- # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- # THE POSSIBILITY OF SUCH DAMAGE.
- #;**********************************************************************;
--@CODE_COVERAGE_RULES@
--
- ACLOCAL_AMFLAGS = -I m4
-
- INCLUDE_DIRS = -I$(top_srcdir)/tools -I$(top_srcdir)/lib
-@@ -53,13 +51,13 @@ LDADD = \
- bin_PROGRAMS = \
- tools/tpm2_activatecredential \
- tools/tpm2_certify \
-- tools/tpm2_create \
- tools/tpm2_createpolicy \
- tools/tpm2_createprimary \
- tools/tpm2_dictionarylockout \
- tools/tpm2_getcap \
- tools/tpm2_encryptdecrypt \
- tools/tpm2_evictcontrol \
-+ tools/tpm2_extendpcr \
- tools/tpm2_getmanufec \
- tools/tpm2_getpubak \
- tools/tpm2_getpubek \
-@@ -84,11 +82,13 @@ bin_PROGRAMS = \
- tools/tpm2_readpublic \
- tools/tpm2_rsadecrypt \
- tools/tpm2_rsaencrypt \
-+ tools/tpm2_sealdata \
- tools/tpm2_send \
- tools/tpm2_sign \
- tools/tpm2_startup \
- tools/tpm2_takeownership \
- tools/tpm2_unseal \
-+ tools/tpm2_unsealdata \
- tools/tpm2_verifysignature
-
- noinst_LIBRARIES = $(LIB_COMMON)
-@@ -132,7 +132,7 @@ lib_libcommon_a_SOURCES = \
-
- TOOL_SRC := tools/tpm2_tool.c tools/tpm2_tool.h
-
--tools_tpm2_create_SOURCES = tools/tpm2_create.c $(TOOL_SRC)
-+tools_tpm2_createpolicy_SOURCES = tools/tpm2_createpolicy.c $(TOOL_SRC)
- tools_tpm2_createprimary_SOURCES = tools/tpm2_createprimary.c $(TOOL_SRC)
- tools_tpm2_getcap_SOURCES = tools/tpm2_getcap.c $(TOOL_SRC)
- tools_tpm2_pcrlist_SOURCES = tools/tpm2_pcrlist.c $(TOOL_SRC)
-@@ -169,10 +169,12 @@ tools_tpm2_rsaencrypt_SOURCES = tools/tp
- tools_tpm2_sign_SOURCES = tools/tpm2_sign.c $(TOOL_SRC)
- tools_tpm2_unseal_SOURCES = tools/tpm2_unseal.c $(TOOL_SRC)
- tools_tpm2_dictionarylockout_SOURCES = tools/tpm2_dictionarylockout.c $(TOOL_SRC)
--tools_tpm2_createpolicy_SOURCES = tools/tpm2_createpolicy.c $(TOOL_SRC)
- tools_tpm2_pcrextend_SOURCES = tools/tpm2_pcrextend.c $(TOOL_SRC)
- tools_tpm2_pcrevent_SOURCES = tools/tpm2_pcrevent.c $(TOOL_SRC)
- tools_tpm2_rc_decode_SOURCES = tools/tpm2_rc_decode.c $(TOOL_SRC)
-+tools_tpm2_extendpcr_SOURCES = tools/tpm2_extendpcr.c $(TOOL_SRC)
-+tools_tpm2_sealdata_SOURCES = tools/tpm2_sealdata.c $(TOOL_SRC) tools/tpm2_create.c lib/build-policy.c
-+tools_tpm2_unsealdata_SOURCES = tools/tpm2_unsealdata.c $(TOOL_SRC) lib/build-policy.c
-
- if UNIT
- TESTS = $(check_PROGRAMS)
---- /dev/null
-+++ b/lib/build-policy.c
-@@ -0,0 +1,129 @@
-+#include
-+#include
-+#include
-+#include
-+#include "tpm_session.h"
-+#include "tpm_hash.h"
-+#include "string-bytes.h"
-+#include "pcr.h"
-+
-+#define INIT_SIMPLE_TPM2B_SIZE( type ) (type).size = sizeof( type ) - 2;
-+
-+void zero_pcr_selection(TPML_PCR_SELECTION *pcrsIn, TPMI_ALG_HASH nameAlg)
-+{
-+ memset(&pcrsIn->pcrSelections[0], 0, sizeof(TPMS_PCR_SELECTION));
-+ pcrsIn->count = 1; //This describes the size of pcrSelections
-+ pcrsIn->pcrSelections[0].hash = nameAlg;
-+ pcrsIn->pcrSelections[0].sizeofSelect = 3;
-+ pcrsIn->pcrSelections[0].pcrSelect[0] = 0;
-+ pcrsIn->pcrSelections[0].pcrSelect[1] = 0;
-+ pcrsIn->pcrSelections[0].pcrSelect[2] = 0;
-+
-+}
-+
-+int build_pcr_policy( TSS2_SYS_CONTEXT *sysContext, SESSION *policySession, pcr_struct **pcrList, INT32 pcrCountIn, TPMI_ALG_HASH nameAlg)
-+{
-+ TPM2B_DIGEST pcrDigest;
-+ TPML_DIGEST tmpPcrValues;
-+ TPM2B_MAX_BUFFER pcrValues[24];
-+ TPML_PCR_SELECTION pcrs, pcrsTmp, pcrSelectionOut;
-+ UINT32 pcrUpdateCounter;
-+
-+ TPM2_RC rval = TPM2_RC_SUCCESS;
-+ char empty[32] = {0};
-+ zero_pcr_selection(&pcrs, nameAlg);
-+
-+ //Init the pcr selection we will use for the PCRPolicy call
-+ for(int i = 0; i < pcrCountIn; i++)
-+ SET_PCR_SELECT_BIT( pcrs.pcrSelections[0], pcrList[i]->pcr );
-+
-+ for(int i = 0; i < pcrCountIn; i++)
-+ {
-+ //No forward hash provided, need to read this pcr
-+ if(!memcmp(pcrList[i]->forwardHash, empty, 32)) {
-+ zero_pcr_selection(&pcrsTmp, nameAlg);
-+ SET_PCR_SELECT_BIT(pcrsTmp.pcrSelections[0], pcrList[i]->pcr);
-+ memset(&tmpPcrValues, 0, sizeof(TPML_DIGEST));
-+ rval = Tss2_Sys_PCR_Read( sysContext, 0, &pcrsTmp, &pcrUpdateCounter, &pcrSelectionOut, &tmpPcrValues, 0 );
-+ if( rval != TPM2_RC_SUCCESS )
-+ return rval;
-+
-+ pcrValues[i].size = tmpPcrValues.digests[0].size;
-+ memcpy(pcrValues[i].buffer, tmpPcrValues.digests[0].buffer, tmpPcrValues.digests[0].size);
-+ } else {
-+ //Forward hash provided, copy into digest buffer
-+ memcpy(pcrValues[i].buffer, pcrList[i]->forwardHash, sizeof(pcrList[i]->forwardHash));
-+ }
-+ }
-+
-+ // Hash them together
-+ INIT_SIMPLE_TPM2B_SIZE( pcrDigest );
-+ rval = tpm_hash_sequence( sysContext, policySession->authHash, TPM2_RH_NULL, pcrCountIn, &pcrValues[0], &pcrDigest, NULL );
-+ if( rval != TPM2_RC_SUCCESS )
-+ return rval;
-+
-+ rval = Tss2_Sys_PolicyPCR( sysContext, policySession->sessionHandle, 0, &pcrDigest, &pcrs, 0 );
-+ if( rval != TPM2_RC_SUCCESS )
-+ return rval;
-+
-+ return rval;
-+}
-+
-+int build_policy_external(TSS2_SYS_CONTEXT *sysContext, SESSION **policySession, int trial, pcr_struct **pcrList, INT32 pcrCount, TPM2B_DIGEST *policyDigestOut, TPMI_ALG_HASH nameAlg)
-+{
-+ TPM2B_DIGEST policyDigest;
-+ TPM2B_ENCRYPTED_SECRET encryptedSalt = { 0, };
-+ TPMT_SYM_DEF symmetric;
-+ TPM2_RC rval;
-+ TPM2B_NONCE nonceCaller;
-+
-+ nonceCaller.size = 0;
-+ policyDigest.size = 0;
-+
-+ // Start policy session.
-+ symmetric.algorithm = TPM2_ALG_NULL;
-+ rval = tpm_session_start_auth_with_params(sysContext, policySession, TPM2_RH_NULL, 0, TPM2_RH_NULL, 0, &nonceCaller, &encryptedSalt,
-+ trial ? TPM2_SE_TRIAL : TPM2_SE_POLICY, &symmetric, nameAlg);
-+ if( rval != TPM2_RC_SUCCESS )
-+ {
-+ printf("build_policy_external, Unable to Start Auth Session, Error Code: 0x%x\n", rval);
-+ return rval;
-+ }
-+
-+ // Send policy command.
-+ rval = build_pcr_policy( sysContext, *policySession, pcrList, pcrCount, nameAlg);
-+ if( rval != TPM2_RC_SUCCESS )
-+ {
-+ printf("build_pcr_policy, Error Code: 0x%x\n", rval);
-+ return rval;
-+ }
-+
-+ // Get policy hash.
-+ INIT_SIMPLE_TPM2B_SIZE( policyDigest );
-+ rval = Tss2_Sys_PolicyGetDigest( sysContext, (*policySession)->sessionHandle,
-+ 0, &policyDigest, 0 );
-+ if( rval != TPM2_RC_SUCCESS )
-+ {
-+ printf("PolicyGetDigest, Error Code: 0x%x\n", rval);
-+ return rval;
-+ }
-+
-+ if( trial )
-+ {
-+ // Need to flush the session here.
-+ rval = Tss2_Sys_FlushContext( sysContext, (*policySession)->sessionHandle );
-+ if( rval != TPM2_RC_SUCCESS )
-+ return rval;
-+
-+ // And remove the session from sessions table.
-+ rval = tpm_session_auth_end( *policySession );
-+ if( rval != TPM2_RC_SUCCESS )
-+ return rval;
-+ }
-+
-+ memcpy(policyDigestOut->buffer, policyDigest.buffer, policyDigest.size);
-+ policyDigestOut->size = policyDigest.size;
-+ return rval;
-+
-+}
-+
---- a/lib/pcr.c
-+++ b/lib/pcr.c
-@@ -40,7 +40,7 @@
- #include "tpm2_util.h"
- #include "tpm2_alg_util.h"
-
--static int pcr_get_id(const char *arg, UINT32 *pcrId)
-+int pcr_get_id(const char *arg, UINT32 *pcrId)
- {
- UINT32 n = 0;
-
-@@ -96,6 +96,29 @@ static bool pcr_parse_selection(const ch
- return true;
- }
-
-+int pcr_parse_arg(char *arg, UINT32 *pcrId, BYTE *forwardHash, bool *hash_set)
-+{
-+ char * pstr;
-+ UINT16 length;
-+ int ret = 0;
-+
-+ *hash_set = (strchr(arg, ':') != NULL);
-+ if (*hash_set) {
-+ //read forward hash and convert to hex to byte
-+ pstr = strtok(arg, ":");
-+ if (pstr)
-+ ret = pcr_get_id(pstr, pcrId);
-+
-+ pstr = strtok(NULL, ":");
-+ if (pstr) {
-+ length = sizeof(BYTE)*32;
-+ tpm2_util_hex_to_byte_structure(pstr, &length, forwardHash);
-+ }
-+ } else {
-+ ret = pcr_get_id(arg, pcrId);
-+ }
-+ return ret;
-+}
-
- bool pcr_parse_selections(const char *arg, TPML_PCR_SELECTION *pcrSels) {
- const char *strLeft = arg;
---- a/lib/pcr.h
-+++ b/lib/pcr.h
-@@ -39,4 +39,27 @@ bool pcr_parse_selections(const char *ar
- bool pcr_parse_list(const char *str, size_t len, TPMS_PCR_SELECTION *pcrSel);
- TSS2_RC get_max_supported_pcrs(TSS2_SYS_CONTEXT *sapi_context, UINT32 *max_pcrs);
-
-+int pcr_get_id(const char *arg, UINT32 *pcrId);
-+int pcr_parse_arg(char *arg, UINT32 *pcrId, BYTE *forwardHash, bool *hash_set);
-+
-+typedef struct pcr_struct {
-+ UINT32 pcr;
-+ BYTE forwardHash[32];
-+ bool hash_set;
-+} pcr_struct;
-+
-+#define SET_PCR_SELECT_BIT( pcrSelection, pcr ) \
-+ (pcrSelection).pcrSelect[( (pcr)/8 )] |= ( 1 << ( (pcr) % 8) );
-+
-+#define CLEAR_PCR_SELECT_BITS( pcrSelection ) \
-+ (pcrSelection).pcrSelect[0] = 0; \
-+ (pcrSelection).pcrSelect[1] = 0; \
-+ (pcrSelection).pcrSelect[2] = 0;
-+
-+#define SET_PCR_SELECT_SIZE( pcrSelection, size ) \
-+ (pcrSelection).sizeofSelect = size;
-+
-+#define TEST_PCR_SELECT_BIT( pcrSelection, pcr ) \
-+ ((pcrSelection).pcrSelect[( (pcr)/8 )] & ( 1 << ( (pcr) % 8) ))
-+
- #endif /* SRC_PCR_H_ */
---- a/lib/tpm2_util.h
-+++ b/lib/tpm2_util.h
-@@ -108,8 +108,7 @@ struct TPM2B {
- } while ((__result & 0x0000ffff) == TPM2_RC_RETRY); \
- __result; \
- })
--
--int tpm2_util_hex_to_byte_structure(const char *inStr, UINT16 *byteLenth, BYTE *byteBuffer);
-+int tpm2_util_hex_to_byte_structure(const char *inStr, UINT16 *byteLength, BYTE *byteBuffer);
-
- /**
- * Appends a TPM2B_DIGEST buffer to a TPM2B_MAX buffer.
---- a/lib/tpm_hash.c
-+++ b/lib/tpm_hash.c
-@@ -30,6 +30,7 @@
- //**********************************************************************;
- #include
- #include
-+#include
-
- #include
-
-@@ -64,6 +65,7 @@ TSS2_RC tpm_hash_sequence(TSS2_SYS_CONTE
- UINT32 rval = Tss2_Sys_HashSequenceStart(sapi_context, 0, &null_auth,
- hash_alg, &sequence_handle, 0);
- if (rval != TPM2_RC_SUCCESS) {
-+ printf("HashSequenceStart failed, rc=%x\n", rval);
- return rval;
- }
-
-@@ -74,6 +76,7 @@ TSS2_RC tpm_hash_sequence(TSS2_SYS_CONTE
- &cmd_auth_array, (TPM2B_MAX_BUFFER *) &buffer_list[i], 0);
-
- if (rval != TPM2_RC_SUCCESS) {
-+ printf("SequenceUpdate failed, i=%d rc=%x\n", i, rval);
- return rval;
- }
- }
-@@ -123,6 +126,7 @@ TSS2_RC tpm_hash_file(TSS2_SYS_CONTEXT *
- halg, &sequenceHandle, NULL);
- if (rval != TPM2_RC_SUCCESS) {
- LOG_ERR("Tss2_Sys_HashSequenceStart failed: 0x%X", rval);
-+ printf("SequenceComplete failed, rc=%x\n", rval);
- return rval;
- }
-
---- a/lib/tpm_hash.h
-+++ b/lib/tpm_hash.h
-@@ -103,4 +103,6 @@ TSS2_RC tpm_hash_file(TSS2_SYS_CONTEXT *
- TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST *result,
- TPMT_TK_HASHCHECK *validation);
-
-+UINT32 tpm_hash(TSS2_SYS_CONTEXT *sapi_context, TPMI_ALG_HASH hashAlg, UINT16 size, BYTE *data, TPM2B_DIGEST *result);
-+
- #endif /* SRC_TPM_HASH_H_ */
---- /dev/null
-+++ b/tools/shared.h
-@@ -0,0 +1,15 @@
-+#ifndef SRC_SHARED_H
-+#define SRC_SHARED_H
-+
-+#include
-+
-+#include "tpm_session.h"
-+#include "pcr.h"
-+
-+int setup_alg(TPMI_ALG_PUBLIC type, TPMI_ALG_HASH nameAlg, TPM2B_PUBLIC *in_public, int I_flag);
-+
-+int create(TSS2_SYS_CONTEXT *sysContext, TPMI_DH_OBJECT parent_handle, TPM2B_PUBLIC *in_public, TPM2B_SENSITIVE_CREATE *in_sensitive, TPMI_ALG_PUBLIC type, TPMI_ALG_HASH nameAlg, const char *opu_path, const char *opr_path, int o_flag, int O_flag, int I_flag, int A_flag, UINT32 objectAttributes);
-+
-+int build_policy_external(TSS2_SYS_CONTEXT *sysContext, SESSION **policySession, int trial, pcr_struct **pcrList, INT32 pcrCount, TPM2B_DIGEST *policyDigestOut, TPMI_ALG_HASH nameAlg);
-+
-+#endif /* SRC_SHARED_H */
---- a/tools/tpm2_tool.c
-+++ b/tools/tpm2_tool.c
-@@ -80,7 +80,7 @@ static TSS2_SYS_CONTEXT* sapi_ctx_init(T
-
- TSS2_ABI_VERSION abi_version = SUPPORTED_ABI_VERSION;
-
-- size_t size = Tss2_Sys_GetContextSize(0);
-+ size_t size = Tss2_Sys_GetContextSize(12000);
- TSS2_SYS_CONTEXT *sapi_ctx = (TSS2_SYS_CONTEXT*) calloc(1, size);
- if (sapi_ctx == NULL) {
- LOG_ERR("Failed to allocate 0x%zx bytes for the SAPI context\n",
diff --git a/recipes-security/tss2/tpm2-tools/tpm2-unsealing-support.patch b/recipes-security/tss2/tpm2-tools/tpm2-unsealing-support.patch
deleted file mode 100644
index ba0edd000a..0000000000
--- a/recipes-security/tss2/tpm2-tools/tpm2-unsealing-support.patch
+++ /dev/null
@@ -1,337 +0,0 @@ -################################################################################ -SHORT DESCRIPTION: -################################################################################ -Add tpm2_unsealdata binary. - -################################################################################ -LONG DESCRIPTION: -################################################################################ - -Add tpm2_unsealdata binary to unseal data that was sealed with -tpm2_sealdata. - -Note that this patch absorbed the tools/tpm2_unsealdata.c changes -from the old tpm2-fix-forward-seal.patch. - -################################################################################ -CHANGELOG -################################################################################ -Add tpm2_unsealdata: Chris Rogers -Uprev from v2.0.0 to v3.1.3: Nicholas Tsirakis - -################################################################################ -REMOVAL -################################################################################ -The upstream tpm2-tools added their own tpm2_unseal tool in -version 3.X.Y. This patch can be removed if that tool provides -the same functionality, though it is currently untested. 
- -################################################################################ -UPSTREAM PLAN -################################################################################ - -################################################################################ -INTERNAL DEPENDENCIES -################################################################################ - -################################################################################ -PATCHES -################################################################################ - -commit 022bdc2cfb6fb672c5278d18030b8a593e03e75b -Author: Nicholas Tsirakis -Date: Tue May 22 18:14:27 2018 -0400 - - Apply tpm2-unsealing-support patch - ---- /dev/null -+++ b/tools/tpm2_unsealdata.c -@@ -0,0 +1,288 @@ -+//**********************************************************************; -+// Copyright (c) 2015, Intel Corporation -+// Copyright (c) 2017, Assured Information Security -+// All rights reserved. -+// -+// Redistribution and use in source and binary forms, with or without -+// modification, are permitted provided that the following conditions are met: -+// -+// 1. Redistributions of source code must retain the above copyright notice, -+// this list of conditions and the following disclaimer. -+// -+// 2. Redistributions in binary form must reproduce the above copyright notice, -+// this list of conditions and the following disclaimer in the documentation -+// and/or other materials provided with the distribution. -+// -+// 3. Neither the name of Intel Corporation nor the names of its contributors -+// may be used to endorse or promote products derived from this software without -+// specific prior written permission. -+// -+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+// ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE -+// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -+// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -+// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF -+// THE POSSIBILITY OF SUCH DAMAGE. -+//**********************************************************************; -+ -+#include -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include "pcr.h" -+#include "log.h" -+#include "tpm2_options.h" -+#include "tpm2_util.h" -+#include "tpm2_alg_util.h" -+#include "tpm_session.h" -+#include "shared.h" -+#include "files.h" -+ -+TPM2_HANDLE handle2048rsa; -+ -+typedef struct tpm_unsealdata_ctx tpm_unsealdata_ctx; -+struct tpm_unsealdata_ctx { -+ TPMI_ALG_HASH nameAlg; -+ TPMI_DH_OBJECT itemHandle; -+ TPMS_AUTH_COMMAND session_data; -+ TPM2B_PUBLIC in_public; -+ TPM2B_PRIVATE in_private; -+ UINT32 pcr; -+ INT32 pcrCount; -+ pcr_struct * pcrList[24]; -+ bool hash_set; -+ bool hexPasswd; -+ -+ struct { -+ UINT16 H : 1; -+ UINT16 P : 1; -+ UINT16 r : 1; -+ UINT16 u : 1; -+ UINT16 g : 1; -+ UINT16 n : 1; -+ UINT16 X : 1; -+ } flags; -+}; -+ -+static tpm_unsealdata_ctx ctx = { -+ .session_data = TPMS_AUTH_COMMAND_INIT(TPM2_RS_PW), -+ .pcr = -1, -+ .pcrCount = 0, -+ .hash_set = false, -+ .hexPasswd = false -+}; -+ -+UINT32 load(TSS2_SYS_CONTEXT *sapi_context) -+{ -+ UINT32 rval; -+ TSS2L_SYS_AUTH_COMMAND sessionsData; -+ TSS2L_SYS_AUTH_RESPONSE sessionsDataOut; -+ -+ TPM2B_NAME nameExt = TPM2B_TYPE_INIT(TPM2B_NAME, name); -+ -+ sessionsData.count = 1; -+ sessionsData.auths[0] = ctx.session_data; -+ -+ ctx.session_data.sessionAttributes |= TPMA_SESSION_CONTINUESESSION; -+ 
if(ctx.flags.P == 0) -+ ctx.session_data.hmac.size = 0; -+ if (ctx.session_data.hmac.size > 0 && ctx.hexPasswd) { -+ ctx.session_data.hmac.size = sizeof(ctx.session_data.hmac) - 2; -+ if (tpm2_util_hex_to_byte_structure( -+ (char *)ctx.session_data.hmac.buffer, -+ &ctx.session_data.hmac.size, -+ ctx.session_data.hmac.buffer) != 0) { -+ LOG_ERR( "Failed to convert Hex format password for item Passwd.\n"); -+ return -1; -+ } -+ } -+ -+ rval = TSS2_RETRY_EXP(Tss2_Sys_Load(sapi_context, -+ ctx.itemHandle, &sessionsData, -+ &ctx.in_private, &ctx.in_public, &handle2048rsa, &nameExt, -+ &sessionsDataOut)); -+ if (rval != TPM2_RC_SUCCESS) { -+ LOG_ERR("\nLoad Object Failed ! ErrorCode: 0x%0x\n\n",rval); -+ return rval; -+ } -+ -+ return 0; -+ -+} -+ -+UINT32 unseal(TSS2_SYS_CONTEXT *sapi_context) -+{ -+ UINT32 rval; -+ SESSION *policySession; -+ TPM2B_DIGEST policyDigest; //unused for now here but build_policy_external needs to return the policy for sealdata. -+ -+ rval = build_policy_external(sapi_context, &policySession, false, ctx.pcrList, ctx.pcrCount, &policyDigest, ctx.nameAlg); //Build real policy, don't write to file -+ -+ if(rval != TPM2_RC_SUCCESS) { -+ LOG_ERR("build_policy() failed, ec: 0x%x\n", rval); -+ Tss2_Sys_FlushContext( sapi_context, policySession->sessionHandle); -+ tpm_session_auth_end(policySession); -+ -+ return rval; -+ } -+ -+ rval = load(sapi_context); -+ if(rval != TPM2_RC_SUCCESS) { -+ LOG_ERR("load() failed, ec: 0x%x\n", rval); -+ Tss2_Sys_FlushContext( sapi_context, policySession->sessionHandle); -+ tpm_session_auth_end(policySession); -+ -+ return rval; -+ } -+ -+ // reset the session data attributes -+ ctx.session_data.nonce.size = 0; -+ ctx.session_data.sessionAttributes = 0; -+ -+ ctx.session_data.sessionHandle = policySession->sessionHandle; -+ -+ TSS2L_SYS_AUTH_COMMAND sessionsData = { 1, { ctx.session_data }}; -+ TSS2L_SYS_AUTH_RESPONSE sessionsDataOut; -+ -+ TPM2B_SENSITIVE_DATA outData = TPM2B_TYPE_INIT(TPM2B_SENSITIVE_DATA, buffer); 
-+ -+ rval = TSS2_RETRY_EXP(Tss2_Sys_Unseal(sapi_context, handle2048rsa, &sessionsData, &outData, &sessionsDataOut)); -+ if(rval != TPM2_RC_SUCCESS) { -+ LOG_ERR("unseal() failed. ec: 0x%x\n", rval); -+ Tss2_Sys_FlushContext( sapi_context, policySession->sessionHandle); -+ tpm_session_auth_end(policySession); -+ -+ return rval; -+ } -+ -+ //Write data directly to stdout, to be consumed by the caller -+ fwrite(outData.buffer, 1, outData.size, stdout); -+ -+ Tss2_Sys_FlushContext( sapi_context, policySession->sessionHandle); -+ -+ tpm_session_auth_end(policySession); -+ -+ return 0; -+} -+ -+static bool on_option(char key, char *value) { -+ -+ switch(key) { -+ case 'H': -+ if(!tpm2_util_string_to_uint32(value, &ctx.itemHandle)) { -+ return false; -+ } -+ ctx.flags.H = 1; -+ break; -+ case 'P': -+ ctx.session_data.hmac.size = sizeof(ctx.session_data.hmac) - 2; -+ if(tpm2_util_hex_to_byte_structure(value,&ctx.session_data.hmac.size,ctx.session_data.hmac.buffer) != 0) { -+ return false; -+ } -+ ctx.flags.P = 1; -+ break; -+ case 'u': -+ if(!files_load_public(value, &ctx.in_public)) { -+ return false; -+ } -+ ctx.flags.u = 1; -+ break; -+ case 'n': -+ if(!files_load_private(value, &ctx.in_private)) { -+ return false; -+ } -+ ctx.flags.n = 1; -+ break; -+ case 'g': -+ ctx.nameAlg = tpm2_alg_util_from_optarg(value); -+ if(ctx.nameAlg == TPM2_ALG_ERROR) { -+ return false; -+ } -+ ctx.flags.g = 1; -+ break; -+ case 'r': -+ if (pcr_parse_arg(value, &ctx.pcr, NULL, &ctx.hash_set)) { -+ LOG_ERR("Invalid pcr value.\n"); -+ return false; -+ } -+ ctx.flags.r = 1; -+ pcr_struct *new_pcr = (pcr_struct *) malloc(sizeof(pcr_struct)); -+ new_pcr->pcr = ctx.pcr; -+ new_pcr->hash_set = false; -+ ctx.pcrList[ctx.pcrCount] = new_pcr; -+ ctx.pcrCount++; -+ break; -+ case 'X': -+ ctx.hexPasswd = true; -+ break; -+ case ':': -+ break; -+ case '?': -+ break; -+ } -+ -+ return true; -+} -+ -+bool tpm2_tool_onstart(tpm2_options **opts) { -+ -+ const struct option topts[] = { -+ {"item", 
required_argument, NULL, 'H'}, -+ {"pwdi", required_argument, NULL, 'P'}, -+ {"pubfile", required_argument, NULL, 'u'}, -+ {"privfile", required_argument, NULL, 'n'}, -+ {"halg", required_argument, NULL, 'g'}, -+ {"pcr", required_argument, NULL, 'r'}, -+ {"loadContext", required_argument, NULL, 'C'}, -+ {"passwdInHex", required_argument, NULL, 'X'} -+ }; -+ -+ *opts = tpm2_options_new("H:P:r:u:g:n:X", ARRAY_LEN(topts), topts, -+ on_option, NULL, TPM2_OPTIONS_SHOW_USAGE); -+ -+ return *opts != NULL; -+} -+ -+int tpm2_tool_onrun(TSS2_SYS_CONTEXT *sapi_context, tpm2_option_flags flags) { -+ -+ UNUSED(flags); -+ -+ int returnVal = 0; -+ int flagCnt = 0; -+ -+ flagCnt = ctx.flags.H + ctx.flags.n + ctx.flags.u + ctx.flags.g + ctx.flags.r; -+ if(flagCnt == 1) { -+ return -14; -+ } else if(flagCnt >= 4 && ctx.flags.H == 1 && ctx.flags.n == 1 && ctx.flags.u == 1 && ctx.flags.r == 1) { -+ if (returnVal == 0) -+ returnVal = unseal(sapi_context); -+ -+ //clean up pcr objects -+ for(int i = 0; i < ctx.pcrCount; i++) -+ free(ctx.pcrList[i]); -+ -+ Tss2_Sys_FlushContext(sapi_context, ctx.itemHandle); -+ -+ //make sure handle2048 rsa is always cleaned -+ Tss2_Sys_FlushContext(sapi_context, handle2048rsa); -+ if(returnVal) -+ return -15; -+ } else { -+ return -16; -+ } -+ -+ return 0; -+} diff --git a/recipes-security/tss2/tpm2-tools_3.1.3.bb b/recipes-security/tss2/tpm2-tools_3.1.3.bb deleted file mode 100644 index d8a25afa57..0000000000 --- a/recipes-security/tss2/tpm2-tools_3.1.3.bb +++ /dev/null 
@@ -1,27 +0,0 @@ -SUMMARY = "Tools for TPM2." -DESCRIPTION = "tpm2-tools" -SECTION = "tpm" - -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=91b7c548d73ea16537799e8060cea819" -DEPENDS = "tpm2-tss openssl curl autoconf-archive pkgconfig libgcrypt" - -SRCREV = "74ba065e5914bc5d713ca3709d62a5751b097369" -SRC_URI = "git://github.com/01org/tpm2-tools.git;protocol=https;branch=3.X \ - file://tpm2-tools-lib-support.patch \ - file://tpm2-sealing-support.patch \ - file://tpm2-unsealing-support.patch \ - file://tpm2-extendpcr-support.patch \ - file://tpm2-nvlist-drop-ntoh.patch \ -" - -S = "${WORKDIR}/git" - -inherit autotools pkgconfig - -PACKAGES =+ "tpm2-tools-initrd" -FILES_${PN}-initrd = " \ - ${bindir}/tpm2_pcrlist \ - ${bindir}/tpm2_extendpcr \ -" -RDEPENDS_${PN} += "${PN}-initrd" diff --git a/recipes-security/tss2/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch b/recipes-security/tss2/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch deleted file mode 100644 index a552f0ee28..0000000000 --- a/recipes-security/tss2/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 648fa841fa2f2bb6f8fdda02c36ac0abb45f5329 Mon Sep 17 00:00:00 2001 -From: Jonas Witschel -Date: Mon, 7 Jan 2019 22:15:06 +0100 -Subject: [PATCH] build: update for ax_code_coverage.m4 version 2019.01.06 - -@CODE_COVERAGE_RULES@ doesn't exist any more and needs to be replaced. -Also includes a compatibility switch for older versions of the file. - -Signed-off-by: Jonas Witschel ---- - .gitignore | 1 + - .travis.yml | 10 +++++----- - Makefile.am | 6 ++++++ - configure.ac | 3 +++ - 4 files changed, 15 insertions(+), 5 deletions(-) - ---- a/.gitignore -+++ b/.gitignore -@@ -26,6 +26,7 @@ - AUTHORS - tags - aclocal.m4 -+aminclude_static.am - autom4te.cache/ - [Bb]uild/ - [Dd]ebug/ ---- a/.travis.yml -+++ b/.travis.yml -@@ -54,10 +54,11 @@ install: - - make - - make install - - cd ../../ -- - wget https://download.01.org/tpm2/autoconf-archive-2017.09.28.tar.xz -- - sha256sum autoconf-archive-2017.09.28.tar.xz | grep -q 5c9fb5845b38b28982a3ef12836f76b35f46799ef4a2e46b48e2bd3c6182fa01 || travis_terminate 1 -- - tar xJf autoconf-archive-2017.09.28.tar.xz -- - cp autoconf-archive-2017.09.28/m4/ax_code_coverage.m4 m4/ -+ - wget http://ftpmirror.gnu.org/autoconf-archive/autoconf-archive-2019.01.06.tar.xz -+ - sha256sum autoconf-archive-2019.01.06.tar.xz | grep -q 17195c833098da79de5778ee90948f4c5d90ed1a0cf8391b4ab348e2ec511e3f || travis_terminate 1 -+ - tar xJf autoconf-archive-2019.01.06.tar.xz -+ - cp autoconf-archive-2019.01.06/m4/ax_code_coverage.m4 m4/ -+ - cp autoconf-archive-2019.01.06/m4/ax_prog_doxygen.m4 m4/ - - before_script: - - ./bootstrap ---- a/Makefile.am -+++ b/Makefile.am -@@ -42,7 +42,13 @@ noinst_PROGRAMS = - - ### Add ax_* rules ### - # ax_code_coverage -+if AUTOCONF_CODE_COVERAGE_2019_01_06 -+include $(top_srcdir)/aminclude_static.am -+clean-local: code-coverage-clean -+dist-clean-local: code-coverage-dist-clean -+else - @CODE_COVERAGE_RULES@ -+endif - - # ax_doxygen - @DX_RULES@ ---- a/configure.ac -+++ b/configure.ac -@@ -206,6 
+206,9 @@ DX_INIT_DOXYGEN($PACKAGE_NAME, [Doxyfile - AM_CONDITIONAL(DOXYMAN, [test $DX_FLAG_man -eq 1]) - - AX_CODE_COVERAGE -+m4_ifdef([_AX_CODE_COVERAGE_RULES], -+ [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [true])], -+ [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [false])]) - - AC_OUTPUT - diff --git a/recipes-security/tss2/tpm2-tss_2.0.0.bb b/recipes-security/tss2/tpm2-tss_2.0.0.bb deleted file mode 100644 index 1213d96767..0000000000 --- a/recipes-security/tss2/tpm2-tss_2.0.0.bb +++ /dev/null @@ -1,34 +0,0 @@ -SUMMARY = "Software stack for TPM2." -DESCRIPTION = "tpm2-tss for interfacing with tpm2.0 device" -SECTION = "tpm" - -LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=0b1d631c4218b72f6b05cb58613606f4" - -DEPENDS = "autoconf-archive autoconf pkgconfig libgcrypt gnome-common" - -SRCREV = "ced20c209397f58d81da79810f49976ba2d36566" - -SRC_URI = " \ - file://0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch \ - git://github.com/01org/tpm2-tss.git;protocol=https;branch=master \ -" - -S = "${WORKDIR}/git" - -inherit autotools pkgconfig - -PACKAGES =+ " \ - resourcemgr \ -" -FILES_resourcemgr = " \ - ${sbindir}/resourcemgr \ -" - -do_configure_prepend () { - # Creates the src_vars.mk file used by automake to handle source-files for - # each component. Modified to not call autotools and let OE handle that. - cd ${S} - AUTORECONF=true ./bootstrap - cd - -} diff --git a/recipes-tpm2/tpm2-tools/tpm2-tools_5.7.bb b/recipes-tpm2/tpm2-tools/tpm2-tools_5.7.bb new file mode 100644 index 0000000000..d78063b0f6 --- /dev/null +++ b/recipes-tpm2/tpm2-tools/tpm2-tools_5.7.bb 
@@ -0,0 +1,23 @@
+SUMMARY = "Tools for TPM2."
+DESCRIPTION = "tpm2-tools"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=a846608d090aa64494c45fc147cc12e3"
+SECTION = "tpm"
+
+DEPENDS = "tpm2-tss openssl curl autoconf-archive"
+
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "3810d36b5079256f4f2f7ce552e22213d43b1031c131538df8a2dbc3c570983a"
+
+inherit autotools pkgconfig bash-completion
+
+PACKAGES =+ "tpm2-tools-pcr"
+FILES_${PN}-pcr = " \
+ ${bindir}/tpm2_pcrread \
+ ${bindir}/tpm2_pcrextend \
+"
+
+# TPM binaries need tss-esys
+RDEPENDS:${PN} = "${PN}-pcr"
+RDEPENDS:${PN}-pcr = "libgcrypt tpm2-tss-pcr"
diff --git a/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch b/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch
new file mode 100644
index 0000000000..450698ff64
--- /dev/null
+++ b/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch
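Review bot: `FILES_${PN}-pcr = " \` uses the old underscore override syntax while `RDEPENDS:${PN}` and `RDEPENDS:${PN}-pcr` two lines further down use the colon form; on a BitBake that understands the colon form, the underscore spelling is either a parse error or a plain variable that never applies, so the tpm2-tools-pcr package would be built without tpm2_pcrread and tpm2_pcrextend. Use `FILES:${PN}-pcr = " \` so the recipe is consistent with its own RDEPENDS lines. The comment `# TPM binaries need tss-esys` does not describe the list below it (libgcrypt and tpm2-tss-pcr); something like `# pcr binaries need the TSS2 runtime libraries and the device TCTI, provided via tpm2-tss-pcr` would match what is actually declared.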
@@ -0,0 +1,29 @@ +revert configure: add checks for all tools used by make install + +Not appropriate for cross build env. + +Upstream-Status: OE [inappropriate] +Signed-off-by: Armin Kuster + +Index: tpm2-tss-3.2.0/configure.ac +=================================================================== +--- tpm2-tss-3.2.0.orig/configure.ac ++++ tpm2-tss-3.2.0/configure.ac +@@ -488,17 +488,6 @@ + AC_CHECK_PROG(systemd_tmpfiles, systemd-tmpfiles, yes) + AM_CONDITIONAL(SYSD_TMPFILES, test "x$systemd_tmpfiles" = "xyes") + +-# Check all tools used by make install +-AS_IF([test "$HOSTOS" = "Linux"], +- [ AC_CHECK_PROG(useradd, useradd, yes) +- AC_CHECK_PROG(groupadd, groupadd, yes) +- AC_CHECK_PROG(adduser, adduser, yes) +- AC_CHECK_PROG(addgroup, addgroup, yes) +- AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ], +- [AC_MSG_ERROR([addgroup or groupadd are needed.])]) +- AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ], +- [AC_MSG_ERROR([adduser or useradd are needed.])])]) +- + AC_SUBST([PATH]) + + dnl --------- Doxy Gen ----------------------- diff --git a/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.3.bb b/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.3.bb new file mode 100644 index 0000000000..2cc04107b0 --- /dev/null +++ b/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.3.bb 
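Review bot: The `Upstream-Status: OE [inappropriate]` trailer does not follow the OpenEmbedded patch-header convention, which expects one of the fixed status keywords followed by a bracketed reason, e.g. `Upstream-Status: Inappropriate [cross-build: host-tool checks for useradd/groupadd are meaningless when cross-compiling]`; newer OE-Core QA checks may flag the current value. The `Index:`, `---` and `+++` lines reference tpm2-tss-3.2.0 while the recipe that ships this patch is 3.2.3; it presumably still applies with offset or fuzz, but refreshing the header against the 3.2.3 tarball would make the patch self-documenting.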
@@ -0,0 +1,99 @@
+SUMMARY = "Software stack for TPM2."
+DESCRIPTION = "OSS implementation of the TCG TPM2 Software Stack (TSS2) "
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
+SECTION = "tpm"
+
+DEPENDS = "autoconf-archive-native libgcrypt openssl"
+
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
+ file://fixup_hosttools.patch \
+ "
+
+SRC_URI[sha256sum] = "6279a9a1983ea6ffe41925067b7f0de3a6ed95020a30e7c97d80fa2754259534"
+
+inherit autotools pkgconfig systemd useradd
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, "
+PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,curl json-c "
+
+EXTRA_OECONF += "--enable-static --with-udevrulesdir=${nonarch_base_libdir}/udev/rules.d/"
+EXTRA_OECONF += "--with-runstatedir=/run"
+EXTRA_OECONF:remove = " --disable-static"
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system tss"
+USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
+
+do_install:append() {
+ # Remove /run as it is created on startup
+ rm -rf ${D}/run
+}
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = " \
+ ${PN} \
+ ${PN}-dbg \
+ ${PN}-doc \
+ ${PN}-pcr \
+ libtss2-mu \
+ libtss2-mu-dev \
+ libtss2-mu-staticdev \
+ libtss2-tcti-device \
+ libtss2-tcti-device-dev \
+ libtss2-tcti-device-staticdev \
+ libtss2-tcti-mssim \
+ libtss2-tcti-mssim-dev \
+ libtss2-tcti-mssim-staticdev \
+ libtss2 \
+ libtss2-dev \
+ libtss2-staticdev \
+"
+
+FILES:libtss2-tcti-device = "${libdir}/libtss2-tcti-device.so.*"
+FILES:libtss2-tcti-device-dev = " \
+ ${includedir}/tss2/tss2_tcti_device.h \
+ ${libdir}/pkgconfig/tss2-tcti-device.pc \
+ ${libdir}/libtss2-tcti-device.so"
+FILES:libtss2-tcti-device-staticdev = "${libdir}/libtss2-tcti-device.*a"
+
+FILES:libtss2-tcti-mssim = "${libdir}/libtss2-tcti-mssim.so.*"
+FILES:libtss2-tcti-mssim-dev = " \
+ ${includedir}/tss2/tss2_tcti_mssim.h \
+ ${libdir}/pkgconfig/tss2-tcti-mssim.pc \
+ ${libdir}/libtss2-tcti-mssim.so"
+FILES:libtss2-tcti-mssim-staticdev = "${libdir}/libtss2-tcti-mssim.*a"
+
+FILES:libtss2-mu = "${libdir}/libtss2-mu.so.*"
+FILES:libtss2-mu-dev = " \
+ ${includedir}/tss2/tss2_mu.h \
+ ${libdir}/pkgconfig/tss2-mu.pc \
+ ${libdir}/libtss2-mu.so"
+FILES:libtss2-mu-staticdev = "${libdir}/libtss2-mu.*a"
+
+FILES:libtss2 = "${libdir}/libtss2*so.*"
+FILES:libtss2-dev = " \
+ ${includedir} \
+ ${libdir}/pkgconfig \
+ ${libdir}/libtss2*so"
+FILES:libtss2-staticdev = "${libdir}/libtss*a"
+
+FILES:${PN} = "\
+ ${libdir}/udev \
+ /var/lib/tpm2-tss \
+ /var/run \
+ ${nonarch_base_libdir}/udev \
+ ${sysconfdir}/tmpfiles.d \
+ ${sysconfdir}/tpm2-tss \
+ ${sysconfdir}/sysusers.d"
+
+RDEPENDS:libtss2 = "libgcrypt"
+
+# This is patched in 3.2.2, NVD DB was not updated to reflect this backport
+CVE_CHECK_IGNORE += "CVE-2023-22745"
+
+# Minimal TSS2 package for initramfs (required libraries for pcr binaries)
+FILES:${PN}-pcr = "${libdir}/libtss2-tcti-device.so.*"
+
+RDEPENDS:${PN}-pcr = "libgcrypt libtss2"
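Review bot: `FILES:${PN}-pcr = "${libdir}/libtss2-tcti-device.so.*"` at the end of the hunk claims exactly the file that `FILES:libtss2-tcti-device` claims, and because `${PN}-pcr` is listed before `libtss2-tcti-device` in PACKAGES, the shared object lands in tpm2-tss-pcr and libtss2-tcti-device is produced empty; anything that names libtss2-tcti-device explicitly then fails to resolve, and the automatic shlib dependency of other recipes points at tpm2-tss-pcr instead. Since tpm2-tss-pcr already RDEPENDS on libtss2, making it a pure meta-package keeps the initramfs intent without stealing files: `ALLOW_EMPTY:${PN}-pcr = "1"` and `RDEPENDS:${PN}-pcr = "libgcrypt libtss2 libtss2-tcti-device"`, dropping the FILES:${PN}-pcr line (the explicit libtss2-tcti-device dependency presumably matters because the device TCTI is loaded at runtime by name, which shlib scanning does not see). Separately, `PACKAGECONFIG[oxygen]` looks like a typo of `doxygen` given the flags it carries, and the `CVE_CHECK_IGNORE` justification would be easier to audit if it named the upstream fix it refers to rather than only the version.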