2 * This file is part of the OpenPTS project.
4 * The Initial Developer of the Original Code is International
5 * Business Machines Corporation. Portions created by IBM
6 * Corporation are Copyright (C) 2007, 2010 International Business
7 * Machines Corporation. All Rights Reserved.
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the Common Public License as published by
11 * IBM Corporation; either version 1 of the License, or (at your option)
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * Common Public License for more details.
19 * You should have received a copy of the Common Public License
20 * along with this program; if not, a copy can be viewed at
21 * http://www.opensource.org/licenses/cpl1.0.php.
27 * @author Seiji Munetoh <munetoh@users.sourceforge.jp>
29 * refactoring 2011-02-15 SM
30 * cleanup 2011-10-07 SM
37 * uuit_t uuid/uuid.h typedef unsigned char uuid_t[16];
38 * TSS_UUID tss/tss_structs.h 16-bytes struct
50 #include <trousers/tss.h>
53 #include <tss_defines.h>
54 #include <tss_typedef.h>
55 #include <tss_structs.h>
56 #include <tss_error.h>
61 #include <openssl/sha.h>
62 #include <openssl/rsa.h>
63 #include <openssl/bn.h>
64 #include <openssl/objects.h>
65 #include <openssl/err.h>
72 #define TSS_PS_TYPE_BLOB (0) // not defined by TSS
75 #define TPMSIGKEY_SECRET "password"
78 /* ONLY for verifier side */
79 int printTssKeyList(int ps_type) {
84 int createTssSignKey(PTS_UUID *uuid, int ps_type, char *filename, int force, int srk_password_mode) {
89 int deleteTssKey(PTS_UUID *uuid, int ps_type) {
94 int getTpmVersion(TSS_VERSION *version) {
101 TODO("createAIK - TBD\n");
107 int ps_type, int srk_password_mode,
108 int resetdalock, char *filename, int *pubkey_length, BYTE **pubkey) {
117 int srk_password_mode,
124 TSS_VALIDATION *validationData) {
133 int srk_password_mode,
140 TSS_VALIDATION *validationData) {
145 int getRandom(BYTE *out, int size) {
149 for (i = 0; i < size; i++) {
150 out[i] = rand_r(&seed); // TODO use rand_r
156 int extendEvent(TSS_PCR_EVENT* event) {
161 int readPcr(int pcr_index, BYTE *pcr) {
166 #else // CONFIG_NO_TSS
167 /* TSS - Collector side */
169 BYTE null_srk_auth[1] = {0}; // ""
170 BYTE known_srk_auth[20] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
171 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
176 int getTpmStatus(TSS_FLAG flag, TSS_BOOL *value, int tpm_password_mode) {
178 TSS_HCONTEXT hContext;
180 TSS_HPOLICY hTPMPolicy;
181 UINT32 tpm_auth_mode = TSS_SECRET_MODE_PLAIN;
183 int tpm_auth_len = 0;
185 /* Connect to TCSD */
186 result = Tspi_Context_Create(&hContext);
187 if (result != TSS_SUCCESS) {
188 ERROR("Tspi_Context_Create failed rc=0x%x\n",
190 if (result == 0x3011) {
191 OUTPUT(NLS(MS_OPENPTS, OPENPTS_TPM_TSS_COMMS_FAILURE, "TSS communications failure. Is tcsd running?\n"));
196 result = Tspi_Context_Connect(hContext, SERVER);
197 if (result != TSS_SUCCESS) {
198 ERROR("Tspi_Context_Connect failed rc=0x%x\n",
204 result = Tspi_Context_GetTpmObject(hContext, &hTPM);
205 if (result != TSS_SUCCESS) {
206 ERROR("Tspi_Context_GetTpmObject failed rc=0x%x\n",
212 result = Tspi_GetPolicyObject(hTPM, TSS_POLICY_USAGE, &hTPMPolicy);
213 if (result != TSS_SUCCESS) {
214 ERROR("Tspi_GetPolicyObject failed rc=0x%x\n",
220 if (tpm_password_mode == 1) {
221 tpm_auth_mode = TSS_SECRET_MODE_SHA1;
222 tpm_auth = known_srk_auth;
224 } else if (tpm_password_mode == 0) {
225 tpm_auth_mode = TSS_SECRET_MODE_PLAIN;
226 tpm_auth = null_srk_auth;
229 ERROR("TPM secret\n");
230 result = PTS_INTERNAL_ERROR; // TODO
233 result = Tspi_Policy_SetSecret(
238 if (result != TSS_SUCCESS) {
239 ERROR("Tspi_Policy_SetSecret failed rc=0x%x\n",
246 result = Tspi_TPM_GetStatus(
250 if (result != TSS_SUCCESS) {
251 ERROR("Tspi_TPM_GetStatus failed rc=0x%x\n",
258 Tspi_Context_Close(hContext);
263 * reset TPM DA lock flag
264 * to avoid 0x803 Error
265 * TODO resetTpmLock -> setTpmStatus
267 int setTpmStatus(TSS_FLAG flag, TSS_BOOL value, int tpm_password_mode) {
269 TSS_HCONTEXT hContext;
271 TSS_HPOLICY hTPMPolicy;
272 UINT32 tpm_auth_mode = TSS_SECRET_MODE_PLAIN;
274 int tpm_auth_len = 0;
276 /* Connect to TCSD */
277 result = Tspi_Context_Create(&hContext);
278 if (result != TSS_SUCCESS) {
279 ERROR("Tspi_Context_Create failed rc=0x%x\n",
281 if (result == 0x3011) {
282 OUTPUT(NLS(MS_OPENPTS, OPENPTS_TPM_TSS_COMMS_FAILURE, "TSS communications failure. Is tcsd running?\n"));
287 result = Tspi_Context_Connect(hContext, SERVER);
288 if (result != TSS_SUCCESS) {
289 ERROR("Tspi_Context_Connect failed rc=0x%x\n",
295 result = Tspi_Context_GetTpmObject(hContext, &hTPM);
296 if (result != TSS_SUCCESS) {
297 ERROR("Tspi_Context_GetTpmObject failed rc=0x%x\n",
303 result = Tspi_GetPolicyObject(hTPM, TSS_POLICY_USAGE, &hTPMPolicy);
304 if (result != TSS_SUCCESS) {
305 ERROR("Tspi_GetPolicyObject failed rc=0x%x\n",
311 if (tpm_password_mode == 1) {
312 tpm_auth_mode = TSS_SECRET_MODE_SHA1;
313 tpm_auth = known_srk_auth;
315 } else if (tpm_password_mode == 0) {
316 tpm_auth_mode = TSS_SECRET_MODE_PLAIN;
317 tpm_auth = null_srk_auth;
320 ERROR("TPM secret\n");
321 result = PTS_INTERNAL_ERROR; // TODO
324 result = Tspi_Policy_SetSecret(
329 if (result != TSS_SUCCESS) {
330 ERROR("Tspi_Policy_SetSecret failed rc=0x%x\n",
337 result = Tspi_TPM_SetStatus(
339 flag, // TSS_TPMSTATUS_RESETLOCK,
341 if (result != TSS_SUCCESS) {
342 ERROR("Tspi_Policy_SetSecret failed rc=0x%x\n",
349 Tspi_Context_Close(hContext);
357 int printTssKeyList(int ps_type) {
358 TSS_RESULT result = 0;
359 TSS_HCONTEXT hContext;
360 UINT32 ulKeyHierarchySize;
362 TSS_UUID SRK_UUID = TSS_UUID_SRK;
364 TSS_KM_KEYINFO *info = NULL;
367 result = Tspi_Context_Create(&hContext);
368 if (result != TSS_SUCCESS) {
369 ERROR("Tspi_Context_Create failed rc=0x%x\n",
374 result = Tspi_Context_Connect(hContext, SERVER);
375 if (result != TSS_SUCCESS) {
376 ERROR("Tspi_Context_Connect failed rc=0x%x\n",
382 // buf = (BYTE *) & SRK_UUID;
383 // printhex("SRK uuid: ", buf, 16);
385 result = Tspi_Context_GetRegisteredKeysByUUID(
387 (UINT32) ps_type, // TSS_PS_TYPE_SYSTEM,
391 if (result != TSS_SUCCESS) {
392 ERROR("Tspi_Context_GetRegisteredKeysByUUID failed rc=0x%x\n",
397 OUTPUT(NLS(MS_OPENPTS, OPENPTS_TPM_TSS_KEY_NUM, "Key number: %d\n"), ulKeyHierarchySize);
398 for (i = 0; i < (int)ulKeyHierarchySize; i++) {
399 OUTPUT(NLS(MS_OPENPTS, OPENPTS_TPM_TSS_KEY, "Key %d\n"), i);
405 Tspi_Context_Close(hContext);
414 * UUID : uuid of ptscd
417 * srk_password_mode 0: SHA1("") 1: 0x00 x 20
419 * TODO return PUBKEY blog
421 int createTssSignKey(
423 int key_storage_type,
427 int srk_password_mode)
429 TSS_RESULT result = 0;
430 TSS_HCONTEXT hContext;
432 TSS_UUID SRK_UUID = TSS_UUID_SRK;
434 TSS_HPOLICY hSRKPolicy;
435 UINT32 srk_auth_mode = TSS_SECRET_MODE_PLAIN;
437 int srk_auth_len = 0;
441 TSS_HPOLICY hKeyPolicy;
446 result = Tspi_Context_Create(&hContext);
447 if (result != TSS_SUCCESS) {
448 ERROR("Tspi_Context_Create failed rc=0x%x\n",
453 result = Tspi_Context_Connect(hContext, SERVER);
454 if (result != TSS_SUCCESS) {
455 ERROR("Tspi_Context_Connect failed rc=0x%x\n",
460 /* get TPM handles */
461 result = Tspi_Context_GetTpmObject(hContext, &hTPM);
462 if (result != TSS_SUCCESS) {
463 ERROR("Tspi_Context_GetTpmObject failed rc=0x%x\n",
469 result = Tspi_Context_LoadKeyByUUID(hContext,
470 TSS_PS_TYPE_SYSTEM, SRK_UUID,
472 if (result != TSS_SUCCESS) {
473 ERROR("Tspi_Context_LoadKeyByUUID (SRK) failed rc=0x%x\n",
475 if (result == 0x2020) {
476 ERROR("Your key storage of tcsd is damaged or missing. \n");
481 /* SRK Policy objects */
482 result = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &hSRKPolicy);
483 if (result != TSS_SUCCESS) {
484 ERROR("Tspi_GetPolicyObject failed rc=0x%x\n",
489 /* SRK Auth Secret */
490 if (srk_password_mode == 1) {
491 srk_auth_mode = TSS_SECRET_MODE_SHA1;
492 srk_auth = known_srk_auth;
495 srk_auth_mode = TSS_SECRET_MODE_PLAIN;
496 srk_auth = null_srk_auth;
500 result = Tspi_Policy_SetSecret(
505 if (result != TSS_SUCCESS) {
506 ERROR("Tspi_Policy_SetSecret failed rc=0x%x\n",
512 memcpy(&tss_uuid, uuid, sizeof(TSS_UUID));
516 if (auth_type == OPENPTS_AIK_AUTH_TYPE_COMMON) {
517 TODO("auth_type == OPENPTS_AIK_AUTH_TYPE_COMMON");
518 /* Create New Key object */
519 result = Tspi_Context_CreateObject(
521 TSS_OBJECT_TYPE_RSAKEY,
522 TSS_KEY_AUTHORIZATION | TSS_KEY_SIZE_2048 | TSS_KEY_TYPE_SIGNING,
524 if (result != TSS_SUCCESS) {
525 ERROR("Tspi_Context_CreateObject failed rc=0x%x\n",
530 // Noauth => uses Dummy Auth secret
531 result = Tspi_Context_CreateObject(
533 TSS_OBJECT_TYPE_POLICY,
536 if (result != TSS_SUCCESS) {
538 ("ERROR: Tspi_Context_CreateObject failed rc=0x%x\n",
543 result = Tspi_Policy_SetSecret(
545 TSS_SECRET_MODE_PLAIN,
546 strlen(TPMSIGKEY_SECRET),
547 (BYTE *)TPMSIGKEY_SECRET);
548 if (result != TSS_SUCCESS) {
550 ("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
555 result = Tspi_Policy_AssignToObject(hKeyPolicy, hKey);
557 if (result != TSS_SUCCESS) {
559 ("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
564 /* Create New Key object */
565 TODO("auth_type != OPENPTS_AIK_AUTH_TYPE_COMMON");
566 result = Tspi_Context_CreateObject(
568 TSS_OBJECT_TYPE_RSAKEY,
569 TSS_KEY_SIZE_2048 | TSS_KEY_TYPE_SIGNING,
571 if (result != TSS_SUCCESS) {
572 ERROR("Tspi_Context_CreateObject failed rc=0x%x\n",
579 result = Tspi_Key_CreateKey(hKey, hSRK, 0);
580 if (result != TSS_SUCCESS) {
581 ERROR("Tspi_Key_CreateKey failed rc=0x%04x\n",
583 if (result == 0x12) {
584 ERROR("TPM_NOSRK error, take the TPM ownership before initialize ptsc");
590 if (key_storage_type == OPENPTS_AIK_STORAGE_TYPE_BLOB) {
594 if (filename == NULL) {
595 ERROR("key blob filename is NULL\n");
596 result = TSS_E_KEY_NOT_LOADED;
600 fp = fopen(filename, "w");
602 ERROR("file open fail, key blob file is %s",filename);
603 result = TSS_E_KEY_NOT_LOADED;
607 result = Tspi_GetAttribData(
609 TSS_TSPATTRIB_KEY_BLOB,
610 TSS_TSPATTRIB_KEYBLOB_BLOB,
613 if (result != TSS_SUCCESS) {
614 ERROR("Tspi_GetAttribData failed rc=0x%04x\n",
620 for (i = 0; i< (int)keyLength; i++) {
621 fprintf(fp, "%c", keyBlob[i]);
629 result = Tspi_Context_RegisterKey(hContext,
636 if (result != TSS_SUCCESS) {
637 if (result == 0x2008) {
638 // key is already registerd
643 Tspi_Context_UnregisterKey(hContext,
647 if (result != TSS_SUCCESS) {
648 ERROR("Tspi_Context_UnregisterKey failed rc=0x%x\n",
651 /* try regkey again */
655 ERROR("Tspi_Context_RegisterKey failed rc=0x%x\n",
657 ERROR(" TSS_E_KEY_ALREADY_REGISTERED\n");
660 ERROR("spi_Context_RegisterKey failed rc=0x%x\n",
662 // 0x3003 TEE_E_BAD_PARAMETOR
672 Tspi_Context_Close(hContext);
681 TODO("createAIK - TBD\n");
688 int deleteTssKey(PTS_UUID *uuid, int ps_type) {
689 TSS_RESULT result = 0;
690 TSS_HCONTEXT hContext;
695 result = Tspi_Context_Create(&hContext);
696 if (result != TSS_SUCCESS) {
697 ERROR("Tspi_Context_Create failed rc=0x%x\n",
702 result = Tspi_Context_Connect(hContext, SERVER);
703 if (result != TSS_SUCCESS) {
704 ERROR("Tspi_Context_Connect failed rc=0x%x\n",
710 memcpy(&tss_uuid, uuid, sizeof(TSS_UUID));
714 Tspi_Context_UnregisterKey(hContext,
715 (UINT32) ps_type, // TSS_PS_TYPE_SYSTEM,
718 if (result != TSS_SUCCESS) {
719 ERROR("Tspi_Context_UnregisterKey failed rc=0x%x\n",
725 Tspi_Context_Close(hContext);
731 #define KEY_BLOB_SIZE 1024
736 * conf->pubkey_length
742 int srk_password_mode,
746 int *pubkey_length, BYTE **pubkey) {
747 TSS_RESULT result = 0;
748 TSS_HCONTEXT hContext;
751 BYTE *buf; // TODO for pubkey
753 TSS_HPOLICY hSRKPolicy;
754 TSS_UUID SRK_UUID = TSS_UUID_SRK;
755 UINT32 srk_auth_mode = TSS_SECRET_MODE_PLAIN;
757 int srk_auth_len = 0;
758 TSS_HPOLICY hKeyPolicy;
760 if (resetdalock == 1) {
761 // 2011-03-03 SM WEC TPM locks well.
762 // TSS_TPMSTATUS_RESETLOCK is read only. no way to get this FLAG before 0x803 Error? :-(
763 // Thus, control by ptsc.conf
764 DEBUG("TSS_TPMSTATUS_RESETLOCK\n");
765 setTpmStatus(TSS_TPMSTATUS_RESETLOCK, TRUE, srk_password_mode);
770 result = Tspi_Context_Create(&hContext);
771 if (result != TSS_SUCCESS) {
772 ERROR("Tspi_Context_Create failed rc=0x%x\n",
777 result = Tspi_Context_Connect(hContext, SERVER);
778 if (result != TSS_SUCCESS) {
779 ERROR("Tspi_Context_Connect failed rc=0x%x\n",
785 memcpy(&tss_uuid, uuid, sizeof(TSS_UUID));
788 /* Get SRK handles */
789 result = Tspi_Context_LoadKeyByUUID(
794 if (result != TSS_SUCCESS) {
795 ERROR("Tspi_Context_LoadKeyByUUID (SRK) failed rc=0x%x\n",
797 if (result == 0x2020) {
798 ERROR(" TSS_E_PS_KEY_NOT_FOUND.\n");
799 fprintf(stderr, NLS(MS_OPENPTS, OPENPTS_TSS_CHECK_SETTING,
800 "Please check your system_ps_file setting in /etc/security/tss/tcsd.conf. "
801 "(The default is /var/tss/lib/tpm/system.data)\n"
802 "If system_ps_file size is zero then it does not contain the SRK info\n"));
809 /* SRK Policy objects */
810 result = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &hSRKPolicy);
811 if (result != TSS_SUCCESS) {
812 ERROR("Tspi_GetPolicyObject failed rc=0x%x\n",
817 /* SRK Auth Secret */
818 if (srk_password_mode == 1) {
819 srk_auth_mode = TSS_SECRET_MODE_SHA1;
820 srk_auth = known_srk_auth;
823 srk_auth_mode = TSS_SECRET_MODE_PLAIN;
824 srk_auth = null_srk_auth;
829 result = Tspi_Policy_SetSecret(
834 if (result != TSS_SUCCESS) {
835 ERROR("Tspi_Policy_SetSecret failed rc=0x%x\n",
842 /* Load AIK or Sign key */
843 if (ps_type == OPENPTS_AIK_STORAGE_TYPE_BLOB) {
846 BYTE blob[KEY_BLOB_SIZE];
849 fp = fopen(filename, "r");
851 ERROR("file open fail, key blob file is %s",filename);
852 result = TSS_E_KEY_NOT_LOADED;
855 len = fread(blob, 1, KEY_BLOB_SIZE, fp);
859 result = Tspi_Context_LoadKeyByBlob(
865 if (result != TSS_SUCCESS) {
866 ERROR("Tspi_Context_LoadKeyByBlob (Key) failed rc=0x%x\n",
872 result = Tspi_Context_LoadKeyByUUID(
874 (UINT32) ps_type, // TSS_PS_TYPE_SYSTEM,
877 if (result == 0x803) {
878 fprintf(stderr, NLS(MS_OPENPTS, OPENPTS_TSS_TPM_LOCKED,
879 "The TPM is locked. Please use the 'tpm_resetdalock' command to clear the lock\n"
880 "For the ptscd daemon please set the flag 'tpm.resetdalock=on' in /etc/ptsc.conf\n"));
882 } else if (result != TSS_SUCCESS) {
883 ERROR("Tspi_Context_LoadKeyByUUID (Key) failed rc=0x%x\n", result);
884 debugHex("\t\tUUID", (BYTE*)&tss_uuid, 16, "\n");
891 result = Tspi_GetPolicyObject(hKey, TSS_POLICY_USAGE, &hKeyPolicy);
892 if (result != TSS_SUCCESS) {
893 ERROR("Tspi_GetPolicyObject failed rc=0x%x\n",
901 // result = Tspi_Policy_SetSecret(
903 // TSS_SECRET_MODE_PLAIN,
906 // if (result != TSS_SUCCESS) {
907 // ERROR("Tspi_Policy_SetSecret failed rc=0x%x\n",
911 if (auth_type == OPENPTS_AIK_AUTH_TYPE_COMMON) {
912 /* Set Policy - Dummy Secret */
913 // 2011-11-26 Munetoh - This fail with Infineon TPM(v1.2)
914 result = Tspi_Policy_SetSecret(
916 TSS_SECRET_MODE_PLAIN,
917 strlen(TPMSIGKEY_SECRET),
918 (BYTE *)TPMSIGKEY_SECRET);
919 if (result != TSS_SUCCESS) {
920 printf("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
925 /* Set Policy - Null Secret */
926 // Atmel, Winbond, STM
927 BYTE key_auth[1] = {0};
929 result = Tspi_Policy_SetSecret(
931 TSS_SECRET_MODE_PLAIN,
934 if (result != TSS_SUCCESS) {
935 printf("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
939 //>>>>>>> 042e40b0979f3e44e75200271e4d1282ce08f72c
944 // TODO shared at enroll phase
945 result = Tspi_GetAttribData(hKey,
946 TSS_TSPATTRIB_KEY_BLOB,
947 TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY,
948 // (UINT32 *) &conf->pubkey_length,
949 (UINT32 *) pubkey_length,
951 if (result != TSS_SUCCESS) {
952 ERROR("Tspi_GetAttribData failed rc=0x%x\n",
957 if (*pubkey != NULL) {
958 // DEBUG("realloc conf->pubkey\n"); // TODO realloc happen
961 *pubkey = xmalloc_assert(*pubkey_length);
962 memcpy(*pubkey, buf, *pubkey_length);
966 Tspi_Context_FreeMemory(hContext, NULL);
967 Tspi_Context_CloseObject(hContext, hKey);
968 Tspi_Context_CloseObject(hContext, hSRK);
972 Tspi_Context_Close(hContext);
980 int getTpmVersion(TSS_VERSION *version) {
981 int rc = TSS_SUCCESS;
983 TSS_HCONTEXT hContext;
988 /* Connect to TCSD */
989 result = Tspi_Context_Create(&hContext);
990 if (result != TSS_SUCCESS) {
991 ERROR("Tspi_Context_Create failed rc=0x%x\n",
993 if (result == 0x3011) {
994 OUTPUT(NLS(MS_OPENPTS, OPENPTS_TPM_TSS_COMMS_FAILURE, "TSS communications failure. Is tcsd running?\n"));
1000 result = Tspi_Context_Connect(hContext, SERVER);
1001 if (result != TSS_SUCCESS) {
1002 ERROR("Tspi_Context_Connect failed rc=0x%x\n",
1008 /* Get TPM handle */
1009 result = Tspi_Context_GetTpmObject(hContext, &hTPM);
1010 if (result != TSS_SUCCESS) {
1011 ERROR("Tspi_Context_GetTpmObject failed rc=0x%x\n",
1017 /* Get TPM Version via Capability */
1019 result = Tspi_TPM_GetCapability(
1026 if (result != TSS_SUCCESS) {
1027 ERROR("Tspi_TPM_GetCapability failed rc=0x%x\n",
1033 if (data_len != 4) {
1034 ERROR("bad TPM version\n");
1040 version->bMajor = data[0];
1041 version->bMinor = data[1];
1042 version->bRevMajor = data[2];
1043 version->bRevMinor = data[3];
1047 Tspi_Context_Close(hContext);
1054 * Get Quote Signature
1061 int srk_password_mode,
1069 TSS_VALIDATION *validationData) {
1071 TSS_HCONTEXT hContext;
1074 TSS_HPOLICY hSRKPolicy;
1075 TSS_UUID SRK_UUID = TSS_UUID_SRK;
1076 UINT32 srk_auth_mode = TSS_SECRET_MODE_PLAIN;
1077 BYTE *srk_auth = NULL;
1078 int srk_auth_len = 0;
1081 TSS_HPOLICY hKeyPolicy;
1083 TSS_HPCRS hPcrComposite;
1084 TSS_VALIDATION validation_data; // local
1086 UINT32 ulSubCapLength;
1088 UINT32 pulRespDataLength;
1092 int pcrSelectCount = 0;
1095 memcpy(&tss_uuid, uuid, sizeof(TSS_UUID));
1097 /* Connect to TCSD */
1098 result = Tspi_Context_Create(&hContext);
1099 if (result != TSS_SUCCESS) {
1100 ERROR("Tspi_Context_Create failed rc=0x%x\n",
1102 if (result == 0x3011) {
1103 OUTPUT(NLS(MS_OPENPTS, OPENPTS_TPM_TSS_COMMS_FAILURE, "TSS communications failure. Is tcsd running?\n"));
1109 result = Tspi_Context_Connect(hContext, SERVER);
1110 if (result != TSS_SUCCESS) {
1111 ERROR("Tspi_Context_Connect failed rc=0x%x\n",
1116 /* Get TPM handle */
1117 result = Tspi_Context_GetTpmObject(hContext, &hTPM);
1118 if (result != TSS_SUCCESS) {
1119 ERROR("Tspi_Context_GetTpmObject failed rc=0x%x\n",
1125 ulSubCapLength = sizeof(UINT32);
1126 rgbSubCap = TSS_TPMCAP_PROP_PCR;
1128 result = Tspi_TPM_GetCapability(hTPM,
1129 TSS_TPMCAP_PROPERTY,
1131 (BYTE *) & rgbSubCap,
1132 &pulRespDataLength, &prgbRespData);
1134 if (result != TSS_SUCCESS) {
1135 ERROR("Tspi_TPM_GetCapability failed rc=0x%x\n",
1140 pcrnum = (UINT32) *prgbRespData;
1141 pcrnum = * (UINT32 *)prgbRespData;
1142 pcrs->pcr_num = pcrnum; // TODO
1145 /* PCR Composite - Object */
1146 result = Tspi_Context_CreateObject(
1148 TSS_OBJECT_TYPE_PCRS,
1151 if (result != TSS_SUCCESS) {
1152 ERROR("Tspi_Context_CreateObject failed rc=0x%x\n",
1157 /* PCR Composite - SelectPcrIndex */
1158 for (i = 0; i < (int)pcrnum; i++) {
1159 if (pcrs->pcr_select[i] == 1) {
1160 result = Tspi_PcrComposite_SelectPcrIndex(
1163 if (result != TSS_SUCCESS) {
1164 ERROR("failed rc=0x%x\n", result);
1172 if (pcrSelectCount == 0) {
1173 ERROR("No PCR is selected for quote\n");
1177 /* Get SRK handles */
1178 result = Tspi_Context_LoadKeyByUUID(
1183 if (result != TSS_SUCCESS) {
1184 ERROR("Tspi_Context_LoadKeyByUUID (SRK) failed rc=0x%x\n",
1186 if (result == 0x2020) {
1187 ERROR(" TSS_E_PS_KEY_NOT_FOUND.\n");
1188 fprintf(stderr, NLS(MS_OPENPTS, OPENPTS_TSS_CHECK_SETTING,
1189 "Please check your system_ps_file setting in /etc/tcsd.conf. "
1190 "(The default is /var/lib/tpm/system.data)\n"
1191 "If system_ps_file size is zero then it does not contains the SRK info\n"));
1198 /* Get SRK Policy objects */
1199 result = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &hSRKPolicy);
1200 if (result != TSS_SUCCESS) {
1201 ERROR("Tspi_GetPolicyObject failed rc=0x%x\n",
1207 /* SRK Auth Secret */
1208 if (srk_password_mode == 1) {
1209 srk_auth_mode = TSS_SECRET_MODE_SHA1;
1210 srk_auth = known_srk_auth;
1213 srk_auth_mode = TSS_SECRET_MODE_PLAIN;
1214 srk_auth = null_srk_auth;
1218 /* Set SRK Credential */
1219 result = Tspi_Policy_SetSecret(
1224 if (result != TSS_SUCCESS) {
1225 ERROR("Tspi_Policy_SetSecret failed rc=0x%x\n",
1231 /* Load AIK or Sign key */
1232 if (ps_type == OPENPTS_AIK_STORAGE_TYPE_BLOB) {
1235 BYTE blob[KEY_BLOB_SIZE];
1238 fp = fopen(filename, "r");
1240 ERROR("file open fail, key blob file is %s",filename);
1241 result = TSS_E_KEY_NOT_LOADED;
1245 len = fread(blob, 1, KEY_BLOB_SIZE, fp);
1249 result = Tspi_Context_LoadKeyByBlob(
1255 if (result != TSS_SUCCESS) {
1256 ERROR("Tspi_Context_LoadKeyByBlob (Key) failed rc=0x%x\n",
1261 /* load from TSS's PS */
1262 result = Tspi_Context_LoadKeyByUUID(hContext,
1263 (UINT32) ps_type, // TSS_PS_TYPE_SYSTEM,
1266 if (result != TSS_SUCCESS) {
1267 ERROR("Tspi_Context_LoadKeyByUUID (Key) failed rc=0x%x\n", result);
1268 debugHex("\t\tUUID", (BYTE*)&tss_uuid, 16, "\n");
1274 /* get Policy Object of Sign key */
1275 result = Tspi_GetPolicyObject(hKey, TSS_POLICY_USAGE, &hKeyPolicy);
1276 if (result != TSS_SUCCESS) {
1277 ERROR("Tspi_GetPolicyObject failed rc=0x%x\n",
1284 // result = Tspi_Policy_SetSecret(
1286 // TSS_SECRET_MODE_PLAIN,
1289 // if (result != TSS_SUCCESS) {
1290 // ERROR("Tspi_Policy_SetSecret failed rc=0x%x\n",
1294 if (auth_type == OPENPTS_AIK_AUTH_TYPE_COMMON) {
1295 /* Set Policy - Dummy Secret */
1296 // 2011-11-26 Munetoh - This fail with Infineon TPM(v1.2)
1297 result = Tspi_Policy_SetSecret(
1299 TSS_SECRET_MODE_PLAIN,
1300 strlen(TPMSIGKEY_SECRET),
1301 (BYTE *)TPMSIGKEY_SECRET);
1302 if (result != TSS_SUCCESS) {
1303 printf("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
1308 /* Set Policy - Null Secret */
1309 // Atmel, Winbond, STM
1310 BYTE key_auth[] = "";
1312 result = Tspi_Policy_SetSecret(
1314 TSS_SECRET_MODE_PLAIN,
1317 if (result != TSS_SUCCESS) {
1318 printf("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
1322 //>>>>>>> 042e40b0979f3e44e75200271e4d1282ce08f72c
1325 /* Setup (copy) Validation Data Structure */
1326 validation_data.versionInfo.bMajor = validationData->versionInfo.bMajor;
1327 validation_data.versionInfo.bMinor = validationData->versionInfo.bMinor;
1328 validation_data.versionInfo.bRevMajor = validationData->versionInfo.bRevMajor;
1329 validation_data.versionInfo.bRevMinor = validationData->versionInfo.bRevMinor;
1331 /* Nonce -> rgbExternalData */
1332 validation_data.ulExternalDataLength = validationData->ulExternalDataLength;
1333 validation_data.rgbExternalData = validationData->rgbExternalData;
1336 /* Issue TPM_Quote */
1337 result = Tspi_TPM_Quote(hTPM,
1338 hKey, hPcrComposite, &validation_data);
1339 if (result != TSS_SUCCESS) {
1340 if (result == 0x01) {
1341 ERROR("Tspi_TPM_Quote failed rc=0x%04x\n",
1343 ERROR(" Authorization faild, needs valid password\n");
1345 ERROR("Tspi_TPM_Quote failed rc=0x%04x\n",
1351 /* Store Validation Data Structure */
1359 validationData->ulDataLength = validation_data.ulDataLength;
1360 validationData->rgbData = xmalloc(validation_data.ulDataLength);
1361 if (validationData->rgbData == NULL) {
1366 validationData->rgbData,
1367 validation_data.rgbData,
1368 validation_data.ulDataLength);
1370 // rgbData stores digest only
1371 // 2011-02-09 SM bad approach
1373 validationData->ulDataLength = 20;
1374 validationData->rgbData = xmalloc(20);
1375 if (validationData->rgbData == NULL) {
1380 validationData->rgbData,
1381 &validation_data.rgbData[8],
1386 /* rgbValidationData */
1387 validationData->ulValidationDataLength = validation_data.ulValidationDataLength;
1388 validationData->rgbValidationData = xmalloc(validation_data.ulValidationDataLength);
1389 if (validationData->rgbValidationData == NULL) {
1394 validationData->rgbValidationData,
1395 validation_data.rgbValidationData,
1396 validation_data.ulValidationDataLength);
1399 validationData->versionInfo.bMajor = validationData->rgbData[0];
1400 validationData->versionInfo.bMinor = validationData->rgbData[1];
1401 validationData->versionInfo.bRevMajor = validationData->rgbData[2];
1402 validationData->versionInfo.bRevMinor = validationData->rgbData[3];
1405 if (isDebugFlagSet(DEBUG_FLAG)) {
1406 DEBUG("TPM_Quote\n");
1407 debugHex(" validationData :",
1408 validationData->rgbData,
1409 validationData->ulDataLength, "\n");
1413 /* Get PCR values used by Quote */
1415 for (i = 0; i < (int) pcrnum; i++) { // TODO pcrs->pcr_num
1416 if (pcrs->pcr_select[i] == 1) {
1419 result = Tspi_PcrComposite_GetPcrValue(
1422 if (result != TSS_SUCCESS) {
1423 ERROR("Tspi_PcrComposite_GetPcrValue failed rc=0x%x\n",
1428 // fprintf(fp, "pcr.%d=", i);
1429 // fprinthex(fp, "", data, length);
1430 if (length < MAX_DIGEST_SIZE) {
1431 memcpy(&pcrs->pcr[i], data, length);
1432 if (isDebugFlagSet(DEBUG_FLAG)) {
1433 // DEBUG("PCR[%d]", i);
1434 debugHex(" : ", data, length, "\n");
1437 ERROR("pcr size is too big %d > %d\n", length, MAX_DIGEST_SIZE);
1440 Tspi_Context_FreeMemory(hContext, data);
1448 Tspi_Context_FreeMemory(hContext, NULL);
1449 Tspi_Context_CloseObject(hContext, hPcrComposite);
1450 Tspi_Context_CloseObject(hContext, hKeyPolicy);
1451 Tspi_Context_CloseObject(hContext, hKey);
1452 Tspi_Context_CloseObject(hContext, hSRKPolicy);
1453 Tspi_Context_CloseObject(hContext, hSRK);
1454 Tspi_Context_CloseObject(hContext, hTPM);
1458 Tspi_Context_Close(hContext);
1464 * Get Quote2 Signature
1471 int srk_password_mode,
1479 TSS_VALIDATION *validationData) {
1481 TSS_HCONTEXT hContext;
1484 TSS_HPOLICY hSRKPolicy;
1485 TSS_UUID SRK_UUID = TSS_UUID_SRK;
1487 UINT32 srk_auth_mode = TSS_SECRET_MODE_PLAIN;
1489 int srk_auth_len = 0;
1492 TSS_HPOLICY hKeyPolicy;
1494 TSS_HPCRS hPcrComposite;
1495 TSS_VALIDATION validation_data; // local
1497 UINT32 ulSubCapLength;
1499 UINT32 pulRespDataLength;
1503 UINT32 versionInfoSize;
1506 int pcrSelectCount = 0;
1509 // uuit_t -> TSS_UUID
1510 memcpy(&tss_uuid, uuid, sizeof(TSS_UUID));
1512 /* Connect to TCSD */
1513 result = Tspi_Context_Create(&hContext);
1514 if (result != TSS_SUCCESS) {
1515 ERROR("Tspi_Context_Create failed rc=0x%x\n",
1517 if (result == 0x3011) {
1518 OUTPUT(NLS(MS_OPENPTS, OPENPTS_TPM_TSS_COMMS_FAILURE, "TSS communications failure. Is tcsd running?\n"));
1524 result = Tspi_Context_Connect(hContext, SERVER);
1525 if (result != TSS_SUCCESS) {
1526 ERROR("Tspi_Context_Connect failed rc=0x%x\n",
1531 /* Get TPM handle */
1532 result = Tspi_Context_GetTpmObject(hContext, &hTPM);
1533 if (result != TSS_SUCCESS) {
1534 ERROR("Tspi_Context_GetTpmObject failed rc=0x%x\n",
1540 ulSubCapLength = sizeof(UINT32);
1541 rgbSubCap = TSS_TPMCAP_PROP_PCR;
1543 result = Tspi_TPM_GetCapability(
1545 TSS_TPMCAP_PROPERTY,
1547 (BYTE *) & rgbSubCap,
1548 &pulRespDataLength, &prgbRespData);
1550 if (result != TSS_SUCCESS) {
1551 ERROR("Tspi_TPM_GetCapability failed rc=0x%x\n",
1556 pcrnum = (UINT32) *prgbRespData;
1557 pcrnum = * (UINT32 *)prgbRespData;
1558 pcrs->pcr_num = pcrnum; // TODO
1561 /* PCR Composite - Object */
1562 result = Tspi_Context_CreateObject(
1564 TSS_OBJECT_TYPE_PCRS,
1565 TSS_PCRS_STRUCT_INFO_SHORT,
1567 if (result != TSS_SUCCESS) {
1568 ERROR("Tspi_Context_CreateObject failed rc=0x%x\n",
1573 /* PCR Composite - SelectPcrIndex */
1574 for (i = 0; i < (int)pcrnum; i++) {
1575 if (pcrs->pcr_select[i] == 1) {
1576 result = Tspi_PcrComposite_SelectPcrIndexEx(
1579 TSS_PCRS_DIRECTION_RELEASE);
1580 if (result != TSS_SUCCESS) {
1581 ERROR("failed rc=0x%x\n", result);
1589 if (pcrSelectCount == 0) {
1590 ERROR("No PCR is selected for quote\n");
1594 /* Get SRK handles */
1595 result = Tspi_Context_LoadKeyByUUID(
1600 if (result != TSS_SUCCESS) {
1601 ERROR("Tspi_Context_LoadKeyByUUID (SRK) failed rc=0x%x\n",
1603 if (result == 0x2020) {
1604 ERROR(" TSS_E_PS_KEY_NOT_FOUND.\n");
1605 fprintf(stderr, NLS(MS_OPENPTS, OPENPTS_TSS_CHECK_SETTING,
1606 "Please check your system_ps_file setting in /etc/tcsd.conf. "
1607 "(The default is /var/lib/tpm/system.data)\n"
1608 "If system_ps_file size is zero then it does not contains the SRK info\n"));
1615 /* Get SRK Policy objects */
1616 result = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &hSRKPolicy);
1617 if (result != TSS_SUCCESS) {
1618 ERROR("Tspi_GetPolicyObject failed rc=0x%x\n",
1623 /* SRK Auth Secret */
1624 if (srk_password_mode == 1) {
1625 srk_auth_mode = TSS_SECRET_MODE_SHA1;
1626 srk_auth = known_srk_auth;
1629 srk_auth_mode = TSS_SECRET_MODE_PLAIN;
1630 srk_auth = null_srk_auth;
1634 /* Set SRK Credential (must be NULL) */
1635 result = Tspi_Policy_SetSecret(
1640 if (result != TSS_SUCCESS) {
1641 ERROR("Tspi_Policy_SetSecret failed rc=0x%x\n",
1647 /* Load AIK or Sign key */
1648 if (ps_type == OPENPTS_AIK_STORAGE_TYPE_BLOB) {
1651 BYTE blob[KEY_BLOB_SIZE];
1654 fp = fopen(filename, "r");
1656 ERROR("file open fail, key blob file is %s",filename);
1657 result = TSS_E_KEY_NOT_LOADED;
1662 len = fread(blob, 1, KEY_BLOB_SIZE, fp);
1666 result = Tspi_Context_LoadKeyByBlob(
1672 if (result != TSS_SUCCESS) {
1673 ERROR("Tspi_Context_LoadKeyByBlob (Key) failed rc=0x%x\n",
1678 /* load from TSS's PS */
1679 result = Tspi_Context_LoadKeyByUUID(hContext,
1680 (UINT32) ps_type, // TSS_PS_TYPE_SYSTEM,
1683 if (result != TSS_SUCCESS) {
1684 ERROR("Tspi_Context_LoadKeyByUUID (Key) failed rc=0x%x\n", result);
1685 debugHex("\t\tUUID", (BYTE*)&tss_uuid, 16, "\n");
1691 /* get Policy Object of Sign key */
1692 result = Tspi_GetPolicyObject(hKey, TSS_POLICY_USAGE, &hKeyPolicy);
1693 if (result != TSS_SUCCESS) {
1694 ERROR("Tspi_GetPolicyObject failed rc=0x%x\n",
1701 // result = Tspi_Policy_SetSecret(
1703 // TSS_SECRET_MODE_PLAIN,
1706 // if (result != TSS_SUCCESS) {
1707 // ERROR("Tspi_Policy_SetSecret failed rc=0x%x\n",
1711 if (auth_type == OPENPTS_AIK_AUTH_TYPE_COMMON) {
1712 /* Set Policy - Dummy Secret */
1713 // 2011-11-26 Munetoh - This fail with Infineon TPM(v1.2)
1714 result = Tspi_Policy_SetSecret(
1716 TSS_SECRET_MODE_PLAIN,
1717 strlen(TPMSIGKEY_SECRET),
1718 (BYTE *)TPMSIGKEY_SECRET);
1719 if (result != TSS_SUCCESS) {
1720 printf("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
1725 /* Set Policy - Null Secret */
1726 // Atmel, Winbond, STM
1727 BYTE key_auth[] = "";
1729 result = Tspi_Policy_SetSecret(
1731 TSS_SECRET_MODE_PLAIN,
1734 if (result != TSS_SUCCESS) {
1735 printf("ERROR: Tspi_Policy_SetSecret failed rc=0x%x\n",
1739 //>>>>>>> 042e40b0979f3e44e75200271e4d1282ce08f72c
1742 /* Nonce -> rgbExternalData */
1743 validation_data.ulExternalDataLength = validationData->ulExternalDataLength;
1744 validation_data.rgbExternalData = validationData->rgbExternalData;
1746 /* Issue TPM_Quote */
1747 result = Tspi_TPM_Quote2(
1750 FALSE, // or TRUE, add version info
1755 if (result != TSS_SUCCESS) {
1756 if (result == 0x01) {
1757 ERROR("Tspi_TPM_Quote failed rc=0x%04x\n", result);
1758 fprintf(stderr, NLS(MS_OPENPTS, OPENPTS_TSS_AUTH_FAILED, "Authorization failed, needs valid password\n"));
1760 ERROR("Tspi_TPM_Quote failed rc=0x%04x\n", result);
1765 if (isDebugFlagSet(DEBUG_FLAG)) {
1766 DEBUG("TPM_Quote2\n");
1767 debugHex(NLS(MS_OPENPTS, OPENPTS_TSS_EXT_DATA, "External Data:"),
1768 validation_data.rgbExternalData,
1769 validation_data.ulExternalDataLength, "\n");
1770 debugHex(NLS(MS_OPENPTS, OPENPTS_TSS_DATA, "Data:"),
1771 validation_data.rgbData,
1772 validation_data.ulDataLength, "\n");
1773 debugHex(NLS(MS_OPENPTS, OPENPTS_TSS_VALIDATION_DATA, "Validation Data:"),
1774 validation_data.rgbValidationData,
1775 validation_data.ulValidationDataLength, "\n");
1776 if (versionInfoSize > 0) {
1777 debugHex(NLS(MS_OPENPTS, OPENPTS_TSS_VERSION_INFO, "Version Info:"),
1779 versionInfoSize, "\n");
1783 /* Get PCR values used by Quote */
1784 for (i = 0; i < (int) pcrnum; i++) { // TODO pcrs->pcr_num
1785 if (pcrs->pcr_select[i] == 1) {
1789 // 2011-02-15 SM can not get the PCR values, TSS bug?
1790 result = Tspi_PcrComposite_GetPcrValue(
1793 if (result != TSS_SUCCESS) {
1794 ERROR("Tspi_PcrComposite_GetPcrValue failed rc=0x%x\n",
1799 // 2011-02-15 SM read Pcr value from TPM
1800 result = Tspi_TPM_PcrRead(
1801 hTPM, i, &length, &data);
1802 if (result != TSS_SUCCESS) {
1803 ERROR("Tspi_TPM_PcrRead failed rc=0x%x\n", result);
1808 if (length < MAX_DIGEST_SIZE) {
1809 memcpy(&pcrs->pcr[i], data, length);
1810 if (isDebugFlagSet(DEBUG_FLAG)) {
1811 // DEBUG("PCR[%d]", i);
1812 debugHex(" : ", data, length, "\n");
1815 fprintf(stderr, NLS(MS_OPENPTS, OPENPTS_TSS_PCR_SIZE_TOO_BIG,
1816 "PCR size is too big %d > %d\n"), length, MAX_DIGEST_SIZE);
1819 Tspi_Context_FreeMemory(hContext, data);
1825 /* Store Validation Data Structure */
1826 // TPM_QUOTE_INFO2 structure
1827 // 0:1 TAG 00 36 = TPM_TAG_QUOTE_INFO2
1828 // 2:5 BYTE[4] 51 55 54 32 QUOT2
1829 // 6:25 TPM_NONCE 5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A
1830 // TPM_PCR_INFO_SHORT
1831 // 26:30 TPM_PCR_SELECTION 0003 FF 00 00
1833 // 32:51 COPMPOSIT_HASH A57A3A1E62C3D391E015CCB9167453D5FBBC9E53
1834 // ??? 0030 01 02 04 00 000202494E544300080004000000030464
1835 // TPM_CAP_VERSION_INFO 0030 01 02 04 00 000202494E544300080004000000030464
1836 // TPM_STRUCTURE_TAG 0030 tag;
1837 // TPM_VERSION 01 02 04 00 version;
1838 // UINT16 0002 specLevel;
1839 // BYTE 02 errataRev;
1840 // BYTE 49 4E 54 43 tpmVendorID[4];
1841 // UINT16 0008 vendorSpecificSize;
1842 // SIZEIS(vendorSpecificSize)
1843 // BYTE 0004 0000 0003 0464 *vendorSpecific;
1845 // 2+4+20+5+1+20 = 52
1846 // total 75-bytes???
1847 validationData->ulDataLength = validation_data.ulDataLength;
1848 validationData->rgbData = xmalloc(validation_data.ulDataLength);
1849 if (validationData->rgbData == NULL) {
1854 validationData->rgbData,
1855 validation_data.rgbData,
1856 validation_data.ulDataLength);
1859 /* rgbValidationData */
1860 validationData->ulValidationDataLength = validation_data.ulValidationDataLength;
1861 validationData->rgbValidationData = xmalloc(validation_data.ulValidationDataLength);
1862 if (validationData->rgbValidationData == NULL) {
1867 validationData->rgbValidationData,
1868 validation_data.rgbValidationData,
1869 validation_data.ulValidationDataLength);
1872 // get from validationData->rgbData (used by Quote)
1873 // validationData->versionInfo.bMajor = validationData->rgbData[0];
1874 // validationData->versionInfo.bMinor = validationData->rgbData[1];
1875 // validationData->versionInfo.bRevMajor = validationData->rgbData[2];
1876 // validationData->versionInfo.bRevMinor = validationData->rgbData[3];
1882 Tspi_Context_FreeMemory(hContext, NULL);
1883 Tspi_Context_CloseObject(hContext, hPcrComposite);
1884 Tspi_Context_CloseObject(hContext, hKey);
1888 Tspi_Context_Close(hContext);
1894 * get ramdom value from TPM
1899 * TODO if TPM/TSS is missing, use pseudo ramdom -- added
1901 * UnitTest: check_tss.c / test_getRandom
1903 int getRandom(BYTE *out, int size) {
1905 TSS_HCONTEXT hContext;
1909 /* Connect to TCSD */
1910 result = Tspi_Context_Create(&hContext);
1911 if (result != TSS_SUCCESS) {
1912 ERROR("Tspi_Context_Create failed rc=0x%x\n", result);
1913 if (result == 0x3011) {
1914 OUTPUT(NLS(MS_OPENPTS, OPENPTS_TPM_TSS_COMMS_FAILURE, "TSS communications failure. Is tcsd running?\n"));
1919 result = Tspi_Context_Connect(hContext, SERVER);
1920 if (result != TSS_SUCCESS) {
1921 ERROR("Tspi_Context_Connect failed rc=0x%x\n", result);
1925 /* Get TPM handle */
1926 result = Tspi_Context_GetTpmObject(hContext, &hTPM);
1927 if (result != TSS_SUCCESS) {
1928 ERROR("Tspi_Context_GetTpmObject failed rc=0x%x\n", result);
1934 result = Tspi_TPM_GetRandom(hTPM, size, &buf);
1935 if (result != TSS_SUCCESS) {
1937 ("Tspi_TPM_GetRandom failed rc=0x%x\n",
1939 Tspi_Context_FreeMemory(hContext, NULL);
1942 memcpy(out, buf, size);
1944 DEBUG("Get ramdom data from TPM");
1945 if (isDebugFlagSet(DEBUG_FLAG)) {
1946 debugHex(" - random:", buf, size, "\n");
1950 Tspi_Context_FreeMemory(hContext, buf);
1954 Tspi_Context_Close(hContext);
1962 int extendEvent(TSS_PCR_EVENT* event) {
1964 TSS_HCONTEXT hContext;
1971 /* Connect to TCSD */
1972 result = Tspi_Context_Create(&hContext);
1973 if (result != TSS_SUCCESS) {
1974 ERROR("Tspi_Context_Create failed rc=0x%x\n", result);
1975 if (result == 0x3011) {
1976 OUTPUT(NLS(MS_OPENPTS, OPENPTS_TPM_TSS_COMMS_FAILURE, "TSS communications failure. Is tcsd running?\n"));
1981 result = Tspi_Context_Connect(hContext, SERVER);
1982 if (result != TSS_SUCCESS) {
1983 ERROR("Tspi_Context_Connect failed rc=0x%x\n", result);
1987 /* Get TPM handle */
1988 result = Tspi_Context_GetTpmObject(hContext, &hTPM);
1989 if (result != TSS_SUCCESS) {
1990 ERROR("Tspi_Context_GetTpmObject failed rc=0x%x\n", result);
1994 // 2011-02-21 SM pcr0=NULL -> 0x3003 BAD_PARAMETOR error
1995 pcr0 = xmalloc_assert(20);
1996 memset(pcr0, 0, 20);
1999 result = Tspi_TPM_PcrExtend(
2007 if (result != TSS_SUCCESS) {
2009 ("Tspi_TPM_PcrExtend failed rc=0x%x\n",
2011 // Tspi_Context_FreeMemory(hContext, NULL);
2020 Tspi_Context_Close(hContext);
2026 * call must prepare the buffer for pcr
2028 int readPcr(int pcr_index, BYTE *pcr) {
2030 TSS_HCONTEXT hContext;
2032 UINT32 data_len = 0;
2036 /* Connect to TCSD */
2037 result = Tspi_Context_Create(&hContext);
2038 if (result != TSS_SUCCESS) {
2039 ERROR("Tspi_Context_Create failed rc=0x%x\n", result);
2040 if (result == 0x3011) {
2041 OUTPUT(NLS(MS_OPENPTS, OPENPTS_TPM_TSS_COMMS_FAILURE, "TSS communications failure. Is tcsd running?\n"));
2046 result = Tspi_Context_Connect(hContext, SERVER);
2047 if (result != TSS_SUCCESS) {
2048 ERROR("Tspi_Context_Connect failed rc=0x%x\n", result);
2052 /* Get TPM handle */
2053 result = Tspi_Context_GetTpmObject(hContext, &hTPM);
2054 if (result != TSS_SUCCESS) {
2055 ERROR("Tspi_Context_GetTpmObject failed rc=0x%x\n", result);
2059 result = Tspi_TPM_PcrRead(
2060 hTPM, pcr_index, &data_len, &data);
2061 if (result != TSS_SUCCESS) {
2062 ERROR("Tspi_TPM_PcrRead failed rc=0x%x\n", result);
2065 if (data_len != SHA1_DIGEST_SIZE) {
2066 ERROR("Bad PCR size %d\n", data_len);
2067 result = PTS_INTERNAL_ERROR;
2069 memcpy(pcr, data, SHA1_DIGEST_SIZE);
2074 Tspi_Context_Close(hContext);
2077 #endif // !CONFIG_NO_TSS
2084 * validate QuoteData
2086 * - TPM_SS_RSASSAPKCS1v15_SHA1 ONLY
2093 * PTS_INTERNAL_ERROR
2097 int validateQuoteData(OPENPTS_PCRS *pcrs, TSS_VALIDATION *validationData) {
2098 int rc = PTS_VERIFY_FAILED;
2104 int signature_length;
2109 BIGNUM *rsa_e = NULL;
2110 BIGNUM *rsa_n = NULL;
2111 BYTE exp[4] = {0x00, 0x01, 0x00, 0x01};
2115 ERROR("validateQuoteData - pcrs is NULL\n");
2116 return PTS_INTERNAL_ERROR;
2118 if (pcrs->pubkey_length == 0) {
2119 ERROR("validateQuoteData - pcrs->pubkey_length is ZERO\n");
2120 return PTS_INTERNAL_ERROR;
2122 if (pcrs->pubkey == NULL) {
2123 ERROR("validateQuoteData - pcrs->pubkey is NULL\n");
2124 return PTS_INTERNAL_ERROR;
2128 if (validationData->ulDataLength == 48) {
2130 } else if (validationData->ulDataLength == 52) {
2133 ERROR("validationData->ulDataLength != 48/52, but %d\n",
2134 validationData->ulDataLength);
2135 return PTS_INTERNAL_ERROR;
2138 if (validationData->ulExternalDataLength != 20) {
2139 ERROR("validationData->ulExternalDataLength != 20, but %d\n",
2140 validationData->ulExternalDataLength);
2141 return PTS_INTERNAL_ERROR;
2144 message_length = validationData->ulDataLength;
2145 message = validationData->rgbData;
2148 hash_length = 20; // TODO
2149 hash = xmalloc_assert(20);
2151 SHA1_Update(&ctx, message, message_length);
2152 SHA1_Final(hash, &ctx);
2155 signature_length = validationData->ulValidationDataLength;
2156 signature = validationData->rgbValidationData;
2163 00000001 TPM_ALGORITHM_ID algorithmID << TPM_KEY_PARMS algorithmParms;
2164 0001 TPM_ENC_SCHEME encScheme; 0001 => TPM_ES_NONE
2165 0002 TPM_SIG_SCHEME sigScheme; 0002 => TPM_SS_RSASSAPKCS1v15_SHA1
2166 0000000C UINT32 parmSize = 12
2171 00000100 UINT32 keyLength = 256
2172 734AA85F2DDFD5D7AC09081681537D...
2176 // TODO 2048 bit key only
2177 pubkey_length = 256; // TODO
2178 pubkey = &pcrs->pubkey[28]; // TODO use struct
2180 // pubkey_length = 257;
2181 // pubkey = malloc(pubkey_length);
2183 // memcpy(&pubkey[1],&pcrs->pubkey[28], 256);
2187 printHex("message :", message, message_length, "\n");
2188 printHex("hash :", hash, hash_length, "\n");
2189 printHex("signature :", signature, signature_length, "\n");
2190 printHex("pubkey :", pubkey, pubkey_length, "\n");
2198 BN_bin2bn(exp, 4, rsa_e);
2202 BN_bin2bn(pubkey, pubkey_length, rsa_n);
2204 BN_hex2bn(&(rsa->n), BN_bn2hex(rsa_n));
2205 BN_hex2bn(&(rsa->e), BN_bn2hex(rsa_e));
2207 // DEBUG("RSA_verify\n");
2208 /* RSA verify 1: success, 0:otherwise */
2210 NID_sha1, // hash type,
2227 if (isDebugFlagSet(DEBUG_FLAG)) {
2228 DEBUG("validateQuoteData - rc = %d (1:success)\n", rc);
2229 debugHex(NLS(MS_OPENPTS, OPENPTS_TSS_PUBKEY, "pubkey: "), pubkey, pubkey_length, "\n");
2230 debugHex(NLS(MS_OPENPTS, OPENPTS_TSS_MSG, "message: "), message, message_length, "\n");
2231 debugHex(NLS(MS_OPENPTS, OPENPTS_TSS_SIGNATURE, "signature: "), signature, signature_length, "\n");
2238 /* RSA verify - success */
2241 /* RSA verify - fail */
2242 UINT32 e; // unsigned long
2243 ERR_load_crypto_strings();
2244 e = ERR_get_error();
2245 ERROR("RSA_verify failed, %s\n", ERR_error_string(e, NULL));
2246 ERROR(" %s\n", ERR_lib_error_string(e));
2247 ERROR(" %s\n", ERR_func_error_string(e));
2248 ERROR(" %s\n", ERR_reason_error_string(e));
2250 return PTS_VERIFY_FAILED;
2255 * Validate PCR Composite (TPM/TSS v1.1 PCR[0-15])
2260 * PTS_INTERNAL_ERROR
2262 int validatePcrCompositeV11(OPENPTS_PCRS *pcrs, TSS_VALIDATION *validationData) {
2263 int rc = PTS_VERIFY_FAILED;
2275 if (validationData == NULL) {
2276 ERROR("validationData == NULL\n");
2277 return PTS_INTERNAL_ERROR;
2280 if (validationData->rgbData == NULL) {
2281 ERROR("validationData->rgbData == NULL\n");
2282 return PTS_INTERNAL_ERROR;
2284 if (validationData->ulDataLength != 48) {
2285 ERROR("validationData->ulDataLength != 48, but %d\n",
2286 validationData->ulDataLength);
2287 return PTS_INTERNAL_ERROR;
2291 /* setup PCR composite */
2292 // PCR Select is confusing
2293 // PCR 0,1,2,3,4,5,6,7,8,10 => FF 05
2294 for (i = 15; i > 0; i--) { // 15-1
2295 if (pcrs->pcr_select[i] == 1) {
2298 DEBUG("validatePcrCompositeV11() - PCR[%d] - selected\n", i);
2302 if (pcrs->pcr_select[i] == 1) { // 0
2305 DEBUG("validatePcrCompositeV11() - PCR[%d] - selected\n", i);
2309 value_size = 20 * count;
2310 buf_len = 2 + 2 + 4 + value_size;
2311 buf = xmalloc(buf_len);
2313 return PTS_INTERNAL_ERROR;
2315 memset(buf, 0, buf_len);
2317 /* PCR select size, UINT16 */
2321 /* select, 2 bytes*/
2322 buf[2] = mask & 0xFF;
2323 buf[3] = (mask >> 8) & 0xFF;
2325 /* Value Size, UINT32 */
2328 buf[6] = (value_size >> 8)& 0xFF;
2329 buf[7] = value_size & 0xFF;
2333 for (i = 0; i < 16; i++) {
2334 if (pcrs->pcr_select[i] == 1) {
2335 memcpy(ptr, pcrs->pcr[i], 20);
2342 SHA1_Update(&ctx, buf, buf_len);
2343 SHA1_Final(digest, &ctx);
2345 if (isDebugFlagSet(DEBUG_FLAG)) {
2346 DEBUG("pcr composite\n");
2347 debugHex(NLS(MS_OPENPTS, OPENPTS_TSS_BUF, " buf:"), buf, buf_len, "\n");
2348 debugHex(NLS(MS_OPENPTS, OPENPTS_TSS_DIGEST, " digest:"), digest, 20, "\n");
2349 DEBUG("select size : %d\n", 2);
2350 DEBUG("select : 0x%X\n", mask);
2355 "Digest :", digest, 20, "\n");
2358 &validationData->rgbData[8],
2363 if (memcmp(digest, &validationData->rgbData[8], 20) == 0) {
2364 // if (memcmp(digest, validationData->rgbData, 20) == 0) {
2365 /* HIT valid composit */
2368 DEBUG("validatePcrCompositeV11() - bad digest\n");
2371 if (rc != PTS_SUCCESS) {
2373 DEBUG("validatePcrCompositeV11() - validation fail, rc = %d\n", rc);
2384 * Validate PCR Composite (TPM/TSS v1.2 PCR[0-23])
2389 * PTS_INTERNAL_ERROR
2391 int validatePcrCompositeV12(OPENPTS_PCRS *pcrs, TSS_VALIDATION *validationData) {
2392 int rc = PTS_VERIFY_FAILED;
2404 BYTE *composit_hash;
2407 if (validationData == NULL) {
2408 ERROR("validationData == NULL\n");
2409 return PTS_INTERNAL_ERROR;
2412 if (validationData->rgbData == NULL) {
2413 ERROR("validationData->rgbData == NULL\n");
2414 return PTS_INTERNAL_ERROR;
2417 // TODO identify Quote/Quote2 not using the data length
2418 if (validationData->ulDataLength == 48) {
2421 composit_hash = &validationData->rgbData[8];
2422 } else if (validationData->ulDataLength == 52) {
2425 composit_hash = &validationData->rgbData[32];
2427 ERROR("validationData->ulDataLength != 48 or 52, but %d\n",
2428 validationData->ulDataLength);
2429 return PTS_INTERNAL_ERROR;
2433 /* setup PCR composite */
2434 // PCR Select is confusing
2435 // PCR 0,1,2,3,4,5,6,7,8,10 => FF 05
2436 for (i = 23; i > 0; i--) { // 23-1
2437 if (pcrs->pcr_select[i] == 1) {
2440 DEBUG("validatePcrCompositeV12() - PCR[%d] - selected\n", i);
2444 if (pcrs->pcr_select[i] == 1) { // 0
2447 DEBUG("validatePcrCompositeV12() - PCR[%d] - selected\n", i);
2453 if (((mask >> 16) & 0xFF) != 0) {
2455 } else if (((mask >> 8) & 0xFF) != 0) {
2463 value_size = 20 * count;
2464 buf_len = 2 + pcrsel_size + 4 + value_size;
2465 buf = xmalloc(buf_len);
2467 return PTS_INTERNAL_ERROR;
2469 memset(buf, 0, buf_len);
2471 /* PCR select size, UINT16 */
2473 buf[1] = pcrsel_size;
2475 /* select, 3 bytes*/
2477 buf[loc] = mask & 0xFF;
2478 buf[loc + 1] = (mask >> 8) & 0xFF;
2479 buf[loc + 2] = (mask >> 16) & 0xFF;
2482 /* Value Size, UINT32 */
2485 buf[loc + 2] = (value_size >> 8)& 0xFF;
2486 buf[loc + 3] = value_size & 0xFF;
2490 for (i = 0; i < MAX_PCRNUM; i++) {
2491 if (pcrs->pcr_select[i] == 1) {
2492 memcpy(ptr, pcrs->pcr[i], 20);
2499 SHA1_Update(&ctx, buf, buf_len);
2500 SHA1_Final(digest, &ctx);
2502 if (isDebugFlagSet(DEBUG_FLAG)) {
2503 DEBUG("PcrComposit\n");
2504 debugHex(NLS(MS_OPENPTS, OPENPTS_TSS_BUF, " buf:"), buf, buf_len, "\n");
2505 debugHex(NLS(MS_OPENPTS, OPENPTS_TSS_DIGEST, " digest:"), digest, 20, "\n");
2506 DEBUG("PcrComposit - select size : %d\n", pcrsel_size);
2507 DEBUG("PcrComposit - bit mask : 0x%08X\n", mask);
2511 if (memcmp(digest, composit_hash , 20) == 0) {
2512 // if (memcmp(digest, validationData->rgbData, 20) == 0) {
2513 /* HIT valid composit */
2516 DEBUG("validatePcrCompositeV12() - bad digest\n");
2517 if (isDebugFlagSet(DEBUG_FLAG)) {
2518 debugHex(" calc :", digest, 20, "\n");
2519 debugHex(" given :", composit_hash, 20, "\n");
2523 if (rc != PTS_SUCCESS) {
2525 DEBUG("validatePcrCompositeV12() - validation fail, rc = %d\n", rc);
2526 // 34 PTS_VERIFY_FAILED