1 /* Copyright 2018 Intel Corporation, Inc
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <sapi/tpm20.h>
20 #include "tpm2_plugin_api.h"
22 #include <tcti/tcti_device.h>
25 #include <tcti/tcti_socket.h>
27 #ifdef HAVE_TCTI_TABRMD
28 #include <tcti/tcti-tabrmd.h>
30 bool output_enabled = true;
31 bool hexPasswd = false;
32 TPM_HANDLE handle2048rsa;
33 const char *tcti_path="libtss2-tcti-device.so";
35 static void tcti_teardown(TSS2_TCTI_CONTEXT *tcti_context)
37 if (tcti_context == NULL)
39 tss2_tcti_finalize (tcti_context);
43 static void sapi_teardown(TSS2_SYS_CONTEXT *sapi_context)
45 if (sapi_context == NULL)
47 Tss2_Sys_Finalize (sapi_context);
51 static void sapi_teardown_full (TSS2_SYS_CONTEXT *sapi_context)
53 TSS2_TCTI_CONTEXT *tcti_context = NULL;
56 rc = Tss2_Sys_GetTctiContext (sapi_context, &tcti_context);
57 if (rc != TSS2_RC_SUCCESS)
59 sapi_teardown (sapi_context);
60 tcti_teardown (tcti_context);
63 int tpm2_plugin_init()
65 printf("Init API done for TPM plugin ! \n");
69 int tpm2_plugin_uninit()
71 printf("UnInit API done for TPM plugin ! \n");
75 TPM_HANDLE srk_handle;
76 int tpm2_plugin_activate(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *activate_in_info)
81 printf("number of buffers %d ! \n", activate_in_info->num_buffers);
82 if (activate_in_info->num_buffers!=1){
83 printf("activate failed ! \n");
86 printf("number of buffers %d ! \n", activate_in_info->num_buffers);
87 handle = malloc(activate_in_info->buffer_info[0]->length_of_buffer);
88 memcpy(handle, activate_in_info->buffer_info[0]->buffer, activate_in_info->buffer_info[0]->length_of_buffer);
89 srk_handle = strtol(handle, NULL, 16);
90 printf("Activate API done for TPM plugin ! \n");
94 TPMI_DH_OBJECT handle_load;
98 tcti_device_init (char const *device_file)
100 TCTI_DEVICE_CONF conf = {
101 .device_path = device_file,
107 TSS2_TCTI_CONTEXT *tcti_ctx;
109 rc = InitDeviceTcti (NULL, &size, 0);
110 if (rc != TSS2_RC_SUCCESS) {
112 "Failed to get allocation size for device tcti context: "
116 tcti_ctx = (TSS2_TCTI_CONTEXT*)calloc (1, size);
117 if (tcti_ctx == NULL) {
119 "Allocation for device TCTI context failed: %s\n",
123 rc = InitDeviceTcti (tcti_ctx, &size, &conf);
124 if (rc != TSS2_RC_SUCCESS) {
126 "Failed to initialize device TCTI context: 0x%x\n",
135 #ifdef HAVE_TCTI_SOCK
136 TSS2_TCTI_CONTEXT* tcti_socket_init (char const *address, uint16_t port)
138 TCTI_SOCKET_CONF conf = {
142 .logBufferCallback = NULL,
147 TSS2_TCTI_CONTEXT *tcti_ctx;
149 rc = InitSocketTcti (NULL, &size, &conf, 0);
150 if (rc != TSS2_RC_SUCCESS) {
151 fprintf (stderr, "Faled to get allocation size for tcti context: "
155 tcti_ctx = (TSS2_TCTI_CONTEXT*)calloc (1, size);
156 if (tcti_ctx == NULL) {
157 fprintf (stderr, "Allocation for tcti context failed: %s\n",
161 rc = InitSocketTcti (tcti_ctx, &size, &conf, 0);
162 if (rc != TSS2_RC_SUCCESS) {
163 fprintf (stderr, "Failed to initialize tcti context: 0x%x\n", rc);
170 #ifdef HAVE_TCTI_TABRMD
171 TSS2_TCTI_CONTEXT *tcti_tabrmd_init (void)
173 TSS2_TCTI_CONTEXT *tcti_ctx;
177 rc = tss2_tcti_tabrmd_init(NULL, &size);
178 if (rc != TSS2_RC_SUCCESS) {
179 printf("Failed to get size for TABRMD TCTI context: 0x%x", rc);
182 tcti_ctx = (TSS2_TCTI_CONTEXT*)calloc (1, size);
183 if (tcti_ctx == NULL) {
184 printf("Allocation for TABRMD TCTI context failed: %s", strerror (errno));
187 rc = tss2_tcti_tabrmd_init (tcti_ctx, &size);
188 if (rc != TSS2_RC_SUCCESS) {
189 printf("Failed to initialize TABRMD TCTI context: 0x%x", rc);
196 TSS2_TCTI_CONTEXT *tcti_init_from_options(common_opts_t *options)
198 switch (options->tcti_type) {
201 return tcti_device_init (options->device_file);
203 #ifdef HAVE_TCTI_SOCK
205 return tcti_socket_init (options->socket_address,
206 options->socket_port);
208 #ifdef HAVE_TCTI_TABRMD
210 return tcti_tabrmd_init ();
217 static TSS2_SYS_CONTEXT *sapi_ctx_init (TSS2_TCTI_CONTEXT *tcti_ctx)
219 TSS2_SYS_CONTEXT *sapi_ctx;
222 TSS2_ABI_VERSION abi_version = {
223 .tssCreator = TSSWG_INTEROP,
224 .tssFamily = TSS_SAPI_FIRST_FAMILY,
225 .tssLevel = TSS_SAPI_FIRST_LEVEL,
226 .tssVersion = TSS_SAPI_FIRST_VERSION,
229 size = Tss2_Sys_GetContextSize (0);
230 sapi_ctx = (TSS2_SYS_CONTEXT*)calloc (1, size);
231 if (sapi_ctx == NULL) {
233 "Failed to allocate 0x%zx bytes for the SAPI context\n",
237 rc = Tss2_Sys_Initialize (sapi_ctx, size, tcti_ctx, &abi_version);
238 if (rc != TSS2_RC_SUCCESS) {
239 fprintf (stderr, "Failed to initialize SAPI context: 0x%x\n", rc);
246 #define BUFFER_SIZE(type, field) (sizeof((((type *)NULL)->t.field)))
247 #define TPM2B_TYPE_INIT(type, field) { .t = { .size = BUFFER_SIZE(type, field), }, }
248 TPMS_AUTH_COMMAND sessionData;
249 int hex2ByteStructure(const char *inStr, UINT16 *byteLength, BYTE *byteBuffer)
251 int strLength;//if the inStr likes "1a2b...", no prefix "0x"
253 if(inStr == NULL || byteLength == NULL || byteBuffer == NULL)
255 strLength = strlen(inStr);
258 for(i = 0; i < strLength; i++)
260 if(!isxdigit(inStr[i]))
264 if(*byteLength < strLength/2)
267 *byteLength = strLength/2;
269 for(i = 0; i < *byteLength; i++)
271 char tmpStr[4] = {0};
272 tmpStr[0] = inStr[i*2];
273 tmpStr[1] = inStr[i*2+1];
274 byteBuffer[i] = strtol(tmpStr, NULL, 16);
278 int load_key(TSS2_SYS_CONTEXT *sapi_context,
279 TPMI_DH_OBJECT parentHandle,
280 TPM2B_PUBLIC *inPublic,
281 TPM2B_PRIVATE *inPrivate,
285 TPMS_AUTH_RESPONSE sessionDataOut;
286 TSS2_SYS_CMD_AUTHS sessionsData;
287 TSS2_SYS_RSP_AUTHS sessionsDataOut;
288 TPMS_AUTH_COMMAND *sessionDataArray[1];
289 TPMS_AUTH_RESPONSE *sessionDataOutArray[1];
291 TPM2B_NAME nameExt = TPM2B_TYPE_INIT(TPM2B_NAME, name);
293 sessionDataArray[0] = &sessionData;
294 sessionDataOutArray[0] = &sessionDataOut;
296 sessionsDataOut.rspAuths = &sessionDataOutArray[0];
297 sessionsData.cmdAuths = &sessionDataArray[0];
299 sessionsDataOut.rspAuthsCount = 1;
300 sessionsData.cmdAuthsCount = 1;
302 sessionData.sessionHandle = TPM_RS_PW;
303 sessionData.nonce.t.size = 0;
306 sessionData.hmac.t.size = 0;
308 *((UINT8 *)((void *)&sessionData.sessionAttributes)) = 0;
309 if (sessionData.hmac.t.size > 0 && hexPasswd)
311 sessionData.hmac.t.size = sizeof(sessionData.hmac) - 2;
312 if (hex2ByteStructure((char *)sessionData.hmac.t.buffer,
313 &sessionData.hmac.t.size,
314 sessionData.hmac.t.buffer) != 0)
316 printf( "Failed to convert Hex format password for parent Passwd.\n");
321 rval = Tss2_Sys_Load (sapi_context,
329 if(rval != TPM_RC_SUCCESS)
331 printf("\nLoad Object Failed ! ErrorCode: 0x%0x\n\n",rval);
334 printf("\nLoad succ.\nLoadedHandle: 0x%08x\n\n",handle2048rsa);
339 TPMS_CONTEXT loaded_key_context;
341 int load_key_execute(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info,
342 void **keyHandle, TSS2_SYS_CONTEXT *sapi_context)
345 TPMI_DH_OBJECT parentHandle;
346 TPM2B_PUBLIC inPublic;
347 TPM2B_PRIVATE inPrivate;
351 memset(&inPublic,0,sizeof(TPM2B_PUBLIC));
352 memset(&inPrivate,0,sizeof(TPM2B_SENSITIVE));
354 setbuf(stdout, NULL);
355 setvbuf (stdout, NULL, _IONBF, BUFSIZ);
357 //parentHandle = 0x81000011;
358 parentHandle = srk_handle;
360 if (loadkey_in_info->num_buffers != 2)
362 memcpy(&inPublic, loadkey_in_info->buffer_info[0]->buffer,
363 loadkey_in_info->buffer_info[0]->length_of_buffer);
364 memcpy(&inPrivate, loadkey_in_info->buffer_info[1]->buffer,
365 loadkey_in_info->buffer_info[1]->length_of_buffer);
367 returnVal = load_key (sapi_context,
373 TPM_RC rval = Tss2_Sys_ContextSave(sapi_context, handle2048rsa, &loaded_key_context);
374 if (rval != TPM_RC_SUCCESS) {
375 printf("Tss2_Sys_ContextSave: Saving handle 0x%x context failed. TPM Error:0x%x", handle2048rsa, rval);
378 *keyHandle = &handle2048rsa;
382 int tpm2_plugin_load_key(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info,
384 SSHSM_HW_PLUGIN_IMPORT_PUBLIC_KEY_INFO_t *importkey_info)
387 common_opts_t opts = COMMON_OPTS_INITIALIZER;
388 TSS2_TCTI_CONTEXT *tcti_ctx;
389 tcti_ctx = tcti_init_from_options(&opts);
390 if (tcti_ctx == NULL)
393 TSS2_SYS_CONTEXT *sapi_context = NULL;
395 sapi_context = sapi_ctx_init(tcti_ctx);
402 ret = load_key_execute(loadkey_in_info, keyHandle, sapi_context);
404 printf("Load key API failed in TPM plugin ! \n");
406 sapi_teardown_full(sapi_context);
408 printf("Load key API successful in TPM plugin ! \n");
413 typedef struct tpm_sign_ctx tpm_sign_ctx;
414 struct tpm_sign_ctx {
415 TPMT_TK_HASHCHECK validation;
416 TPMS_AUTH_COMMAND sessionData;
417 TPMI_DH_OBJECT keyHandle;
419 char outFilePath[PATH_MAX];
422 TSS2_SYS_CONTEXT *sapi_context;
425 //create a table to consolidate all parts of data from multiple SignUpdate from sessions
426 CONCATENATE_DATA_SIGNUPDATE_t data_signupdate_session[MAX_SESSIONS];
427 unsigned long sign_sequence_id = 0;
428 int tpm2_plugin_rsa_sign_init(
430 unsigned long mechanism,
433 void **plugin_data_ref
436 printf("rsa_sign_init API mechanism is %ld \n", mechanism);
437 printf("rsa_sign_init API len is %d \n", len);
441 unsigned long hSession = sign_sequence_id;
443 for (i = 0; i < MAX_SESSIONS; i++){
444 if (data_signupdate_session[i].session_handle == 0){
445 data_signupdate_session[i].session_handle = hSession;
446 for (j = 0; j < MAX_DATA_SIGNUPDATE; j++ )
447 data_signupdate_session[i].data_signupdate[j] = 0;
448 data_signupdate_session[i].data_length = 0;
451 *plugin_data_ref = (void *)hSession;
453 printf("rsa_sign_init API done for tpm2_plugin... \n");
457 /** This function is called by SSHSM only if there sign_final function is not called.
458 If sign_final function is called, it is assumed that plugin would have cleaned this up.
461 int tpm2_plugin_rsa_sign_cleanup(
463 unsigned long mechnaism,
464 void *plugin_data_ref
468 unsigned long hSession = (unsigned long)plugin_data_ref;
469 for (i = 0; i < MAX_SESSIONS; i++) {
470 if (data_signupdate_session[i].session_handle == hSession){
471 data_signupdate_session[i].session_handle = 0;
472 for (j =0; j < MAX_DATA_SIGNUPDATE; j++ )
473 data_signupdate_session[i].data_signupdate[j] =0;
474 data_signupdate_session[i].data_length = 0;
478 if (sign_sequence_id>0xfffffffe)
484 UINT32 tpm_hash(TSS2_SYS_CONTEXT *sapi_context, TPMI_ALG_HASH hashAlg,
485 UINT16 size, BYTE *data, TPM2B_DIGEST *result) {
486 TPM2B_MAX_BUFFER dataSizedBuffer;
488 dataSizedBuffer.t.size = size;
489 memcpy(dataSizedBuffer.t.buffer, data, size);
490 return Tss2_Sys_Hash(sapi_context, 0, &dataSizedBuffer, hashAlg,
491 TPM_RH_NULL, result, 0, 0);
494 static TPM_RC hash_sequence_ex(TSS2_SYS_CONTEXT *sapi_context,
496 TPMI_ALG_HASH hashAlg, UINT32 numBuffers, TPM2B_MAX_BUFFER *bufferList,
497 TPM2B_DIGEST *result) {
500 TPMI_DH_OBJECT sequenceHandle;
502 TPMT_TK_HASHCHECK validation;
504 TPMS_AUTH_COMMAND cmdAuth;
505 TPMS_AUTH_COMMAND *cmdSessionArray[1] = { &cmdAuth };
506 TSS2_SYS_CMD_AUTHS cmdAuthArray = { 1, &cmdSessionArray[0] };
509 emptyBuffer.size = 0;
511 // Set result size to 0, in case any errors occur
514 // Init input sessions struct
515 cmdAuth.sessionHandle = TPM_RS_PW;
516 cmdAuth.nonce.t.size = 0;
517 *((UINT8 *) ((void *) &cmdAuth.sessionAttributes)) = 0;
518 cmdAuth.hmac.t.size = 0;
520 rval = Tss2_Sys_HashSequenceStart(sapi_context, 0, &nullAuth, hashAlg,
522 if (rval != TPM_RC_SUCCESS) {
527 for (i = 0; i < numBuffers; i++) {
528 rval = Tss2_Sys_SequenceUpdate(sapi_context, sequenceHandle,
529 &cmdAuthArray, &bufferList[i], 0);
531 if (rval != TPM_RC_SUCCESS) {
536 rval = Tss2_Sys_SequenceComplete(sapi_context, sequenceHandle,
537 &cmdAuthArray, (TPM2B_MAX_BUFFER *) &emptyBuffer,
538 TPM_RH_PLATFORM, result, &validation, 0);
540 if (rval != TPM_RC_SUCCESS) {
547 int tpm_hash_compute_data(TSS2_SYS_CONTEXT *sapi_context, BYTE *buffer,
548 UINT16 length, TPMI_ALG_HASH halg, TPM2B_DIGEST *result) {
550 if (length <= MAX_DIGEST_BUFFER) {
551 if (tpm_hash(sapi_context, halg, length, buffer,
552 result) == TPM_RC_SUCCESS){
553 printf("Single hash result size: %d\n", result->t.size);
560 UINT8 numBuffers = (length - 1) / MAX_DIGEST_BUFFER + 1;
562 TPM2B_MAX_BUFFER *bufferList = (TPM2B_MAX_BUFFER *) calloc(numBuffers,
563 sizeof(TPM2B_MAX_BUFFER));
564 if (bufferList == NULL)
568 for (i = 0; i < (UINT32)(numBuffers - 1); i++) {
569 bufferList[i].t.size = MAX_DIGEST_BUFFER;
570 memcpy(bufferList[i].t.buffer, buffer + i * MAX_DIGEST_BUFFER,
573 bufferList[i].t.size = length - i * MAX_DIGEST_BUFFER;
574 memcpy(bufferList[i].t.buffer, buffer + i * MAX_DIGEST_BUFFER,
575 bufferList[i].t.size);
577 TPM_RC rval = hash_sequence_ex(sapi_context, halg, numBuffers, bufferList, result);
579 printf("Sequence hash result size: %d\n", result->t.size);
580 return rval == TPM_RC_SUCCESS ? 0 : -3;
584 static bool get_key_type(TSS2_SYS_CONTEXT *sapi_context, TPMI_DH_OBJECT objectHandle,
585 TPMI_ALG_PUBLIC *type) {
587 TPMS_AUTH_RESPONSE session_data_out;
589 TPMS_AUTH_RESPONSE *session_data_out_array[1] = {
593 TSS2_SYS_RSP_AUTHS sessions_data_out = {
595 &session_data_out_array[0]
598 TPM2B_PUBLIC out_public = {
602 TPM2B_NAME name = TPM2B_TYPE_INIT(TPM2B_NAME, name);
604 TPM2B_NAME qaulified_name = TPM2B_TYPE_INIT(TPM2B_NAME, name);
606 TPM_RC rval = Tss2_Sys_ReadPublic(sapi_context, objectHandle, 0, &out_public, &name,
607 &qaulified_name, &sessions_data_out);
608 if (rval != TPM_RC_SUCCESS) {
609 printf("Sys_ReadPublic failed, error code: 0x%x", rval);
612 *type = out_public.t.publicArea.type;
616 static bool set_scheme(TSS2_SYS_CONTEXT *sapi_context, TPMI_DH_OBJECT keyHandle,
617 TPMI_ALG_HASH halg, TPMT_SIG_SCHEME *inScheme) {
620 bool result = get_key_type(sapi_context, keyHandle, &type);
627 inScheme->scheme = TPM_ALG_RSASSA;
628 inScheme->details.rsassa.hashAlg = halg;
630 case TPM_ALG_KEYEDHASH :
631 inScheme->scheme = TPM_ALG_HMAC;
632 inScheme->details.hmac.hashAlg = halg;
635 inScheme->scheme = TPM_ALG_ECDSA;
636 inScheme->details.ecdsa.hashAlg = halg;
638 case TPM_ALG_SYMCIPHER :
640 printf("Unknown key type, got: 0x%x", type);
646 static bool sign_and_save(tpm_sign_ctx *ctx, TPMT_SIGNATURE *sig) {
647 TPM2B_DIGEST digest = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer);
649 TPMT_SIG_SCHEME in_scheme;
650 TSS2_SYS_CMD_AUTHS sessions_data;
651 TPMS_AUTH_RESPONSE session_data_out;
652 TSS2_SYS_RSP_AUTHS sessions_data_out;
653 TPMS_AUTH_COMMAND *session_data_array[1];
654 TPMS_AUTH_RESPONSE *session_data_out_array[1];
656 session_data_array[0] = &ctx->sessionData;
657 sessions_data.cmdAuths = &session_data_array[0];
658 session_data_out_array[0] = &session_data_out;
659 sessions_data_out.rspAuths = &session_data_out_array[0];
660 sessions_data_out.rspAuthsCount = 1;
661 sessions_data.cmdAuthsCount = 1;
663 int rc = tpm_hash_compute_data(ctx->sapi_context, ctx->msg, ctx->length, ctx->halg, &digest);
665 printf("Compute message hash failed!");
669 printf("Compute message hash digest size : %d \n", digest.t.size);
671 bool result = set_scheme(ctx->sapi_context, ctx->keyHandle, ctx->halg, &in_scheme);
676 TPM_RC rval = Tss2_Sys_Sign(ctx->sapi_context, ctx->keyHandle,
677 &sessions_data, &digest, &in_scheme,
678 &ctx->validation, sig,
681 if (rval != TPM_RC_SUCCESS) {
682 printf("Sys_Sign failed, error code: 0x%x", rval);
689 int tpm2_plugin_rsa_sign(
691 unsigned long mechanism,
694 void *plugin_data_ref,
699 common_opts_t opts = COMMON_OPTS_INITIALIZER;
700 TPMT_SIGNATURE signature;
701 TSS2_TCTI_CONTEXT *tcti_ctx;
702 tcti_ctx = tcti_init_from_options(&opts);
703 if (tcti_ctx == NULL)
706 TSS2_SYS_CONTEXT *sapi_context = NULL;
708 sapi_context = sapi_ctx_init(tcti_ctx);
717 .sessionData = { 0 },
721 .sapi_context = sapi_context
724 printf("rsa_sign API mechanism is %lx \n", mechanism);
725 ctx.sessionData.sessionHandle = TPM_RS_PW;
726 ctx.validation.tag = TPM_ST_HASHCHECK;
727 ctx.validation.hierarchy = TPM_RH_NULL;
729 ctx.halg = TPM_ALG_SHA256;
731 printf("mechanism not supported! \n");
732 ctx.keyHandle = *(TPMI_DH_OBJECT *)keyHandle;
734 rval = Tss2_Sys_ContextLoad(ctx.sapi_context, &loaded_key_context, &ctx.keyHandle);
735 if (rval != TPM_RC_SUCCESS) {
736 printf("ContextLoad Error in RSA Sign API. TPM Error:0x%x", rval);
739 ctx.length = msg_len;
742 if (!sign_and_save(&ctx, &signature)){
743 printf("RSA sign failed\n");
747 *sig_len = (int)signature.signature.rsassa.sig.t.size;
748 printf("signature length: %d \n", *sig_len);
749 memcpy(sig, signature.signature.rsassa.sig.t.buffer, *sig_len);
750 printf("signature buffer size: %ld \n", sizeof(signature.signature.rsassa.sig.t.buffer));
751 printf("RSA sign API successful in TPM plugin ! \n");
754 sapi_teardown_full(sapi_context);
760 int tpm2_plugin_rsa_sign_update(
762 unsigned long mechanism,
765 void *plugin_data_ref
769 unsigned long hSession = (unsigned long)plugin_data_ref;
770 for (i = 0; i < MAX_SESSIONS; i++){
771 if (data_signupdate_session[i].session_handle == hSession){
772 n = data_signupdate_session[i].data_length;
773 for (j =0; j < msg_len; j++ )
774 data_signupdate_session[i].data_signupdate[n + j] = msg[j];
775 data_signupdate_session[i].data_length += msg_len;
782 int tpm2_plugin_rsa_sign_final(
784 unsigned long mechanism,
785 void *plugin_data_ref,
786 unsigned char *outsig,
791 unsigned long hSession = (unsigned long)plugin_data_ref;
794 for (i = 0; i < MAX_SESSIONS; i++){
795 if (data_signupdate_session[i].session_handle == hSession){
796 msg = data_signupdate_session[i].data_signupdate;
797 msg_len = data_signupdate_session[i].data_length;
798 tpm2_plugin_rsa_sign(keyHandle, mechanism, msg, msg_len, plugin_data_ref, outsig, outsiglen);
799 tpm2_plugin_rsa_sign_cleanup(keyHandle, mechanism, plugin_data_ref);