1 /* Copyright 2018 Intel Corporation, Inc
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <sapi/tpm20.h>
20 #include "tpm2_plugin_api.h"
22 #include <tcti/tcti_device.h>
25 #include <tcti/tcti_socket.h>
27 #ifdef HAVE_TCTI_TABRMD
28 #include <tcti/tcti-tabrmd.h>
30 #define ARRAY_LEN(x) (sizeof(x)/sizeof(x[0]))
32 bool output_enabled = true;
33 bool hexPasswd = false;
34 TPM_HANDLE handle2048rsa;
35 const char *tcti_path="libtss2-tcti-device.so";
37 static void tcti_teardown(TSS2_TCTI_CONTEXT *tcti_context)
39 if (tcti_context == NULL)
41 tss2_tcti_finalize (tcti_context);
45 static void sapi_teardown(TSS2_SYS_CONTEXT *sapi_context)
47 if (sapi_context == NULL)
49 Tss2_Sys_Finalize (sapi_context);
53 static void sapi_teardown_full (TSS2_SYS_CONTEXT *sapi_context)
55 TSS2_TCTI_CONTEXT *tcti_context = NULL;
58 rc = Tss2_Sys_GetTctiContext (sapi_context, &tcti_context);
59 if (rc != TSS2_RC_SUCCESS)
61 sapi_teardown (sapi_context);
62 tcti_teardown (tcti_context);
65 int tpm2_plugin_init()
67 printf("Init API done for TPM plugin ! \n");
71 int tpm2_plugin_uninit()
73 printf("UnInit API done for TPM plugin ! \n");
77 TPM_HANDLE srk_handle;
78 int tpm2_plugin_activate(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *activate_in_info)
83 printf("number of buffers %d ! \n", activate_in_info->num_buffers);
84 if (activate_in_info->num_buffers!=1){
85 printf("activate failed ! \n");
88 printf("number of buffers %d ! \n", activate_in_info->num_buffers);
89 handle = malloc(activate_in_info->buffer_info[0]->length_of_buffer);
90 memcpy(handle, activate_in_info->buffer_info[0]->buffer, activate_in_info->buffer_info[0]->length_of_buffer);
91 srk_handle = strtol(handle, NULL, 16);
92 printf("Activate API done for TPM plugin ! \n");
96 TPMI_DH_OBJECT handle_load;
100 tcti_device_init (char const *device_file)
102 TCTI_DEVICE_CONF conf = {
103 .device_path = device_file,
109 TSS2_TCTI_CONTEXT *tcti_ctx;
111 rc = InitDeviceTcti (NULL, &size, 0);
112 if (rc != TSS2_RC_SUCCESS) {
114 "Failed to get allocation size for device tcti context: "
118 tcti_ctx = (TSS2_TCTI_CONTEXT*)calloc (1, size);
119 if (tcti_ctx == NULL) {
121 "Allocation for device TCTI context failed: %s\n",
125 rc = InitDeviceTcti (tcti_ctx, &size, &conf);
126 if (rc != TSS2_RC_SUCCESS) {
128 "Failed to initialize device TCTI context: 0x%x\n",
138 #ifdef HAVE_TCTI_SOCK
139 TSS2_TCTI_CONTEXT* tcti_socket_init (char const *address, uint16_t port)
141 TCTI_SOCKET_CONF conf = {
145 .logBufferCallback = NULL,
150 TSS2_TCTI_CONTEXT *tcti_ctx;
152 rc = InitSocketTcti (NULL, &size, &conf, 0);
153 if (rc != TSS2_RC_SUCCESS) {
154 fprintf (stderr, "Faled to get allocation size for tcti context: "
158 tcti_ctx = (TSS2_TCTI_CONTEXT*)calloc (1, size);
159 if (tcti_ctx == NULL) {
160 fprintf (stderr, "Allocation for tcti context failed: %s\n",
164 rc = InitSocketTcti (tcti_ctx, &size, &conf, 0);
165 if (rc != TSS2_RC_SUCCESS) {
166 fprintf (stderr, "Failed to initialize tcti context: 0x%x\n", rc);
173 #ifdef HAVE_TCTI_TABRMD
174 TSS2_TCTI_CONTEXT *tcti_tabrmd_init (void)
176 TSS2_TCTI_CONTEXT *tcti_ctx;
180 rc = tss2_tcti_tabrmd_init(NULL, &size);
181 if (rc != TSS2_RC_SUCCESS) {
182 printf("Failed to get size for TABRMD TCTI context: 0x%x", rc);
185 tcti_ctx = (TSS2_TCTI_CONTEXT*)calloc (1, size);
186 if (tcti_ctx == NULL) {
187 printf("Allocation for TABRMD TCTI context failed: %s", strerror (errno));
190 rc = tss2_tcti_tabrmd_init (tcti_ctx, &size);
191 if (rc != TSS2_RC_SUCCESS) {
192 printf("Failed to initialize TABRMD TCTI context: 0x%x", rc);
199 TSS2_TCTI_CONTEXT *tcti_init_from_options(common_opts_t *options)
201 switch (options->tcti_type) {
204 return tcti_device_init (options->device_file);
206 #ifdef HAVE_TCTI_SOCK
208 return tcti_socket_init (options->socket_address,
209 options->socket_port);
211 #ifdef HAVE_TCTI_TABRMD
213 return tcti_tabrmd_init ();
220 static TSS2_SYS_CONTEXT *sapi_ctx_init (TSS2_TCTI_CONTEXT *tcti_ctx)
222 TSS2_SYS_CONTEXT *sapi_ctx;
225 TSS2_ABI_VERSION abi_version = {
226 .tssCreator = TSSWG_INTEROP,
227 .tssFamily = TSS_SAPI_FIRST_FAMILY,
228 .tssLevel = TSS_SAPI_FIRST_LEVEL,
229 .tssVersion = TSS_SAPI_FIRST_VERSION,
232 size = Tss2_Sys_GetContextSize (0);
233 sapi_ctx = (TSS2_SYS_CONTEXT*)calloc (1, size);
234 if (sapi_ctx == NULL) {
236 "Failed to allocate 0x%zx bytes for the SAPI context\n",
240 rc = Tss2_Sys_Initialize (sapi_ctx, size, tcti_ctx, &abi_version);
241 if (rc != TSS2_RC_SUCCESS) {
242 fprintf (stderr, "Failed to initialize SAPI context: 0x%x\n", rc);
249 #define BUFFER_SIZE(type, field) (sizeof((((type *)NULL)->t.field)))
250 #define TPM2B_TYPE_INIT(type, field) { .t = { .size = BUFFER_SIZE(type, field), }, }
251 TPMS_AUTH_COMMAND sessionData;
252 int hex2ByteStructure(const char *inStr, UINT16 *byteLength, BYTE *byteBuffer)
254 int strLength;//if the inStr likes "1a2b...", no prefix "0x"
256 if(inStr == NULL || byteLength == NULL || byteBuffer == NULL)
258 strLength = strlen(inStr);
261 for(i = 0; i < strLength; i++)
263 if(!isxdigit(inStr[i]))
267 if(*byteLength < strLength/2)
270 *byteLength = strLength/2;
272 for(i = 0; i < *byteLength; i++)
274 char tmpStr[4] = {0};
275 tmpStr[0] = inStr[i*2];
276 tmpStr[1] = inStr[i*2+1];
277 byteBuffer[i] = strtol(tmpStr, NULL, 16);
281 int load_key(TSS2_SYS_CONTEXT *sapi_context,
282 TPMI_DH_OBJECT parentHandle,
283 TPM2B_PUBLIC *inPublic,
284 TPM2B_PRIVATE *inPrivate,
288 TPMS_AUTH_RESPONSE sessionDataOut;
289 TSS2_SYS_CMD_AUTHS sessionsData;
290 TSS2_SYS_RSP_AUTHS sessionsDataOut;
291 TPMS_AUTH_COMMAND *sessionDataArray[1];
292 TPMS_AUTH_RESPONSE *sessionDataOutArray[1];
294 TPM2B_NAME nameExt = TPM2B_TYPE_INIT(TPM2B_NAME, name);
296 sessionDataArray[0] = &sessionData;
297 sessionDataOutArray[0] = &sessionDataOut;
299 sessionsDataOut.rspAuths = &sessionDataOutArray[0];
300 sessionsData.cmdAuths = &sessionDataArray[0];
302 sessionsDataOut.rspAuthsCount = 1;
303 sessionsData.cmdAuthsCount = 1;
305 sessionData.sessionHandle = TPM_RS_PW;
306 sessionData.nonce.t.size = 0;
309 sessionData.hmac.t.size = 0;
311 *((UINT8 *)((void *)&sessionData.sessionAttributes)) = 0;
312 if (sessionData.hmac.t.size > 0 && hexPasswd)
314 sessionData.hmac.t.size = sizeof(sessionData.hmac) - 2;
315 if (hex2ByteStructure((char *)sessionData.hmac.t.buffer,
316 &sessionData.hmac.t.size,
317 sessionData.hmac.t.buffer) != 0)
319 printf( "Failed to convert Hex format password for parent Passwd.\n");
324 rval = Tss2_Sys_Load (sapi_context,
332 if(rval != TPM_RC_SUCCESS)
334 printf("\nLoad Object Failed ! ErrorCode: 0x%0x\n\n",rval);
337 printf("\nLoad succ.\nLoadedHandle: 0x%08x\n\n",handle2048rsa);
342 int read_public(TSS2_SYS_CONTEXT *sapi_context,
344 SSHSM_HW_PLUGIN_IMPORT_PUBLIC_KEY_INFO_t *importkey_info)
347 TPMS_AUTH_RESPONSE session_out_data;
348 TSS2_SYS_RSP_AUTHS sessions_out_data;
349 TPMS_AUTH_RESPONSE *session_out_data_array[1];
351 TPM2B_PUBLIC public = {
355 TPM2B_NAME name = TPM2B_TYPE_INIT(TPM2B_NAME, name);
357 TPM2B_NAME qualified_name = TPM2B_TYPE_INIT(TPM2B_NAME, name);
359 session_out_data_array[0] = &session_out_data;
360 sessions_out_data.rspAuths = &session_out_data_array[0];
361 sessions_out_data.rspAuthsCount = ARRAY_LEN(session_out_data_array);
363 TPM_RC rval = Tss2_Sys_ReadPublic(sapi_context, handle, 0,
364 &public, &name, &qualified_name, &sessions_out_data);
365 if (rval != TPM_RC_SUCCESS) {
366 printf("TPM2_ReadPublic error: rval = 0x%0x", rval);
370 printf("\nTPM2_ReadPublic OutPut: \n");
373 for (i = 0; i < name.t.size; i++)
374 printf("%02x ", name.t.name[i]);
377 printf("qualified_name: \n");
378 for (i = 0; i < qualified_name.t.size; i++)
379 printf("%02x ", qualified_name.t.name[i]);
382 printf("public.t.publicArea.parameters.rsaDetail.keyBits = %d \n", public.t.publicArea.parameters.rsaDetail.keyBits);
383 printf("public.t.publicArea.parameters.rsaDetail.exponent = %d \n", public.t.publicArea.parameters.rsaDetail.exponent);
385 importkey_info->modulus_size = public.t.publicArea.unique.rsa.t.size;
386 printf("importkey_info->modulus_size = %ld \n", importkey_info->modulus_size);
387 importkey_info->modulus = (unsigned char *) malloc(importkey_info->modulus_size);
388 if (importkey_info->modulus != NULL) {
389 memcpy(importkey_info->modulus, &public.t.publicArea.unique.rsa.t.buffer, importkey_info->modulus_size);
392 importkey_info->exponent_size = sizeof(public.t.publicArea.parameters.rsaDetail.exponent);
393 printf("importkey_info->exponent_size = %ld \n", importkey_info->exponent_size);
394 importkey_info->exponent = (unsigned char *) malloc(importkey_info->exponent_size);
395 if (importkey_info->exponent != NULL) {
396 memcpy(importkey_info->exponent, &public.t.publicArea.parameters.rsaDetail.exponent, importkey_info->exponent_size);
399 //*importkey_info->exponent = public.t.publicArea.parameters.rsaDetail.exponent;
404 TPMS_CONTEXT loaded_key_context;
406 int load_key_execute(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info,
407 void **keyHandle, TSS2_SYS_CONTEXT *sapi_context,
408 SSHSM_HW_PLUGIN_IMPORT_PUBLIC_KEY_INFO_t *importkey_info)
411 TPMI_DH_OBJECT parentHandle;
412 TPM2B_PUBLIC inPublic;
413 TPM2B_PRIVATE inPrivate;
417 memset(&inPublic,0,sizeof(TPM2B_PUBLIC));
418 memset(&inPrivate,0,sizeof(TPM2B_SENSITIVE));
420 setbuf(stdout, NULL);
421 setvbuf (stdout, NULL, _IONBF, BUFSIZ);
423 //parentHandle = 0x81000011;
424 parentHandle = srk_handle;
426 if (loadkey_in_info->num_buffers != 2)
428 memcpy(&inPublic, loadkey_in_info->buffer_info[0]->buffer,
429 loadkey_in_info->buffer_info[0]->length_of_buffer);
430 memcpy(&inPrivate, loadkey_in_info->buffer_info[1]->buffer,
431 loadkey_in_info->buffer_info[1]->length_of_buffer);
433 returnVal = load_key (sapi_context,
438 returnVal = read_public(sapi_context,
442 TPM_RC rval = Tss2_Sys_ContextSave(sapi_context, handle2048rsa, &loaded_key_context);
443 if (rval != TPM_RC_SUCCESS) {
444 printf("Tss2_Sys_ContextSave: Saving handle 0x%x context failed. TPM Error:0x%x", handle2048rsa, rval);
447 *keyHandle = &handle2048rsa;
451 int tpm2_plugin_load_key(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info,
453 SSHSM_HW_PLUGIN_IMPORT_PUBLIC_KEY_INFO_t *importkey_info)
456 common_opts_t opts = COMMON_OPTS_INITIALIZER;
457 TSS2_TCTI_CONTEXT *tcti_ctx;
458 tcti_ctx = tcti_init_from_options(&opts);
459 if (tcti_ctx == NULL)
462 TSS2_SYS_CONTEXT *sapi_context = NULL;
464 sapi_context = sapi_ctx_init(tcti_ctx);
471 ret = load_key_execute(loadkey_in_info, keyHandle, sapi_context, importkey_info);
473 printf("Load key API failed in TPM plugin ! \n");
475 sapi_teardown_full(sapi_context);
477 printf("Load key API successful in TPM plugin ! \n");
482 typedef struct tpm_sign_ctx tpm_sign_ctx;
483 struct tpm_sign_ctx {
484 TPMT_TK_HASHCHECK validation;
485 TPMS_AUTH_COMMAND sessionData;
486 TPMI_DH_OBJECT keyHandle;
488 char outFilePath[PATH_MAX];
491 TSS2_SYS_CONTEXT *sapi_context;
494 int tpm2_plugin_rsa_sign_init(
496 unsigned long mechanism,
500 printf("rsa_sign_init API mechanism is %lx \n", mechanism);
501 printf("rsa_sign_init API done for tpm2_plugin... \n");
505 UINT32 tpm_hash(TSS2_SYS_CONTEXT *sapi_context, TPMI_ALG_HASH hashAlg,
506 UINT16 size, BYTE *data, TPM2B_DIGEST *result) {
507 TPM2B_MAX_BUFFER dataSizedBuffer;
509 dataSizedBuffer.t.size = size;
510 memcpy(dataSizedBuffer.t.buffer, data, size);
511 return Tss2_Sys_Hash(sapi_context, 0, &dataSizedBuffer, hashAlg,
512 TPM_RH_NULL, result, 0, 0);
515 static TPM_RC hash_sequence_ex(TSS2_SYS_CONTEXT *sapi_context,
517 TPMI_ALG_HASH hashAlg, UINT32 numBuffers, TPM2B_MAX_BUFFER *bufferList,
518 TPM2B_DIGEST *result) {
521 TPMI_DH_OBJECT sequenceHandle;
523 TPMT_TK_HASHCHECK validation;
525 TPMS_AUTH_COMMAND cmdAuth;
526 TPMS_AUTH_COMMAND *cmdSessionArray[1] = { &cmdAuth };
527 TSS2_SYS_CMD_AUTHS cmdAuthArray = { 1, &cmdSessionArray[0] };
530 emptyBuffer.size = 0;
532 // Set result size to 0, in case any errors occur
535 // Init input sessions struct
536 cmdAuth.sessionHandle = TPM_RS_PW;
537 cmdAuth.nonce.t.size = 0;
538 *((UINT8 *) ((void *) &cmdAuth.sessionAttributes)) = 0;
539 cmdAuth.hmac.t.size = 0;
541 rval = Tss2_Sys_HashSequenceStart(sapi_context, 0, &nullAuth, hashAlg,
543 if (rval != TPM_RC_SUCCESS) {
548 for (i = 0; i < numBuffers; i++) {
549 rval = Tss2_Sys_SequenceUpdate(sapi_context, sequenceHandle,
550 &cmdAuthArray, &bufferList[i], 0);
552 if (rval != TPM_RC_SUCCESS) {
557 rval = Tss2_Sys_SequenceComplete(sapi_context, sequenceHandle,
558 &cmdAuthArray, (TPM2B_MAX_BUFFER *) &emptyBuffer,
559 TPM_RH_PLATFORM, result, &validation, 0);
561 if (rval != TPM_RC_SUCCESS) {
568 int tpm_hash_compute_data(TSS2_SYS_CONTEXT *sapi_context, BYTE *buffer,
569 UINT16 length, TPMI_ALG_HASH halg, TPM2B_DIGEST *result) {
571 if (length <= MAX_DIGEST_BUFFER) {
572 if (tpm_hash(sapi_context, halg, length, buffer,
573 result) == TPM_RC_SUCCESS)
579 UINT8 numBuffers = (length - 1) / MAX_DIGEST_BUFFER + 1;
581 TPM2B_MAX_BUFFER *bufferList = (TPM2B_MAX_BUFFER *) calloc(numBuffers,
582 sizeof(TPM2B_MAX_BUFFER));
583 if (bufferList == NULL)
587 for (i = 0; i < (UINT32)(numBuffers - 1); i++) {
588 bufferList[i].t.size = MAX_DIGEST_BUFFER;
589 memcpy(bufferList[i].t.buffer, buffer + i * MAX_DIGEST_BUFFER,
592 bufferList[i].t.size = length - i * MAX_DIGEST_BUFFER;
593 memcpy(bufferList[i].t.buffer, buffer + i * MAX_DIGEST_BUFFER,
594 bufferList[i].t.size);
596 TPM_RC rval = hash_sequence_ex(sapi_context, halg, numBuffers, bufferList, result);
598 return rval == TPM_RC_SUCCESS ? 0 : -3;
602 static bool get_key_type(TSS2_SYS_CONTEXT *sapi_context, TPMI_DH_OBJECT objectHandle,
603 TPMI_ALG_PUBLIC *type) {
605 TPMS_AUTH_RESPONSE session_data_out;
607 TPMS_AUTH_RESPONSE *session_data_out_array[1] = {
611 TSS2_SYS_RSP_AUTHS sessions_data_out = {
613 &session_data_out_array[0]
616 TPM2B_PUBLIC out_public = {
620 TPM2B_NAME name = TPM2B_TYPE_INIT(TPM2B_NAME, name);
622 TPM2B_NAME qaulified_name = TPM2B_TYPE_INIT(TPM2B_NAME, name);
624 TPM_RC rval = Tss2_Sys_ReadPublic(sapi_context, objectHandle, 0, &out_public, &name,
625 &qaulified_name, &sessions_data_out);
626 if (rval != TPM_RC_SUCCESS) {
627 printf("Sys_ReadPublic failed, error code: 0x%x", rval);
630 *type = out_public.t.publicArea.type;
634 static bool set_scheme(TSS2_SYS_CONTEXT *sapi_context, TPMI_DH_OBJECT keyHandle,
635 TPMI_ALG_HASH halg, TPMT_SIG_SCHEME *inScheme) {
638 bool result = get_key_type(sapi_context, keyHandle, &type);
645 inScheme->scheme = TPM_ALG_RSASSA;
646 inScheme->details.rsassa.hashAlg = halg;
648 case TPM_ALG_KEYEDHASH :
649 inScheme->scheme = TPM_ALG_HMAC;
650 inScheme->details.hmac.hashAlg = halg;
653 inScheme->scheme = TPM_ALG_ECDSA;
654 inScheme->details.ecdsa.hashAlg = halg;
656 case TPM_ALG_SYMCIPHER :
658 printf("Unknown key type, got: 0x%x", type);
664 static bool sign_and_save(tpm_sign_ctx *ctx, unsigned char *sig, int *sig_len) {
665 TPM2B_DIGEST digest = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer);
667 TPMT_SIG_SCHEME in_scheme;
668 TPMT_SIGNATURE signature;
670 TSS2_SYS_CMD_AUTHS sessions_data;
671 TPMS_AUTH_RESPONSE session_data_out;
672 TSS2_SYS_RSP_AUTHS sessions_data_out;
673 TPMS_AUTH_COMMAND *session_data_array[1];
674 TPMS_AUTH_RESPONSE *session_data_out_array[1];
676 session_data_array[0] = &ctx->sessionData;
677 sessions_data.cmdAuths = &session_data_array[0];
678 session_data_out_array[0] = &session_data_out;
679 sessions_data_out.rspAuths = &session_data_out_array[0];
680 sessions_data_out.rspAuthsCount = 1;
681 sessions_data.cmdAuthsCount = 1;
683 int rc = tpm_hash_compute_data(ctx->sapi_context, ctx->msg, ctx->length, ctx->halg, &digest);
685 printf("Compute message hash failed!");
689 bool result = set_scheme(ctx->sapi_context, ctx->keyHandle, ctx->halg, &in_scheme);
694 TPM_RC rval = Tss2_Sys_Sign(ctx->sapi_context, ctx->keyHandle,
695 &sessions_data, &digest, &in_scheme,
696 &ctx->validation, &signature,
699 if (rval != TPM_RC_SUCCESS) {
700 printf("Sys_Sign failed, error code: 0x%x", rval);
703 signature_len = sizeof(signature);
704 sig_len = &signature_len;
705 sig = (unsigned char *)&signature;
710 int tpm2_plugin_rsa_sign(
712 unsigned long mechanism,
719 common_opts_t opts = COMMON_OPTS_INITIALIZER;
720 TSS2_TCTI_CONTEXT *tcti_ctx;
721 tcti_ctx = tcti_init_from_options(&opts);
722 if (tcti_ctx == NULL)
725 TSS2_SYS_CONTEXT *sapi_context = NULL;
727 sapi_context = sapi_ctx_init(tcti_ctx);
736 .sessionData = { 0 },
740 .sapi_context = sapi_context
743 printf("rsa_sign API mechanism is %lx \n", mechanism);
744 ctx.sessionData.sessionHandle = TPM_RS_PW;
745 ctx.validation.tag = TPM_ST_HASHCHECK;
746 ctx.validation.hierarchy = TPM_RH_NULL;
747 ctx.halg = TPM_ALG_SHA256;
748 ctx.keyHandle = *(TPMI_DH_OBJECT *)keyHandle;
750 rval = Tss2_Sys_ContextLoad(ctx.sapi_context, &loaded_key_context, &ctx.keyHandle);
751 if (rval != TPM_RC_SUCCESS) {
752 printf("ContextLoad Error in RSA Sign API. TPM Error:0x%x", rval);
755 ctx.length = msg_len;
758 if (!sign_and_save(&ctx, sig, sig_len)){
759 printf("RSA sign failed\n");
763 printf("RSA sign API successful in TPM plugin ! \n");
766 sapi_teardown_full(sapi_context);
Code Review / aaf / sshsm.git / blob