1 //**********************************************************************;
2 // Copyright (c) 2017, Intel Corporation
3 // All rights reserved.
5 // Redistribution and use in source and binary forms, with or without
6 // modification, are permitted provided that the following conditions are met:
8 // 1. Redistributions of source code must retain the above copyright notice,
9 // this list of conditions and the following disclaimer.
11 // 2. Redistributions in binary form must reproduce the above copyright notice,
12 // this list of conditions and the following disclaimer in the documentation
13 // and/or other materials provided with the distribution.
15 // 3. Neither the name of Intel Corporation nor the names of its contributors
16 // may be used to endorse or promote products derived from this software without
17 // specific prior written permission.
19 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
23 // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
29 // THE POSSIBILITY OF SUCH DAMAGE.
30 //**********************************************************************;
32 #include <tss2/tss2_sys.h>
35 #include "tpm2_plugin_api.h"
36 #include "tpm2_convert.h"
37 #include "tpm2_tcti_ldr.h"
38 #include "tpm2_tool.h"
39 #include "tpm2_hash.h"
40 #include "tpm2_alg_util.h"
// Global toggle, initialised to true; its consumers are not visible in this listing.
44 bool output_enabled = true;
// TCTI library name handed to tpm2_tcti_ldr_load() by tpm2_plugin_load_key()
// and tpm2_plugin_rsa_sign(). It is a bare file name rather than an absolute
// path, and the pointer itself is a writable, externally visible global (only
// the characters it points to are const).
// NOTE(review): if tpm2_tcti_ldr_load() resolves this name through the dynamic
// loader's search path (not visible here - confirm), the library that ends up
// carrying TPM traffic depends on the process environment. Consider an
// absolute path and `static const char *const`.
46 const char *tcti_path="libtss2-tcti-device.so";
// Finalizes the given TCTI context with Tss2_Tcti_Finalize().
// This listing omits lines of the function, so any NULL guard or release of
// the context memory is not visible here.
48 static void tcti_teardown (TSS2_TCTI_CONTEXT *tcti_context)
51 Tss2_Tcti_Finalize (tcti_context);
// Finalizes a SAPI context with Tss2_Sys_Finalize().
// A NULL context is tested for first; the statement guarded by that test is
// not shown in this listing.
55 static void sapi_teardown (TSS2_SYS_CONTEXT *sapi_context)
58 if (sapi_context == NULL)
60 Tss2_Sys_Finalize (sapi_context);
// Tears down a SAPI context together with the TCTI context it was bound to.
// The TCTI pointer is fetched from the SAPI context first, then
// sapi_teardown() runs before tcti_teardown().
64 static void sapi_teardown_full (TSS2_SYS_CONTEXT *sapi_context)
67 TSS2_TCTI_CONTEXT *tcti_context = NULL;
70 rc = Tss2_Sys_GetTctiContext (sapi_context, &tcti_context);
// NOTE(review): the statement taken on failure is not shown. If it returns
// early, neither context is finalized on that path - confirm.
71 if (rc != TPM2_RC_SUCCESS)
73 sapi_teardown (sapi_context);
74 tcti_teardown (tcti_context);
77 #define SUPPORTED_ABI_VERSION \
// Allocates and initialises a SAPI context on top of tcti_ctx.
// The buffer size comes from Tss2_Sys_GetContextSize(0), calloc() zero-fills
// it, and Tss2_Sys_Initialize() is given the ABI version from
// SUPPORTED_ABI_VERSION. Both failure cases are logged; the return statements
// are not shown in this listing.
85 static TSS2_SYS_CONTEXT* sapi_ctx_init(TSS2_TCTI_CONTEXT *tcti_ctx)
88 TSS2_ABI_VERSION abi_version = SUPPORTED_ABI_VERSION;
90 size_t size = Tss2_Sys_GetContextSize(0);
91 TSS2_SYS_CONTEXT *sapi_ctx = (TSS2_SYS_CONTEXT*) calloc(1, size);
92 if (sapi_ctx == NULL) {
93 LOG_ERR("Failed to allocate 0x%zx bytes for the SAPI context\n",
98 TSS2_RC rval = Tss2_Sys_Initialize(sapi_ctx, size, tcti_ctx, &abi_version);
// NOTE(review): confirm this failure path frees sapi_ctx before returning;
// the cleanup lines are not visible here.
99 if (rval != TPM2_RC_SUCCESS) {
100 LOG_PERR(Tss2_Sys_Initialize, rval);
// Plugin initialisation entry point. The only statement shown in this listing
// is the status printf(); the return value is not visible.
109 int tpm2_plugin_init()
111 printf("Init API done for TPM plugin ! \n");
// Plugin shutdown entry point. The only statement shown in this listing is the
// status printf(); the return value is not visible.
115 int tpm2_plugin_uninit()
117 printf("UnInit API done for TPM plugin ! \n");
121 TPM2_HANDLE srk_handle;
// Reads the SRK handle supplied by the caller and stores it in the global
// srk_handle. Exactly one input buffer is accepted; its bytes are copied to a
// heap buffer and parsed as a hexadecimal number with strtol().
// The declaration of `handle` and the return statements are not shown in this
// listing.
122 int tpm2_plugin_activate(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *activate_in_info)
127 printf("number of buffers %d ! \n", activate_in_info->num_buffers);
128 if (activate_in_info->num_buffers!=1){
129 printf("activate failed ! \n");
132 printf("number of buffers %d ! \n", activate_in_info->num_buffers);
// NOTE(review): the malloc() result is used without a visible NULL check, and
// activate_in_info, buffer_info[0] and its buffer pointer are dereferenced
// without validation.
133 handle = malloc(activate_in_info->buffer_info[0]->length_of_buffer);
134 memcpy(handle, activate_in_info->buffer_info[0]->buffer, activate_in_info->buffer_info[0]->length_of_buffer);
// NOTE(review): strtol() requires a NUL-terminated string, but exactly
// length_of_buffer bytes were copied and no terminator is appended. Unless the
// caller's buffer already ends in '\0', the parse reads past the allocation.
// Allocate length + 1 and terminate, pass an endptr, check errno and the value
// range before narrowing the long into TPM2_HANDLE, and reject unparsable
// input instead of storing 0. No free(handle) is visible in this listing -
// confirm the buffer is released.
135 srk_handle = strtol(handle, NULL, 16);
136 printf("Activate API done for TPM plugin ! \n");
// Handle value printed by load() after Tss2_Sys_Load(); it has external
// linkage and is shared by every call into this file.
140 TPM2_HANDLE handle_load;
// State for the key-load operation. Only some members are shown in this
// listing; the functions below also read flags, out_file and context_file.
142 typedef struct tpm_load_ctx tpm_load_ctx;
143 struct tpm_load_ctx {
// Authorization session passed to Tss2_Sys_Load() by load().
144 TPMS_AUTH_COMMAND session_data;
// Parent object under which the key is loaded.
145 TPMI_DH_OBJECT parent_handle;
146 TPM2B_PUBLIC in_public;
147 TPM2B_PRIVATE in_private;
// Path handed to files_load_tpm_context_from_path() when flag c is set.
150 char *context_parent_file;
// File-scope instance; its session fields default to TPM2_RS_PW with empty
// nonce and hmac and no session attributes.
// NOTE(review): with the password session handle TPM2_RS_PW the hmac field
// carries the plaintext authorization value, so this default authorizes with
// an empty password unless the field is filled in elsewhere (not visible
// here) - confirm that is intended for the parent key.
160 static tpm_load_ctx ctx_load = {
162 .sessionHandle = TPM2_RS_PW,
163 .nonce = TPM2B_EMPTY_INIT,
164 .hmac = TPM2B_EMPTY_INIT,
165 .sessionAttributes = 0
// Issues Tss2_Sys_Load() under ctx_load.parent_handle using the single
// authorization session stored in ctx_load.session_data. After the call the
// handle is printed and, when ctx_load.out_file is set, the bytes of nameExt
// are written to that file.
// Several argument lines of the Tss2_Sys_Load() call and the return statements
// are not shown in this listing.
169 int load (TSS2_SYS_CONTEXT *sapi_context) {
171 TSS2L_SYS_AUTH_COMMAND sessionsData;
172 TSS2L_SYS_AUTH_RESPONSE sessionsDataOut;
174 TPM2B_NAME nameExt = TPM2B_TYPE_INIT(TPM2B_NAME, name);
// Exactly one session is sent with the command.
176 sessionsData.count = 1;
177 sessionsData.auths[0] = ctx_load.session_data;
179 rval = TSS2_RETRY_EXP(Tss2_Sys_Load(sapi_context,
180 ctx_load.parent_handle,
182 &ctx_load.in_private,
187 if(rval != TPM2_RC_SUCCESS)
189 LOG_PERR(Tss2_Sys_Load, rval);
192 tpm2_tool_output("handle_load: 0x%08x\n", handle_load);
// NOTE(review): out_file is opened by path as given; where it comes from is
// not visible here. Confirm it cannot be influenced by an untrusted caller.
194 if (ctx_load.out_file) {
195 if(!files_save_bytes_to_file(ctx_load.out_file, nameExt.name, nameExt.size)) {
// Drives a key load from the state in ctx_load: checks the required flags,
// optionally restores the parent context from a file, calls load(), and
// optionally saves a context to ctx_load.context_file.
// File-helper results are inverted with `!= true`, so returnVal is 0 on
// success and 1 on failure for those calls.
203 int tpm2_tool_load_key(TSS2_SYS_CONTEXT *sapi_context)
// Requires a parent (flag H or flag c) together with both u and r.
// NOTE(review): no line visible in this listing sets ctx_load.flags or the
// public/private blobs from the plugin's input - confirm where they are
// populated, otherwise this check always fails.
208 if ((!ctx_load.flags.H && !ctx_load.flags.c) || (!ctx_load.flags.u || !ctx_load.flags.r)) {
209 LOG_ERR("Expected options (H or c) and u and r");
213 if(ctx_load.flags.c) {
214 returnVal = files_load_tpm_context_from_path(sapi_context,
215 &ctx_load.parent_handle,
216 ctx_load.context_parent_file) != true;
222 returnVal = load(sapi_context);
227 if (ctx_load.flags.C) {
228 returnVal = files_save_tpm_context_to_path (sapi_context,
230 ctx_load.context_file) != true;
// Plugin entry point for loading a key: loads the TCTI named by tcti_path,
// builds a SAPI context on it, runs tpm2_tool_load_key(), then tears the
// contexts down and unloads the TCTI.
// Part of the parameter list, the branch conditions and the return statements
// are not shown in this listing.
239 int tpm2_plugin_load_key(
240 SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info,
245 TSS2_TCTI_CONTEXT *tcti;
246 tcti = tpm2_tcti_ldr_load(tcti_path, NULL);
248 LOG_ERR("Could not load tcti, got: \"%s\"", tcti_path);
252 TSS2_SYS_CONTEXT *sapi_context = NULL;
// NOTE(review): confirm that a NULL result here unloads the TCTI before
// returning; that path is not visible.
254 sapi_context = sapi_ctx_init(tcti);
260 ret = tpm2_tool_load_key(sapi_context);
// NOTE(review): the message names "tpm2_tool_iload_key" although the call
// above is tpm2_tool_load_key(); this makes failures harder to trace in logs.
262 LOG_ERR("Unable to run tpm2_tool_iload_key");
// NOTE(review): confirm teardown runs on the success path as well; the
// enclosing braces are not shown.
263 sapi_teardown_full(sapi_context);
266 tpm2_tcti_ldr_unload();
270 printf("Load key API done for TPM plugin ! \n");
// State for the signing operation. Only some members are shown in this
// listing; the functions below also read flags, halg, digest, msg, length,
// inMsgFileName and outFilePath.
275 typedef struct tpm_sign_ctx tpm_sign_ctx;
276 struct tpm_sign_ctx {
// Ticket passed to Tss2_Sys_Sign() by sign_and_save().
277 TPMT_TK_HASHCHECK validation;
// Authorization session for the signing key.
278 TPMS_AUTH_COMMAND sessionData;
279 TPMI_DH_OBJECT keyHandle;
// Path handed to files_load_tpm_context_from_path() when flag c is set.
285 char *contextKeyFile;
// Output encoding given to tpm2_convert_sig().
287 tpm2_convert_sig_fmt sig_format;
// Global instance. Unlike ctx_load it is not static, so it is visible to other
// translation units and shared by every signing call.
301 tpm_sign_ctx ctx_sign = {
// Presumably a password session with an empty auth value - confirm against
// the TPMS_AUTH_COMMAND_INIT definition, which is not visible here.
303 .sessionData = TPMS_AUTH_COMMAND_INIT(TPM2_RS_PW),
// NOTE(review): SHA-1 is the default digest for signatures unless halg is
// overridden elsewhere (not visible here). SHA-1 no longer offers collision
// resistance; a SHA-256 default is the safer choice for new signatures.
304 .halg = TPM2_ALG_SHA1,
305 .digest = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer),
// Plugin entry point called before an RSA signing operation. The only
// statement shown in this listing is the status printf(); most of the
// parameter list and the return value are not visible.
309 int tpm2_plugin_rsa_sign_init(
// Spelled "mechanish" here and "mechanism" in tpm2_plugin_rsa_sign().
311 unsigned long mechanish,
315 printf("rsa_sign_init API done for tpm2_plugin... \n");
// Prepares ctx_sign for signing: validates the option flags, fills in a
// default hash-check ticket, optionally restores the key context from a file,
// and optionally reads the message file into ctx_sign.msg.
// The return statements and some branch bodies are not shown in this listing.
319 static bool init_sign(TSS2_SYS_CONTEXT *sapi_context) {
// Requires a key (k or c), an input (m or D) and flag s.
321 if (!((ctx_sign.flags.k || ctx_sign.flags.c) && (ctx_sign.flags.m || ctx_sign.flags.D) && ctx_sign.flags.s)) {
322 LOG_ERR("Expected options (k or c) and (m or D) and s");
326 if (ctx_sign.flags.D && (ctx_sign.flags.t || ctx_sign.flags.m)) {
327 LOG_WARN("Option D provided, options m and t are ignored.");
// Without a caller-supplied ticket (or when a digest is given directly) the
// ticket is set to TPM2_ST_HASHCHECK in the TPM2_RH_NULL hierarchy with a
// zeroed digest.
330 if (ctx_sign.flags.D || !ctx_sign.flags.t) {
331 ctx_sign.validation.tag = TPM2_ST_HASHCHECK;
332 ctx_sign.validation.hierarchy = TPM2_RH_NULL;
333 memset(&ctx_sign.validation.digest, 0, sizeof(ctx_sign.validation.digest));
337 * load tpm context from a file if -c is provided
339 if (ctx_sign.flags.c) {
340 bool result = files_load_tpm_context_from_path(sapi_context, &ctx_sign.keyHandle,
341 ctx_sign.contextKeyFile);
348 * Process the msg file if needed
350 if (ctx_sign.flags.m && !ctx_sign.flags.D) {
351 unsigned long file_size;
// NOTE(review): the size is queried by path here and the file is opened by
// path again below, so the file can change between the two calls. The load
// call receives ctx_sign.length, presumably as an upper bound on the read -
// confirm that files_load_bytes_from_path() never writes more than that.
352 bool result = files_get_file_size_path(ctx_sign.inMsgFileName, &file_size);
356 if (file_size == 0) {
357 LOG_ERR("The message file \"%s\" is empty!", ctx_sign.inMsgFileName);
// Messages larger than UINT16_MAX bytes are rejected.
361 if (file_size > UINT16_MAX) {
// NOTE(review): UINT16_MAX + 1 has type int but is printed with %u; cast the
// argument or use %d.
363 "The message file \"%s\" is too large, got: %lu bytes, expected less than: %u bytes!",
364 ctx_sign.inMsgFileName, file_size, UINT16_MAX + 1);
// NOTE(review): required_argument is the <getopt.h> option constant (value 1)
// used here as the calloc() element count. The allocation size is right only
// by coincidence; write calloc(1, file_size). The NULL check and any matching
// free() of ctx_sign.msg are not visible in this listing - confirm both.
368 ctx_sign.msg = (BYTE*) calloc(required_argument, file_size);
374 ctx_sign.length = file_size;
375 result = files_load_bytes_from_path(ctx_sign.inMsgFileName, ctx_sign.msg, &ctx_sign.length);
// Produces the signature and writes it out: hashes ctx_sign.msg unless a
// digest was supplied (flag D), looks up the signature scheme for the key,
// calls Tss2_Sys_Sign(), and returns the result of tpm2_convert_sig(), which
// is given ctx_sign.outFilePath and ctx_sign.sig_format.
// The early-return statements are not shown in this listing.
386 static bool sign_and_save(TSS2_SYS_CONTEXT *sapi_context) {
388 TPMT_SIG_SCHEME in_scheme;
389 TPMT_SIGNATURE signature;
// One authorization session, copied from ctx_sign.sessionData.
391 TSS2L_SYS_AUTH_COMMAND sessions_data = { 1, { ctx_sign.sessionData }};
392 TSS2L_SYS_AUTH_RESPONSE sessions_data_out;
394 if (!ctx_sign.flags.D) {
// The final argument is NULL, so nothing from the hash step is stored through
// it; Tss2_Sys_Sign() below uses ctx_sign.validation as prepared by
// init_sign().
395 bool res = tpm2_hash_compute_data(sapi_context, ctx_sign.halg, TPM2_RH_NULL,
396 ctx_sign.msg, ctx_sign.length, &ctx_sign.digest, NULL);
398 LOG_ERR("Compute message hash failed!");
403 bool result = get_signature_scheme(sapi_context, ctx_sign.keyHandle, ctx_sign.halg, &in_scheme);
408 TSS2_RC rval = TSS2_RETRY_EXP(Tss2_Sys_Sign(sapi_context, ctx_sign.keyHandle,
409 &sessions_data, &ctx_sign.digest, &in_scheme, &ctx_sign.validation, &signature,
410 &sessions_data_out));
411 if (rval != TPM2_RC_SUCCESS) {
412 LOG_PERR(Tss2_Sys_Sign, rval);
416 return tpm2_convert_sig(&signature, ctx_sign.sig_format, ctx_sign.outFilePath);
// Runs init_sign() followed by sign_and_save() and converts the boolean
// result to an int: 0 when the last step returned true, 1 otherwise.
// NOTE(review): ctx_sign.msg is allocated in init_sign(); no free() is visible
// in this listing - confirm it is released on every path.
420 int tpm2_tool_sign(TSS2_SYS_CONTEXT *sapi_context)
423 bool result = init_sign(sapi_context);
428 result = sign_and_save(sapi_context);
432 return result != true;
// Plugin entry point for RSA signing: loads the TCTI named by tcti_path,
// builds a SAPI context on it, runs tpm2_tool_sign(), then tears the contexts
// down and unloads the TCTI.
// Most of the parameter list, the branch conditions and the return statements
// are not shown in this listing.
// NOTE(review): no visible line copies the caller's message or key reference
// into ctx_sign - confirm where the signing input comes from.
436 int tpm2_plugin_rsa_sign(
438 unsigned long mechanism,
445 TSS2_TCTI_CONTEXT *tcti;
446 tcti = tpm2_tcti_ldr_load(tcti_path, NULL);
448 LOG_ERR("Could not load tcti, got: \"%s\"", tcti_path);
452 TSS2_SYS_CONTEXT *sapi_context = NULL;
// NOTE(review): confirm that a NULL result here unloads the TCTI before
// returning; that path is not visible.
454 sapi_context = sapi_ctx_init(tcti);
460 ret = tpm2_tool_sign(sapi_context);
462 LOG_ERR("Unable to run tpm2_tool_sign");
// NOTE(review): confirm teardown runs on the success path as well; the
// enclosing braces are not shown.
463 sapi_teardown_full(sapi_context);
466 tpm2_tcti_ldr_unload();
469 printf("rsa_sign API done for tpm2_plugin... \n");
472 int tpm2_rsa_create_object(
473 unsigned long appHandle,
474 //DhsmWPKRSAFormat* wpk,
486 int tpm2_rsa_delete_object(void *cb_object)
491 int tpm2_import_object(unsigned long appHandle,
492 unsigned char* tlvbuffer,
496 unsigned char* tpm_pwd,