tpm2-tools: Backport from upstream
Includes fixes and tpm2_encodeobject tool. Resolves: rhbz#2160304 Resolves: rhbz#2047342 Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
parent
e6f129fc87
commit
53479d9612
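--- /dev/null
+++ b/0001-Fix-nv_readpublic.patch
@@ -0,0 +1,62 @@
+From 4dffb4295392f69f00003b2879f60bd36076f22d Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Tue, 7 Dec 2021 13:21:58 -0700
+Subject: [PATCH 01/17] Fix nv_readpublic
+
+Based on 4af3e6b4 tpm2_nvreadpublic: Add option to output cpHash
+---
+lib/tpm2.c | 11 +++++++++--
+lib/tpm2_nv_util.h | 14 +-------------
+2 files changed, 10 insertions(+), 15 deletions(-)
+
+diff --git a/lib/tpm2.c b/lib/tpm2.c
+index 4ee27c8c..d91072ae 100644
+--- a/lib/tpm2.c
++++ b/lib/tpm2.c
+@@ -101,9 +101,16 @@ tool_rc tpm2_close(ESYS_CONTEXT *esys_context, ESYS_TR *rsrc_handle) {
+tool_rc tpm2_nv_readpublic(ESYS_CONTEXT *esys_context, ESYS_TR nv_index,
+TPM2B_NV_PUBLIC **nv_public, TPM2B_NAME **nv_name) {
+
+- TSS2_RC rval = Esys_NV_ReadPublic(esys_context, nv_index,
+- ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, nv_public, nv_name);
++ ESYS_TR esys_tr_nv_index;
++ TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, nv_index, ESYS_TR_NONE,
++ ESYS_TR_NONE, ESYS_TR_NONE, &esys_tr_nv_index);
++ if (rval != TPM2_RC_SUCCESS) {
++ LOG_PERR(Esys_TR_FromTPMPublic, rval);
++ return tool_rc_from_tpm(rval);
++ }
+
++ rval = Esys_NV_ReadPublic(esys_context, esys_tr_nv_index,
++ ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, nv_public, nv_name);
+if (rval != TSS2_RC_SUCCESS) {
+LOG_PERR(Esys_NV_ReadPublic, rval);
+return tool_rc_from_tpm(rval);
+diff --git a/lib/tpm2_nv_util.h b/lib/tpm2_nv_util.h
+index 99843156..daf8b624 100644
+--- a/lib/tpm2_nv_util.h
++++ b/lib/tpm2_nv_util.h
+@@ -28,19 +28,7 @@
+static inline tool_rc tpm2_util_nv_read_public(ESYS_CONTEXT *context,
+TPMI_RH_NV_INDEX nv_index, TPM2B_NV_PUBLIC **nv_public) {
+
+- ESYS_TR tr_object;
+- tool_rc rc = tpm2_from_tpm_public(context, nv_index, ESYS_TR_NONE,
+- ESYS_TR_NONE, ESYS_TR_NONE, &tr_object);
+- if (rc != tool_rc_success) {
+- return rc;
+- }
+-
+- rc = tpm2_nv_readpublic(context, tr_object, nv_public, NULL);
+- tool_rc tmp_rc = tpm2_close(context, &tr_object);
+- if (tmp_rc != tool_rc_success) {
+- rc = tmp_rc;
+- }
+- return rc;
++ return tpm2_nv_readpublic(context, nv_index, nv_public, 0);
+}
+
+/**
+--
+2.40.1
+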
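Review bot: The ESYS_TR obtained from `Esys_TR_FromTPMPublic` is never released: the new code returns after `Esys_NV_ReadPublic` (on the visible error path, and presumably on the success path, which lies outside the hunk) without closing `esys_tr_nv_index`, whereas the helper removed from tpm2_nv_util.h paired `tpm2_from_tpm_public` with `tpm2_close`, so each call now leaves an object handle behind in the ESYS context. Add `tool_rc tmp_rc = tpm2_close(esys_context, &esys_tr_nv_index);` after the Esys_NV_ReadPublic check and return tmp_rc when it is not tool_rc_success. The parameter is still typed `ESYS_TR nv_index` although it is now handed to `Esys_TR_FromTPMPublic` as a raw TPM handle (the header caller supplies a `TPMI_RH_NV_INDEX`), and the two success checks mix `TPM2_RC_SUCCESS` and `TSS2_RC_SUCCESS`. In tpm2_nv_util.h the `TPM2B_NAME **` argument is passed as `0`; write `NULL`.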
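--- /dev/null
+++ b/0002-tpm2_encodeobject-New-tool-to-encode-TPM2-object.patch
@@ -0,0 +1,385 @@
+From ba7682dc511f4ef6bbb8a15ca3bb0edf67ec39ce Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 17 Sep 2021 07:14:20 +0200
+Subject: [PATCH 02/17] tpm2_encodeobject: New tool to encode TPM2 object
+
+This adds a new tool tpm2_encodeobject in tools/misc. It takes
+public and private portions of an object and encode them in a combined
+PEM form used by tpm2-tss-engine and other applications.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+Makefile.am | 2 +
+man/tpm2_encodeobject.1.md | 92 +++++++++++++
+tools/misc/tpm2_encodeobject.c | 240 +++++++++++++++++++++++++++++++++
+3 files changed, 334 insertions(+)
+create mode 100644 man/tpm2_encodeobject.1.md
+create mode 100644 tools/misc/tpm2_encodeobject.c
+
+diff --git a/Makefile.am b/Makefile.am
+index 71322159..e1a51ebf 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -103,6 +103,7 @@ tools_tpm2_SOURCES = \
+tpm2_tools = \
+tools/misc/tpm2_certifyX509certutil.c \
+tools/misc/tpm2_checkquote.c \
++ tools/misc/tpm2_encodeobject.c \
+tools/misc/tpm2_eventlog.c \
+tools/misc/tpm2_print.c \
+tools/misc/tpm2_rc_decode.c \
+@@ -376,6 +377,7 @@ if HAVE_MAN_PAGES
+man/man1/tpm2_createprimary.1 \
+man/man1/tpm2_dictionarylockout.1 \
+man/man1/tpm2_duplicate.1 \
++ man/man1/tpm2_encodeobject.1 \
+man/man1/tpm2_getcap.1 \
+man/man1/tpm2_encryptdecrypt.1 \
+man/man1/tpm2_eventlog.1 \
+diff --git a/man/tpm2_encodeobject.1.md b/man/tpm2_encodeobject.1.md
+new file mode 100644
+index 00000000..791eafbd
+--- /dev/null
++++ b/man/tpm2_encodeobject.1.md
+@@ -0,0 +1,92 @@
++% tpm2_encodeobject(1) tpm2-tools | General Commands Manual
++
++# NAME
++
++**tpm2_encodeobject**(1) - Encode an object into a combined PEM format.
++
++# SYNOPSIS
++
++**tpm2_encodeobject** [*OPTIONS*]
++
++# DESCRIPTION
++
++**tpm2_encodeobject**(1) - Encode both the private and public portions of an
++object into a combined PEM format used by tpm2-tss-engine.
++
++The tool reads private and public portions of an object and encodes it
++into a combined PEM format used by tpm2-tss-engine and other
++applications.
++
++**NOTE**: Both private and public portions of the tpm key must be specified.
++
++# OPTIONS
++
++ * **-C**, **\--parent-context**=_OBJECT_:
++
++ The parent object.
++
++ * **-P**, **\--auth**=_AUTH_:
++
++ The authorization value of the parent object specified by **-C**.
++
++ * **-u**, **\--public**=_FILE_:
++
++ A file containing the public portion of the object.
++
++ * **-r**, **\--private**=_FILE_:
++
++ A file containing the sensitive portion of the object.
++
++ * **-o**, **\--output**=_FILE_:
++
++ The output file path, recording the public portion of the object.
++
++## References
++
++[context object format](common/ctxobj.md) details the methods for specifying
++_OBJECT_.
++
++[authorization formatting](common/authorizations.md) details the methods for
++specifying _AUTH_.
++
++[common options](common/options.md) collection of common options that provide
++information many users may expect.
++
++[common tcti options](common/tcti.md) collection of options used to configure
++the various known TCTI modules.
++
++# EXAMPLES
++
++## Setup
++To load an object you first must create an object under a primary object. So the
++first step is to create the primary object.
++
++```bash
++tpm2_createprimary -c primary.ctx
++```
++
++Step 2 is to create an object under the primary object.
++
++```bash
++tpm2_create -C primary.ctx -u key.pub -r key.priv -f pem -o pub.pem
++```
++
++This creates the private and public portions of the TPM object. With these
++object portions, it is now possible to load that object into the TPM for
++subsequent use.
++
++## Encoding an Object into a combined PEM format
++
++The final step, is encoding the public and private portions of the object into a
++PEM format.
++
++```bash
++tpm2_encodeobject -C primary.ctx -u key.pub -r key.priv -c priv.pem
++```
++
++The generated `priv.pem` can be used together with `pub.pem` created in the
++step 2 of Setup section.
++
++[returns](common/returns.md)
++
++[footer](common/footer.md)
+diff --git a/tools/misc/tpm2_encodeobject.c b/tools/misc/tpm2_encodeobject.c
+new file mode 100644
+index 00000000..2341c3a1
+--- /dev/null
++++ b/tools/misc/tpm2_encodeobject.c
+@@ -0,0 +1,240 @@
++/* SPDX-License-Identifier: BSD-3-Clause */
++
++/*
++ * Part of this file is copied from tpm2-tss-engine.
++ *
++ * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
++ * All rights reserved.
++ * Copyright (c) 2019, Wind River Systems.
++ * All rights reserved.
++ */
++
++#include <inttypes.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <string.h>
++#include <openssl/asn1.h>
++#include <openssl/asn1t.h>
++#include <openssl/pem.h>
++#include <tss2/tss2_mu.h>
++
++#include "files.h"
++#include "log.h"
++#include "tpm2.h"
++#include "tpm2_options.h"
++#include "tpm2_tool.h"
++
++#define OID_loadableKey "2.23.133.10.1.3"
++
++typedef struct {
++ ASN1_OBJECT *type;
++ ASN1_BOOLEAN emptyAuth;
++ ASN1_INTEGER *parent;
++ ASN1_OCTET_STRING *pubkey;
++ ASN1_OCTET_STRING *privkey;
++} TSSPRIVKEY;
++
++DECLARE_ASN1_FUNCTIONS(TSSPRIVKEY);
++DECLARE_PEM_write_bio(TSSPRIVKEY, TSSPRIVKEY);
++
++ASN1_SEQUENCE(TSSPRIVKEY) = {
++ ASN1_SIMPLE(TSSPRIVKEY, type, ASN1_OBJECT),
++ ASN1_EXP_OPT(TSSPRIVKEY, emptyAuth, ASN1_BOOLEAN, 0),
++ ASN1_SIMPLE(TSSPRIVKEY, parent, ASN1_INTEGER),
++ ASN1_SIMPLE(TSSPRIVKEY, pubkey, ASN1_OCTET_STRING),
++ ASN1_SIMPLE(TSSPRIVKEY, privkey, ASN1_OCTET_STRING)
++} ASN1_SEQUENCE_END(TSSPRIVKEY)
++
++#define TSSPRIVKEY_PEM_STRING "TSS2 PRIVATE KEY"
++
++IMPLEMENT_ASN1_FUNCTIONS(TSSPRIVKEY);
++IMPLEMENT_PEM_write_bio(TSSPRIVKEY, TSSPRIVKEY, TSSPRIVKEY_PEM_STRING, TSSPRIVKEY);
++IMPLEMENT_PEM_read_bio(TSSPRIVKEY, TSSPRIVKEY, TSSPRIVKEY_PEM_STRING, TSSPRIVKEY);
++
++typedef struct tpm_encodeobject_ctx tpm_encodeobject_ctx;
++struct tpm_encodeobject_ctx {
++ struct {
++ const char *ctx_path;
++ const char *auth_str;
++ tpm2_loaded_object object;
++ } parent;
++
++ struct {
++ const char *pubpath;
++ TPM2B_PUBLIC public;
++ const char *privpath;
++ TPM2B_PRIVATE private;
++ ESYS_TR handle;
++ } object;
++
++ char *output_path;
++};
++
++static tpm_encodeobject_ctx ctx;
++
++static bool on_option(char key, char *value) {
++ switch (key) {
++ case 'P':
++ ctx.parent.auth_str = value;
++ break;
++ case 'u':
++ ctx.object.pubpath = value;
++ break;
++ case 'r':
++ ctx.object.privpath = value;
++ break;
++ case 'C':
++ ctx.parent.ctx_path = value;
++ break;
++ case 'o':
++ ctx.output_path = value;
++ break;
++ }
++
++ return true;
++}
++
++static bool tpm2_tool_onstart(tpm2_options **opts) {
++ const struct option topts[] = {
++ { "auth", required_argument, NULL, 'P' },
++ { "public", required_argument, NULL, 'u' },
++ { "private", required_argument, NULL, 'r' },
++ { "parent-context", required_argument, NULL, 'C' },
++ { "output", required_argument, NULL, 'o' },
++ };
++
++ *opts = tpm2_options_new("P:u:r:C:o:", ARRAY_LEN(topts), topts, on_option,
++ NULL, 0);
++
++ return *opts != NULL;
++}
++
++static tool_rc check_opts(void) {
++ tool_rc rc = tool_rc_success;
++ if (!ctx.parent.ctx_path) {
++ LOG_ERR("Expected parent object via -C");
++ rc = tool_rc_option_error;
++ }
++
++ if (!ctx.object.pubpath) {
++ LOG_ERR("Expected public object portion via -u");
++ rc = tool_rc_option_error;
++ }
++
++ if (!ctx.object.privpath) {
++ LOG_ERR("Expected private object portion via -r");
++ rc = tool_rc_option_error;
++ }
++
++ if (!ctx.output_path) {
++ LOG_ERR("Expected output file path via -o");
++ rc = tool_rc_option_error;
++ }
++
++ return rc;
++}
++
++static tool_rc init(ESYS_CONTEXT *ectx) {
++ bool res = files_load_public(ctx.object.pubpath, &ctx.object.public);
++ if (!res) {
++ return tool_rc_general_error;
++ }
++
++ res = files_load_private(ctx.object.privpath, &ctx.object.private);
++ if (!res) {
++ return tool_rc_general_error;
++ }
++
++ return tpm2_util_object_load_auth(ectx, ctx.parent.ctx_path,
++ ctx.parent.auth_str, &ctx.parent.object, false,
++ TPM2_HANDLE_ALL_W_NV);
++}
++
++static int
++encode(void)
++{
++ TSS2_RC rc;
++ BIO *bio = NULL;
++ TSSPRIVKEY *tpk = NULL;
++
++ uint8_t private_buf[sizeof(ctx.object.private)];
++ uint8_t public_buf[sizeof(ctx.object.public)];
++ size_t private_len = 0, public_len = 0;
++
++ rc = Tss2_MU_TPM2B_PRIVATE_Marshal(&ctx.object.private, private_buf,
++ sizeof(private_buf), &private_len);
++ if (rc) {
++ LOG_ERR("Error serializing private portion of object");
++ goto error;
++ }
++
++ rc = Tss2_MU_TPM2B_PUBLIC_Marshal(&ctx.object.public, public_buf,
++ sizeof(public_buf), &public_len);
++ if (rc) {
++ LOG_ERR("Error serializing public portion of object");
++ goto error;
++ }
++
++ tpk = TSSPRIVKEY_new();
++ if (!tpk) {
++ LOG_ERR("oom");
++ goto error;
++ }
++
++ tpk->type = OBJ_txt2obj(OID_loadableKey, 1);
++ tpk->parent = ASN1_INTEGER_new();
++ tpk->privkey = ASN1_OCTET_STRING_new();
++ tpk->pubkey = ASN1_OCTET_STRING_new();
++ if (!tpk->type || !tpk->privkey || !tpk->pubkey || !tpk->parent) {
++ LOG_ERR("oom");
++ goto error;
++ }
++
++ tpk->emptyAuth = ctx.parent.auth_str == NULL ? 0xFF : 0;
++
++ if ((ctx.parent.object.handle >> TPM2_HR_SHIFT) == TPM2_HT_PERSISTENT) {
++ ASN1_INTEGER_set(tpk->parent, ctx.parent.object.handle);
++ } else {
++ /* Indicate that the parent is a primary object generated on the fly. */
++ ASN1_INTEGER_set(tpk->parent, TPM2_RH_OWNER);
++ }
++
++ ASN1_STRING_set(tpk->privkey, private_buf, private_len);
++ ASN1_STRING_set(tpk->pubkey, public_buf, public_len);
++
++ if ((bio = BIO_new_file(ctx.output_path, "w")) == NULL) {
++ LOG_ERR("Could not open file: \"%s\"", ctx.output_path);
++ goto error;
++ }
++
++ PEM_write_bio_TSSPRIVKEY(bio, tpk);
++ TSSPRIVKEY_free(tpk);
++ BIO_free(bio);
++
++ return tool_rc_success;
++ error:
++ if (bio)
++ BIO_free(bio);
++ if (tpk)
++ TSSPRIVKEY_free(tpk);
++ return tool_rc_general_error;
++}
++
++static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
++ UNUSED(flags);
++
++ tool_rc rc = check_opts();
++ if (rc != tool_rc_success) {
++ return rc;
++ }
++
++ rc = init(ectx);
++ if (rc != tool_rc_success) {
++ return rc;
++ }
++
++ return encode();
++}
++
++// Register this tool with tpm2_tool.c
++TPM2_TOOL_REGISTER("encodeobject", tpm2_tool_onstart, tpm2_tool_onrun, NULL, NULL)
+--
+2.40.1
+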
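Review bot: `PEM_write_bio_TSSPRIVKEY(bio, tpk)` in encode() is called without checking its return, and the `BIO_free(bio)` on the success path (which also closes the underlying file) is unchecked too, so a failed or short write leaves a truncated `-o` file while the tool still reports tool_rc_success; encode() is also declared `static int` but returns and is propagated as `tool_rc`, so it should be `static tool_rc encode(void)`. The `ASN1_STRING_set` and `ASN1_INTEGER_set` results are likewise ignored and can fail on allocation. `tpk->emptyAuth` is derived from whether the parent auth `-P` was supplied, whereas consumers of the TSS2 PRIVATE KEY format read emptyAuth as describing the encoded object's own authorization value — confirm that this is the intended meaning and document it on the assignment. In the man page hunk of the same patch, the example invokes `-c priv.pem` but the option table only defines `-o`, and `-o` is described as "recording the public portion of the object" although it receives the combined public/private PEM; both should be corrected.
```c
static tool_rc
encode(void)
{
    /* … unchanged: marshal private/public, allocate and fill tpk, open bio … */

    if (PEM_write_bio_TSSPRIVKEY(bio, tpk) != 1) {
        LOG_ERR("Could not write PEM to file: \"%s\"", ctx.output_path);
        goto error;
    }
    TSSPRIVKEY_free(tpk);
    tpk = NULL;
    /* BIO_free on a file BIO closes the file; a failed close means the data may not be on disk */
    if (BIO_free(bio) != 1) {
        LOG_ERR("Could not close file: \"%s\"", ctx.output_path);
        return tool_rc_general_error;
    }

    return tool_rc_success;
    /* … unchanged: error label and cleanup … */
}
```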
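--- /dev/null
+++ b/0003-tools-tpm2_evictconrol-fix-for-call-to-Esys_TR_Close.patch
@@ -0,0 +1,104 @@
+From be8b4cb178332f24fb06f30d3211a24ea3c9e632 Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Fri, 3 Sep 2021 11:24:31 -0700
+Subject: [PATCH 03/17] tools/tpm2_evictconrol: fix for call to Esys_TR_Close
+on bad handle
+
+Fixes #2254
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+tools/tpm2_evictcontrol.c | 36 +++++++++++++++---------------------
+1 file changed, 15 insertions(+), 21 deletions(-)
+
+diff --git a/tools/tpm2_evictcontrol.c b/tools/tpm2_evictcontrol.c
+index 0ae4edc6..8199be39 100644
+--- a/tools/tpm2_evictcontrol.c
++++ b/tools/tpm2_evictcontrol.c
+@@ -106,20 +106,18 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
+bool evicted = false;
+
+/* load up the object/handle to work on */
+- tool_rc tmp_rc = tpm2_util_object_load(ectx, ctx.to_persist_key.ctx_path,
+- &ctx.to_persist_key.object, TPM2_HANDLE_ALL_W_NV);
+- if (tmp_rc != tool_rc_success) {
+- rc = tmp_rc;
+- goto out;
++ rc = tpm2_util_object_load(ectx, ctx.to_persist_key.ctx_path,
++ &ctx.to_persist_key.object, TPM2_HANDLE_ALL_W_NV);
++ if (rc != tool_rc_success) {
++ return rc;
+}
+
+/* load up the auth hierarchy */
+- tmp_rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path,
++ rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path,
+ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false,
+TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P);
+- if (tmp_rc != tool_rc_success) {
+- rc = tmp_rc;
+- goto out;
++ if (rc != tool_rc_success) {
++ return rc;
+}
+
+if (ctx.to_persist_key.object.handle >> TPM2_HR_SHIFT
+@@ -136,11 +134,10 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
+*/
+if (ctx.flags.c && !ctx.flags.p) {
+bool is_platform = ctx.auth_hierarchy.object.handle == TPM2_RH_PLATFORM;
+- tmp_rc = tpm2_capability_find_vacant_persistent_handle(ectx,
++ rc = tpm2_capability_find_vacant_persistent_handle(ectx,
+is_platform, &ctx.persist_handle);
+- if (tmp_rc != tool_rc_success) {
+- rc = tmp_rc;
+- goto out;
++ if (rc != tool_rc_success) {
++ return rc;
+}
+/* we searched and found a persistent handle, so mark that peristent handle valid */
+ctx.flags.p = 1;
+@@ -148,7 +145,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
+
+if (ctx.flags.o && !ctx.flags.p) {
+LOG_ERR("Cannot specify -o without using a persistent handle");
+- goto out;
++ return tool_rc_option_error;
+}
+
+ESYS_TR out_tr;
+@@ -175,7 +172,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
+rc = tpm2_evictcontrol(ectx, &ctx.auth_hierarchy.object,
+&ctx.to_persist_key.object, ctx.persist_handle, &out_tr, NULL);
+if (rc != tool_rc_success) {
+- goto out;
++ return rc;
+}
+
+/*
+@@ -191,19 +188,16 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
+evicted = out_tr == ESYS_TR_NONE;
+tpm2_tool_output("persistent-handle: 0x%x\n", ctx.persist_handle);
+tpm2_tool_output("action: %s\n", evicted ? "evicted" : "persisted");
+-
++ tool_rc tmp_rc = tool_rc_success;
+if (ctx.output_arg) {
+- rc = files_save_ESYS_TR(ectx, out_tr, ctx.output_arg);
+- } else {
+- rc = tool_rc_success;
++ tmp_rc = files_save_ESYS_TR(ectx, out_tr, ctx.output_arg);
+}
+
+-out:
+if (!evicted) {
+rc = tpm2_close(ectx, &out_tr);
+}
+
+- return rc;
++ return (tmp_rc == tool_rc_success) ? rc : tmp_rc;
+}
+
+static tool_rc tpm2_tool_onstop(ESYS_CONTEXT *ectx) {
+--
+2.40.1
+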
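Review bot: `ESYS_TR out_tr;` (context in the @@ -148 hunk) is still left uninitialized; the fix holds only because every exit before `tpm2_evictcontrol` now returns instead of jumping to the close, which is exactly the condition that produced the bad-handle Esys_TR_Close in #2254. Initialize it, `ESYS_TR out_tr = ESYS_TR_NONE;`, so that `evicted` and the `if (!evicted)` close stay well-defined even if a later change reintroduces a shared exit path. The `-o`-without-persistent-handle check that now returns `tool_rc_option_error` runs after both objects have already been loaded into the TPM; validating it in the option-checking step before any TPM call would fail earlier and without side effects. tpm2_tool_onrun begins before the first hunk.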
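--- /dev/null
+++ b/0004-Fix-argument-parsing-in-tpm2_policylocality.patch
@@ -0,0 +1,45 @@
+From f365a0adca8379ce89ff86fdf740082cf6a56f1b Mon Sep 17 00:00:00 2001
+From: Tien-Ren Chen <trchen1033@gmail.com>
+Date: Thu, 25 Nov 2021 12:41:52 -0500
+Subject: [PATCH 04/17] Fix argument parsing in tpm2_policylocality
+
+This patch fixes a bug that caused tpm2_policylocality to almost
+always generate PolicyLocality(0).
+
+There was a logical inversion that caused almost any argument
+(including invalid ones) to be interpreted as zero, except "zero"
+would be interpreted as one.
+
+Signed-off-by: Tien-Ren Chen <trchen1033@gmail.com>
+---
+tools/tpm2_policylocality.c | 10 +++++-----
+1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/tools/tpm2_policylocality.c b/tools/tpm2_policylocality.c
+index 81edbe65..b1d43d02 100644
+--- a/tools/tpm2_policylocality.c
++++ b/tools/tpm2_policylocality.c
+@@ -54,15 +54,15 @@ static bool on_arg(int argc, char **argv) {
+return false;
+}
+
+- if (strcmp(argv[0], "zero")) {
++ if (strcmp(argv[0], "zero") == 0) {
+ctx.locality = TPMA_LOCALITY_TPM2_LOC_ZERO;
+- } else if (strcmp(argv[0], "one")) {
++ } else if (strcmp(argv[0], "one") == 0) {
+ctx.locality = TPMA_LOCALITY_TPM2_LOC_ONE;
+- } else if (strcmp(argv[0], "two")) {
++ } else if (strcmp(argv[0], "two") == 0) {
+ctx.locality = TPMA_LOCALITY_TPM2_LOC_TWO;
+- } else if (strcmp(argv[0], "three")) {
++ } else if (strcmp(argv[0], "three") == 0) {
+ctx.locality = TPMA_LOCALITY_TPM2_LOC_THREE;
+- } else if (strcmp(argv[0], "four")) {
++ } else if (strcmp(argv[0], "four") == 0) {
+ctx.locality = TPMA_LOCALITY_TPM2_LOC_FOUR;
+} else {
+bool result = tpm2_util_string_to_uint8(argv[0], &ctx.locality);
+--
+2.40.1
+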
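Review bot: The corrected `strcmp(argv[0], "...") == 0` chain is right, but the patch carries no regression test, and the bug it fixes is a silent policy weakening: builds before this change emitted PolicyLocality(0) for `one`..`four` and PolicyLocality(1) for `zero`, so an object sealed under such a policy is not bound to the locality its creator intended. Add an integration check that the digest produced for `tpm2_policylocality one` differs from the one for `zero` and matches a known-good value, and call the behaviour change out in the package changelog so affected policies get re-created. The numeric fallback `tpm2_util_string_to_uint8(argv[0], &ctx.locality)` and the handling of its result continue past the end of the hunk.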
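--- /dev/null
+++ b/PLACEHOLDER-0005-patch-filename-not-shown-on-page.patch
@@ -0,0 +1,82 @@
+From 221d8e557ab5a00246f7b09746377819cfbaec5e Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Wed, 9 Mar 2022 10:24:45 -0700
+Subject: [PATCH 05/17] tools/tpm2_tool.c: Fix an issue where LOG_WARN is
+always displayed
+
+Despite setting the 'quiet' flag with -Q the warning messages were
+always displayed.
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+lib/tpm2_options.c | 12 +++++++++---
+tools/tpm2_makecredential.c | 9 ++++++---
+2 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/lib/tpm2_options.c b/lib/tpm2_options.c
+index 8c8af2af..1238e440 100644
+--- a/lib/tpm2_options.c
++++ b/lib/tpm2_options.c
+@@ -456,12 +456,16 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
+
+/* tool doesn't request a sapi, don't initialize one */
+if (flags->tcti_none && is_optional_sapi) {
+- LOG_WARN("Tool optionally uses SAPI. Continuing with tcti=none");
++ if (!flags->quiet) {
++ LOG_WARN("Tool optionally uses SAPI. Continuing with tcti=none");
++ }
+goto none;
+}
+
+if (flags->tcti_none && is_no_sapi) {
+- LOG_WARN("Tool does not use SAPI. Continuing with tcti=none");
++ if (!flags->quiet) {
++ LOG_WARN("Tool does not use SAPI. Continuing with tcti=none");
++ }
+goto none;
+}
+
+@@ -481,7 +485,9 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
+bool is_optional_fake_tcti = (flags->tcti_none && tool_opts &&
+tool_opts->flags & TPM2_OPTIONS_OPTIONAL_SAPI_AND_FAKE_TCTI);
+if (is_optional_fake_tcti) {
+- LOG_WARN("Tool optionally uses SAPI. Continuing with tcti=fake");
++ if (!flags->quiet) {
++ LOG_WARN("Tool optionally uses SAPI. Continuing with tcti=fake");
++ }
+*tcti = (TSS2_TCTI_CONTEXT *)&fake_tcti;
+goto none;
+}
+diff --git a/tools/tpm2_makecredential.c b/tools/tpm2_makecredential.c
+index 0b0fa123..5bd5b484 100644
+--- a/tools/tpm2_makecredential.c
++++ b/tools/tpm2_makecredential.c
+@@ -310,11 +310,14 @@ static void set_default_TCG_EK_template(TPMI_ALG_PUBLIC alg) {
+ctx.public.publicArea.nameAlg = TPM2_ALG_SHA256;
+}
+
+-static tool_rc process_input(void) {
++static tool_rc process_input(tpm2_option_flags flags) {
+
+TPMI_ALG_PUBLIC alg = TPM2_ALG_NULL;
+if (ctx.key_type) {
+- LOG_WARN("Because **-G** is specified, assuming input encryption public key is in PEM format.");
++ if (!flags.quiet) {
++ LOG_WARN("Because **-G** is specified, assuming input encryption "
++ "public key is in PEM format.");
++ }
+alg = tpm2_alg_util_from_optarg(ctx.key_type,
+tpm2_alg_util_flags_asymmetric);
+if (alg == TPM2_ALG_ERROR ||
+@@ -379,7 +382,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
+
+UNUSED(flags);
+
+- tool_rc rc = process_input();
++ tool_rc rc = process_input(flags);
+if (rc != tool_rc_success) {
+return rc;
+}
+--
+2.40.1
+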
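Review bot: In tpm2_makecredential.c, `UNUSED(flags);` in tpm2_tool_onrun is now stale because the same `flags` is passed to `process_input(flags)` two lines later; drop the macro. Gating each warning with `if (!flags->quiet) { LOG_WARN(...) }` at three call sites in tpm2_handle_options, plus a fourth in process_input, duplicates a policy that belongs in the logger: one check of the quiet flag inside the LOG_WARN implementation would cover every tool, including the ones this patch does not touch. The commit subject names tools/tpm2_tool.c, but the diff only touches lib/tpm2_options.c and tools/tpm2_makecredential.c. process_input continues past the end of its hunk.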
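--- /dev/null
+++ b/0006-import-fix-bug-on-using-scheme.patch
@@ -0,0 +1,100 @@
+From acc82191f519f8bcdfcc0827faf024dcd2f56f78 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 20 May 2022 10:49:04 -0500
+Subject: [PATCH 06/17] import: fix bug on using scheme
+
+When scheme is specified in the template, the openssl load functions
+clobber the scheme value and set it to TPM2_ALG_NULL. Only set the
+algorithm to NULL if zero value is specified.
+
+Fixes: #2997
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+lib/tpm2_openssl.c | 24 ++++++++++++++++++------
+test/integration/tests/import.sh | 13 +++++++++----
+2 files changed, 27 insertions(+), 10 deletions(-)
+
+diff --git a/lib/tpm2_openssl.c b/lib/tpm2_openssl.c
+index 01bfc9ef..ad43c8e1 100644
+--- a/lib/tpm2_openssl.c
++++ b/lib/tpm2_openssl.c
+@@ -534,9 +534,15 @@ static bool load_public_RSA_from_key(EVP_PKEY *key, TPM2B_PUBLIC *pub) {
+pt->type = TPM2_ALG_RSA;
+
+TPMS_RSA_PARMS *rdetail = &pub->publicArea.parameters.rsaDetail;
+- rdetail->scheme.scheme = TPM2_ALG_NULL;
+- rdetail->symmetric.algorithm = TPM2_ALG_NULL;
+- rdetail->scheme.details.anySig.hashAlg = TPM2_ALG_NULL;
++ /*
++ * If the scheme is not TPM2_ALG_ERROR (0),
++ * its a valid scheme so don't set it to NULL scheme
++ */
++ if (rdetail->scheme.scheme == TPM2_ALG_ERROR) {
++ rdetail->scheme.scheme = TPM2_ALG_NULL;
++ rdetail->symmetric.algorithm = TPM2_ALG_NULL;
++ rdetail->scheme.details.anySig.hashAlg = TPM2_ALG_NULL;
++ }
+
+/* NULL out sym details */
+TPMT_SYM_DEF_OBJECT *sym = &rdetail->symmetric;
+@@ -809,9 +815,15 @@ static bool load_public_ECC_from_key(EVP_PKEY *key, TPM2B_PUBLIC *pub) {
+* no kdf - not sure what this should be
+*/
+pp->kdf.scheme = TPM2_ALG_NULL;
+- pp->scheme.scheme = TPM2_ALG_NULL;
+- pp->symmetric.algorithm = TPM2_ALG_NULL;
+- pp->scheme.details.anySig.hashAlg = TPM2_ALG_NULL;
++
++ /*
++ * If the scheme is not TPM2_ALG_ERROR (0),
++ * its a valid scheme so don't set it to NULL scheme
++ */
++ if (pp->scheme.scheme == TPM2_ALG_ERROR) {
++ pp->scheme.scheme = TPM2_ALG_NULL;
++ pp->scheme.details.anySig.hashAlg = TPM2_ALG_NULL;
++ }
+
+/* NULL out sym details */
+TPMT_SYM_DEF_OBJECT *sym = &pp->symmetric;
+diff --git a/test/integration/tests/import.sh b/test/integration/tests/import.sh
+index 9f6a474e..9cb6096f 100644
+--- a/test/integration/tests/import.sh
++++ b/test/integration/tests/import.sh
+@@ -4,8 +4,8 @@ source helpers.sh
+
+cleanup() {
+rm -f import_key.ctx import_key.name import_key.priv import_key.pub \
+- parent.ctx plain.dec.ssl plain.enc plain.txt sym.key import_rsa_key.pub \
+- import_rsa_key.priv import_rsa_key.ctx import_rsa_key.name private.pem \
++ parent.ctx plain.dec.ssl plain.enc plain.txt sym.key import_rsa_key*.pub \
++ import_rsa_key*.priv import_rsa_key.ctx import_rsa_key.name private.pem \
+public.pem plain.rsa.enc plain.rsa.dec public.pem data.in.raw \
+data.in.digest data.out.signed ticket.out ecc.pub ecc.priv ecc.name \
+ecc.ctx private.ecc.pem public.ecc.pem passfile aes.key policy.dat \
+@@ -67,6 +67,10 @@ run_rsa_import_test() {
+tpm2 import -Q -G rsa -g "$name_alg" -i private.pem -C $1 \
+-u import_rsa_key.pub -r import_rsa_key.priv
+
++ # test in import with scheme and discard
++ tpm2 import -G rsa:rsassa-sha256 -g "$name_alg" -i private.pem -C $1 \
++ -u import_rsa_key2.pub -r import_rsa_key2.priv | grep -q 'rsassa'
++
+tpm2 load -Q -C $1 -u import_rsa_key.pub -r import_rsa_key.priv \
+-n import_rsa_key.name -c import_rsa_key.ctx
+
+@@ -118,8 +122,9 @@ run_ecc_import_test() {
+shasum -a 256 data.in.raw | awk '{ print "000000 " $1 }' | xxd -r -c 32 > \
+data.in.digest
+
+- tpm2 import -Q -G ecc -g "$name_alg" -i private.ecc.pem -C $1 -u ecc.pub \
+- -r ecc.priv
++ # test import with scheme
++ tpm2 import -G ecc:ecdsa-sha256 -g "$name_alg" -i private.ecc.pem -C $1 -u ecc.pub \
++ -r ecc.priv | grep -q 'ecdsa'
+
+tpm2 load -Q -C $1 -u ecc.pub -r ecc.priv -n ecc.name -c ecc.ctx
+
+--
+2.40.1
+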
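--- /dev/null
+++ b/0007-tpm2_policyor-fix-unallocated-policy-list.patch
@@ -0,0 +1,85 @@
+From d35bff8cf06cec386afd24bdbed9828caf063a2f Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Mon, 18 Jul 2022 11:31:51 -0500
+Subject: [PATCH 07/17] tpm2_policyor: fix unallocated policy list
+
+The TPML_DIGEST policy list was calloc'd for some reason, however it
+could just be statically allocated in the context. The side effect is
+that when no options or arguments were given a NPD occured when checking
+the count of the policy list. TO fix this, just statically allocate it.
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+tools/tpm2_policyor.c | 15 ++++++---------
+1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/tools/tpm2_policyor.c b/tools/tpm2_policyor.c
+index e4f6541b..d27fff8b 100644
+--- a/tools/tpm2_policyor.c
++++ b/tools/tpm2_policyor.c
+@@ -14,7 +14,7 @@ struct tpm2_policyor_ctx {
+//File path for the session context data
+const char *session_path;
+//List of policy digests that will be compounded
+- TPML_DIGEST *policy_list;
++ TPML_DIGEST policy_list;
+//File path for storing the policy digest output
+const char *out_policy_dgst_path;
+
+@@ -36,8 +36,7 @@ static bool on_option(char key, char *value) {
+ctx.session_path = value;
+break;
+case 'l':
+- ctx.policy_list = calloc(1, sizeof(TPML_DIGEST));
+- result = tpm2_policy_parse_policy_list(value, ctx.policy_list);
++ result = tpm2_policy_parse_policy_list(value, &ctx.policy_list);
+if (!result) {
+return false;
+}
+@@ -54,8 +53,7 @@ static bool on_arg(int argc, char **argv) {
+return false;
+}
+
+- ctx.policy_list = calloc(1, sizeof(TPML_DIGEST));
+- bool result = tpm2_policy_parse_policy_list(argv[0], ctx.policy_list);
++ bool result = tpm2_policy_parse_policy_list(argv[0], &ctx.policy_list);
+if (!result) {
+return false;
+}
+@@ -85,7 +83,7 @@ static bool is_input_option_args_valid(void) {
+}
+
+//Minimum two policies needed to be specified for compounding
+- if (ctx.policy_list->count < 1) {
++ if (ctx.policy_list.count < 1) {
+LOG_ERR("Must specify at least 2 policy digests for compounding.");
+return false;
+}
+@@ -109,14 +107,14 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
+}
+
+/* Policy digest hash alg should match that of the session */
+- if (ctx.policy_list->digests[0].size
++ if (ctx.policy_list.digests[0].size
+!= tpm2_alg_util_get_hash_size(
+tpm2_session_get_authhash(ctx.session))) {
+LOG_ERR("Policy digest hash alg should match that of the session.");
+return tool_rc_general_error;
+}
+
+- rc = tpm2_policy_build_policyor(ectx, ctx.session, ctx.policy_list);
++ rc = tpm2_policy_build_policyor(ectx, ctx.session, &ctx.policy_list);
+if (rc != tool_rc_success) {
+LOG_ERR("Could not build policyor TPM");
+return rc;
+@@ -127,7 +125,6 @@ static tool_rc tpm2_tool_onstop(ESYS_CONTEXT *ectx) {
+
+static tool_rc tpm2_tool_onstop(ESYS_CONTEXT *ectx) {
+UNUSED(ectx);
+- free(ctx.policy_list);
+free(ctx.policy_digest);
+return tpm2_session_close(&ctx.session);
+}
+--
+2.40.1
+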
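Review bot: The guard at `+ if (ctx.policy_list.count < 1)` still accepts a single digest, while the comment directly above it and the LOG_ERR text both require at least two. Now that `policy_list` is embedded in the static, zero-initialised `ctx`, the no-argument case this commit fixes is caught by the count check, but a one-element list is only rejected later by the TPM, if at all. The condition should read `if (ctx.policy_list.count < 2) {` so the tool fails up front with the message it already prints. is_input_option_args_valid begins outside the hunk.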
@ -0,0 +1,35 @@
|
|||||||
|
From cfb18410e8f706646adce2bd9f6cffecbd363d2b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Imran Desai <imran.desai@intel.com>
|
||||||
|
Date: Thu, 21 Jul 2022 15:19:36 -0700
|
||||||
|
Subject: [PATCH 08/17] lib/tpm2_alg_util.c: Fix potential null pointer
|
||||||
|
dereference
|
||||||
|
|
||||||
|
Must test ext_alg_str before dereferencing in
|
||||||
|
tpm2_alg_util_handle_rsa_ext_alg
|
||||||
|
|
||||||
|
char *ext_alg_str = calloc(1, strlen(alg_spec) + strlen("rsa") +
|
||||||
|
RSA_KEYBITS_STRLEN)
|
||||||
|
|
||||||
|
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||||
|
---
|
||||||
|
lib/tpm2_alg_util.c | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c
|
||||||
|
index 1e984d74..580f41cb 100644
|
||||||
|
--- a/lib/tpm2_alg_util.c
|
||||||
|
+++ b/lib/tpm2_alg_util.c
|
||||||
|
@@ -601,6 +601,10 @@ tool_rc tpm2_alg_util_handle_rsa_ext_alg(const char *alg_spec,
|
||||||
|
#define RSA_KEYBITS_STRLEN 6
|
||||||
|
char *ext_alg_str = calloc(1, strlen(alg_spec) + strlen("rsa") +
|
||||||
|
RSA_KEYBITS_STRLEN);
|
||||||
|
+ if (ext_alg_str == NULL) {
|
||||||
|
+ LOG_ERR("oom");
|
||||||
|
+ return tool_rc_general_error;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
strcat(ext_alg_str, "rsa");
|
||||||
|
switch(public->publicArea.parameters.rsaDetail.keyBits) {
|
||||||
|
--
|
||||||
|
2.40.1
|
||||||
|
|
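--- /dev/null
+++ b/0009-tss2_provision-fix-usage-of-L-parameter.patch
@@ -0,0 +1,30 @@
+From d783e7962e268b45c13ad800fca636bb922005fa Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Tue, 18 Oct 2022 10:32:43 +0200
+Subject: [PATCH 09/17] tss2_provision: fix usage of -L parameter.
+
+The -L short parameter was not marked as parameter with required
+arg in the short opt list.
+Fixes #3147.
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+---
+tools/fapi/tss2_provision.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/fapi/tss2_provision.c b/tools/fapi/tss2_provision.c
+index 5be7b4dc..7edf2dd3 100644
+--- a/tools/fapi/tss2_provision.c
++++ b/tools/fapi/tss2_provision.c
+@@ -33,7 +33,7 @@ static bool tss2_tool_onstart(tpm2_options **opts) {
+{"authValueSh", required_argument, NULL, 'S'},
+{"authValueLockout", required_argument, NULL, 'L'},
+};
+- return (*opts = tpm2_options_new ("E:S:L",
++ return (*opts = tpm2_options_new ("E:S:L:",
+ARRAY_LEN(topts), topts, on_option, NULL, 0)) != NULL;
+}
+
+--
+2.40.1
+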
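Review bot: The short-option string at `+ return (*opts = tpm2_options_new ("E:S:L:",` encodes the same information as the `required_argument` entries in `topts`, and the bug being fixed is exactly the two drifting apart. A comment on the table such as `/* every entry takes an argument: keep the "X:" short-opt string below in sync */` would flag the coupling, and a unit test that checks each `required_argument` entry has a matching `X:` in the string would catch the next omission before a user does. tss2_tool_onstart begins outside the hunk.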
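--- /dev/null
+++ b/0010-tpm2_encodeobject-fix-formatting.patch
@@ -0,0 +1,26 @@
+From 0582b619c3a2c407bf5eace8d83d832688781789 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Mon, 24 Oct 2022 10:31:05 -0500
+Subject: [PATCH 10/17] tpm2_encodeobject: fix formatting
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+tools/misc/tpm2_encodeobject.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/misc/tpm2_encodeobject.c b/tools/misc/tpm2_encodeobject.c
+index 2341c3a1..ccbd0e01 100644
+--- a/tools/misc/tpm2_encodeobject.c
++++ b/tools/misc/tpm2_encodeobject.c
+@@ -87,7 +87,7 @@ static bool on_option(char key, char *value) {
+ctx.parent.ctx_path = value;
+break;
+case 'o':
+- ctx.output_path = value;
++ ctx.output_path = value;
+break;
+}
+
+--
+2.40.1
+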
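--- /dev/null
+++ b/0011-tpm2_encodeobject-fix-auth-boolean-flag.patch
@@ -0,0 +1,99 @@
+From 579bb674b5bdf2a0d50e8d3a3d6f5391d233bdff Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Mon, 24 Oct 2022 10:48:18 -0500
+Subject: [PATCH 11/17] tpm2_encodeobject: fix auth boolean flag
+
+The flag for wether or not a key needs a password was being set based on
+if the parent needed a password or not when it should be set based on if
+the child object needs a password or not.
+
+Correct this by adding a -p/--key-auth option to indicate the value of
+this boolean.
+
+$ tpm2 encodeobject -C 0x81000000 -u key.pub -r key.priv -o key.pem
+$ openssl asn1parse -dump -inform PEM -in key.pem
+<snip>
+14:d=2 hl=2 l= 1 prim: BOOLEAN :0
+</snip>
+
+$ tpm2 encodeobject -C 0x81000000 -u key.pub -r key.priv -o key.pem -p
+$ openssl asn1parse -dump -inform PEM -in key.pem
+<snip>
+14:d=2 hl=2 l= 1 prim: BOOLEAN :1
+</snip>
+
+A workaround would be manually modifying the ASN1 PEM file boolean flag
+OR creating the same parent key but with a password and specifying the
+password via `-P`. Note that a primary key is the same given the same
+inputs and password doesn't change the generated key.
+
+Fixes: #3152
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+man/tpm2_encodeobject.1.md | 5 +++++
+tools/misc/tpm2_encodeobject.c | 9 +++++++--
+2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/man/tpm2_encodeobject.1.md b/man/tpm2_encodeobject.1.md
+index 791eafbd..2e83fa7d 100644
+--- a/man/tpm2_encodeobject.1.md
++++ b/man/tpm2_encodeobject.1.md
+@@ -37,6 +37,11 @@ applications.
+
+A file containing the sensitive portion of the object.
+
++ * **-p**, **\--key-auth**:
++
++ Indicates if an authorization value is needed for the object specified by
++ **-r** and **-u**.
++
+* **-o**, **\--output**=_FILE_:
+
+The output file path, recording the public portion of the object.
+diff --git a/tools/misc/tpm2_encodeobject.c b/tools/misc/tpm2_encodeobject.c
+index ccbd0e01..80de14f5 100644
+--- a/tools/misc/tpm2_encodeobject.c
++++ b/tools/misc/tpm2_encodeobject.c
+@@ -65,6 +65,7 @@ struct tpm_encodeobject_ctx {
+const char *privpath;
+TPM2B_PRIVATE private;
+ESYS_TR handle;
++ bool needs_auth;
+} object;
+
+char *output_path;
+@@ -89,6 +90,9 @@ static bool on_option(char key, char *value) {
+case 'o':
+ctx.output_path = value;
+break;
++ case 'p':
++ ctx.object.needs_auth = true;
++ break;
+}
+
+return true;
+@@ -101,9 +105,10 @@ static bool tpm2_tool_onstart(tpm2_options **opts) {
+{ "private", required_argument, NULL, 'r' },
+{ "parent-context", required_argument, NULL, 'C' },
+{ "output", required_argument, NULL, 'o' },
++ { "key-auth", no_argument, NULL, 'p' },
+};
+
+- *opts = tpm2_options_new("P:u:r:C:o:", ARRAY_LEN(topts), topts, on_option,
++ *opts = tpm2_options_new("P:u:r:C:o:p", ARRAY_LEN(topts), topts, on_option,
+NULL, 0);
+
+return *opts != NULL;
+@@ -190,7 +195,7 @@ encode(void)
+goto error;
+}
+
+- tpk->emptyAuth = ctx.parent.auth_str == NULL ? 0xFF : 0;
++ tpk->emptyAuth = ctx.object.needs_auth;
+
+if ((ctx.parent.object.handle >> TPM2_HR_SHIFT) == TPM2_HT_PERSISTENT) {
+ASN1_INTEGER_set(tpk->parent, ctx.parent.object.handle);
+--
+2.40.1
+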
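Review bot: `+ tpk->emptyAuth = ctx.object.needs_auth;` appears to invert the field's polarity: the line it replaces set `emptyAuth` TRUE (0xFF) when no auth string was given, the field name says the same, and the new man-page text defines `-p` as "an authorization value is needed", so a key with no password is now encoded as having one and vice versa — unless the consumer of this PEM reads the flag the other way, which should be checked against the key-file format this tool targets before merging. The commit's own asn1parse sample shows `BOOLEAN :1` rather than `:255`; the value written to the ASN1_BOOLEAN is emitted as-is, and a DER-strict decoder may reject 0x01 as TRUE. `tpk->emptyAuth = ctx.object.needs_auth ? 0 : 0xFF;` keeps both the prior polarity and the prior encoding. encode() begins and ends outside the hunk.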
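--- /dev/null
+++ b/0012-bugfix-fix-convert-sm2-public-key-in-openssl3.patch
@@ -0,0 +1,30 @@
+From 3848000b934b9e2546a506ab0922c028491d2284 Mon Sep 17 00:00:00 2001
+From: mayuanchen <94815698+mayuanchenma@users.noreply.github.com>
+Date: Thu, 1 Dec 2022 21:44:22 +0800
+Subject: [PATCH 12/17] bugfix: fix convert sm2 public key in openssl3.
+
+Signed-off-by: mayuanchen <94815698+mayuanchenma@users.noreply.github.com>
+---
+lib/tpm2_convert.c | 6 +++++-
+1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/tpm2_convert.c b/lib/tpm2_convert.c
+index 1bba370f..edb9bed0 100644
+--- a/lib/tpm2_convert.c
++++ b/lib/tpm2_convert.c
+@@ -335,7 +335,11 @@ EVP_PKEY *convert_pubkey_ECC(TPMT_PUBLIC *public) {
+goto out;
+}
+
+- ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
++ if (nid == NID_sm2) {
++ ctx = EVP_PKEY_CTX_new_from_name(NULL, "SM2", NULL);
++ } else {
++ ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
++ }
+if (!ctx) {
+print_ssl_error("Failed to allocate EC key context");
+goto out;
+--
+2.40.1
+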
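Review bot: The two branches added at `+ if (nid == NID_sm2) {` differ only in the algorithm name string, so a single call reads more clearly: `const char *alg = nid == NID_sm2 ? "SM2" : "EC";` followed by `ctx = EVP_PKEY_CTX_new_from_name(NULL, alg, NULL);`. The unchanged `print_ssl_error("Failed to allocate EC key context")` now also reports SM2 failures, so folding `alg` into that message would keep the log accurate. convert_pubkey_ECC and the definition of `nid` lie outside the hunk.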
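--- /dev/null
+++ b/0013-readpublic-fix-reading-and-writing-serialized-trs.patch
@@ -0,0 +1,46 @@
+From 62f6cdaa36e1c9e8f39e1ca60d8e3049de6860bf Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Mon, 27 Feb 2023 15:32:55 -0600
+Subject: [PATCH 13/17] readpublic: fix reading and writing serialized trs
+
+Fix reading and writing a serialized persistent ESYS_TR handles. This
+occurs becuase the TPM2_HANDLE is never set after loading and decisions
+are made on it.
+
+Fixes:
+tpm2_readpublic -t handle2.tr -c handle.tr
+ERROR: Can only output a serialized handle for persistent object handles
+ERROR: Unable to run tpm2_readpublic
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+lib/object.c | 13 ++++++++++++-
+1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/lib/object.c b/lib/object.c
+index c186a820..1279a8e5 100644
+--- a/lib/object.c
++++ b/lib/object.c
+@@ -15,7 +15,18 @@ static tool_rc do_ctx_file(ESYS_CONTEXT *ctx, const char *objectstr, FILE *f,
+/* assign a dummy transient handle */
+outobject->handle = TPM2_TRANSIENT_FIRST;
+outobject->path = objectstr;
+- return files_load_tpm_context_from_file(ctx, &outobject->tr_handle, f);
++ tool_rc rc = files_load_tpm_context_from_file(ctx, &outobject->tr_handle, f);
++ if (rc != tool_rc_success) {
++ return rc;
++ }
++
++ TSS2_RC rval = Esys_TR_GetTpmHandle(ctx, outobject->tr_handle, &outobject->handle);
++ if (rval != TPM2_RC_SUCCESS) {
++ LOG_ERR("Failed to acquire SAPI handle");
++ return tool_rc_general_error;
++ }
++
++ return tool_rc_success;
+}
+
+static tool_rc tpm2_util_object_load2(ESYS_CONTEXT *ctx, const char *objectstr,
+--
+2.40.1
+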
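Review bot: The failure path at `+ LOG_ERR("Failed to acquire SAPI handle");` discards the TSS return code and maps every failure to `tool_rc_general_error`, whereas the ESAPI calls elsewhere in this series report with `LOG_PERR(Esys_..., rval)` and `tool_rc_from_tpm(rval)` (the Esys_Load hunk in the following patch is one example); `LOG_PERR(Esys_TR_GetTpmHandle, rval); return tool_rc_from_tpm(rval);` keeps diagnostics and error-code mapping consistent. The unchanged `/* assign a dummy transient handle */` is now misleading because the value is overwritten on the success path; `/* placeholder only; replaced by the real handle from Esys_TR_GetTpmHandle below */` describes the new flow. do_ctx_file begins outside the hunk.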
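--- /dev/null
+++ b/0014-fix-wrong-function-name-of-Esys_Load.patch
@@ -0,0 +1,29 @@
+From f1515918ebba36a540432425f7cd01ca3c44aaac Mon Sep 17 00:00:00 2001
+From: yuxiaojun <yuxiaojun@uniontech.com>
+Date: Wed, 1 Feb 2023 11:47:40 +0800
+Subject: [PATCH 14/17] fix:wrong function name of "Esys_Load"
+
+LOG_PERR(Eys_Load, rval);
+The first parameter in the function should be Esys_Load.
+
+Signed-off-by: yuxiaojun <yuxiaojun@uniontech.com>
+---
+lib/tpm2.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/tpm2.c b/lib/tpm2.c
+index d91072ae..27f101e9 100644
+--- a/lib/tpm2.c
++++ b/lib/tpm2.c
+@@ -1921,7 +1921,7 @@ tpm2_load_free_name1:
+parent_object_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, in_private,
+in_public, object_handle);
+if (rval != TPM2_RC_SUCCESS) {
+- LOG_PERR(Eys_Load, rval);
++ LOG_PERR(Esys_Load, rval);
+return tool_rc_from_tpm(rval);
+}
+
+--
+2.40.1
+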
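--- /dev/null
+++ b/0015-tpm-errata-switch-to-twos-complement.patch
@@ -0,0 +1,224 @@
+From 510d570d9c4f34d4768af3453dcfcc4f74006e32 Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Fri, 7 Apr 2023 14:02:33 +0200
+Subject: [PATCH 15/17] tpm errata: switch to twos-complement.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Errata TCG Trusted Platform Module Library Revision 1.59 Version 1.4,
+Section 2.5 TPM_EO – two’s complement states:
+"The signed arithmetic operations are performed using twos-complement."
+The tests policynv and policycountertimer were adapted to work with the
+complement representation of signed numbers. If the tests return the error 0x126
+the test will be skipped.
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+---
+.../tests/abrmd_policycountertimer.sh | 35 +++++++--
+test/integration/tests/abrmd_policynv.sh | 75 +++++++++++++------
+2 files changed, 78 insertions(+), 32 deletions(-)
+
+diff --git a/test/integration/tests/abrmd_policycountertimer.sh b/test/integration/tests/abrmd_policycountertimer.sh
+index 58fcf1b9..80afc541 100644
+--- a/test/integration/tests/abrmd_policycountertimer.sh
++++ b/test/integration/tests/abrmd_policycountertimer.sh
+@@ -11,6 +11,27 @@ cleanup() {
+fi
+}
+
++call_policy_countertimer () {
++ trap - ERR
++ output=$(tpm2 policycountertimer $@ 2>&1)
++ result=$?
++
++ if [ $result != 0 ] && echo $output | grep "ErrorCode.*0126" > /dev/null
++ then
++ echo "This test failed due to a TPM bug regarding signed comparison as described"
++ echo "in TCG's Errata for TCG Trusted Platform Module Library Revision 1.59 Version 1.4,"
++ echo "Section 2.5 TPM_EO – two’s complement"
++ tpm2 flushcontext session.ctx
++ skip_test
++ else
++ if [ $result != 0 ]; then
++ tpm2 flushcontext session.ctx
++ exit 1
++ fi
++ fi
++ trap onerror ERR
++}
++
+trap cleanup EXIT
+
+start_up
+@@ -25,8 +46,7 @@ tpm2 clear
+#
+tpm2 startauthsession -S session.ctx
+
+-tpm2 policycountertimer -S session.ctx -L policy.countertimer.minute --ult \
+-60000
++call_policy_countertimer -S session.ctx -L policy.countertimer.minute --ult 60000
+
+tpm2 flushcontext session.ctx
+
+@@ -42,8 +62,7 @@ tpm2 create -Q -u key.pub -r key.priv -i- -C prim.ctx \
+#
+tpm2 startauthsession -S session.ctx --policy-session
+
+-tpm2 policycountertimer -S session.ctx -L policy.countertimer.minute --ult \
+-60000
++call_policy_countertimer -S session.ctx -L policy.countertimer.minute --ult 60000
+
+tpm2 unseal -c key.ctx -p session:session.ctx
+
+@@ -54,7 +73,7 @@ tpm2 flushcontext session.ctx
+#
+tpm2 clear
+tpm2 startauthsession -S session.ctx --policy-session
+-tpm2 policycountertimer -S session.ctx --ult clock=60000
++call_policy_countertimer -S session.ctx --ult clock=60000
+tpm2 flushcontext session.ctx
+
+#
+@@ -63,7 +82,7 @@ tpm2 flushcontext session.ctx
+#
+tpm2 clear
+tpm2 startauthsession -S session.ctx --policy-session
+-tpm2 policycountertimer -S session.ctx safe
++call_policy_countertimer -S session.ctx safe
+tpm2 flushcontext session.ctx
+
+#
+@@ -72,7 +91,7 @@ tpm2 flushcontext session.ctx
+#
+tpm2 clear
+tpm2 startauthsession -S session.ctx --policy-session
+-tpm2 policycountertimer -S session.ctx resets=0
++call_policy_countertimer -S session.ctx resets=0
+tpm2 flushcontext session.ctx
+
+#
+@@ -81,7 +100,7 @@ tpm2 flushcontext session.ctx
+#
+tpm2 clear
+tpm2 startauthsession -S session.ctx --policy-session
+-tpm2 policycountertimer -S session.ctx restarts=0
++call_policy_countertimer -S session.ctx restarts=0
+tpm2 flushcontext session.ctx
+
+exit 0
+diff --git a/test/integration/tests/abrmd_policynv.sh b/test/integration/tests/abrmd_policynv.sh
+index b75cabb8..220edec0 100644
+--- a/test/integration/tests/abrmd_policynv.sh
++++ b/test/integration/tests/abrmd_policynv.sh
+@@ -36,10 +36,34 @@ evaluate_failing_test_case() {
+}
+
+evaluate_passing_test_case() {
+- tpm2 startauthsession -S session.ctx --policy-session
+- echo $operandB | xxd -r -p | \
+- tpm2 policynv -S session.ctx -i- -P nvpass $nv_test_index $1
+- tpm2 flushcontext session.ctx
++ tpm2 startauthsession -S session.ctx --policy-session
++ if [[ ${1:0:1} == "s" ]]; then
++ echo "Test sign: $1 $operandA $operandB"
++ # check whether sign compare fails with 0x126
++ trap - ERR
++ output=$(echo $operandB | xxd -r -p | \
++ tpm2 policynv -S session.ctx -i- -P nvpass $nv_test_index $1 2>&1)
++ result=$?
++ if [ $result != 0 ] && echo $output | grep "ErrorCode.*0126" > /dev/null
++ then
++ echo "This test failed due to a TPM bug regarding signed comparison as described"
++ echo "in TCG's Errata for TCG Trusted Platform Module Library Revision 1.59 Version 1.4,"
++ echo "Section 2.5 TPM_EO – two’s complement"
++ tpm2 flushcontext session.ctx
++ skip_test
++ else
++ if [ $result != 0 ]; then
++ tpm2 flushcontext session.ctx
++ exit 1
++ fi
++ fi
++ tpm2 flushcontext session.ctx
++ trap onerror ERR
++ else
++ echo $operandB | xxd -r -p | \
++ tpm2 policynv -S session.ctx -i- -P nvpass $nv_test_index $1
++ tpm2 flushcontext session.ctx
++ fi
+}
+
+trap cleanup EXIT
+@@ -70,40 +94,20 @@ evaluate_passing_test_case eq
+operandB=0x80
+evaluate_passing_test_case neq
+
+-# Perform comparison operation "sgt"
+-operandB=0x82
+-evaluate_passing_test_case sgt
+-
+# Perform comparison operation "ugt"
+operandB=0x80
+evaluate_passing_test_case ugt
+
+-# Perform comparison operation "slt"
+-operandB=0x80
+-evaluate_passing_test_case slt
+-
+# Perform comparison operation "ult"
+operandB=0x82
+evaluate_passing_test_case ult
+
+-# Perform comparison operation "sge"
+-operandB=0x82
+-evaluate_passing_test_case sge
+-operandB=0x81
+-evaluate_passing_test_case sge
+-
+# Perform comparison operation "uge"
+operandB=0x80
+evaluate_passing_test_case uge
+operandB=0x81
+evaluate_passing_test_case uge
+
+-# Perform comparison operation "sle"
+-operandB=0x80
+-evaluate_passing_test_case sle
+-operandB=0x81
+-evaluate_passing_test_case sle
+-
+# Perform comparison operation "ule"
+operandB=0x82
+evaluate_passing_test_case ule
+@@ -118,4 +122,27 @@ evaluate_passing_test_case bs
+operandB=0x7E
+evaluate_passing_test_case bc
+
++operandA=0xfe # -1
++echo $operandA | xxd -r -p | tpm2 nvwrite -P nvpass -i- $nv_test_index
++
++# Perform comparison operation "sgt"
++operandB=0xfd # -2
++evaluate_passing_test_case sgt
++
++# Perform comparison operation "slt"
++operandB=0xff # 0
++evaluate_passing_test_case slt
++
++# Perform comparison operation "sle"
++operandB=0xff #0
++evaluate_passing_test_case sle
++operandB=0xfe # -1
++evaluate_passing_test_case sle
++
++# Perform comparison operation "sge"
++operandB=0xfd # -2
++evaluate_passing_test_case sge
++operandB=0xfe # -1
++evaluate_passing_test_case sge
++
+exit 0
+--
+2.40.1
+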
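Review bot: The value comments on the new operands at `+operandA=0xfe # -1`, `+operandB=0xfd # -2` and `+operandB=0xff # 0` contradict the two's-complement reading the commit itself adopts, under which, taken as single bytes, 0xff is -1, 0xfe is -2 and 0xfd is -3 (the annotations look like ones'-complement values); the relative ordering the sgt/slt/sle/sge cases depend on is the same either way, so the tests still pass, but the comments should become `# -2`, `# -3` and `# -1`. In call_policy_countertimer the unquoted `$@` at `+ output=$(tpm2 policycountertimer $@ 2>&1)` re-splits arguments and should be `"$@"`, and the `exit 1` branch discards `$output`, so a genuine failure leaves no diagnostics in the log; an `echo "$output"` before the exit would preserve them. The same discard-on-failure pattern is repeated in evaluate_passing_test_case in abrmd_policynv.sh.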
159
0016-tpm2_eventlog.c-Fix-pcr-extension-for-EV_NO_ACTION.patch
Normal file
159
0016-tpm2_eventlog.c-Fix-pcr-extension-for-EV_NO_ACTION.patch
Normal file
@ -0,0 +1,159 @@
|
|||||||
|
From 2f6a737efddce480803c02a5e3b65ce739c6acf2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Juergen Repp <juergen_repp@web.de>
|
||||||
|
Date: Tue, 28 Mar 2023 17:29:36 +0200
|
||||||
|
Subject: [PATCH 16/17] tpm2_eventlog.c Fix pcr extension for EV_NO_ACTION
|
||||||
|
|
||||||
|
EV_NO_ACTION events should not be extended to PCR registers.
|
||||||
|
Fixes: #3224
|
||||||
|
|
||||||
|
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||||
|
---
|
||||||
|
lib/tpm2_eventlog.c | 14 +++++++++-----
|
||||||
|
lib/tpm2_eventlog.h | 2 +-
|
||||||
|
test/unit/test_tpm2_eventlog.c | 15 ++++++++-------
|
||||||
|
3 files changed, 18 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/tpm2_eventlog.c b/lib/tpm2_eventlog.c
|
||||||
|
index 1b59eeeb..e2e27f02 100644
|
||||||
|
--- a/lib/tpm2_eventlog.c
|
||||||
|
+++ b/lib/tpm2_eventlog.c
|
||||||
|
@@ -30,7 +30,8 @@ bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size,
|
||||||
|
* hold the digest. The size of the digest is passed to the callback in the
|
||||||
|
* 'size' parameter.
|
||||||
|
*/
|
||||||
|
-bool foreach_digest2(tpm2_eventlog_context *ctx, unsigned pcr_index, TCG_DIGEST2 const *digest, size_t count, size_t size) {
|
||||||
|
+bool foreach_digest2(tpm2_eventlog_context *ctx, UINT32 eventType, unsigned pcr_index,
|
||||||
|
+ TCG_DIGEST2 const *digest, size_t count, size_t size) {
|
||||||
|
|
||||||
|
if (digest == NULL) {
|
||||||
|
LOG_ERR("digest cannot be NULL");
|
||||||
|
@@ -80,7 +81,8 @@ bool foreach_digest2(tpm2_eventlog_context *ctx, unsigned pcr_index, TCG_DIGEST2
|
||||||
|
LOG_WARN("PCR%d algorithm %d unsupported", pcr_index, alg);
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (pcr && !tpm2_openssl_pcr_extend(alg, pcr, digest->Digest, alg_size)) {
|
||||||
|
+ if (eventType != EV_NO_ACTION && pcr &&
|
||||||
|
+ !tpm2_openssl_pcr_extend(alg, pcr, digest->Digest, alg_size)) {
|
||||||
|
LOG_ERR("PCR%d extend failed", pcr_index);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
@@ -179,7 +181,8 @@ bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size,
|
||||||
|
.data = digests_size,
|
||||||
|
.digest2_cb = digest2_accumulator_callback,
|
||||||
|
};
|
||||||
|
- ret = foreach_digest2(&ctx, eventhdr->PCRIndex,
|
||||||
|
+ ret = foreach_digest2(&ctx, eventhdr->EventType,
|
||||||
|
+ eventhdr->PCRIndex,
|
||||||
|
eventhdr->Digests, eventhdr->DigestCount,
|
||||||
|
buf_size - sizeof(*eventhdr));
|
||||||
|
if (ret != true) {
|
||||||
|
@@ -216,7 +219,7 @@ bool parse_sha1_log_event(tpm2_eventlog_context *ctx, TCG_EVENT const *event, si
|
||||||
|
*event_size = sizeof(*event);
|
||||||
|
|
||||||
|
pcr = ctx->sha1_pcrs[ event->pcrIndex];
|
||||||
|
- if (pcr) {
|
||||||
|
+ if (event->eventType != EV_NO_ACTION && pcr) {
|
||||||
|
tpm2_openssl_pcr_extend(TPM2_ALG_SHA1, pcr, &event->digest[0], 20);
|
||||||
|
ctx->sha1_used |= (1 << event->pcrIndex);
|
||||||
|
}
|
||||||
|
@@ -451,7 +454,8 @@ bool foreach_event2(tpm2_eventlog_context *ctx, TCG_EVENT_HEADER2 const *eventhd
|
||||||
|
}
|
||||||
|
|
||||||
|
/* digest callback foreach digest */
|
||||||
|
- ret = foreach_digest2(ctx, eventhdr->PCRIndex, eventhdr->Digests, eventhdr->DigestCount, digests_size);
|
||||||
|
+ ret = foreach_digest2(ctx, eventhdr->EventType, eventhdr->PCRIndex,
|
||||||
|
+ eventhdr->Digests, eventhdr->DigestCount, digests_size);
|
||||||
|
if (ret != true) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
diff --git a/lib/tpm2_eventlog.h b/lib/tpm2_eventlog.h
|
||||||
|
index 2a91ed60..f141e806 100644
|
||||||
|
--- a/lib/tpm2_eventlog.h
|
||||||
|
+++ b/lib/tpm2_eventlog.h
|
||||||
|
@@ -44,7 +44,7 @@ bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size,
|
||||||
|
void *data);
|
||||||
|
|
||||||
|
bool parse_event2body(TCG_EVENT2 const *event, UINT32 type);
|
||||||
|
-bool foreach_digest2(tpm2_eventlog_context *ctx, unsigned pcr_index,
|
||||||
|
+bool foreach_digest2(tpm2_eventlog_context *ctx, UINT32 eventType, unsigned pcr_index,
|
||||||
|
TCG_DIGEST2 const *event_hdr, size_t count, size_t size);
|
||||||
|
bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size,
|
||||||
|
size_t *event_size, size_t *digests_size);
|
||||||
|
diff --git a/test/unit/test_tpm2_eventlog.c b/test/unit/test_tpm2_eventlog.c
|
||||||
|
index ebf50e80..e48404d8 100644
|
||||||
|
--- a/test/unit/test_tpm2_eventlog.c
|
||||||
|
+++ b/test/unit/test_tpm2_eventlog.c
|
||||||
|
@@ -27,7 +27,7 @@ static void test_foreach_digest2_null(void **state){
|
||||||
|
(void)state;
|
||||||
|
tpm2_eventlog_context ctx = {0};
|
||||||
|
|
||||||
|
- assert_false(foreach_digest2(&ctx, 0, NULL, 0, sizeof(TCG_DIGEST2)));
|
||||||
|
+ assert_false(foreach_digest2(&ctx, 0, 0, NULL, 0, sizeof(TCG_DIGEST2)));
|
||||||
|
}
|
||||||
|
static void test_foreach_digest2_size(void **state) {
|
||||||
|
|
||||||
|
@@ -36,7 +36,7 @@ static void test_foreach_digest2_size(void **state) {
|
||||||
|
TCG_DIGEST2 *digest = (TCG_DIGEST2*)buf;
|
||||||
|
tpm2_eventlog_context ctx = { .digest2_cb = foreach_digest2_test_callback };
|
||||||
|
|
||||||
|
- assert_false(foreach_digest2(&ctx, 0, digest, 1, sizeof(TCG_DIGEST2) - 1));
|
||||||
|
+ assert_false(foreach_digest2(&ctx, 0, 0, digest, 1, sizeof(TCG_DIGEST2) - 1));
|
||||||
|
}
|
||||||
|
static void test_foreach_digest2(void **state) {
|
||||||
|
|
||||||
|
@@ -47,7 +47,7 @@ static void test_foreach_digest2(void **state) {
|
||||||
|
will_return(foreach_digest2_test_callback, true);
|
||||||
|
|
||||||
|
tpm2_eventlog_context ctx = { .digest2_cb = foreach_digest2_test_callback };
|
||||||
|
- assert_true(foreach_digest2(&ctx, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
|
||||||
|
+ assert_true(foreach_digest2(&ctx, 0, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
|
||||||
|
}
|
||||||
|
static void test_foreach_digest2_cbnull(void **state){
|
||||||
|
|
||||||
|
@@ -56,7 +56,7 @@ static void test_foreach_digest2_cbnull(void **state){
|
||||||
|
TCG_DIGEST2* digest = (TCG_DIGEST2*)buf;
|
||||||
|
|
||||||
|
tpm2_eventlog_context ctx = {0};
|
||||||
|
- assert_true(foreach_digest2(&ctx, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
|
||||||
|
+ assert_true(foreach_digest2(&ctx, 0, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
|
||||||
|
}
|
||||||
|
static void test_sha1(void **state){
|
||||||
|
|
||||||
|
@@ -73,7 +73,7 @@ static void test_sha1(void **state){
|
||||||
|
memcpy(digest->Digest, "the magic words are:", TPM2_SHA1_DIGEST_SIZE);
|
||||||
|
|
||||||
|
tpm2_eventlog_context ctx = {0};
|
||||||
|
- assert_true(foreach_digest2(&ctx, pcr_index, digest, 1, TCG_DIGEST2_SHA1_SIZE));
|
||||||
|
+ assert_true(foreach_digest2(&ctx, 0, pcr_index, digest, 1, TCG_DIGEST2_SHA1_SIZE));
|
||||||
|
assert_memory_equal(ctx.sha1_pcrs[pcr_index], sha1sum, sizeof(sha1sum));
|
||||||
|
}
|
||||||
|
static void test_sha256(void **state){
|
||||||
|
@@ -93,7 +93,7 @@ static void test_sha256(void **state){
|
||||||
|
memcpy(digest->Digest, "The Magic Words are Squeamish Ossifrage, for RSA-129 (from 1977)", TPM2_SHA256_DIGEST_SIZE);
|
||||||
|
|
||||||
|
tpm2_eventlog_context ctx = {0};
|
||||||
|
- assert_true(foreach_digest2(&ctx, pcr_index, digest, 1, TCG_DIGEST2_SHA256_SIZE));
|
||||||
|
+ assert_true(foreach_digest2(&ctx, 0, pcr_index, digest, 1, TCG_DIGEST2_SHA256_SIZE));
|
||||||
|
assert_memory_equal(ctx.sha256_pcrs[pcr_index], sha256sum, sizeof(sha256sum));
|
||||||
|
}
|
||||||
|
static void test_foreach_digest2_cbfail(void **state){
|
||||||
|
@@ -105,7 +105,7 @@ static void test_foreach_digest2_cbfail(void **state){
|
||||||
|
will_return(foreach_digest2_test_callback, false);
|
||||||
|
|
||||||
|
tpm2_eventlog_context ctx = { .digest2_cb = foreach_digest2_test_callback };
|
||||||
|
- assert_false(foreach_digest2(&ctx, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
|
||||||
|
+ assert_false(foreach_digest2(&ctx, 0, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
|
||||||
|
}
|
||||||
|
static void test_digest2_accumulator_callback(void **state) {
|
||||||
|
|
||||||
|
@@ -292,6 +292,7 @@ static void test_foreach_event2_parse_event2body_fail(void **state){
|
||||||
|
|
||||||
|
eventhdr->DigestCount = 1;
|
||||||
|
eventhdr->EventType = EV_EFI_VARIABLE_BOOT;
|
||||||
|
+ eventhdr->PCRIndex = 0;
|
||||||
|
digest->AlgorithmId = TPM2_ALG_SHA1;
|
||||||
|
event->EventSize = 1;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.40.1
|
||||||
|
|
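--- /dev/null
+++ b/0017-kdfa.c-Fix-problem-with-FORTIFY_SOURCE-on-Fedora.patch
@@ -0,0 +1,52 @@
+From 72b6a5497df8757987dfedd6263346154adb921e Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Mon, 6 Mar 2023 12:16:05 +0100
+Subject: [PATCH 17/17] kdfa.c Fix problem with FORTIFY_SOURCE on Fedora
+
+The original kdfa implementation did produce an error caused by the flags
+-flto -_FORTIFY_SOURCE=3 on Fedora rawhide.
+This error can be avoided by switching off the optimization with pragma.
+Fixes: #3210.
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+---
+lib/tpm2_kdfa.c | 19 +++++++++++++++++++
+1 file changed, 19 insertions(+)
+
+diff --git a/lib/tpm2_kdfa.c b/lib/tpm2_kdfa.c
+index 5eb8d558..e97c06f6 100644
+--- a/lib/tpm2_kdfa.c
++++ b/lib/tpm2_kdfa.c
+@@ -13,6 +13,15 @@
+#include "tpm2_kdfa.h"
+#include "tpm2_openssl.h"
+
++/*
++ * Disable optimization because of an error in FORTIFY_SOURCE
++ */
++
++#ifdef _FORTIFY_SOURCE
++#pragma GCC push_options
++#pragma GCC optimize ("O0")
++#endif
++
+TSS2_RC tpm2_kdfa(TPMI_ALG_HASH hash_alg, TPM2B *key, char *label,
+TPM2B *context_u, TPM2B *context_v, UINT16 bits,
+TPM2B_MAX_BUFFER *result_key) {
+@@ -139,3 +148,13 @@ err:
+
+return rval;
+}
++#ifdef _FORTIFY_SOURCE
++
++#endif
++
++#ifdef _FORTIFY_SOURCE
++#pragma GCC pop_options
++#endif
++
++
++
+--
+2.40.1
+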
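Review bot: The `#pragma GCC optimize ("O0")` block placed in front of `tpm2_kdfa` does not fix whatever `_FORTIFY_SOURCE=3` flagged, it switches the fortified bounds checks off for this function, because those compile-time object-size checks rely on optimization; if the diagnostic pointed at a real overrun in how the KDF fills the fixed-size `TPM2B_MAX_BUFFER *result_key`, the defect is now hidden at compile time and unchecked at run time inside a key-derivation routine. The comment only says "an error in FORTIFY_SOURCE", so it should at least name the diagnostic and whether it was judged a false positive, e.g. `/* Work around a -D_FORTIFY_SOURCE=3 diagnostic (upstream #3210, believed to be a false positive); note this also disables fortify checks for this function. */`, and the root cause should be confirmed rather than presumed. The second hunk also adds an empty `#ifdef _FORTIFY_SOURCE` / `#endif` pair before the `pop_options` one, which does nothing and should be dropped. The body of `tpm2_kdfa` lies outside both hunks, so the copy that triggered the diagnostic is not visible here.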
434
add_pregenerated_doc.patch
Normal file
434
add_pregenerated_doc.patch
Normal file
@ -0,0 +1,434 @@
|
|||||||
|
diff --git a/man/man1/tpm2_encodeobject.1 b/man/man1/tpm2_encodeobject.1
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..9b616bb0
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/man/man1/tpm2_encodeobject.1
|
||||||
|
@@ -0,0 +1,428 @@
|
||||||
|
+.\" Automatically generated by Pandoc 2.5
|
||||||
|
+.\"
|
||||||
|
+.TH "tpm2_encodeobject" "1" "" "tpm2\-tools" "General Commands Manual"
|
||||||
|
+.hy
|
||||||
|
+.SH NAME
|
||||||
|
+.PP
|
||||||
|
+\f[B]tpm2_encodeobject\f[R](1) \- Encode an object into a combined PEM
|
||||||
|
+format.
|
||||||
|
+.SH SYNOPSIS
|
||||||
|
+.PP
|
||||||
|
+\f[B]tpm2_encodeobject\f[R] [\f[I]OPTIONS\f[R]]
|
||||||
|
+.SH DESCRIPTION
|
||||||
|
+.PP
|
||||||
|
+\f[B]tpm2_encodeobject\f[R](1) \- Encode both the private and public
|
||||||
|
+portions of an object into a combined PEM format used by
|
||||||
|
+tpm2\-tss\-engine.
|
||||||
|
+.PP
|
||||||
|
+The tool reads private and public portions of an object and encodes it
|
||||||
|
+into a combined PEM format used by tpm2\-tss\-engine and other
|
||||||
|
+applications.
|
||||||
|
+.PP
|
||||||
|
+\f[B]NOTE\f[R]: Both private and public portions of the tpm key must be
|
||||||
|
+specified.
|
||||||
|
+.SH OPTIONS
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+\f[B]\-C\f[R], \f[B]\-\-parent\-context\f[R]=\f[I]OBJECT\f[R]:
|
||||||
|
+.RS 2
|
||||||
|
+.PP
|
||||||
|
+The parent object.
|
||||||
|
+.RE
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+\f[B]\-P\f[R], \f[B]\-\-auth\f[R]=\f[I]AUTH\f[R]:
|
||||||
|
+.RS 2
|
||||||
|
+.PP
|
||||||
|
+The authorization value of the parent object specified by \f[B]\-C\f[R].
|
||||||
|
+.RE
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+\f[B]\-u\f[R], \f[B]\-\-public\f[R]=\f[I]FILE\f[R]:
|
||||||
|
+.RS 2
|
||||||
|
+.PP
|
||||||
|
+A file containing the public portion of the object.
|
||||||
|
+.RE
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+\f[B]\-r\f[R], \f[B]\-\-private\f[R]=\f[I]FILE\f[R]:
|
||||||
|
+.RS 2
|
||||||
|
+.PP
|
||||||
|
+A file containing the sensitive portion of the object.
|
||||||
|
+.RE
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+\f[B]\-p\f[R], \f[B]\-\-key\-auth\f[R]:
|
||||||
|
+.RS 2
|
||||||
|
+.PP
|
||||||
|
+Indicates if an authorization value is needed for the object specified
|
||||||
|
+by \f[B]\-r\f[R] and \f[B]\-u\f[R].
|
||||||
|
+.RE
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+\f[B]\-o\f[R], \f[B]\-\-output\f[R]=\f[I]FILE\f[R]:
|
||||||
|
+.RS 2
|
||||||
|
+.PP
|
||||||
|
+The output file path, recording the public portion of the object.
|
||||||
|
+.RE
|
||||||
|
+.SS References
|
||||||
|
+.SH Context Object Format
|
||||||
|
+.PP
|
||||||
|
+The type of a context object, whether it is a handle or file name, is
|
||||||
|
+determined according to the following logic \f[I]in\-order\f[R]:
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+If the argument is a file path, then the file is loaded as a restored
|
||||||
|
+TPM transient object.
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+If the argument is a \f[I]prefix\f[R] match on one of:
|
||||||
|
+.RS 2
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+owner: the owner hierarchy
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+platform: the platform hierarchy
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+endorsement: the endorsement hierarchy
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+lockout: the lockout control persistent object
|
||||||
|
+.RE
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+If the argument argument can be loaded as a number it will be treat as a
|
||||||
|
+handle, e.g.\ 0x81010013 and used directly._OBJECT_.
|
||||||
|
+.SH Authorization Formatting
|
||||||
|
+.PP
|
||||||
|
+Authorization for use of an object in TPM2.0 can come in 3 different
|
||||||
|
+forms: 1.
|
||||||
|
+Password 2.
|
||||||
|
+HMAC 3.
|
||||||
|
+Sessions
|
||||||
|
+.PP
|
||||||
|
+\f[B]NOTE:\f[R] \[lq]Authorizations default to the \f[B]EMPTY
|
||||||
|
+PASSWORD\f[R] when not specified\[rq].
|
||||||
|
+.SS Passwords
|
||||||
|
+.PP
|
||||||
|
+Passwords are interpreted in the following forms below using prefix
|
||||||
|
+identifiers.
|
||||||
|
+.PP
|
||||||
|
+\f[B]Note\f[R]: By default passwords are assumed to be in the string
|
||||||
|
+form when they do not have a prefix.
|
||||||
|
+.SS String
|
||||||
|
+.PP
|
||||||
|
+A string password, specified by prefix \[lq]str:\[rq] or it\[cq]s
|
||||||
|
+absence (raw string without prefix) is not interpreted, and is directly
|
||||||
|
+used for authorization.
|
||||||
|
+.SS Examples
|
||||||
|
+.IP
|
||||||
|
+.nf
|
||||||
|
+\f[C]
|
||||||
|
+foobar
|
||||||
|
+str:foobar
|
||||||
|
+\f[R]
|
||||||
|
+.fi
|
||||||
|
+.SS Hex\-string
|
||||||
|
+.PP
|
||||||
|
+A hex\-string password, specified by prefix \[lq]hex:\[rq] is converted
|
||||||
|
+from a hexidecimal form into a byte array form, thus allowing passwords
|
||||||
|
+with non\-printable and/or terminal un\-friendly characters.
|
||||||
|
+.SS Example
|
||||||
|
+.IP
|
||||||
|
+.nf
|
||||||
|
+\f[C]
|
||||||
|
+hex:1122334455667788
|
||||||
|
+\f[R]
|
||||||
|
+.fi
|
||||||
|
+.SS File
|
||||||
|
+.PP
|
||||||
|
+A file based password, specified be prefix \[lq]file:\[rq] should be the
|
||||||
|
+path of a file containing the password to be read by the tool or a
|
||||||
|
+\[lq]\-\[rq] to use stdin.
|
||||||
|
+Storing passwords in files prevents information leakage, passwords
|
||||||
|
+passed as options can be read from the process list or common shell
|
||||||
|
+history features.
|
||||||
|
+.SS Examples
|
||||||
|
+.IP
|
||||||
|
+.nf
|
||||||
|
+\f[C]
|
||||||
|
+# to use stdin and be prompted
|
||||||
|
+file:\-
|
||||||
|
+
|
||||||
|
+# to use a file from a path
|
||||||
|
+file:path/to/password/file
|
||||||
|
+
|
||||||
|
+# to echo a password via stdin:
|
||||||
|
+echo foobar | tpm2_tool \-p file:\-
|
||||||
|
+
|
||||||
|
+# to use a bash here\-string via stdin:
|
||||||
|
+
|
||||||
|
+tpm2_tool \-p file:\- <<< foobar
|
||||||
|
+\f[R]
|
||||||
|
+.fi
|
||||||
|
+.SS Sessions
|
||||||
|
+.PP
|
||||||
|
+When using a policy session to authorize the use of an object, prefix
|
||||||
|
+the option argument with the \f[I]session\f[R] keyword.
|
||||||
|
+Then indicate a path to a session file that was created with
|
||||||
|
+tpm2_startauthsession(1).
|
||||||
|
+Optionally, if the session requires an auth value to be sent with the
|
||||||
|
+session handle (eg policy password), then append a + and a string as
|
||||||
|
+described in the \f[B]Passwords\f[R] section.
|
||||||
|
+.SS Examples
|
||||||
|
+.PP
|
||||||
|
+To use a session context file called \f[I]session.ctx\f[R].
|
||||||
|
+.IP
|
||||||
|
+.nf
|
||||||
|
+\f[C]
|
||||||
|
+session:session.ctx
|
||||||
|
+\f[R]
|
||||||
|
+.fi
|
||||||
|
+.PP
|
||||||
|
+To use a session context file called \f[I]session.ctx\f[R] \f[B]AND\f[R]
|
||||||
|
+send the authvalue mypassword.
|
||||||
|
+.IP
|
||||||
|
+.nf
|
||||||
|
+\f[C]
|
||||||
|
+session:session.ctx+mypassword
|
||||||
|
+\f[R]
|
||||||
|
+.fi
|
||||||
|
+.PP
|
||||||
|
+To use a session context file called \f[I]session.ctx\f[R] \f[B]AND\f[R]
|
||||||
|
+send the \f[I]HEX\f[R] authvalue 0x11223344.
|
||||||
|
+.IP
|
||||||
|
+.nf
|
||||||
|
+\f[C]
|
||||||
|
+session:session.ctx+hex:11223344
|
||||||
|
+\f[R]
|
||||||
|
+.fi
|
||||||
|
+.SS PCR Authorizations
|
||||||
|
+.PP
|
||||||
|
+You can satisfy a PCR policy using the \[lq]pcr:\[rq] prefix and the PCR
|
||||||
|
+minilanguage.
|
||||||
|
+The PCR minilanguage is as follows:
|
||||||
|
+\f[C]<pcr\-spec>=<raw\-pcr\-file>\f[R]
|
||||||
|
+.PP
|
||||||
|
+The PCR spec is documented in in the section \[lq]PCR bank
|
||||||
|
+specifiers\[rq].
|
||||||
|
+.PP
|
||||||
|
+The \f[C]raw\-pcr\-file\f[R] is an \f[B]optional\f[R] argument that
|
||||||
|
+contains the output of the raw PCR contents as returned by
|
||||||
|
+\f[I]tpm2_pcrread(1)\f[R].
|
||||||
|
+.PP
|
||||||
|
+PCR bank specifiers (pcr.md)
|
||||||
|
+.SS Examples
|
||||||
|
+.PP
|
||||||
|
+To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifier
|
||||||
|
+of:
|
||||||
|
+.IP
|
||||||
|
+.nf
|
||||||
|
+\f[C]
|
||||||
|
+pcr:sha256:0,1,2,3
|
||||||
|
+\f[R]
|
||||||
|
+.fi
|
||||||
|
+.PP
|
||||||
|
+specifying \f[I]AUTH\f[R].
|
||||||
|
+.SH COMMON OPTIONS
|
||||||
|
+.PP
|
||||||
|
+This collection of options are common to many programs and provide
|
||||||
|
+information that many users may expect.
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+\f[B]\-h\f[R], \f[B]\-\-help=[man|no\-man]\f[R]: Display the tools
|
||||||
|
+manpage.
|
||||||
|
+By default, it attempts to invoke the manpager for the tool, however, on
|
||||||
|
+failure will output a short tool summary.
|
||||||
|
+This is the same behavior if the \[lq]man\[rq] option argument is
|
||||||
|
+specified, however if explicit \[lq]man\[rq] is requested, the tool will
|
||||||
|
+provide errors from man on stderr.
|
||||||
|
+If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the
|
||||||
|
+short options will be output to stdout.
|
||||||
|
+.RS 2
|
||||||
|
+.PP
|
||||||
|
+To successfully use the manpages feature requires the manpages to be
|
||||||
|
+installed or on \f[I]MANPATH\f[R], See man(1) for more details.
|
||||||
|
+.RE
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+\f[B]\-v\f[R], \f[B]\-\-version\f[R]: Display version information for
|
||||||
|
+this tool, supported tctis and exit.
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+\f[B]\-V\f[R], \f[B]\-\-verbose\f[R]: Increase the information that the
|
||||||
|
+tool prints to the console during its execution.
|
||||||
|
+When using this option the file and line number are printed.
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+\f[B]\-Q\f[R], \f[B]\-\-quiet\f[R]: Silence normal tool output to
|
||||||
|
+stdout.
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+\f[B]\-Z\f[R], \f[B]\-\-enable\-errata\f[R]: Enable the application of
|
||||||
|
+errata fixups.
|
||||||
|
+Useful if an errata fixup needs to be applied to commands sent to the
|
||||||
|
+TPM.
|
||||||
|
+Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.
|
||||||
|
+information many users may expect.
|
||||||
|
+.SH TCTI Configuration
|
||||||
|
+.PP
|
||||||
|
+The TCTI or \[lq]Transmission Interface\[rq] is the communication
|
||||||
|
+mechanism with the TPM.
|
||||||
|
+TCTIs can be changed for communication with TPMs across different
|
||||||
|
+mediums.
|
||||||
|
+.PP
|
||||||
|
+To control the TCTI, the tools respect:
|
||||||
|
+.IP "1." 3
|
||||||
|
+The command line option \f[B]\-T\f[R] or \f[B]\-\-tcti\f[R]
|
||||||
|
+.IP "2." 3
|
||||||
|
+The environment variable: \f[I]TPM2TOOLS_TCTI\f[R].
|
||||||
|
+.PP
|
||||||
|
+\f[B]Note:\f[R] The command line option always overrides the environment
|
||||||
|
+variable.
|
||||||
|
+.PP
|
||||||
|
+The current known TCTIs are:
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+tabrmd \- The resource manager, called
|
||||||
|
+tabrmd (https://github.com/tpm2-software/tpm2-abrmd).
|
||||||
|
+Note that tabrmd and abrmd as a tcti name are synonymous.
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+mssim \- Typically used for communicating to the TPM software simulator.
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+device \- Used when talking directly to a TPM device file.
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+none \- Do not initalize a connection with the TPM.
|
||||||
|
+Some tools allow for off\-tpm options and thus support not using a TCTI.
|
||||||
|
+Tools that do not support it will error when attempted to be used
|
||||||
|
+without a TCTI connection.
|
||||||
|
+Does not support \f[I]ANY\f[R] options and \f[I]MUST BE\f[R] presented
|
||||||
|
+as the exact text of \[lq]none\[rq].
|
||||||
|
+.PP
|
||||||
|
+The arguments to either the command line option or the environment
|
||||||
|
+variable are in the form:
|
||||||
|
+.PP
|
||||||
|
+\f[C]<tcti\-name>:<tcti\-option\-config>\f[R]
|
||||||
|
+.PP
|
||||||
|
+Specifying an empty string for either the \f[C]<tcti\-name>\f[R] or
|
||||||
|
+\f[C]<tcti\-option\-config>\f[R] results in the default being used for
|
||||||
|
+that portion respectively.
|
||||||
|
+.SS TCTI Defaults
|
||||||
|
+.PP
|
||||||
|
+When a TCTI is not specified, the default TCTI is searched for using
|
||||||
|
+\f[I]dlopen(3)\f[R] semantics.
|
||||||
|
+The tools will search for \f[I]tabrmd\f[R], \f[I]device\f[R] and
|
||||||
|
+\f[I]mssim\f[R] TCTIs \f[B]IN THAT ORDER\f[R] and \f[B]USE THE FIRST ONE
|
||||||
|
+FOUND\f[R].
|
||||||
|
+You can query what TCTI will be chosen as the default by using the
|
||||||
|
+\f[B]\-v\f[R] option to print the version information.
|
||||||
|
+The \[lq]default\-tcti\[rq] key\-value pair will indicate which of the
|
||||||
|
+aforementioned TCTIs is the default.
|
||||||
|
+.SS Custom TCTIs
|
||||||
|
+.PP
|
||||||
|
+Any TCTI that implements the dynamic TCTI interface can be loaded.
|
||||||
|
+The tools internally use \f[I]dlopen(3)\f[R], and the raw
|
||||||
|
+\f[I]tcti\-name\f[R] value is used for the lookup.
|
||||||
|
+Thus, this could be a path to the shared library, or a library name as
|
||||||
|
+understood by \f[I]dlopen(3)\f[R] semantics.
|
||||||
|
+.SH TCTI OPTIONS
|
||||||
|
+.PP
|
||||||
|
+This collection of options are used to configure the various known TCTI
|
||||||
|
+modules available:
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+\f[B]device\f[R]: For the device TCTI, the TPM character device file for
|
||||||
|
+use by the device TCTI can be specified.
|
||||||
|
+The default is \f[I]/dev/tpm0\f[R].
|
||||||
|
+.RS 2
|
||||||
|
+.PP
|
||||||
|
+Example: \f[B]\-T device:/dev/tpm0\f[R] or \f[B]export
|
||||||
|
+\f[BI]TPM2TOOLS_TCTI\f[B]=\[lq]device:/dev/tpm0\[rq]\f[R]
|
||||||
|
+.RE
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+\f[B]mssim\f[R]: For the mssim TCTI, the domain name or IP address and
|
||||||
|
+port number used by the simulator can be specified.
|
||||||
|
+The default are 127.0.0.1 and 2321.
|
||||||
|
+.RS 2
|
||||||
|
+.PP
|
||||||
|
+Example: \f[B]\-T mssim:host=localhost,port=2321\f[R] or \f[B]export
|
||||||
|
+\f[BI]TPM2TOOLS_TCTI\f[B]=\[lq]mssim:host=localhost,port=2321\[rq]\f[R]
|
||||||
|
+.RE
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+\f[B]abrmd\f[R]: For the abrmd TCTI, the configuration string format is
|
||||||
|
+a series of simple key value pairs separated by a `,' character.
|
||||||
|
+Each key and value string are separated by a `=' character.
|
||||||
|
+.RS 2
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+TCTI abrmd supports two keys:
|
||||||
|
+.RS 2
|
||||||
|
+.IP "1." 3
|
||||||
|
+`bus_name' : The name of the tabrmd service on the bus (a string).
|
||||||
|
+.IP "2." 3
|
||||||
|
+`bus_type' : The type of the dbus instance (a string) limited to
|
||||||
|
+`session' and `system'.
|
||||||
|
+.RE
|
||||||
|
+.PP
|
||||||
|
+Specify the tabrmd tcti name and a config string of
|
||||||
|
+\f[C]bus_name=com.example.FooBar\f[R]:
|
||||||
|
+.IP
|
||||||
|
+.nf
|
||||||
|
+\f[C]
|
||||||
|
+\[rs]\-\-tcti=tabrmd:bus_name=com.example.FooBar
|
||||||
|
+\f[R]
|
||||||
|
+.fi
|
||||||
|
+.PP
|
||||||
|
+Specify the default (abrmd) tcti and a config string of
|
||||||
|
+\f[C]bus_type=session\f[R]:
|
||||||
|
+.IP
|
||||||
|
+.nf
|
||||||
|
+\f[C]
|
||||||
|
+\[rs]\-\-tcti:bus_type=session
|
||||||
|
+\f[R]
|
||||||
|
+.fi
|
||||||
|
+.PP
|
||||||
|
+\f[B]NOTE\f[R]: abrmd and tabrmd are synonymous.
|
||||||
|
+the various known TCTI modules.
|
||||||
|
+.RE
|
||||||
|
+.SH EXAMPLES
|
||||||
|
+.SS Setup
|
||||||
|
+.PP
|
||||||
|
+To load an object you first must create an object under a primary
|
||||||
|
+object.
|
||||||
|
+So the first step is to create the primary object.
|
||||||
|
+.IP
|
||||||
|
+.nf
|
||||||
|
+\f[C]
|
||||||
|
+tpm2_createprimary \-c primary.ctx
|
||||||
|
+\f[R]
|
||||||
|
+.fi
|
||||||
|
+.PP
|
||||||
|
+Step 2 is to create an object under the primary object.
|
||||||
|
+.IP
|
||||||
|
+.nf
|
||||||
|
+\f[C]
|
||||||
|
+tpm2_create \-C primary.ctx \-u key.pub \-r key.priv \-f pem \-o pub.pem
|
||||||
|
+\f[R]
|
||||||
|
+.fi
|
||||||
|
+.PP
|
||||||
|
+This creates the private and public portions of the TPM object.
|
||||||
|
+With these object portions, it is now possible to load that object into
|
||||||
|
+the TPM for subsequent use.
|
||||||
|
+.SS Encoding an Object into a combined PEM format
|
||||||
|
+.PP
|
||||||
|
+The final step, is encoding the public and private portions of the
|
||||||
|
+object into a PEM format.
|
||||||
|
+.IP
|
||||||
|
+.nf
|
||||||
|
+\f[C]
|
||||||
|
+tpm2_encodeobject \-C primary.ctx \-u key.pub \-r key.priv \-o priv.pem
|
||||||
|
+\f[R]
|
||||||
|
+.fi
|
||||||
|
+.PP
|
||||||
|
+The generated \f[C]priv.pem\f[R] can be used together with
|
||||||
|
+\f[C]pub.pem\f[R] created in the step 2 of Setup section.
|
||||||
|
+.SH Returns
|
||||||
|
+.PP
|
||||||
|
+Tools can return any of the following codes:
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+0 \- Success.
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+1 \- General non\-specific error.
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+2 \- Options handling error.
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+3 \- Authentication error.
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+4 \- TCTI related error.
|
||||||
|
+.IP \[bu] 2
|
||||||
|
+5 \- Non supported scheme.
|
||||||
|
+Applicable to tpm2_testparams.
|
||||||
|
+.SH BUGS
|
||||||
|
+.PP
|
||||||
|
+Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
|
||||||
|
+.SH HELP
|
||||||
|
+.PP
|
||||||
|
+See the Mailing
|
||||||
|
+List (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
Name: tpm2-tools
|
Name: tpm2-tools
|
||||||
Version: 5.2
|
Version: 5.2
|
||||||
Release: 2%{?candidate:.%{candidate}}%{?dist}
|
Release: 3%{?candidate:.%{candidate}}%{?dist}
|
||||||
Summary: A bunch of TPM testing toolS build upon tpm2-tss
|
Summary: A bunch of TPM testing toolS build upon tpm2-tss
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
@ -20,6 +20,24 @@ Patch8: 0006-test-track-expected-YAML-output-for-eventlog.patch
|
|||||||
Patch9: 0007-tpm2_eventlog_yaml-fix-parsing-for-MokListTrusted.patch
|
Patch9: 0007-tpm2_eventlog_yaml-fix-parsing-for-MokListTrusted.patch
|
||||||
Patch10: 0008-tests-add-eventlog-for-parsing-MokListTrusted.patch
|
Patch10: 0008-tests-add-eventlog-for-parsing-MokListTrusted.patch
|
||||||
Patch11: 0009-tpm2_eventlog_yaml-use-defines-for-Unicode-variables.patch
|
Patch11: 0009-tpm2_eventlog_yaml-use-defines-for-Unicode-variables.patch
|
||||||
|
Patch101: 0001-Fix-nv_readpublic.patch
|
||||||
|
Patch102: 0002-tpm2_encodeobject-New-tool-to-encode-TPM2-object.patch
|
||||||
|
Patch103: 0003-tools-tpm2_evictconrol-fix-for-call-to-Esys_TR_Close.patch
|
||||||
|
Patch104: 0004-Fix-argument-parsing-in-tpm2_policylocality.patch
|
||||||
|
Patch105: 0005-tools-tpm2_tool.c-Fix-an-issue-where-LOG_WARN-is-alw.patch
|
||||||
|
Patch106: 0006-import-fix-bug-on-using-scheme.patch
|
||||||
|
Patch107: 0007-tpm2_policyor-fix-unallocated-policy-list.patch
|
||||||
|
Patch108: 0008-lib-tpm2_alg_util.c-Fix-potential-null-pointer-deref.patch
|
||||||
|
Patch109: 0009-tss2_provision-fix-usage-of-L-parameter.patch
|
||||||
|
Patch110: 0010-tpm2_encodeobject-fix-formatting.patch
|
||||||
|
Patch111: 0011-tpm2_encodeobject-fix-auth-boolean-flag.patch
|
||||||
|
Patch112: 0012-bugfix-fix-convert-sm2-public-key-in-openssl3.patch
|
||||||
|
Patch113: 0013-readpublic-fix-reading-and-writing-serialized-trs.patch
|
||||||
|
Patch114: 0014-fix-wrong-function-name-of-Esys_Load.patch
|
||||||
|
Patch115: 0015-tpm-errata-switch-to-twos-complement.patch
|
||||||
|
Patch116: 0016-tpm2_eventlog.c-Fix-pcr-extension-for-EV_NO_ACTION.patch
|
||||||
|
Patch117: 0017-kdfa.c-Fix-problem-with-FORTIFY_SOURCE-on-Fedora.patch
|
||||||
|
Patch118: add_pregenerated_doc.patch
|
||||||
|
|
||||||
BuildRequires: git
|
BuildRequires: git
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
@ -71,6 +89,12 @@ autoreconf -i
|
|||||||
%{_mandir}/man1/tss2_*.1.gz
|
%{_mandir}/man1/tss2_*.1.gz
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed May 24 2023 Štěpán Horáček <shoracek@redhat.com> - 5.2-3
|
||||||
|
- Backport fixes.
|
||||||
|
- Add tpm2_encodeobject tool.
|
||||||
|
Resolves: rhbz#2160304
|
||||||
|
Resolves: rhbz#2047342
|
||||||
|
|
||||||
* Wed Oct 19 2022 Štěpán Horáček <shoracek@redhat.com> - 5.2-2
|
* Wed Oct 19 2022 Štěpán Horáček <shoracek@redhat.com> - 5.2-2
|
||||||
- Fix eventlog output.
|
- Fix eventlog output.
|
||||||
Resolves: rhbz#2136215
|
Resolves: rhbz#2136215
|
||||||