Update to 3.2.0 release
This commit is contained in:
parent
af88e806f0
commit
6165724ecb
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,146 +0,0 @@
|
||||
From 70733e919aaa72aa03cccf6cd453bbe0da752de1 Mon Sep 17 00:00:00 2001
|
||||
From: jetwhiz <Charles.Munson@ll.mit.edu>
|
||||
Date: Tue, 9 Apr 2019 17:57:36 -0400
|
||||
Subject: [PATCH] Add attestation test, which ensures full attestation
|
||||
process works
|
||||
|
||||
Signed-off-by: jetwhiz <Charles.Munson@ll.mit.edu>
|
||||
---
|
||||
test/system/test_attestation.sh | 125 ++++++++++++++++++++++++++++++++
|
||||
1 file changed, 125 insertions(+)
|
||||
create mode 100755 test/system/test_attestation.sh
|
||||
|
||||
diff --git a/test/system/test_attestation.sh b/test/system/test_attestation.sh
|
||||
new file mode 100755
|
||||
index 00000000000..ea9da13a419
|
||||
--- /dev/null
|
||||
+++ b/test/system/test_attestation.sh
|
||||
@@ -0,0 +1,125 @@
|
||||
+#!/bin/bash
|
||||
+#;**********************************************************************;
|
||||
+#
|
||||
+# Copyright (c) 2019 Massachusetts Institute of Technology.
|
||||
+# All rights reserved.
|
||||
+#
|
||||
+# Redistribution and use in source and binary forms, with or without
|
||||
+# modification, are permitted provided that the following conditions are met:
|
||||
+#
|
||||
+# 1. Redistributions of source code must retain the above copyright notice,
|
||||
+# this list of conditions and the following disclaimer.
|
||||
+#
|
||||
+# 2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
+# this list of conditions and the following disclaimer in the documentation
|
||||
+# and/or other materials provided with the distribution.
|
||||
+#
|
||||
+# 3. Neither the name of Intel Corporation nor the names of its contributors
|
||||
+# may be used to endorse or promote products derived from this software without
|
||||
+# specific prior written permission.
|
||||
+#
|
||||
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
||||
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
|
||||
+# THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+#;**********************************************************************;
|
||||
+
|
||||
+source test_helpers.sh
|
||||
+
|
||||
+handle_ek=0x81010007
|
||||
+handle_ak=0x81010008
|
||||
+handle_nv=0x1500018
|
||||
+handle_hier=0x40000001
|
||||
+ek_alg=rsa
|
||||
+ak_alg=rsa
|
||||
+digestAlg=sha256
|
||||
+signAlg=rsassa
|
||||
+ownerpw=ownerpass
|
||||
+endorsepw=endorsepass
|
||||
+ekpw=ekpass
|
||||
+akpw=akpass
|
||||
+
|
||||
+file_input_data=secret.data
|
||||
+file_input_key=nv.data
|
||||
+output_ek_pub_pem=ekpub.pem
|
||||
+output_ek_pub=ek.pub
|
||||
+output_ak_pub_pem=akpub.pem
|
||||
+output_ak_pub=ak.pub
|
||||
+output_ak_priv=ak.priv
|
||||
+output_ak_pub_name=ak.name
|
||||
+output_mkcredential=mkcred.out
|
||||
+output_actcredential=actcred.out
|
||||
+output_quote=quote.out
|
||||
+output_quotesig=quotesig.out
|
||||
+output_quotepcr=quotepcr.out
|
||||
+
|
||||
+cleanup() {
|
||||
+ rm -f $output_ak_priv \
|
||||
+ $file_input_data $file_input_key $output_ek_pub $output_ek_pub_pem $output_ak_pub \
|
||||
+ $output_ak_pub_pem $output_ak_pub_name $output_mkcredential \
|
||||
+ $output_actcredential $output_quote $output_quotesig $output_quotepcr rand.out
|
||||
+
|
||||
+ tpm2_pcrreset 16
|
||||
+ tpm2_evictcontrol -Q -Ao -c $handle_ek 2>/dev/null || true
|
||||
+ tpm2_evictcontrol -Q -Ao -c $handle_ak 2>/dev/null || true
|
||||
+
|
||||
+ tpm2_nvrelease -Q -x $handle_nv -a $handle_hier -P "$ownerpw" 2>/dev/null || true
|
||||
+
|
||||
+ tpm2_takeownership -c 2>/dev/null || true
|
||||
+}
|
||||
+trap cleanup EXIT
|
||||
+
|
||||
+
|
||||
+cleanup
|
||||
+
|
||||
+echo "12345678" > $file_input_data
|
||||
+echo "1234567890123456789012345678901" > $file_input_key
|
||||
+
|
||||
+getrandom() {
|
||||
+ tpm2_getrandom -Q -o rand.out $1
|
||||
+ local file_size=`stat --printf="%s" rand.out`
|
||||
+ loaded_randomness=`cat rand.out | xxd -p -c $file_size`
|
||||
+}
|
||||
+
|
||||
+
|
||||
+tpm2_takeownership -o "$ownerpw" -e "$endorsepw"
|
||||
+
|
||||
+# Key generation
|
||||
+tpm2_getpubek -Q -H $handle_ek -g $ek_alg -f $output_ek_pub -P "$ekpw" -o "$ownerpw" -e "$endorsepw"
|
||||
+tpm2_readpublic -Q -H $handle_ek -o $output_ek_pub_pem -f pem
|
||||
+tpm2_getpubak -Q -E $handle_ek -k $handle_ak -g $ak_alg -D $digestAlg -s $signAlg -f $output_ak_pub -n $output_ak_pub_name -e "$endorsepw" -P "$akpw" -o "$ownerpw"
|
||||
+tpm2_readpublic -Q -H $handle_ak -o $output_ak_pub_pem -f pem
|
||||
+
|
||||
+# Validate keys (registrar)
|
||||
+file_size=`stat --printf="%s" $output_ak_pub_name`
|
||||
+loaded_key_name=`cat $output_ak_pub_name | xxd -p -c $file_size`
|
||||
+tpm2_makecredential -Q -T none -e $output_ek_pub -s $file_input_data -n $loaded_key_name -o $output_mkcredential
|
||||
+tpm2_activatecredential -Q -H $handle_ak -k $handle_ek -f $output_mkcredential -o $output_actcredential -P "$akpw" -e "$endorsepw"
|
||||
+diff $file_input_data $output_actcredential
|
||||
+
|
||||
+
|
||||
+# Quoting
|
||||
+tpm2_pcrreset -Q 16
|
||||
+tpm2_pcrextend -Q 16:sha256=6ea40aa7267bb71251c1de1c3605a3df759b86b22fa9f62aa298d4197cd88a38
|
||||
+tpm2_pcrlist -Q
|
||||
+getrandom 20
|
||||
+tpm2_quote -Q -k $handle_ak -L $digestAlg:15,16,22 -q $loaded_randomness -m $output_quote -s $output_quotesig -p $output_quotepcr -G $digestAlg -P "$akpw"
|
||||
+
|
||||
+
|
||||
+# Verify quote
|
||||
+tpm2_checkquote -Q -c $output_ak_pub_pem -m $output_quote -s $output_quotesig -p $output_quotepcr -G $digestAlg -q $loaded_randomness
|
||||
+
|
||||
+
|
||||
+# Save U key from verifier
|
||||
+tpm2_nvdefine -Q -x $handle_nv -a $handle_hier -s 32 -t "ownerread|policywrite|ownerwrite" -I "indexpass" -P "$ownerpw"
|
||||
+tpm2_nvwrite -Q -x $handle_nv -a $handle_hier -P "$ownerpw" $file_input_key
|
||||
+tpm2_nvread -Q -x $handle_nv -a $handle_hier -s 32 -P "$ownerpw"
|
||||
+
|
||||
+exit 0
|
||||
--
|
||||
2.21.0
|
||||
|
@ -1,34 +0,0 @@
|
||||
From 6c25de22d981d26d0ae80d99706f86c52f713b06 Mon Sep 17 00:00:00 2001
|
||||
From: jetwhiz <Charles.Munson@ll.mit.edu>
|
||||
Date: Fri, 3 May 2019 13:46:41 -0400
|
||||
Subject: [PATCH] Fix-ups in tpm2_quote.md.1
|
||||
|
||||
Capitalization fixes to follow preferred format
|
||||
|
||||
Signed-off-by: jetwhiz <Charles.Munson@ll.mit.edu>
|
||||
---
|
||||
man/tpm2_quote.1.md | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/man/tpm2_quote.1.md b/man/tpm2_quote.1.md
|
||||
index 491848201d9..c926f4d045d 100644
|
||||
--- a/man/tpm2_quote.1.md
|
||||
+++ b/man/tpm2_quote.1.md
|
||||
@@ -41,12 +41,12 @@
|
||||
|
||||
* **-m**, **--message**:
|
||||
|
||||
- message output file, records the quote message that makes up the data that
|
||||
+ Message output file, records the quote message that makes up the data that
|
||||
is signed by the TPM.
|
||||
|
||||
* **-s**, **--signature**:
|
||||
|
||||
- signature output file, records the signature in the format specified via the **-f**
|
||||
+ Signature output file, records the signature in the format specified via the **-f**
|
||||
option.
|
||||
|
||||
* **-f**, **--format**
|
||||
--
|
||||
2.21.0
|
||||
|
@ -1,26 +0,0 @@
|
||||
From edbbe53e225bcc68c6ee0a5a85bec82ae6cdc398 Mon Sep 17 00:00:00 2001
|
||||
From: William Roberts <william.c.roberts@intel.com>
|
||||
Date: Thu, 2 May 2019 08:44:48 -0700
|
||||
Subject: [PATCH] Update CHANGELOG.md
|
||||
|
||||
---
|
||||
CHANGELOG.md | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/CHANGELOG.md b/CHANGELOG.md
|
||||
index 19e831d7e7f..a8e4f39afde 100644
|
||||
--- a/CHANGELOG.md
|
||||
+++ b/CHANGELOG.md
|
||||
@@ -1,4 +1,9 @@
|
||||
## Changelog
|
||||
+### 3.2.0 - next
|
||||
+* tpm2_makecredential: add support for executing tool off-TPM.
|
||||
+* tpm2_pcrreset: introduce new tool for resetting PCRs.
|
||||
+* tpm2_quote: Fix AK auth password not being used.
|
||||
+
|
||||
### 3.1.4 - 2019-03-14
|
||||
* Fix various man pages
|
||||
* tpm2_getmanufec: fix OSSL build warnings
|
||||
--
|
||||
2.21.0
|
||||
|
@ -1,97 +0,0 @@
|
||||
From 993da58a612238bf2dd53a015dfdb2a6c0eb00b9 Mon Sep 17 00:00:00 2001
|
||||
From: jetwhiz <Charles.Munson@ll.mit.edu>
|
||||
Date: Mon, 22 Apr 2019 09:48:56 -0400
|
||||
Subject: [PATCH 1/6] Wire up support for ak auth password in tpm2_quote tool
|
||||
|
||||
Add regression test
|
||||
|
||||
Signed-off-by: jetwhiz <Charles.Munson@ll.mit.edu>
|
||||
---
|
||||
test/system/test_tpm2_quote.sh | 9 ++++++++-
|
||||
tools/tpm2_quote.c | 11 ++++++++---
|
||||
2 files changed, 16 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/test/system/test_tpm2_quote.sh b/test/system/test_tpm2_quote.sh
|
||||
index d845ea1bdb1..231bed326ec 100755
|
||||
--- a/test/system/test_tpm2_quote.sh
|
||||
+++ b/test/system/test_tpm2_quote.sh
|
||||
@@ -50,6 +50,7 @@ file_quote_key_ctx=ctx_load_out_"$alg_primary_obj"_"$alg_primary_key"-"$alg_crea
|
||||
Handle_ak_quote=0x81010016
|
||||
Handle_ek_quote=0x81010017
|
||||
Handle_ak_quote2=0x81010018
|
||||
+Handle_ak_quote3=0x81010019
|
||||
|
||||
maxdigest=$(tpm2_getcap -c properties-fixed | grep TPM_PT_MAX_DIGEST | sed -r -e 's/.*(0x[0-9a-f]+)/\1/g')
|
||||
if ! [[ "$maxdigest" =~ ^(0x)*[0-9]+$ ]] ; then
|
||||
@@ -73,6 +74,7 @@ cleanup() {
|
||||
tpm2_evictcontrol -Q -Ao -H $Handle_ek_quote 2>/dev/null || true
|
||||
tpm2_evictcontrol -Q -Ao -H $Handle_ak_quote 2>/dev/null || true
|
||||
tpm2_evictcontrol -Q -Ao -H $Handle_ak_quote2 2>/dev/null || true
|
||||
+ tpm2_evictcontrol -Q -Ao -H $Handle_ak_quote3 2>/dev/null || true
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
@@ -104,4 +106,9 @@ tpm2_getpubak -Q -E $Handle_ek_quote -k $Handle_ak_quote2 -f ak.pub2 -n ak.nam
|
||||
|
||||
tpm2_quote -Q -k $Handle_ak_quote -g $alg_quote -l 16,17,18 -q $nonce
|
||||
|
||||
-exit 0
|
||||
+#####AK with password
|
||||
+tpm2_getpubak -Q -E $Handle_ek_quote -k $Handle_ak_quote3 -f ak.pub2 -n ak.name_2 -P abc123
|
||||
+
|
||||
+tpm2_quote -Q -k $Handle_ak_quote3 -g $alg_quote -l 16,17,18 -q $nonce -P abc123
|
||||
+
|
||||
+exit 0
|
||||
\ No newline at end of file
|
||||
diff --git a/tools/tpm2_quote.c b/tools/tpm2_quote.c
|
||||
index 3538947db31..05b6d641656 100644
|
||||
--- a/tools/tpm2_quote.c
|
||||
+++ b/tools/tpm2_quote.c
|
||||
@@ -50,7 +50,7 @@ typedef struct {
|
||||
UINT32 id[24];
|
||||
} PCR_LIST;
|
||||
|
||||
-static TPMS_AUTH_COMMAND sessionData;
|
||||
+static TPMS_AUTH_COMMAND sessionData = TPMS_AUTH_COMMAND_INIT(TPM2_RS_PW);
|
||||
static char *outFilePath;
|
||||
static char *signature_path;
|
||||
static char *message_path;
|
||||
@@ -60,7 +60,7 @@ static TPM2B_DATA qualifyingData = TPM2B_EMPTY_INIT;
|
||||
static TPML_PCR_SELECTION pcrSelections;
|
||||
static bool is_auth_session;
|
||||
static TPMI_SH_AUTH_SESSION auth_session_handle;
|
||||
-static int k_flag, c_flag, l_flag, g_flag, L_flag, o_flag, G_flag;
|
||||
+static int k_flag, c_flag, l_flag, g_flag, L_flag, o_flag, G_flag, P_flag;
|
||||
static char *contextFilePath;
|
||||
static TPM2_HANDLE akHandle;
|
||||
|
||||
@@ -94,7 +94,7 @@ static int quote(TSS2_SYS_CONTEXT *sapi_context, TPM2_HANDLE akHandle, TPML_PCR_
|
||||
{
|
||||
UINT32 rval;
|
||||
TPMT_SIG_SCHEME inScheme;
|
||||
- TSS2L_SYS_AUTH_COMMAND sessionsData = { 1, {{.sessionHandle=TPM2_RS_PW}}};
|
||||
+ TSS2L_SYS_AUTH_COMMAND sessionsData = { 1, { sessionData }};
|
||||
TSS2L_SYS_AUTH_RESPONSE sessionsDataOut;
|
||||
TPM2B_ATTEST quoted = TPM2B_TYPE_INIT(TPM2B_ATTEST, attestationData);
|
||||
TPMT_SIGNATURE signature;
|
||||
@@ -152,6 +152,7 @@ static bool on_option(char key, char *value) {
|
||||
LOG_ERR("Invalid AK password, got\"%s\"", value);
|
||||
return false;
|
||||
}
|
||||
+ P_flag = 1;
|
||||
} break;
|
||||
case 'l':
|
||||
if(!pcr_parse_list(value, strlen(value), &pcrSelections.pcrSelections[0]))
|
||||
@@ -265,5 +266,9 @@ int tpm2_tool_onrun(TSS2_SYS_CONTEXT *sapi_context, tpm2_option_flags flags) {
|
||||
}
|
||||
}
|
||||
|
||||
+ if (P_flag == 0) {
|
||||
+ sessionData.hmac.size = 0;
|
||||
+ }
|
||||
+
|
||||
return quote(sapi_context, akHandle, &pcrSelections);
|
||||
}
|
||||
--
|
||||
2.21.0
|
||||
|
@ -1,47 +0,0 @@
|
||||
From 9685ea263f994537430323fb1681b210395eee7c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?=D0=94=D0=B8=D0=BB=D1=8F=D0=BD=20=D0=9F=D0=B0=D0=BB=D0=B0?=
|
||||
=?UTF-8?q?=D1=83=D0=B7=D0=BE=D0=B2?= <git-dpa@aegee.org>
|
||||
Date: Tue, 2 Apr 2019 16:18:32 +0000
|
||||
Subject: [PATCH] lib/tpm2_util.c:string_to_uint32: ensure the string does not
|
||||
overflow in uint32
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Before this change input of "4294967295" generated output of 4294967295, which
|
||||
is UINT32_MAX = 2**32 - 1. But input "4294967296" created output of 0. The
|
||||
function is supposed to fail if the number is too big, rather than silently
|
||||
convert unsigned long int to uint32_t, ignoring some bits.
|
||||
|
||||
Signed-Off-By: Дилян Палаузов <git-dpa@aegee.org>
|
||||
---
|
||||
lib/tpm2_util.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/tpm2_util.c b/lib/tpm2_util.c
|
||||
index edfda4a8b0b..ca9d8b7f4d7 100644
|
||||
--- a/lib/tpm2_util.c
|
||||
+++ b/lib/tpm2_util.c
|
||||
@@ -236,8 +236,8 @@ bool tpm2_util_string_to_uint32(const char *str, uint32_t *value) {
|
||||
|
||||
/* clear errno before the call, should be 0 afterwards */
|
||||
errno = 0;
|
||||
- uint32_t tmp = strtoul(str, &endptr, 0);
|
||||
- if (errno) {
|
||||
+ unsigned long int tmp = strtoul(str, &endptr, 0);
|
||||
+ if (errno || tmp > UINT32_MAX) {
|
||||
return false;
|
||||
}
|
||||
|
||||
@@ -250,7 +250,7 @@ bool tpm2_util_string_to_uint32(const char *str, uint32_t *value) {
|
||||
return false;
|
||||
}
|
||||
|
||||
- *value = tmp;
|
||||
+ *value = (uint32_t) tmp;
|
||||
return true;
|
||||
}
|
||||
|
||||
--
|
||||
2.21.0
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (tpm2-tools-3.1.4.tar.gz) = c5e1be4ffab305ee42a8b4a9c9aa4373158259a58844e273465f97a74f913fb12098b9fd81127148be95ecba7378f6a45b96af256dde3101a237e5e33e8e8ccb
|
||||
SHA512 (tpm2-tools-3.2.0.tar.gz) = ab8081ee3ac2d7f445522141395198b1c570b9649a42e4b27b11b0e04495f4c935ee3ec73b228a953934f9dbdf3dccd4640eb62c4e0bae6dd11b91260e67c227
|
||||
|
@ -1,21 +1,12 @@
|
||||
Name: tpm2-tools
|
||||
Version: 3.1.4
|
||||
Release: 2%{?dist}
|
||||
Version: 3.2.0
|
||||
Release: 1%{?dist}
|
||||
Summary: A TPM2.0 testing tool build upon TPM2.0-TSS
|
||||
|
||||
License: BSD
|
||||
URL: https://github.com/tpm2-software/tpm2-tools
|
||||
Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz
|
||||
|
||||
Patch0: Wire-up-support-for-ak-auth-password-in-tpm2_quote-t.patch
|
||||
Patch1: tpm2_pcrreset-new-tools.patch
|
||||
Patch2: Add-ability-to-run-tpm2_makecredential-without-a-TPM.patch
|
||||
Patch3: Update-CHANGELOG.md.patch
|
||||
Patch4: Add-ability-to-check-quotes-and-output-PCR-values-fo.patch
|
||||
Patch5: Add-attestation-test-which-ensures-full-attestation-.patch
|
||||
Patch6: Fix-ups-in-tpm2_quote.md.1.patch
|
||||
Patch7: lib-tpm2_util.c-string_to_uint32-ensure-the-string-d.patch
|
||||
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: libtool
|
||||
BuildRequires: autoconf-archive
|
||||
@ -54,6 +45,10 @@ tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss.
|
||||
%{_mandir}/man1/tpm2_*.1.gz
|
||||
|
||||
%changelog
|
||||
* Fri Jun 21 2019 Yunying Sun <yunying.sun@intel.com> - 3.2.0-1
|
||||
- Update to 3.2.0 release
|
||||
- Removed patches since all have been included in 3.2.0 release
|
||||
|
||||
* Fri May 10 2019 Javier Martinez Canillas <javierm@redhat.com> - 3.1.4-2
|
||||
- Allow tpm2_makecredential to run without a TPM (jetwhiz)
|
||||
- Add tpm2_pcrreset and tpm2_checkquote tools (jetwhiz)
|
||||
|
@ -1,313 +0,0 @@
|
||||
From 016ef077a2e81fab14cbcd5ba6fae10a6681688b Mon Sep 17 00:00:00 2001
|
||||
From: jetwhiz <charles.munson@ll.mit.edu>
|
||||
Date: Mon, 1 Oct 2018 17:55:13 -0400
|
||||
Subject: [PATCH 2/6] tpm2_pcrreset new tools
|
||||
|
||||
New tool to allow resetting PCR registers, backport from 0ef0f31775
|
||||
|
||||
Signed-off-by: jetwhiz <Charles.Munson@ll.mit.edu>
|
||||
---
|
||||
Makefile.am | 3 +
|
||||
man/tpm2_pcrreset.1.md | 58 ++++++++++++++
|
||||
test/system/test_tpm2_pcrreset.sh | 59 ++++++++++++++
|
||||
tools/tpm2_pcrreset.c | 129 ++++++++++++++++++++++++++++++
|
||||
4 files changed, 249 insertions(+)
|
||||
create mode 100644 man/tpm2_pcrreset.1.md
|
||||
create mode 100755 test/system/test_tpm2_pcrreset.sh
|
||||
create mode 100644 tools/tpm2_pcrreset.c
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 3856bcb400c..ffe22f383e3 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -87,6 +87,7 @@ bin_PROGRAMS = \
|
||||
tools/tpm2_pcrevent \
|
||||
tools/tpm2_pcrextend \
|
||||
tools/tpm2_pcrlist \
|
||||
+ tools/tpm2_pcrreset \
|
||||
tools/tpm2_quote \
|
||||
tools/tpm2_rc_decode \
|
||||
tools/tpm2_readpublic \
|
||||
@@ -179,6 +180,7 @@ tools_tpm2_unseal_SOURCES = tools/tpm2_unseal.c $(TOOL_SRC)
|
||||
tools_tpm2_dictionarylockout_SOURCES = tools/tpm2_dictionarylockout.c $(TOOL_SRC)
|
||||
tools_tpm2_createpolicy_SOURCES = tools/tpm2_createpolicy.c $(TOOL_SRC)
|
||||
tools_tpm2_pcrextend_SOURCES = tools/tpm2_pcrextend.c $(TOOL_SRC)
|
||||
+tools_tpm2_pcrreset_SOURCES = tools/tpm2_pcrreset.c $(TOOL_SRC)
|
||||
tools_tpm2_pcrevent_SOURCES = tools/tpm2_pcrevent.c $(TOOL_SRC)
|
||||
tools_tpm2_rc_decode_SOURCES = tools/tpm2_rc_decode.c $(TOOL_SRC)
|
||||
|
||||
@@ -279,6 +281,7 @@ if HAVE_MAN_PAGES
|
||||
man/man1/tpm2_pcrevent.1 \
|
||||
man/man1/tpm2_pcrextend.1 \
|
||||
man/man1/tpm2_pcrlist.1 \
|
||||
+ man/man1/tpm2_pcrreset.1 \
|
||||
man/man1/tpm2_quote.1 \
|
||||
man/man1/tpm2_rc_decode.1 \
|
||||
man/man1/tpm2_readpublic.1 \
|
||||
diff --git a/man/tpm2_pcrreset.1.md b/man/tpm2_pcrreset.1.md
|
||||
new file mode 100644
|
||||
index 00000000000..d5637137796
|
||||
--- /dev/null
|
||||
+++ b/man/tpm2_pcrreset.1.md
|
||||
@@ -0,0 +1,58 @@
|
||||
+% tpm2_pcrreset(1) tpm2-tools | General Commands Manual
|
||||
+%
|
||||
+% JANUARY 2019
|
||||
+
|
||||
+# NAME
|
||||
+
|
||||
+**tpm2_pcrreset**(1) - Reset one or more PCR banks
|
||||
+
|
||||
+# SYNOPSIS
|
||||
+
|
||||
+**tpm2_pcrreset** [*OPTIONS*] _PCR\_INDEX_ ...
|
||||
+
|
||||
+# DESCRIPTION
|
||||
+
|
||||
+**tpm2_pcrreset**(1) - Reset PCR value in all banks for specified index.
|
||||
+More than one PCR index can be specified.
|
||||
+
|
||||
+The reset value is manufacturer-dependent and is either sequence of 00 or FF
|
||||
+on the length of the hash algorithm for each supported bank
|
||||
+
|
||||
+_PCR\_INDEX_ is a space separated list of PCR indexes to be reset when issuing
|
||||
+the command.
|
||||
+
|
||||
+# OPTIONS
|
||||
+
|
||||
+This tool accepts no tool specific options.
|
||||
+
|
||||
+[common options](common/options.md)
|
||||
+
|
||||
+[common tcti options](common/tcti.md)
|
||||
+
|
||||
+# EXAMPLES
|
||||
+
|
||||
+## Reset a single PCR
|
||||
+```
|
||||
+tpm2_pcrreset 23
|
||||
+```
|
||||
+
|
||||
+## Reset multiple PCRs
|
||||
+```
|
||||
+tpm2_pcrreset 16 23
|
||||
+```
|
||||
+
|
||||
+# NOTES
|
||||
+
|
||||
+On operating system's locality (generally locality 0), only PCR 23 can be reset.
|
||||
+PCR-16 can also be reset on this locality, depending on TPM manufacturers
|
||||
+which could define this PCR as resettable.
|
||||
+
|
||||
+PCR 0 to 15 are not resettable (being part of SRTM). PCR 16 to 22 are mostly
|
||||
+reserved for DRTM or dedicated to specific localities and might not
|
||||
+be resettable depending on current TPM locality.
|
||||
+
|
||||
+# RETURNS
|
||||
+
|
||||
+0 on success or 1 on failure.
|
||||
+
|
||||
+[footer](common/footer.md)
|
||||
diff --git a/test/system/test_tpm2_pcrreset.sh b/test/system/test_tpm2_pcrreset.sh
|
||||
new file mode 100755
|
||||
index 00000000000..962de780ab4
|
||||
--- /dev/null
|
||||
+++ b/test/system/test_tpm2_pcrreset.sh
|
||||
@@ -0,0 +1,59 @@
|
||||
+#!/bin/bash
|
||||
+#;**********************************************************************;
|
||||
+#
|
||||
+# Copyright (c) 2019, Sebastien LE STUM
|
||||
+# All rights reserved.
|
||||
+#
|
||||
+# Redistribution and use in source and binary forms, with or without
|
||||
+# modification, are permitted provided that the following conditions are met:
|
||||
+#
|
||||
+# 1. Redistributions of source code must retain the above copyright notice,
|
||||
+# this list of conditions and the following disclaimer.
|
||||
+#
|
||||
+# 2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
+# this list of conditions and the following disclaimer in the documentation
|
||||
+# and/or other materials provided with the distribution.
|
||||
+#
|
||||
+# 3. Neither the name of Intel Corporation nor the names of its contributors
|
||||
+# may be used to endorse or promote products derived from this software without
|
||||
+# specific prior written permission.
|
||||
+#
|
||||
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
||||
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
|
||||
+# THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+#;**********************************************************************;
|
||||
+
|
||||
+source test_helpers.sh
|
||||
+
|
||||
+# Reset a resettable PCR
|
||||
+tpm2_pcrreset 23
|
||||
+
|
||||
+# Reset more than one resettable PCR
|
||||
+tpm2_pcrreset 16 23
|
||||
+
|
||||
+# Get PCR_Reset out of bound index error
|
||||
+tpm2_pcrreset 999 2>&1 1>/dev/null | grep -q "out of bound PCR"
|
||||
+
|
||||
+# Get PCR_Reset wrong index error
|
||||
+tpm2_pcrreset toto 2>&1 1>/dev/null | grep -q "invalid PCR"
|
||||
+
|
||||
+# Get PCR_Reset index out of range error
|
||||
+if tpm2_pcrreset 29 2>&1 1>/dev/null ; then
|
||||
+ echo "tpm2_pcrreset on out of range PCR index didn't fail"
|
||||
+ exit 1
|
||||
+else
|
||||
+ true
|
||||
+fi
|
||||
+
|
||||
+# Get PCR_Reset bad locality error
|
||||
+tpm2_pcrreset 0 2>&1 1>/dev/null | grep -q "0x907"
|
||||
+
|
||||
+exit 0
|
||||
diff --git a/tools/tpm2_pcrreset.c b/tools/tpm2_pcrreset.c
|
||||
new file mode 100644
|
||||
index 00000000000..5fa1de121e7
|
||||
--- /dev/null
|
||||
+++ b/tools/tpm2_pcrreset.c
|
||||
@@ -0,0 +1,129 @@
|
||||
+//**********************************************************************;
|
||||
+// Copyright (c) 2017, Intel Corporation
|
||||
+// All rights reserved.
|
||||
+//
|
||||
+// Redistribution and use in source and binary forms, with or without
|
||||
+// modification, are permitted provided that the following conditions are met:
|
||||
+//
|
||||
+// 1. Redistributions of source code must retain the above copyright notice,
|
||||
+// this list of conditions and the following disclaimer.
|
||||
+//
|
||||
+// 2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
+// this list of conditions and the following disclaimer in the documentation
|
||||
+// and/or other materials provided with the distribution.
|
||||
+//
|
||||
+// 3. Neither the name of Intel Corporation nor the names of its contributors
|
||||
+// may be used to endorse or promote products derived from this software without
|
||||
+// specific prior written permission.
|
||||
+//
|
||||
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
+// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
||||
+// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
+// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
+// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
|
||||
+// THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+//**********************************************************************;
|
||||
+
|
||||
+#include <ctype.h>
|
||||
+#include <errno.h>
|
||||
+#include <stdbool.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+
|
||||
+#include <tss2/tss2_sys.h>
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "pcr.h"
|
||||
+#include "tpm2_options.h"
|
||||
+#include "tpm2_tool.h"
|
||||
+#include "tpm2_util.h"
|
||||
+
|
||||
+typedef struct tpm_pcr_reset_ctx tpm_pcr_reset_ctx;
|
||||
+struct tpm_pcr_reset_ctx {
|
||||
+ bool pcr_list[TPM2_MAX_PCRS];
|
||||
+};
|
||||
+
|
||||
+static tpm_pcr_reset_ctx ctx;
|
||||
+
|
||||
+static bool pcr_reset_one(TSS2_SYS_CONTEXT *sapi_context, TPMI_DH_PCR pcr_index) {
|
||||
+ TSS2L_SYS_AUTH_RESPONSE sessions_data_out;
|
||||
+ TSS2L_SYS_AUTH_COMMAND sessions_data = { 1, {{ .sessionHandle=TPM2_RS_PW }}};
|
||||
+
|
||||
+ TSS2_RC rval = TSS2_RETRY_EXP(Tss2_Sys_PCR_Reset(sapi_context, pcr_index, &sessions_data,
|
||||
+ &sessions_data_out));
|
||||
+ if (rval != TSS2_RC_SUCCESS) {
|
||||
+ LOG_ERR("Could not reset PCR index: %d", pcr_index);
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
+static bool pcr_reset(TSS2_SYS_CONTEXT *sapi_context) {
|
||||
+ size_t i;
|
||||
+
|
||||
+ for (i = 0; i < TPM2_MAX_PCRS; i++) {
|
||||
+ if(!ctx.pcr_list[i])
|
||||
+ continue;
|
||||
+
|
||||
+ bool result = pcr_reset_one(sapi_context, i);
|
||||
+ if (!result) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
+static bool on_arg(int argc, char** argv){
|
||||
+ int i;
|
||||
+ uint32_t pcr;
|
||||
+
|
||||
+ memset(ctx.pcr_list, 0, TPM2_MAX_PCRS);
|
||||
+
|
||||
+ if (argc < 1) {
|
||||
+ LOG_ERR("Expected at least one PCR index"
|
||||
+ "ie: <pcr index>, got: 0");
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ for(i = 0; i < argc; i++){
|
||||
+ if(!tpm2_util_string_to_uint32(argv[i], &pcr)){
|
||||
+ LOG_ERR("Got invalid PCR Index: \"%s\"", argv[i]);
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If any specified PCR index is greater than the last valid
|
||||
+ * index supported in the spec, throw an error
|
||||
+ */
|
||||
+ if(pcr > TPM2_MAX_PCRS - 1){
|
||||
+ LOG_ERR("Got out of bound PCR Index: \"%s\"", argv[i]);
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ ctx.pcr_list[pcr] = 1;
|
||||
+ }
|
||||
+
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
+bool tpm2_tool_onstart(tpm2_options **opts) {
|
||||
+
|
||||
+ *opts = tpm2_options_new(NULL, 0, NULL, NULL, on_arg, 0);
|
||||
+
|
||||
+ return *opts != NULL;
|
||||
+}
|
||||
+
|
||||
+int tpm2_tool_onrun(TSS2_SYS_CONTEXT *sapi_context, tpm2_option_flags flags) {
|
||||
+
|
||||
+ UNUSED(flags);
|
||||
+
|
||||
+ return pcr_reset(sapi_context) != true;
|
||||
+}
|
||||
+
|
||||
--
|
||||
2.21.0
|
||||
|
Loading…
Reference in New Issue
Block a user