static long getPhysicalCMDEnable(TPM_BOOL *physicalPresenceCMDEnable)
{
uint32_t ret = 0;
STACK_TPM_BUFFER( subcap );
STACK_TPM_BUFFER( resp );
STACK_TPM_BUFFER( tb );
TPM_PERMANENT_FLAGS permanentFlags;
if (ret == 0) {
STORE32(subcap.buffer, 0, TPM_CAP_FLAG_PERMANENT );
subcap.used = 4;
ret = TPM_GetCapability(TPM_CAP_FLAG,
&subcap,
&resp);
if (ret != 0) {
printf("Error %s from TPM_GetCapability\n",
TPM_GetErrMsg(ret));
}
}
if (ret == 0) {
TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
ret = TPM_ReadPermanentFlags(&tb, 0, &permanentFlags, resp.used);
if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) {
printf("TPM_ReadPermanentFlags: ret %08x, responselen %d\n", ret, resp.used);
printf("TPM_ReadPermanentFlags: Error parsing response!\n");
}
else {
ret = 0;
}
}
if (ret == 0) {
*physicalPresenceCMDEnable = permanentFlags.physicalPresenceCMDEnable;
}
return ret;
}
/*
* Validate the signature over a PCR composite structure.
* Returns '0' on success, an error code otherwise.
*/
uint32_t TPM_ValidatePCRCompositeSignature(TPM_PCR_COMPOSITE *tpc,
unsigned char *antiReplay,
pubkeydata *pk,
struct tpm_buffer *signature,
uint16_t sigscheme)
{
uint32_t ret;
RSA *rsa; /* openssl RSA public key */
TPM_QUOTE_INFO tqi;
STACK_TPM_BUFFER (ser_tqi);
STACK_TPM_BUFFER(response);
STACK_TPM_BUFFER (ser_tpc);
/*
** Convert to an OpenSSL RSA public key
*/
rsa = TSS_convpubkey(pk);
ret = TPM_GetCapability(TPM_CAP_VERSION, NULL,
&response);
if (ret != 0) {
RSA_free(rsa);
return ret;
}
memcpy(&(tqi.version), response.buffer, response.used);
memcpy(&(tqi.fixed), "QUOT", 4);
memcpy(&(tqi.externalData), antiReplay, TPM_NONCE_SIZE);
ret = TPM_WritePCRComposite(&ser_tpc, tpc);
if ((ret & ERR_MASK)) {
RSA_free(rsa);
return ret;
}
/* create the hash of the PCR_composite data for the quoteinfo structure */
TSS_sha1(ser_tpc.buffer, ser_tpc.used, tqi.digestValue);
ret = TPM_WriteQuoteInfo(&ser_tqi, &tqi);
if ((ret & ERR_MASK)) {
RSA_free(rsa);
return ret;
}
ret = TPM_ValidateSignature(sigscheme,
&ser_tqi,
signature,
rsa);
RSA_free(rsa);
return ret;
}
int main(int argc, char *argv[])
{
int ret = 0;
uint32_t handle;
int listsize;
int offset;
int i; /* argc iterator */
TPM_setlog(0); /* turn off verbose output */
for (i=1 ; i<argc ; i++) {
if (!strcmp(argv[i], "-h")) {
printUsage();
}
else if (!strcmp(argv[i], "-v")) {
TPM_setlog(1);
}
else {
printf("\n%s is not a valid option\n", argv[i]);
printUsage();
}
}
STACK_TPM_BUFFER(response);
if (ret == 0) {
ret = TPM_GetCapability(0x0000007,NULL,&response);
if (ret != 0)
{
printf("Error %s from TPM_GetCapability\n",TPM_GetErrMsg(ret));
exit(1);
}
listsize = LOAD16(response.buffer,0);
offset = 2;
for (i = 0; i < listsize; ++i)
{
handle = LOAD32(response.buffer,offset);
printf("Key handle %02d %08x\n",i,handle);
offset += 4;
}
}
exit(0);
}
int main(int argc, char *argv[])
{
uint32_t ret;
STACK_TPM_BUFFER(resp);
int index = 0;
STACK_TPM_BUFFER( subcap );;
TPM_setlog(0); /* turn off verbose output */
ParseArgs(argc, argv);
while ((int)matrx[index].cap != -1) {
if (cap == matrx[index].cap) {
break;
}
index++;
}
if (-1 == (int)matrx[index].cap) {
printf("Unknown or unsupported capability!\n");
exit(-1);
}
subcap.used = 0;
if (matrx[index].subcap_size > 0) {
if ((int)scap == -1) {
printf("Need subcap parameter for this capability!\n");
exit(-1);
}
if (0 == prepare_subcap(cap, &subcap, scap)) {
if (2 == matrx[index].subcap_size) {
STORE16(subcap.buffer,0,scap);
subcap.used = 2;
} else
if (matrx[index].subcap_size >= 4) {
STORE32(subcap.buffer,0,scap);
subcap.used = 4;
}
}
}
#if 0
/* This was for VTPM extensions and needs retest */
if (cap == TPM_CAP_MFR) {
int idx2 = 0;
while ((int)mfr_matrix[idx2].cap != -1) {
if (mfr_matrix[idx2].cap == scap) {
break;
}
idx2++;
}
if (mfr_matrix[idx2].subcap_size > 0) {
uint32_t used = subcap.used +
mfr_matrix[idx2].subcap_size;
while (subcap.used < used) {
if (argc <= nxtarg) {
printf("Need one more parameter for this "
"capability!\n");
exit(-1);
}
if (!strncmp("0x",argv[nxtarg],2)) {
sscanf(argv[nxtarg],"%x",&sscap);
} else {
sscanf(argv[nxtarg],"%d",&sscap);
}
nxtarg++;
if (2 == matrx[index].subcap_size) {
STORE16(subcap.buffer,
subcap.used,sscap);
subcap.used += 2;
} else
if (matrx[index].subcap_size >= 4) {
STORE32(subcap.buffer,
subcap.used,sscap);
subcap.used += 4;
}
}
}
}
#endif
if (0 == sikeyhandle) {
ret = TPM_GetCapability(cap,
&subcap,
&resp);
if (0 != ret) {
printf("TPM_GetCapability returned %s.\n",
TPM_GetErrMsg(ret));
exit(ret);
}
} else {
unsigned char antiReplay[TPM_HASH_SIZE];
unsigned char signature[2048];
uint32_t signaturelen = sizeof(signature);
pubkeydata pubkey;
RSA * rsa;
unsigned char sighash[TPM_HASH_SIZE];
unsigned char * buffer = NULL;
unsigned char * sigkeyhashptr = NULL;
unsigned char sigkeypasshash[TPM_HASH_SIZE];
if (NULL != sikeypass) {
TSS_sha1(sikeypass,strlen(sikeypass),sigkeypasshash);
sigkeyhashptr = sigkeypasshash;
}
TSS_gennonce(antiReplay);
ret = TPM_GetPubKey(sikeyhandle,
sigkeyhashptr,
&pubkey);
if (0 != ret) {
printf("Error while trying to access the signing key's public key.\n");
exit(-1);
}
rsa = TSS_convpubkey(&pubkey);
ret = TPM_GetCapabilitySigned(sikeyhandle,
sigkeyhashptr,
antiReplay,
cap,
&subcap,
&resp,
signature, &signaturelen);
if (0 != ret) {
printf("TPM_GetCapabilitySigned returned %s.\n",
TPM_GetErrMsg(ret));
exit(ret);
}
buffer = malloc(resp.used+TPM_NONCE_SIZE);
if (NULL == buffer) {
printf("Could not allocate buffer.\n");
exit(-1);
}
memcpy(&buffer[0], resp.buffer, resp.used);
memcpy(&buffer[resp.used], antiReplay, TPM_NONCE_SIZE);
TSS_sha1(buffer,
resp.used+TPM_NONCE_SIZE,
sighash);
free(buffer);
ret = RSA_verify(NID_sha1,
sighash,TPM_HASH_SIZE,
signature,signaturelen,
rsa);
if (1 != ret) {
printf("Error: Signature verification failed.\n");
exit(-1);
}
}
if (0 == resp.used) {
printf("Empty response.\n");
} else {
if (-1 == (int)scap) {
printf("Result for capability 0x%x is : ",cap);
} else {
printf("Result for capability 0x%x, subcapability 0x%x is : ",cap,scap);
}
if (TYPE_BOOL == matrx[index].result_size) {
if (resp.buffer[0] == 0) {
printf("FALSE\n");
} else {
printf("TRUE\n");
}
} else
if (TYPE_UINT32 == matrx[index].result_size) {
uint32_t rsp;
rsp = LOAD32(resp.buffer,0);
printf("0x%08X = %d\n",rsp,rsp);
} else
if (TYPE_UINT32_ARRAY == matrx[index].result_size) {
int i = 0;
printf("\n");
while (i+3 < (int)resp.used) {
uint32_t rsp = LOAD32(resp.buffer,i);
i+=4;
if (TPM_CAP_NV_LIST == cap) {
/* don't zero extend, grep needs the exact value for test suite */
printf("%d. Index : %d = 0x%x.\n",
i/4,
rsp,
rsp);
} else
if (TPM_CAP_KEY_HANDLE == cap) {
printf("%d. keyhandle : %d.\n",
i/4,
rsp);
} else {
printf("%d. item : %d.\n",
i/4,
rsp);
}
}
} else
if (TYPE_STRUCTURE == matrx[index].result_size) {
switch(cap) {
case TPM_CAP_FLAG:
{
if (scap == TPM_CAP_FLAG_PERMANENT) {
TPM_PERMANENT_FLAGS pf;
STACK_TPM_BUFFER(tb)
TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
ret = TPM_ReadPermanentFlags(&tb, 0, &pf, resp.used);
if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) {
printf("ret=%x, responselen=%d\n",ret,resp.used);
printf("Error parsing response!\n");
exit(-1);
}
printf("\n");
showPermanentFlags(&pf, resp.used);
} else
if (scap == TPM_CAP_FLAG_VOLATILE) {
TPM_STCLEAR_FLAGS sf;
STACK_TPM_BUFFER(tb);
TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
ret = TPM_ReadSTClearFlags(&tb, 0, &sf);
if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) {
printf("ret=%x, responselen=%d\n",ret,resp.used);
printf("Error parsing response!\n");
exit(-1);
}
printf("\n");
showVolatileFlags(&sf);
}
}
break;
case TPM_CAP_KEY_HANDLE:
{
uint16_t num = LOAD16(resp.buffer, 0);
uint32_t i = 0;
uint32_t handle;
printf("\n");
while (i < num) {
handle = LOAD32(resp.buffer,2+i*4);
printf("%d. handle: 0x%08X\n",
i,
handle);
i++;
}
}
break;
case TPM_CAP_NV_INDEX:
{
//char scratch_info[256];
unsigned char scratch_info[256];
uint32_t scratch_info_len;
TPM_NV_DATA_PUBLIC ndp;
uint32_t i, c;
STACK_TPM_BUFFER(tb)
TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
ret = TPM_ReadNVDataPublic(&tb,
0,
&ndp);
if ( ( ret & ERR_MASK) != 0) {
printf("Could not deserialize the TPM_NV_DATA_PUBLIC structure.\n");
exit(-1);
}
printf("permission.attributes : %08X\n",(unsigned int)ndp.permission.attributes);
printf("ReadSTClear : %02X\n",ndp.bReadSTClear);
printf("WriteSTClear : %02X\n",ndp.bWriteSTClear);
printf("WriteDefine : %02X\n",ndp.bWriteDefine);
printf("dataSize : %08X = %d",(unsigned int)ndp.dataSize,
(unsigned int)ndp.dataSize);
c = 0;
for (i = 0; i < ndp.pcrInfoRead.pcrSelection.sizeOfSelect*8; i++) {
if (ndp.pcrInfoRead.pcrSelection.pcrSelect[(i / 8)] & (1 << (i & 0x7))) {
if (!c)
printf("\nRead PCRs selected: ");
else
printf(", ");
printf("%d", i);
c++;
}
}
if (c) {
char pcrmap[4], *pf;
memcpy(pcrmap, ndp.pcrInfoRead.pcrSelection.pcrSelect,
ndp.pcrInfoRead.pcrSelection.sizeOfSelect);
// printf("\npcrmap: %02x%02x%02x%02x\n", pcrmap[0], pcrmap[1],
// pcrmap[2], pcrmap[3]);
ret = TSS_GenPCRInfo(*(uint32_t *)pcrmap,
scratch_info,
&scratch_info_len);
printf("\nRead PCR Composite: ");
for (i = 0; i < 20; i++)
printf("%02x", ndp.pcrInfoRead.digestAtRelease[i] & 0xff);
printf("\n");
#if 1
pf = &scratch_info[5];
printf("\nCurrent PCR composite: ");
for (i = 0; i < 20; i++)
//printf("%02x", scratch_info.digestAtRelease[i] & 0xff);
printf("%02x", pf[i] & 0xff);
printf("\n");
#endif
if (!ret) {
printf("Matches current TPM state: ");
if (!memcmp(&scratch_info[5],
&ndp.pcrInfoRead.digestAtRelease,
20)) {
printf("Yes\n");
} else {
printf("No\n");
}
}
}
c = 0;
for (i = 0; i < ndp.pcrInfoWrite.pcrSelection.sizeOfSelect*8; i++) {
if (ndp.pcrInfoWrite.pcrSelection.pcrSelect[(i / 8)] & (1 << (i & 0x7))) {
if (!c)
printf("\nWrite PCRs selected: ");
else
printf(", ");
printf("%d", i);
c++;
}
}
if (c) {
printf("\nWrite PCR Composite: ");
for (i = 0; i < 20; i++)
printf("%02x", ndp.pcrInfoWrite.digestAtRelease[i] & 0xff);
printf("\n");
}
}
break;
case TPM_CAP_HANDLE:
{
uint16_t num = LOAD16(resp.buffer, 0);
uint16_t x = 0;
while (x < num) {
uint32_t handle = LOAD32(resp.buffer,
sizeof(num)+4*x);
printf("%02d. 0x%08X\n",x,handle);
x++;
}
}
break;
case TPM_CAP_VERSION_VAL:
{
int i = 0;
TPM_CAP_VERSION_INFO cvi;
STACK_TPM_BUFFER(tb)
TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
ret = TPM_ReadCapVersionInfo(&tb,
0,
&cvi);
if ( ( ret & ERR_MASK) != 0) {
printf("Could not read the version info structure.\n");
exit(-1);
}
printf("\n");
printf("major : 0x%02X\n",cvi.version.major);
printf("minor : 0x%02X\n",cvi.version.minor);
printf("revMajor : 0x%02X\n",cvi.version.revMajor);
printf("revMinor : 0x%02X\n",cvi.version.revMinor);
printf("specLevel : 0x%04X\n",cvi.specLevel);
printf("errataRev : 0x%02X\n",cvi.errataRev);
printf("VendorID : ");
while (i < 4) {
printf("%02X ",cvi.tpmVendorID[i]);
i++;
}
printf("\n");
/* Print vendor ID in text if printable */
for (i=0 ; i<4 ; i++) {
if (isprint(cvi.tpmVendorID[i])) {
if (i == 0) {
printf("VendorID : ");
}
printf("%c", cvi.tpmVendorID[i]);
}
else {
break;
}
}
printf("\n");
printf("[not displaying vendor specific information]\n");
}
break;
#if 0 /* kgold: I don't think these are valid cap values */
case TPM_CAP_FLAG_PERMANENT:
{
TPM_PERMANENT_FLAGS pf;
STACK_TPM_BUFFER(tb)
TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
if (resp.used == 21) {
ret = TPM_ReadPermanentFlagsPre103(&tb, 0, &pf);
} else {
ret = TPM_ReadPermanentFlags(&tb, 0, &pf);
}
if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) {
printf("ret=%x, responselen=%d\n",ret,resp.used);
printf("Error parsing response!\n");
exit(-1);
}
printf("\n");
showPermanentFlags(&pf, resp.used);
}
break;
case TPM_CAP_FLAG_VOLATILE:
{
TPM_STCLEAR_FLAGS sf;
STACK_TPM_BUFFER(tb);
TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
ret = TPM_ReadSTClearFlags(&tb, 0, &sf);
if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) {
printf("ret=%x, responselen=%d\n",ret,resp.used);
printf("Error parsing response!\n");
exit(-1);
}
printf("\n");
showVolatileFlags(&sf);
}
break;
#endif
case TPM_CAP_DA_LOGIC:
{
uint32_t ctr;
TPM_BOOL lim = FALSE;
TPM_DA_INFO dainfo;
TPM_DA_INFO_LIMITED dainfo_lim;
STACK_TPM_BUFFER(tb);
TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
ret = TPM_ReadDAInfo(&tb, 0, &dainfo);
if ( ( ret & ERR_MASK) != 0 || ret > resp.used) {
ret = TPM_ReadDAInfoLimited(&tb, 0, &dainfo_lim);
if ( (ret & ERR_MASK ) != 0 || ret > resp.used) {
printf("ret=%x, responselen=%d\n",ret,resp.used);
printf("Error parsing response!\n");
exit(-1);
} else {
lim = TRUE;
}
}
printf("\n");
if (lim) {
printf("State : %d\n",dainfo_lim.state);
printf("Actions : 0x%08x\n",dainfo_lim.actionAtThreshold.actions);
ctr = 0;
while (ctr < dainfo_lim.vendorData.size) {
printf("%02x ",(unsigned char)dainfo_lim.vendorData.buffer[ctr]);
ctr++;
}
} else {
printf("State : %d\n",dainfo.state);
printf("currentCount : %d\n",dainfo.currentCount);
printf("thresholdCount : %d\n",dainfo.thresholdCount);
printf("Actions : 0x%08x\n",dainfo.actionAtThreshold.actions);
printf("actionDependValue : %d\n",dainfo.actionDependValue);
#if 0
ctr = 0;
while (ctr < dainfo_lim.vendorData.size) {
printf("%02x ",(unsigned char)dainfo_lim.vendorData.buffer[ctr]);
ctr++;
}
#endif
}
}
break;
}
} else
if (TYPE_VARIOUS == matrx[index].result_size) {
switch(cap) {
case TPM_CAP_MFR:
switch (scap) {
case TPM_CAP_PROCESS_ID:
{
uint32_t rsp;
rsp = LOAD32(resp.buffer,0);
printf("%d\n",rsp);
}
break;
}
break; /* TPM_CAP_MFR */
default:
/* Show booleans */
if (scap == TPM_CAP_PROP_OWNER ||
scap == TPM_CAP_PROP_DAA_INTERRUPT
) {
if (0 == resp.buffer[0]) {
printf("FALSE\n");
} else {
printf("TRUE\n");
}
} else /* check for array of 4 UINTs */
if (scap == TPM_CAP_PROP_TIS_TIMEOUT /* ||
scap == TPM_CAP_PROP_TIMEOUTS */) {
int i = 0;
while (i < 4) {
uint32_t val = LOAD32(resp.buffer,i * 4);
printf("%d ",
val);
i++;
}
printf("\n");
} else /* check for TPM_STARTUP_EFFECTS */
if (scap == TPM_CAP_PROP_STARTUP_EFFECT) {
TPM_STARTUP_EFFECTS se = 0;
ret = TPM_ReadStartupEffects(resp.buffer,
&se);
if ( ( ret & ERR_MASK ) != 0 ) {
printf("Could not read startup effects structure.\n");
exit(-1);
}
printf("0x%08X=%d\n",
(unsigned int)se,
(unsigned int)se);
printf("\n");
printf("Startup effects:\n");
printf("Effect on audit digest: %s\n", (se & (1 << 7))
? "none"
: "active");
printf("Audit Digest on TPM_Startup(ST_CLEAR): %s\n", ( se & (1 << 6))
? "set to NULL"
: "not set to NULL" );
printf("Audit Digest on TPM_Startup(any) : %s\n", ( se & (1 << 5))
? "set to NULL"
: "not set to NULL" );
printf("TPM_RT_KEY resource initialized on TPM_Startup(ST_ANY) : %s\n", (se & ( 1 << 4))
? "yes"
: "no");
printf("TPM_RT_AUTH resource initialized on TPM_Startup(ST_STATE) : %s\n", (se & ( 1 << 3))
? "yes"
: "no");
printf("TPM_RT_HASH resource initialized on TPM_Startup(ST_STATE) : %s\n", (se & ( 1 << 2))
? "yes"
: "no");
printf("TPM_RT_TRANS resource initialized on TPM_Startup(ST_STATE) : %s\n", (se & ( 1 << 1))
? "yes"
: "no");
printf("TPM_RT_CONTEXT session initialized on TPM_Startup(ST_STATE): %s\n", (se & ( 1 << 0))
? "yes"
: "no");
} else /* check for array of 3 UINTs */
if (scap == TPM_CAP_PROP_DURATION) {
int i = 0;
while (i < 4*3) {
uint32_t val = LOAD32(resp.buffer,i);
printf("%d ",
val);
i+= 4;
}
printf("\n");
} else /* check for TPM_COUNT_ID */
if (scap == TPM_CAP_PROP_ACTIVE_COUNTER) {
uint32_t val = LOAD32(resp.buffer,0);
printf("0x%08X=%d",val,val);
if (0xffffffff == val) {
printf(" (no counter is active)");
}
printf("\n");
} else { /* just a single UINT32 */
printf("%ld=0x%08lX.\n",
(long)LOAD32(resp.buffer, 0),
(long)LOAD32(resp.buffer, 0));
}
}
}
}
printf("\n");
exit(0);
}
uint32_t TPM_TakeOwnership(unsigned char *ownpass, unsigned char *srkpass,
keydata * key)
{
unsigned char take_owner_fmt[] = "00 c2 T l s @ @ % l % 00 %";
/* required OAEP padding P parameter */
unsigned char tpm_oaep_pad_str[] = { 'T', 'C', 'P', 'A' };
uint32_t ret;
int iret;
unsigned char tpmdata[TPM_MAX_BUFF_SIZE];
pubkeydata tpmpubkey; /* public endorsement key data */
uint32_t srkparamsize; /* SRK parameter buffer size */
unsigned char nonceeven[TPM_HASH_SIZE]; /* even nonce (from OIAPopen) */
RSA *pubkey; /* PubEK converted to OpenSSL format */
unsigned char padded[RSA_MODULUS_BYTE_SIZE];
keydata srk; /* key info for SRK */
unsigned char dummypass[TPM_HASH_SIZE]; /* dummy srk password */
unsigned char *spass; /* pointer to srkpass or dummy */
unsigned int i;
/* data to be inserted into Take Owner Request Buffer */
/* the uint32_t and uint16_t values are stored in network byte order */
uint32_t command; /* command ordinal */
uint16_t protocol; /* protocol ID */
uint32_t oencdatasize; /* owner auth data encrypted size */
unsigned char ownerencr[RSA_MODULUS_BYTE_SIZE];
uint32_t sencdatasize; /* srk auth data encrypted size */
unsigned char srkencr[RSA_MODULUS_BYTE_SIZE];
unsigned char srk_param_buff[TPM_SRK_PARAM_BUFF_SIZE];
uint32_t authhandle; /* auth handle (from OIAPopen) */
unsigned char nonceodd[TPM_HASH_SIZE]; /* odd nonce */
unsigned char authdata[TPM_HASH_SIZE]; /* auth data */
/* check that parameters are valid */
if (ownpass == NULL)
return ERR_NULL_ARG;
if (srkpass == NULL) {
memset(dummypass, 0, sizeof dummypass);
spass = dummypass;
} else
spass = srkpass;
/* set up command and protocol values for TakeOwnership function */
command = htonl(0x0d);
protocol = htons(0x05);
/* get the TPM Endorsement Public Key */
ret = TPM_ReadPubek(&tpmpubkey);
if (ret)
return ret;
/* convert the public key to OpenSSL format */
pubkey = TSS_convpubkey(&tpmpubkey);
if (pubkey == NULL)
return ERR_CRYPT_ERR;
memset(ownerencr, 0, sizeof ownerencr);
memset(srkencr, 0, sizeof srkencr);
/* Pad and then encrypt the owner data using the RSA public key */
iret = RSA_padding_add_PKCS1_OAEP(padded, RSA_MODULUS_BYTE_SIZE,
ownpass, TPM_HASH_SIZE,
tpm_oaep_pad_str,
sizeof tpm_oaep_pad_str);
if (iret == 0)
return ERR_CRYPT_ERR;
iret =
RSA_public_encrypt(RSA_MODULUS_BYTE_SIZE, padded, ownerencr,
pubkey, RSA_NO_PADDING);
if (iret < 0)
return ERR_CRYPT_ERR;
oencdatasize = htonl(iret);
/* Pad and then encrypt the SRK data using the RSA public key */
iret = RSA_padding_add_PKCS1_OAEP(padded, RSA_MODULUS_BYTE_SIZE,
spass, TPM_HASH_SIZE,
tpm_oaep_pad_str,
sizeof tpm_oaep_pad_str);
if (iret == 0)
return ERR_CRYPT_ERR;
iret =
RSA_public_encrypt(RSA_MODULUS_BYTE_SIZE, padded, srkencr,
pubkey, RSA_NO_PADDING);
if (iret < 0)
return ERR_CRYPT_ERR;
sencdatasize = htonl(iret);
RSA_free(pubkey);
if (ntohl(oencdatasize) < 0)
return ERR_CRYPT_ERR;
if (ntohl(sencdatasize) < 0)
return ERR_CRYPT_ERR;
/* fill the SRK-params key structure */
/* get tpm version */
ret =
TPM_GetCapability(0x00000006, NULL, 0, &(srk.version[0]), &i);
if (ret != 0)
return ret;
srk.keyusage = 0x0011; /* Storage Key */
srk.keyflags = 0;
if (srkpass != NULL)
srk.authdatausage = 0x01;
else
srk.authdatausage = 0x00;
srk.privkeylen = 0; /* private key not specified here */
srk.pub.algorithm = 0x00000001; /* RSA */
srk.pub.encscheme = 0x0003; /* RSA OAEP SHA1 MGF1 */
srk.pub.sigscheme = 0x0001; /* NONE */
srk.pub.keybitlen = RSA_MODULUS_BIT_SIZE;
srk.pub.numprimes = 2;
srk.pub.expsize = 0; /* defaults to 0x010001 */
srk.pub.keylength = 0; /* not used here */
srk.pub.pcrinfolen = 0; /* not used here */
/* convert to a memory buffer */
srkparamsize = TPM_BuildKey(srk_param_buff, &srk);
/* generate the odd nonce */
ret = TSS_gennonce(nonceodd);
if (ret == 0)
return ret;
/* initiate the OIAP protocol */
ret = TSS_OIAPopen(&authhandle, nonceeven);
if (ret != 0)
return ret;
/* calculate the Authorization Data */
ret =
TSS_authhmac(authdata, ownpass, TPM_HASH_SIZE, nonceeven,
nonceodd, 0, TPM_U32_SIZE, &command, TPM_U16_SIZE,
&protocol, TPM_U32_SIZE, &oencdatasize,
ntohl(oencdatasize), ownerencr, TPM_U32_SIZE,
&sencdatasize, ntohl(sencdatasize), srkencr,
srkparamsize, srk_param_buff, 0, 0);
if (ret != 0) {
TSS_OIAPclose(authhandle);
return ret;
}
/* insert all the calculated fields into the request buffer */
ret = TSS_buildbuff(take_owner_fmt, tpmdata,
command,
protocol,
ntohl(oencdatasize),
ownerencr,
ntohl(sencdatasize),
srkencr,
srkparamsize,
srk_param_buff,
authhandle,
TPM_HASH_SIZE,
nonceodd, TPM_HASH_SIZE, authdata);
if ((ret & ERR_MASK) != 0) {
TSS_OIAPclose(authhandle);
return ret;
}
/* transmit the request buffer to the TPM device and read the reply */
ret = TPM_Transmit(tpmdata, "Take Ownership");
TSS_OIAPclose(authhandle);
if (ret != 0)
return ret;
/* check the response HMAC */
srkparamsize = TSS_KeySize(tpmdata + TPM_DATA_OFFSET);
ret =
TSS_checkhmac1(tpmdata, command, nonceodd, ownpass,
TPM_HASH_SIZE, srkparamsize, TPM_DATA_OFFSET, 0,
0);
if (ret != 0)
return ret;
/* convert the returned key to a structure */
if (key == NULL)
return 0;
TSS_KeyExtract(tpmdata + TPM_DATA_OFFSET, key);
return 0;
}
/*
* make sure the given keys are in the TPM and there is
* enough room for 'room' keys in the TPM
*/
static uint32_t
needKeysRoom_General(uint32_t key1, uint32_t key2, uint32_t key3,
uint32_t room)
{
uint32_t ret = 0;
uint32_t scap_no;
STACK_TPM_BUFFER(context);
STACK_TPM_BUFFER(scap);
STACK_TPM_BUFFER(capabilities);
uint32_t tpmkeyroom;
uint32_t keysintpm;
int intpm1, intpm2, intpm3;
uint32_t neededslots;
static int in_swapping = 0;
char *tmp1;
char *tmp2;
char *tmp3;
/* do NOT allow recursion */
if (in_swapping) {
return 0;
}
tmp1 = getenv("TPM_AUDITING");
tmp2 = getenv("TPM_TRANSPORT");
tmp3 = getenv("TPM_NO_KEY_SWAP");
if ((tmp1 && !strcmp(tmp1,"1") &&
tmp2 && !strcmp(tmp2,"1")) ||
(tmp3 && !strcmp(tmp3,"1")) ) {
return 0;
}
in_swapping = 1;
#if 0
printf("level: %d\n",g_num_transports);
#endif
/*
* Support for 1.1 TPMs is not possible since the key handle
* must be maintained and the old SaveKeyContext functions don't
* do that.
*
* Strategy for 1.2 TPMs:
* Check the number of keys the TPM can handle.
* Check which keys are in the TPM and how many.
* If there's enough room for all keys that need to be loaded in,
* just load them in, otherwise swap an unneeded key out first.
* If necessary, swap as many keys out such that there's enough
* room for 'room' keys.
*/
scap_no = htonl(TPM_CAP_PROP_MAX_KEYS); // 0x110
SET_TPM_BUFFER(&scap, &scap_no, sizeof(scap_no));
ret = TPM_GetCapability(TPM_CAP_PROPERTY, // 0x5
&scap,
&capabilities);
if (ret != 0) {
/* call may fail at very beginning */
in_swapping = 0;
return 0;
} else {
ret = tpm_buffer_load32(&capabilities, 0, &tpmkeyroom);
if (ret != 0) {
in_swapping = 0;
return ret;
}
//tpmkeyroom = 10;
}
scap_no = ntohl(TPM_RT_KEY);
SET_TPM_BUFFER(&scap, &scap_no, sizeof(scap_no));
ret = TPM_GetCapability(TPM_CAP_KEY_HANDLE,
&scap,
&capabilities);
if (ret != 0) {
in_swapping = 0;
printf("Error %s from TPM_GetCapability.\n",
TPM_GetErrMsg(ret));
return ret;
}
neededslots = room;
intpm1 = IsKeyInTPM(&capabilities, key1);
if (!intpm1)
neededslots++;
intpm2 = IsKeyInTPM(&capabilities, key2);
if (!intpm2)
neededslots++;
intpm3 = IsKeyInTPM(&capabilities, key3);
if (!intpm2)
neededslots++;
#if 0
uint32_t ctr, handle;
for (ctr = 2; ctr < capabilities.used; ctr += sizeof(handle)) {
ret = tpm_buffer_load32(&capabilities,
ctr,
&handle);
if (ret != 0) {
break;
}
printf("available key: %08x\n",handle);
}
#endif
keysintpm = (capabilities.used - 2 ) / 4;
#if 0
printf("TPM has room for %d keys, holds %d keys.\n",
tpmkeyroom,keysintpm);
#endif
if ((int)neededslots > ((int)tpmkeyroom - (int)keysintpm)) {
ret = swapOutKeys((int)neededslots - ((int)tpmkeyroom-(int)keysintpm),
key1,
key2,
key3,
&capabilities);
#if 0
} else {
printf("No need to swap out keys.\n");
#endif
}
if (ret == 0 && !intpm1) {
ret = swapInKey(key1);
}
if (ret == 0 && !intpm2) {
ret = swapInKey(key2);
}
if (ret == 0 && !intpm3) {
ret = swapInKey(key3);
}
in_swapping = 0;
return ret;
}
int main(int argc, char *argv[])
{
int i;
int ret;
RSA *rsa;
EVP_PKEY *pkey;
FILE *dfile;
FILE *ofile;
FILE *kfile;
unsigned char blob[4096];
unsigned int bloblen;
unsigned int datlen;
struct tcpa_bound_data {
unsigned char version[4];
unsigned char type;
unsigned char data[256];
} bound;
struct stat sbuf;
if (argc < 4) {
fprintf(stderr,
"Usage: bindfile <pubkey file> <data file> <output file>\n");
exit(1);
}
TPM_setlog(0);
/*
** get size of data file
*/
stat(argv[2], &sbuf);
datlen = (int) sbuf.st_size;
/*
** read the data file
*/
dfile = fopen(argv[2], "r");
if (dfile == NULL) {
fprintf(stderr, "Unable to open data file '%s'\n",
argv[2]);
exit(2);
}
memset(bound.data, 0, 256);
ret = fread(bound.data, 1, datlen, dfile);
fclose(dfile);
if (ret != datlen) {
fprintf(stderr, "Unable to read data file\n");
exit(3);
}
/*
** read the key file
*/
kfile = fopen(argv[1], "r");
if (kfile == NULL) {
fprintf(stderr, "Unable to open public key file '%s'\n",
argv[1]);
exit(4);
}
pkey = PEM_read_PUBKEY(kfile, NULL, NULL, NULL);
fclose(kfile);
if (pkey == NULL) {
fprintf(stderr,
"I/O Error while reading public key file '%s'\n",
argv[1]);
exit(5);
}
rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL) {
fprintf(stderr, "Error while converting public key \n");
exit(6);
}
/* get the TPM version and put into the bound structure */
ret =
TPM_GetCapability(0x00000006, NULL, 0, &(bound.version[0]),
&i);
if (ret != 0) {
fprintf(stderr, "Error '%s' from TPM_GetCapability\n",
TPM_GetErrMsg(ret));
exit(7);
}
bound.type = 2;
ret =
TSS_Bind(rsa, (unsigned char *) &bound, 5 + datlen, blob,
&bloblen);
if (ret != 0) {
fprintf(stderr, "Error '%s' from TSS_Bind\n",
TPM_GetErrMsg(ret));
exit(8);
}
ofile = fopen(argv[3], "w");
if (ofile == NULL) {
fprintf(stderr, "Unable to open output file '%s'\n",
argv[3]);
exit(9);
}
i = fwrite(blob, 1, bloblen, ofile);
if (i != bloblen) {
fprintf(stderr, "Error writing output file '%s'\n",
argv[3]);
fclose(ofile);
exit(10);
}
fclose(ofile);
exit(0);
}
