int main(int argc, char **argv) { TSS_RESULT tResult; TSS_HTPM hTpm; int iRc = -1; struct option opts[] = { {"infile", required_argument, NULL, 'i'}, }; BYTE revokeData[TPM_SHA1BASED_NONCE_LEN]; BYTE *revData = revokeData; initIntlSys(); if (genericOptHandler(argc, argv, "i:", opts, sizeof(opts) / sizeof(struct option), parse, help) != 0) goto out; if (isInputSet) { if (readData(sizeof(revokeData), &revData)) goto out; } else { logError(_("Please specify which file contains the secret to revoke the Ek (use option -i, --infile).\n")); goto out; } logDebug("Input file name: %s\n", in_filename); if (contextCreate(&hContext) != TSS_SUCCESS) goto out; if (contextConnect(hContext) != TSS_SUCCESS) goto out_close; if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS) goto out_close; tResult = tpmRevokeEk(hTpm, sizeof(revokeData), revData); if (tResult != TSS_SUCCESS) goto out_close; iRc = 0; logSuccess(argv[0]); out_close: contextClose(hContext); out: return iRc; }
/* * Affect: Change owner or srk password * Default: No action * Required: Owner authentication */ int main(int argc, char **argv) { int i = 0, iRc = -1; char *passwd = NULL; int pswd_len; TSS_HPOLICY hTpmPolicy, hNewPolicy; TSS_HTPM hTpm; TSS_HTPM hSrk; BYTE well_known_secret[] = TSS_WELL_KNOWN_SECRET; struct option opts[] = { {"owner", no_argument, NULL, 'o'}, {"srk", no_argument, NULL, 's'}, {"original_password_unicode", no_argument, NULL, 'g'}, {"new_password_unicode", no_argument, NULL, 'n'}, {"well-known", no_argument, NULL, 'z'}, {"set-well-known", no_argument, NULL, 'r'}, }; initIntlSys(); if (genericOptHandler (argc, argv, "zrsogn", opts, sizeof(opts) / sizeof(struct option), parse, help) != 0) goto out; //nothing selected if ((!changeRequested && wellKnown) || (!changeRequested)) { help(argv[0]); goto out; } //Connect to TSS and TPM if (contextCreate(&hContext) != TSS_SUCCESS) goto out; if (contextConnect(hContext) != TSS_SUCCESS) goto out_close; if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS) goto out_close; if (wellKnown) { passwd = (char *)well_known_secret; pswd_len = TCPA_SHA1_160_HASH_LEN; } else { passwd = _GETPASSWD(_("Enter owner password: "******"Failed to get owner password\n")); goto out_close; } } if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS) goto out_close; if (policySetSecret(hTpmPolicy, pswd_len, (BYTE *)passwd) != TSS_SUCCESS) goto out_close; if (!wellKnown && !setWellKnown) { shredPasswd(passwd); passwd = NULL; } do { if (auths[i].change) { logInfo(_("Changing password for: %s.\n"), _(auths[i].name)); if (setWellKnown) { passwd = (char *)well_known_secret; pswd_len = TCPA_SHA1_160_HASH_LEN; } else { passwd = _GETPASSWD(_(auths[i].prompt), &pswd_len, TRUE, newUnicode || useUnicode ); if (!passwd) { logError(_("Failed to get new password.\n")); goto out_close; } } if (contextCreateObject (hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hNewPolicy) != TSS_SUCCESS) goto out_close; if (policySetSecret (hNewPolicy, pswd_len, (BYTE *)passwd) != TSS_SUCCESS) goto out_close; if (i == owner) { if (tpmChangeAuth(hTpm, NULL_HOBJECT, hNewPolicy) != TSS_SUCCESS) goto out_close; } else if (i == srk) { if (keyLoadKeyByUUID (hContext, TSS_PS_TYPE_SYSTEM, SRK_UUID, &hSrk) != TSS_SUCCESS) goto out_close; if (tpmChangeAuth(hSrk, hTpm, hNewPolicy) != TSS_SUCCESS) goto out_close; } logInfo(_("Change of %s password successful.\n"), _(auths[i].name)); if (!wellKnown && !setWellKnown) { shredPasswd(passwd); passwd = NULL; } } } while (auths[++i].name); iRc = 0; out_close: contextClose(hContext); out: if (passwd && !wellKnown && !setWellKnown) shredPasswd(passwd); return iRc; }
int main(int argc, char **argv) { char *szTpmPasswd = NULL; int pswd_len; TSS_HTPM hTpm; TSS_HPOLICY hTpmPolicy; int iRc = -1; struct option opts[] = { {"force", no_argument, NULL, 'f'}, {"well-known", no_argument, NULL, 'z'}, }; BYTE well_known[] = TSS_WELL_KNOWN_SECRET; initIntlSys(); if (genericOptHandler (argc, argv, "fz", opts, sizeof(opts) / sizeof(struct option), parse, help) != 0) goto out; if (contextCreate(&hContext) != TSS_SUCCESS) goto out; if (contextConnect(hContext) != TSS_SUCCESS) goto out_close; if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS) goto out_close; if (!bValue) { if (isWellKnown){ szTpmPasswd = (char *)well_known; pswd_len = sizeof(well_known); }else{ szTpmPasswd = GETPASSWD(_("Enter owner password: "******"Failed to get password\n")); goto out_close; } } if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS) goto out_close; if (policySetSecret(hTpmPolicy, pswd_len, (BYTE *)szTpmPasswd) != TSS_SUCCESS) goto out_close; } //Setup complete attempt command if (tpmClearOwner(hTpm, bValue) != TSS_SUCCESS) goto out_close; //Command successful iRc = 0; logSuccess(argv[0]); logMsg( _("TPM Successfuly Cleared. You need to reboot to complete this operation. After reboot the TPM will be in the default state: unowned, disabled and inactive.\n") ); //Cleanup out_close: if (szTpmPasswd && !isWellKnown) shredPasswd(szTpmPasswd); contextClose(hContext); out: return iRc; }
int main(int argc, char **argv) { char *szTpmPasswd = NULL; int pswd_len; TSS_HPOLICY hTpmPolicy; TSS_HTPM hTpm; int iRc = -1; struct option opts[] = { {"allow", no_argument, NULL, 'a'}, {"status", no_argument, NULL, 's'}, {"restrict", no_argument, NULL, 'r'}, {"well-known", no_argument, NULL, 'z'}, }; BYTE well_known[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET; initIntlSys(); if (genericOptHandler (argc, argv, "asrz", opts, sizeof(opts) / sizeof(struct option), parse, help) != 0) goto out; /* If no args are given, the default should be to give status */ if (argc == 1) bCheck = TRUE; //Connect to TSS and TPM if (contextCreate(&hContext) != TSS_SUCCESS) goto out; if (contextConnect(hContext) != TSS_SUCCESS) goto out_close; if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS) goto out_close; if (isWellKnown) { szTpmPasswd = (char *)well_known; pswd_len = sizeof(well_known); } else { // Prompt for owner password szTpmPasswd = GETPASSWD(_("Enter owner password: "******"Failed to get password\n")); goto out_close; } } if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS) goto out_close; if (policySetSecret (hTpmPolicy, pswd_len, (BYTE *)szTpmPasswd) != TSS_SUCCESS) goto out_close; if (bCheck) { TSS_BOOL bValue; if (tpmGetStatus (hTpm, TSS_TPMSTATUS_DISABLEPUBSRKREAD, &bValue) != TSS_SUCCESS) goto out; logMsg(_("Storage Root Key readable with: %s\n"), bValue ? _("owner auth") : _("SRK auth")); } else { if (tpmSetStatus(hTpm, TSS_TPMSTATUS_DISABLEPUBSRKREAD, bRestrict) != TSS_SUCCESS) goto out_close; } iRc = 0; logSuccess(argv[0]); out_close: contextClose(hContext); out: if (szTpmPasswd && !isWellKnown) shredPasswd(szTpmPasswd); return iRc; }
int main(int argc, char **argv) { TSS_RESULT tResult; TSS_HTPM hTpm; TSS_HKEY hEk; TSS_FLAG fEkAttrs; int iRc = -1; #ifdef TSS_LIB_IS_12 struct option opts[] = {{"revocable", no_argument, NULL, 'r'}, {"generate-secret", no_argument, NULL, 'g'}, {"infile", required_argument, NULL, 'i'}, {"outfile", required_argument, NULL, 'o'}, }; UINT32 revDataSz; BYTE revokeData[TPM_SHA1BASED_NONCE_LEN]; BYTE *pRevData; #endif initIntlSys(); #ifdef TSS_LIB_IS_12 if (genericOptHandler(argc, argv, "rgi:o:", opts, sizeof(opts) / sizeof(struct option), parse, help) != 0) goto out; //Check commands for command hierarchy if (isRevocable) { if (needGenerateSecret) { if (!outFileSet) { logError(_("Please specify an output file\n")); goto out; } if (inFileSet) { logError(_("The option -i, --infile is not valid with -g\n")); goto out; } } else if (!inFileSet) { logError(_("Please specify -i, --infile or -g, --generate-secret\n")); goto out; } else if (outFileSet) { logError(_("The option -o, --outfile is not valid with -i, --infile")); goto out; } } logDebug("Input file name: %s\n", in_filename); logDebug("Output file name: %s\n", out_filename); if (inFileSet) { pRevData = revokeData; revDataSz = sizeof(revokeData); if (readData(revDataSz, &pRevData)) goto out; } else if (outFileSet) { FILE *outfile = fopen(out_filename, "w"); if (!outfile) { iRc = -1; logError(_("Unable to open output file: %s\n"), out_filename); goto out; } fclose(outfile); //TPM should generate the revoke data revDataSz = 0; pRevData = NULL; } #else if (genericOptHandler(argc, argv, NULL, NULL, 0, NULL, NULL) != 0){ logError(_("See man pages for details.\n")); goto out; } #endif if (contextCreate(&hContext) != TSS_SUCCESS) goto out; if (contextConnect(hContext) != TSS_SUCCESS) goto out_close; if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS) goto out_close; //Initialize EK attributes here fEkAttrs = TSS_KEY_SIZE_2048 | TSS_KEY_TYPE_LEGACY; if (contextCreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY, fEkAttrs, &hEk) != TSS_SUCCESS) goto out_close; #ifdef TSS_LIB_IS_12 if (isRevocable){ tResult = tpmCreateRevEk(hTpm, hEk, NULL, &revDataSz, &pRevData); if (tResult != TSS_SUCCESS) goto out_close; //Writes the generated secret into the output file if (outFileSet) { if (writeData(revDataSz, pRevData)) { logError(_("Creating revocable EK succeeded, but writing the EK " "revoke authorization to disk failed.\nPrinting the " "revoke authorization instead:\n")); logHex(revDataSz, pRevData); logError(_("You should record this data, as its the authorization " "you'll need to revoke your EK!\n")); goto out_close; } } } else #endif tResult = tpmCreateEk(hTpm, hEk, NULL); if (tResult != TSS_SUCCESS) goto out_close; iRc = 0; logSuccess(argv[0]); out_close: contextClose(hContext); out: return iRc; }
int main( int argc, char **argv ) { char *szTpmPasswd = NULL; int tpm_len; TSS_HTPM hTpm; TSS_HPOLICY hTpmPolicy; TSS_BOOL bValue = TRUE; int iRc = -1; struct option opts[] = { {"use-hex", no_argument, NULL, 'x'}, {"well-known", no_argument, NULL, 'z'}, }; BYTE wellKnown[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET; BYTE* pTpmPasswd = NULL; int iTpmPasswdLen; initIntlSys(); if (genericOptHandler(argc, argv, "xz", opts, sizeof(opts) / sizeof(struct option), parse, help) != 0) goto out; if (contextCreate(&hContext) != TSS_SUCCESS) goto out; if (!isWellKnown) { // Prompt for owner password szTpmPasswd = GETPASSWD(_("Enter owner password: "******"Failed to get Owner password\n")); goto out; } if( decodeHexPassword ) { if( hex2bytea(szTpmPasswd, &pTpmPasswd, &iTpmPasswdLen) != 0 ) { logError(_("Invalid hex owner secret\n")); goto out_close; } } } else { szTpmPasswd = (char *)wellKnown; tpm_len = sizeof(wellKnown); } if (contextConnect(hContext) != TSS_SUCCESS) goto out_close; if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS) goto out_close; if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS) goto out_close; if( decodeHexPassword ) { if( Tspi_Policy_SetSecret(hTpmPolicy, TSS_SECRET_MODE_PLAIN, iTpmPasswdLen, pTpmPasswd) != TSS_SUCCESS) goto out_close; } else { if (policySetSecret(hTpmPolicy, tpm_len, (BYTE *)szTpmPasswd) != TSS_SUCCESS) goto out_close; } if (tpmSetStatus(hTpm, TSS_TPMSTATUS_RESETLOCK, bValue) != TSS_SUCCESS) goto out_close; iRc = 0; logSuccess(argv[0]); out_close: contextClose(hContext); out: if (!isWellKnown && szTpmPasswd) shredPasswd(szTpmPasswd); if( pTpmPasswd ) shredByteArray(pTpmPasswd, iTpmPasswdLen); return iRc; }
int cmdVersion(const char *a_szCmd) { TSS_HTPM hTpm; UINT32 uiSubCap; BYTE *pSubCap; UINT32 uiResultLen; BYTE *pResult; int iRc = -1; if (contextCreate(&hContext) != TSS_SUCCESS) goto out; if (contextConnect(hContext) != TSS_SUCCESS) goto out_close; if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS) goto out_close; #ifdef TSS_LIB_IS_12 { UINT64 offset; TSS_RESULT uiResult; TPM_CAP_VERSION_INFO versionInfo; int tmpLogLevel = iLogLevel; /* disable logging during this call. If we're on a 1.1 TPM, it'd throw an error */ iLogLevel = LOG_LEVEL_NONE; if ((uiResult = getCapability(hTpm, TSS_TPMCAP_VERSION_VAL, 0, NULL, &uiResultLen, &pResult)) != TSS_SUCCESS) { iLogLevel = tmpLogLevel; if (uiResult == TPM_E_BAD_MODE) goto print_cap_version; else goto out_close; } iLogLevel = tmpLogLevel; offset = 0; if ((uiResult = unloadVersionInfo(&offset, pResult, &versionInfo))) { goto out_close; } logMsg(_(" TPM 1.2 Version Info:\n")); logMsg(_(" Chip Version: %hhu.%hhu.%hhu.%hhu\n"), versionInfo.version.major, versionInfo.version.minor, versionInfo.version.revMajor, versionInfo.version.revMinor); logMsg(_(" Spec Level: %hu\n"), versionInfo.specLevel); logMsg(_(" Errata Revision: %hhu\n"), versionInfo.errataRev); logMsg(_(" TPM Vendor ID: %c%c%c%c\n"), versionInfo.tpmVendorID[0], versionInfo.tpmVendorID[1], versionInfo.tpmVendorID[2], versionInfo.tpmVendorID[3]); if (versionInfo.vendorSpecificSize) { logMsg(_(" Vendor Specific data: ")); logHex(versionInfo.vendorSpecificSize, versionInfo.vendorSpecific); free(versionInfo.vendorSpecific); } } print_cap_version: #endif if (getCapability(hTpm, TSS_TPMCAP_VERSION, 0, NULL, &uiResultLen, &pResult) != TSS_SUCCESS) goto out_close; logMsg(_(" TPM Version: ")); logHex(uiResultLen, pResult); uiSubCap = TSS_TPMCAP_PROP_MANUFACTURER; pSubCap = (BYTE *) & uiSubCap; if (getCapability(hTpm, TSS_TPMCAP_PROPERTY, sizeof(uiSubCap), pSubCap, &uiResultLen, &pResult) != TSS_SUCCESS) goto out_close; logMsg(_(" Manufacturer Info: ")); logHex(uiResultLen, pResult); iRc = 0; logSuccess(a_szCmd); out_close: contextClose(hContext); out: return iRc; }
int main(int argc, char **argv) { TSS_HTPM hTpm; TSS_HNVSTORE nvObject; TSS_FLAG fNvAttrs; TSS_HPOLICY hTpmPolicy, hDataPolicy; int iRc = -1; BYTE well_known_secret[] = TSS_WELL_KNOWN_SECRET; int opswd_len = -1; int dpswd_len = -1; struct option hOpts[] = { {"index" , required_argument, NULL, 'i'}, {"size" , required_argument, NULL, 's'}, {"permissions" , required_argument, NULL, 'p'}, {"pwdo" , optional_argument, NULL, 'o'}, {"pwda" , optional_argument, NULL, 'a'}, {"use-unicode" , no_argument, NULL, 'u'}, {"data-well-known" , no_argument, NULL, 'z'}, {"owner-well-known", no_argument, NULL, 'y'}, {NULL , no_argument, NULL, 0}, }; initIntlSys(); if (genericOptHandler (argc, argv, "i:s:p:o:a:yzu", hOpts, sizeof(hOpts) / sizeof(struct option), parse, help) != 0) goto out; if (end) { iRc = 0; goto out; } if (!nvindex_set) { logError(_("You must provide an index for the NVRAM area.\n")); goto out; } if (nvperm == 0 && (UINT32)nvindex != TPM_NV_INDEX_LOCK && (UINT32)nvindex != TPM_NV_INDEX0) { logError(_("You must provide permission bits for the NVRAM area.\n")); goto out; } logDebug("permissions = 0x%08x\n", nvperm); if (contextCreate(&hContext) != TSS_SUCCESS) goto out; if (contextConnect(hContext) != TSS_SUCCESS) goto out_close; if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS) goto out_close; fNvAttrs = 0; if (contextCreateObject(hContext, TSS_OBJECT_TYPE_NV, fNvAttrs, &nvObject) != TSS_SUCCESS) goto out_close; if (askOwnerPass) { ownerpass = _GETPASSWD(_("Enter owner password: "******"Failed to get owner password\n")); goto out_close; } } if (ownerpass || ownerWellKnown) { if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS) goto out_close; if (ownerpass) { if (opswd_len < 0) opswd_len = strlen(ownerpass); if (policySetSecret(hTpmPolicy, opswd_len, (BYTE *)ownerpass) != TSS_SUCCESS) goto out_close; } else { if (policySetSecret(hTpmPolicy, TCPA_SHA1_160_HASH_LEN, (BYTE *)well_known_secret) != TSS_SUCCESS) goto out_close; } } if (askDataPass) { datapass = _GETPASSWD(_("Enter NVRAM data password: "******"Failed to get NVRAM data password\n")); goto out_close; } } if (datapass || dataWellKnown) { if (contextCreateObject (hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hDataPolicy) != TSS_SUCCESS) goto out_close; if (datapass) { if (dpswd_len < 0) dpswd_len = strlen(datapass); if (policySetSecret(hDataPolicy, dpswd_len, (BYTE *)datapass) != TSS_SUCCESS) goto out_close; } else { if (policySetSecret(hDataPolicy, TCPA_SHA1_160_HASH_LEN, (BYTE *)well_known_secret) != TSS_SUCCESS) goto out_close; } if (Tspi_Policy_AssignToObject(hDataPolicy, nvObject) != TSS_SUCCESS) goto out_close; } if (Tspi_SetAttribUint32(nvObject, TSS_TSPATTRIB_NV_INDEX, 0, nvindex) != TSS_SUCCESS) goto out_close_obj; if (Tspi_SetAttribUint32(nvObject, TSS_TSPATTRIB_NV_PERMISSIONS, 0, nvperm) != TSS_SUCCESS) goto out_close_obj; if (Tspi_SetAttribUint32(nvObject, TSS_TSPATTRIB_NV_DATASIZE, 0, nvsize) != TSS_SUCCESS) goto out_close_obj; if (NVDefineSpace(nvObject, (TSS_HPCRS)0, (TSS_HPCRS)0) != TSS_SUCCESS) goto out_close; logMsg(_("Successfully created NVRAM area at index 0x%x (%u).\n"), nvindex, nvindex); iRc = 0; goto out_close; out_close_obj: contextCloseObject(hContext, nvObject); out_close: contextClose(hContext); out: return iRc; }
int main(int argc, char **argv) { TSS_HKEY hSrk, hKey; TSS_HENCDATA hEncdata; TSS_HPOLICY hPolicy; int iRc = -1; struct option opts[] = { {"infile", required_argument, NULL, 'i'}, {"outfile", required_argument, NULL, 'o'}, {"pcr", required_argument, NULL, 'p'}, {"unicode", no_argument, NULL, 'u'}, {"well-known", no_argument, NULL, 'z'} }; unsigned char line[EVP_CIPHER_block_size(EVP_aes_256_cbc()) * 16]; int lineLen; unsigned char encData[sizeof(line) + EVP_CIPHER_block_size(EVP_aes_256_cbc())]; int encDataLen; UINT32 encLen, i; BYTE *encKey; BYTE *randKey = NULL; UINT32 sealKeyLen; BYTE *sealKey; TSS_FLAG keyFlags = TSS_KEY_TYPE_STORAGE | TSS_KEY_SIZE_2048 | TSS_KEY_VOLATILE | TSS_KEY_AUTHORIZATION | TSS_KEY_NOT_MIGRATABLE; TSS_HPOLICY hSrkPolicy; char *passwd = NULL; int pswd_len; BYTE wellKnown[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET; BIO *bin = NULL, *bdata=NULL, *b64=NULL; initIntlSys(); if (genericOptHandler(argc, argv, "i:o:p:uz", opts, sizeof(opts) / sizeof(struct option), parse, help) != 0) goto out; if (contextCreate(&hContext) != TSS_SUCCESS) goto out; if (contextConnect(hContext) != TSS_SUCCESS) goto out_close; if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS) goto out_close; /* Create a BIO for the input file */ if ((bin = BIO_new(BIO_s_file())) == NULL) { logError(_("Unable to open input BIO\n")); goto out_close; } /* Assign the input file to the BIO */ if (strlen(in_filename) == 0) BIO_set_fp(bin, stdin, BIO_NOCLOSE); else if (!BIO_read_filename(bin, in_filename)) { logError(_("Unable to open input file: %s\n"), in_filename); goto out_close; } /* Create the PCRs object. If any PCRs above 15 are selected, this will need to be * a 1.2 TSS/TPM */ if (selectedPcrsLen) { TSS_FLAG initFlag = 0; UINT32 pcrSize; BYTE *pcrValue; for (i = 0; i < selectedPcrsLen; i++) { if (selectedPcrs[i] > 15) { #ifdef TSS_LIB_IS_12 initFlag |= TSS_PCRS_STRUCT_INFO_LONG; #else logError(_("This version of %s was compiled for a v1.1 TSS, which " "can only seal\n data to PCRs 0-15. PCR %u is out of range" "\n"), argv[0], selectedPcrs[i]); goto out_close; #endif } } if (contextCreateObject(hContext, TSS_OBJECT_TYPE_PCRS, initFlag, &hPcrs) != TSS_SUCCESS) goto out_close; for (i = 0; i < selectedPcrsLen; i++) { if (tpmPcrRead(hTpm, selectedPcrs[i], &pcrSize, &pcrValue) != TSS_SUCCESS) goto out_close; if (pcrcompositeSetPcrValue(hPcrs, selectedPcrs[i], pcrSize, pcrValue) != TSS_SUCCESS) goto out_close; } #ifdef TSS_LIB_IS_12 if (initFlag) { UINT32 localityValue = TPM_LOC_ZERO | TPM_LOC_ONE | TPM_LOC_TWO | TPM_LOC_THREE | TPM_LOC_FOUR; if (pcrcompositeSetPcrLocality(hPcrs, localityValue) != TSS_SUCCESS) goto out_close; } #endif } /* Retrieve random data to be used as the symmetric key (this key will encrypt the input file contents) */ if (tpmGetRandom(hTpm, EVP_CIPHER_key_length(EVP_aes_256_cbc()), &randKey) != TSS_SUCCESS) goto out_close; /* Load the SRK and set the SRK policy (no password) */ if (keyLoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, SRK_UUID, &hSrk) != TSS_SUCCESS) goto out_close; /* Use the context's default policy for the SRK secret */ if (policyGet(hSrk, &hSrkPolicy) != TSS_SUCCESS) goto out_close; /* Prompt for SRK password */ if (!isWellKnown) { passwd = _GETPASSWD(_("Enter SRK password: "******"Failed to get SRK password\n")); goto out_close; } } else { passwd = (char *)wellKnown; pswd_len = sizeof(wellKnown); } if (policySetSecret(hSrkPolicy, (UINT32)pswd_len, (BYTE *)passwd) != TSS_SUCCESS) goto out_close; if (!isWellKnown) shredPasswd(passwd); passwd = NULL; /* Build an RSA key object that will be created by the TPM (this will encrypt and protect the symmetric key) */ if (contextCreateObject (hContext, TSS_OBJECT_TYPE_RSAKEY, keyFlags, &hKey) != TSS_SUCCESS) goto out_close; if (contextCreateObject (hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hPolicy) != TSS_SUCCESS) goto out_close; if (policySetSecret(hPolicy, strlen(TPMSEAL_SECRET), (BYTE *)TPMSEAL_SECRET) != TSS_SUCCESS) goto out_close; if (policyAssign(hPolicy, hKey) != TSS_SUCCESS) goto out_close; /* Create the RSA key (under the SRK) */ if (keyCreateKey(hKey, hSrk, NULL_HPCRS) != TSS_SUCCESS) goto out_close; /* Load the newly created RSA key */ if (keyLoadKey(hKey, hSrk) != TSS_SUCCESS) goto out_close; /* Build an encrypted data object that will hold the encrypted version of the symmetric key */ if (contextCreateObject (hContext, TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_SEAL, &hEncdata) != TSS_SUCCESS) goto out_close; if (contextCreateObject (hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hPolicy) != TSS_SUCCESS) goto out_close; if (policySetSecret(hPolicy, strlen(TPMSEAL_SECRET), (BYTE *)TPMSEAL_SECRET) != TSS_SUCCESS) goto out_close; if (policyAssign(hPolicy, hEncdata) != TSS_SUCCESS) goto out_close; /* Encrypt and seal the symmetric key */ if (dataSeal (hEncdata, hKey, EVP_CIPHER_key_length(EVP_aes_256_cbc()), randKey, hPcrs) != TSS_SUCCESS) goto out_close; if (getAttribData(hEncdata, TSS_TSPATTRIB_ENCDATA_BLOB, TSS_TSPATTRIB_ENCDATABLOB_BLOB, &encLen, &encKey) != TSS_SUCCESS) goto out_close; if (getAttribData (hKey, TSS_TSPATTRIB_KEY_BLOB, TSS_TSPATTRIB_KEYBLOB_BLOB, &sealKeyLen, &sealKey) != TSS_SUCCESS) goto out_close; /* Create a BIO to perform base64 encoding */ if ((b64 = BIO_new(BIO_f_base64())) == NULL) { logError(_("Unable to open base64 BIO\n")); goto out_close; } /* Create a BIO for the output file */ if ((bdata = BIO_new(BIO_s_file())) == NULL) { logError(_("Unable to open output BIO\n")); goto out_close; } /* Assign the output file to the BIO */ if (strlen(out_filename) == 0) BIO_set_fp(bdata, stdout, BIO_NOCLOSE); else if (BIO_write_filename(bdata, out_filename) <= 0) { logError(_("Unable to open output file: %s\n"), out_filename); goto out_close; } /* Output the sealed data header string */ BIO_puts(bdata, TPMSEAL_HDR_STRING); /* Sealing key used on the TPM */ BIO_puts(bdata, TPMSEAL_TSS_STRING); bdata = BIO_push(b64, bdata); BIO_write(bdata, sealKey, sealKeyLen); if (BIO_flush(bdata) != 1) { logError(_("Unable to flush output\n")); goto out_close; } bdata = BIO_pop(b64); /* Sealed EVP Symmetric Key */ BIO_puts(bdata, TPMSEAL_EVP_STRING); BIO_puts(bdata, TPMSEAL_KEYTYPE_SYM); BIO_puts(bdata, TPMSEAL_CIPHER_AES256CBC); bdata = BIO_push(b64, bdata); BIO_write(bdata, encKey, encLen); if (BIO_flush(bdata) != 1) { logError(_("Unable to flush output\n")); goto out_close; } bdata = BIO_pop(b64); /* Encrypted Data */ BIO_puts(bdata, TPMSEAL_ENC_STRING); bdata = BIO_push(b64, bdata); EVP_CIPHER_CTX ctx; EVP_EncryptInit(&ctx, EVP_aes_256_cbc(), randKey, (unsigned char *)TPMSEAL_IV); while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0) { EVP_EncryptUpdate(&ctx, encData, &encDataLen, line, lineLen); BIO_write(bdata, encData, encDataLen); } EVP_EncryptFinal(&ctx, encData, &encDataLen); BIO_write(bdata, encData, encDataLen); if (BIO_flush(bdata) != 1) { logError(_("Unable to flush output\n")); goto out_close; } bdata = BIO_pop(b64); BIO_puts( bdata, TPMSEAL_FTR_STRING); iRc = 0; logSuccess(argv[0]); out_close: contextClose(hContext); out: if (bin) BIO_free(bin); if (bdata) BIO_free(bdata); if (b64) BIO_free(b64); return iRc; }