static TPM_RESULT execute_TPM_MakeIdentity(TPM_REQUEST *req, TPM_RESPONSE *rsp) { BYTE *ptr; UINT32 len; TPM_ENCAUTH identityAuth; TPM_CHOSENID_HASH labelPrivCADigest; TPM_KEY idKeyParams; TPM_KEY idKey; UINT32 identityBindingSize; BYTE *identityBinding = NULL; TPM_RESULT res; /* compute parameter digest */ tpm_compute_in_param_digest(req); /* unmarshal input */ ptr = req->param; len = req->paramSize; if (tpm_unmarshal_TPM_ENCAUTH(&ptr, &len, &identityAuth) || tpm_unmarshal_TPM_CHOSENID_HASH(&ptr, &len, &labelPrivCADigest) || tpm_unmarshal_TPM_KEY(&ptr, &len, &idKeyParams) || len != 0) return TPM_BAD_PARAMETER; /* execute command */ res = TPM_MakeIdentity(&identityAuth, &labelPrivCADigest, &idKeyParams, &req->auth1, &req->auth2, &idKey, &identityBindingSize, &identityBinding); if (res != TPM_SUCCESS) return res; /* marshal output */ rsp->paramSize = len = sizeof_TPM_KEY(idKey) + 4 + identityBindingSize; rsp->param = ptr = ExtendBuf; if (tpm_marshal_TPM_KEY(&ptr, &len, &idKey) || tpm_marshal_UINT32(&ptr, &len, identityBindingSize) || tpm_marshal_BLOB(&ptr, &len, identityBinding, identityBindingSize)) { res = TPM_FAIL; } return res; }
static TPM_RESULT execute_TPM_GetPubKey(TPM_REQUEST *req, TPM_RESPONSE *rsp) { BYTE *ptr; UINT32 len; TPM_KEY_HANDLE keyHandle; TPM_PUBKEY pubKey; TPM_RESULT res; /* compute parameter digest */ tpm_compute_in_param_digest(req); /* unmarshal input */ ptr = req->param; len = req->paramSize; if (tpm_unmarshal_TPM_KEY_HANDLE(&ptr, &len, &keyHandle) || len != 0) return TPM_BAD_PARAMETER; /* execute command */ res = TPM_GetPubKey(keyHandle, &req->auth1, &pubKey); if (res != TPM_SUCCESS) return res; /* marshal output */ rsp->paramSize = len = sizeof_TPM_PUBKEY(pubKey); rsp->param = ptr = malloc(len); if (ptr == NULL || tpm_marshal_TPM_PUBKEY(&ptr, &len, &pubKey)) { free(rsp->param); res = TPM_FAIL; } free_TPM_PUBKEY(pubKey); return res; }
static TPM_RESULT execute_TPM_UnBind(TPM_REQUEST *req, TPM_RESPONSE *rsp) { BYTE *ptr; UINT32 len; TPM_KEY_HANDLE keyHandle; UINT32 inDataSize; BYTE *inData; UINT32 outDataSize; BYTE *outData = NULL; TPM_RESULT res; /* compute parameter digest */ tpm_compute_in_param_digest(req); /* unmarshal input */ ptr = req->param; len = req->paramSize; if (tpm_unmarshal_TPM_KEY_HANDLE(&ptr, &len, &keyHandle) || tpm_unmarshal_UINT32(&ptr, &len, &inDataSize) || tpm_unmarshal_BLOB(&ptr, &len, &inData, inDataSize) || len != 0) return TPM_BAD_PARAMETER; /* execute command */ res = TPM_UnBind(keyHandle, inDataSize, inData, &req->auth1, &outDataSize, &outData); if (res != TPM_SUCCESS) return res; /* marshal output */ rsp->paramSize = len = 4 + outDataSize; rsp->param = ptr = ExtendBuf; if (ptr == NULL || tpm_marshal_UINT32(&ptr, &len, outDataSize) || tpm_marshal_BLOB(&ptr, &len, outData, outDataSize)) { free(rsp->param); res = TPM_FAIL; } free(outData); return res; }
static TPM_RESULT execute_MTM_LoadVerificationKey(TPM_REQUEST *req, TPM_RESPONSE *rsp) { BYTE *ptr; UINT32 len; TPM_VERIFICATION_KEY_HANDLE parentKey; UINT32 verificationKeySize; TPM_VERIFICATION_KEY verificationKey; TPM_VERIFICATION_KEY_HANDLE verificationKeyHandle; BYTE loadMethod; TPM_RESULT res; /* compute parameter digest */ tpm_compute_in_param_digest(req); /* unmarshal input */ ptr = req->param; len = req->paramSize; if (tpm_unmarshal_TPM_VERIFICATION_KEY_HANDLE(&ptr, &len, &parentKey) || tpm_unmarshal_UINT32(&ptr, &len, &verificationKeySize) || tpm_unmarshal_TPM_VERIFICATION_KEY(&ptr, &len, &verificationKey) || len != 0) return TPM_BAD_PARAMETER; /* execute command */ res = MTM_LoadVerificationKey(parentKey, &verificationKey, &req->auth1, &verificationKeyHandle, &loadMethod); if (res != TPM_SUCCESS) return res; /* marshal output */ rsp->paramSize = len = 4 + 1; rsp->param = ptr = tpm_malloc(len); if (ptr == NULL || tpm_marshal_TPM_VERIFICATION_KEY_HANDLE(&ptr, &len, verificationKeyHandle) || tpm_marshal_BYTE(&ptr, &len, loadMethod)) { tpm_free(rsp->param); res = TPM_FAIL; } return res; }
static TPM_RESULT execute_TPM_CreateWrapKey(TPM_REQUEST *req, TPM_RESPONSE *rsp) { BYTE *ptr; UINT32 len; TPM_KEY_HANDLE parentHandle; TPM_ENCAUTH dataUsageAuth; TPM_ENCAUTH dataMigrationAuth; TPM_KEY keyInfo; TPM_KEY wrappedKey; TPM_RESULT res; /* compute parameter digest */ tpm_compute_in_param_digest(req); /* unmarshal input */ ptr = req->param; len = req->paramSize; if (tpm_unmarshal_TPM_KEY_HANDLE(&ptr, &len, &parentHandle) || tpm_unmarshal_TPM_ENCAUTH(&ptr, &len, &dataUsageAuth) || tpm_unmarshal_TPM_ENCAUTH(&ptr, &len, &dataMigrationAuth) || tpm_unmarshal_TPM_KEY(&ptr, &len, &keyInfo) || len != 0) return TPM_BAD_PARAMETER; /* execute command */ res = TPM_CreateWrapKey(parentHandle, &dataUsageAuth, &dataMigrationAuth, &keyInfo, &req->auth1, &wrappedKey); if (res != TPM_SUCCESS) return res; /* marshal output */ rsp->paramSize = len = sizeof_TPM_KEY(wrappedKey); //rsp->param = ptr = malloc(len); rsp->param = ptr = ExtendBuf; if (ptr == NULL || tpm_marshal_TPM_KEY(&ptr, &len, &wrappedKey)) { free(rsp->param); res = TPM_FAIL; } free_TPM_KEY(wrappedKey); return res; }
static TPM_RESULT execute_MTM_InstallRIM(TPM_REQUEST *req, TPM_RESPONSE *rsp) { BYTE *ptr; UINT32 len; UINT32 rimCertSize; TPM_RIM_CERTIFICATE rimCertIn; TPM_RIM_CERTIFICATE rimCertOut; TPM_RESULT res; /* compute parameter digest */ tpm_compute_in_param_digest(req); /* unmarshal input */ ptr = req->param; len = req->paramSize; if (tpm_unmarshal_UINT32(&ptr, &len, &rimCertSize) || tpm_unmarshal_TPM_RIM_CERTIFICATE(&ptr, &len, &rimCertIn) || len != 0) return TPM_BAD_PARAMETER; /* execute command */ res = MTM_InstallRIM(&rimCertIn, &req->auth1, &rimCertOut); if (res != TPM_SUCCESS) return res; /* marshal output */ rsp->paramSize = len = 4 + sizeof_TPM_RIM_CERTIFICATE(rimCertOut); rsp->param = ptr = tpm_malloc(len); if (ptr == NULL || tpm_marshal_UINT32(&ptr, &len, sizeof_TPM_RIM_CERTIFICATE(rimCertOut)) || tpm_marshal_TPM_RIM_CERTIFICATE(&ptr, &len, &rimCertOut)) { tpm_free(rsp->param); res = TPM_FAIL; } free_TPM_RIM_CERTIFICATE(rimCertOut); return res; }
static TPM_RESULT execute_MTM_VerifyRIMCertAndExtend(TPM_REQUEST *req, TPM_RESPONSE *rsp) { BYTE *ptr; UINT32 len; UINT32 rimCertSize; TPM_RIM_CERTIFICATE rimCert; TPM_VERIFICATION_KEY_HANDLE rimKey; TPM_PCRVALUE outDigest; TPM_RESULT res; /* compute parameter digest */ tpm_compute_in_param_digest(req); /* unmarshal input */ ptr = req->param; len = req->paramSize; if (tpm_unmarshal_UINT32(&ptr, &len, &rimCertSize) || tpm_unmarshal_TPM_RIM_CERTIFICATE(&ptr, &len, &rimCert) || tpm_unmarshal_TPM_VERIFICATION_KEY_HANDLE(&ptr, &len, &rimKey) || len != 0) return TPM_BAD_PARAMETER; /* execute command */ res = MTM_VerifyRIMCertAndExtend(&rimCert, rimKey, &outDigest); /* marshal output */ rsp->paramSize = len = 20; rsp->param = ptr = tpm_malloc(len); if (ptr == NULL || tpm_marshal_TPM_PCRVALUE(&ptr, &len, &outDigest)) { tpm_free(rsp->param); res = TPM_FAIL; } return res; }
static TPM_RESULT execute_MTM_LoadVerificationRootKeyDisable(TPM_REQUEST *req, TPM_RESPONSE *rsp) { TPM_RESULT res; /* compute parameter digest */ tpm_compute_in_param_digest(req); /* execute command */ res = MTM_LoadVerificationRootKeyDisable(); /* marshal output */ rsp->paramSize = 0; rsp->param = NULL; return res; }
static TPM_RESULT execute_MTM_SetVerifiedPCRSelection(TPM_REQUEST *req, TPM_RESPONSE *rsp) { BYTE *ptr; UINT32 len; TPM_PCR_SELECTION verifiedSelection; TPM_RESULT res; /* compute parameter digest */ tpm_compute_in_param_digest(req); /* unmarshal input */ ptr = req->param; len = req->paramSize; if (tpm_unmarshal_TPM_PCR_SELECTION(&ptr, &len, &verifiedSelection) || len != 0) return TPM_BAD_PARAMETER; /* execute command */ res = MTM_SetVerifiedPCRSelection(&verifiedSelection, &req->auth1); /* marshal output */ rsp->paramSize = len = 0; rsp->param = ptr = NULL; return res; }
static TPM_RESULT execute_TPM_CertifyKey(TPM_REQUEST *req, TPM_RESPONSE *rsp) { BYTE *ptr; UINT32 len; TPM_KEY_HANDLE certHandle; TPM_KEY_HANDLE keyHandle; TPM_NONCE antiReplay; TPM_CERTIFY_INFO certifyInfo; UINT32 outDataSize; BYTE *outData = NULL; TPM_RESULT res; /* compute parameter digest */ tpm_compute_in_param_digest(req); /* unmarshal input */ ptr = req->param; len = req->paramSize; if (tpm_unmarshal_TPM_KEY_HANDLE(&ptr, &len, &certHandle) || tpm_unmarshal_TPM_KEY_HANDLE(&ptr, &len, &keyHandle) || tpm_unmarshal_TPM_NONCE(&ptr, &len, &antiReplay) || len != 0) return TPM_BAD_PARAMETER; /* execute command */ res = TPM_CertifyKey(certHandle, keyHandle, &antiReplay, &req->auth1, &req->auth2, &certifyInfo, &outDataSize, &outData); if (res != TPM_SUCCESS) return res; /* marshal output */ rsp->paramSize = len = sizeof_TPM_CERTIFY_INFO(certifyInfo) + 4 + outDataSize; rsp->param = ptr = ExtendBuf; if (ptr == NULL || tpm_marshal_TPM_CERTIFY_INFO(&ptr, &len, &certifyInfo) || tpm_marshal_UINT32(&ptr, &len, outDataSize) || tpm_marshal_BLOB(&ptr, &len, outData, outDataSize)) { free(rsp->param); res = TPM_FAIL; } free_TPM_CERTIFY_INFO(certifyInfo); free(outData); return res; }
static TPM_RESULT execute_TPM_TakeOwnership(TPM_REQUEST *req, TPM_RESPONSE *rsp) { BYTE *ptr; UINT32 len; TPM_PROTOCOL_ID protocolID; UINT32 encOwnerAuthSize; BYTE *encOwnerAuth; UINT32 encSrkAuthSize; BYTE *encSrkAuth; TPM_KEY srkParams; TPM_KEY srkPub; TPM_RESULT res; /* compute parameter digest */ tpm_compute_in_param_digest(req); /* unmarshal input */ ptr = req->param; len = req->paramSize; if (tpm_unmarshal_TPM_PROTOCOL_ID(&ptr, &len, &protocolID) || tpm_unmarshal_UINT32(&ptr, &len, &encOwnerAuthSize) || tpm_unmarshal_BLOB(&ptr, &len, &encOwnerAuth, encOwnerAuthSize) || tpm_unmarshal_UINT32(&ptr, &len, &encSrkAuthSize) || tpm_unmarshal_BLOB(&ptr, &len, &encSrkAuth, encSrkAuthSize) || tpm_unmarshal_TPM_KEY(&ptr, &len, &srkParams) || len != 0) return TPM_BAD_PARAMETER; /* execute command */ res = TPM_TakeOwnership(protocolID, encOwnerAuthSize, encOwnerAuth, encSrkAuthSize, encSrkAuth, &srkParams, &req->auth1, &srkPub); if (res != TPM_SUCCESS) return res; /* marshal output */ rsp->paramSize = len = sizeof_TPM_KEY(srkPub); rsp->param = ptr = malloc(len); if (ptr == NULL || tpm_marshal_TPM_KEY(&ptr, &len, &srkPub)) { free(rsp->param); res = TPM_FAIL; } free_TPM_KEY(srkPub); return res; }
static TPM_RESULT execute_TPM_Quote(TPM_REQUEST *req, TPM_RESPONSE *rsp) { BYTE *ptr; UINT32 len; TPM_KEY_HANDLE keyHandle; TPM_NONCE extrnalData; TPM_PCR_SELECTION targetPCR; TPM_PCR_COMPOSITE *pcrData; UINT32 sigSize; BYTE *sig = NULL; TPM_RESULT res; pcrData = (TPM_PCR_COMPOSITE *)InOutBuf; /* compute parameter digest */ tpm_compute_in_param_digest(req); /* unmarshal input */ ptr = req->param; len = req->paramSize; if (tpm_unmarshal_TPM_KEY_HANDLE(&ptr, &len, &keyHandle) || tpm_unmarshal_TPM_NONCE(&ptr, &len, &extrnalData) || tpm_unmarshal_TPM_PCR_SELECTION(&ptr, &len, &targetPCR) || len != 0) return TPM_BAD_PARAMETER; /* execute command */ res = TPM_Quote(keyHandle, &extrnalData, &targetPCR, &req->auth1, pcrData, &sigSize, &sig); if (res != TPM_SUCCESS) return res; /* marshal output */ rsp->paramSize = len = sizeof_TPM_PCR_COMPOSITE((*pcrData)) + 4 + sigSize; rsp->param = ptr = ExtendBuf; if (ptr == NULL || tpm_marshal_TPM_PCR_COMPOSITE(&ptr, &len, pcrData) || tpm_marshal_UINT32(&ptr, &len, sigSize) || tpm_marshal_BLOB(&ptr, &len, sig, sigSize)) { free(rsp->param); res = TPM_FAIL; } free(sig); return res; }
static TPM_RESULT execute_MTM_IncrementBootstrapCounter(TPM_REQUEST *req, TPM_RESPONSE *rsp) { BYTE *ptr; UINT32 len; UINT32 rimCertSize; TPM_RIM_CERTIFICATE rimCert; TPM_VERIFICATION_KEY_HANDLE rimKey; TPM_RESULT res; /* compute parameter digest */ tpm_compute_in_param_digest(req); /* unmarshal input */ ptr = req->param; len = req->paramSize; if (tpm_unmarshal_UINT32(&ptr, &len, &rimCertSize) || tpm_unmarshal_TPM_RIM_CERTIFICATE(&ptr, &len, &rimCert) || tpm_unmarshal_TPM_VERIFICATION_KEY_HANDLE(&ptr, &len, &rimKey) || len != 0) return TPM_BAD_PARAMETER; /* execute command */ res = MTM_IncrementBootstrapCounter(&rimCert, rimKey); /* marshal output */ rsp->paramSize = len = 0; rsp->param = ptr = NULL; return res; }
TPM_RESULT TPM_ExecuteTransport(UINT32 inWrappedCmdSize, BYTE *inWrappedCmd, TPM_AUTH *auth1, UINT64 *currentTicks, TPM_MODIFIER_INDICATOR *locality, UINT32 *outWrappedCmdSize, BYTE **outWrappedCmd) { TPM_RESULT res; TPM_SESSION_DATA *session; TPM_REQUEST req; TPM_RESPONSE rsp; BYTE *ptr, buf[4 * 4 + 8 + 20]; UINT32 len, offset; tpm_sha1_ctx_t sha1; info("TPM_ExecuteTransport()"); /* get transport session */ session = tpm_get_transport(auth1->authHandle); if (session == NULL) return TPM_BAD_PARAMETER; /* unmarshal wrapped command */ len = inWrappedCmdSize; ptr = inWrappedCmd; if (tpm_unmarshal_TPM_REQUEST(&ptr, &len, &req)) return TPM_FAIL; /* decrypt wrapped command if needed */ ptr = tpm_malloc(req.paramSize); if (ptr == NULL) return TPM_FAIL; memcpy(ptr, req.param, req.paramSize); if (session->transInternal.transPublic.transAttributes & TPM_TRANSPORT_ENCRYPT) { if (req.ordinal == TPM_ORD_OIAP || req.ordinal == TPM_ORD_OSAP) { offset = req.paramSize; } else if (req.ordinal == TPM_ORD_DSAP) { offset = 30; } else { offset = tpm_get_in_param_offset(req.ordinal); } debug("decrypting %d bytes, starting at pos %d", req.paramSize - offset, offset); decrypt_wrapped_command(ptr + offset, req.paramSize - offset, auth1, session); } req.param = ptr; /* verify authorization */ tpm_compute_in_param_digest(&req); tpm_sha1_init(&sha1); tpm_sha1_update_be32(&sha1, TPM_ORD_ExecuteTransport); tpm_sha1_update_be32(&sha1, inWrappedCmdSize); tpm_sha1_update(&sha1, req.auth1.digest, sizeof(req.auth1.digest)); tpm_sha1_final(&sha1, auth1->digest); res = tpm_verify_auth(auth1, session->transInternal.authData, TPM_INVALID_HANDLE); if (res != TPM_SUCCESS) { tpm_free(req.param); return res; } /* nested transport sessions are not allowed */ if (req.ordinal == TPM_ORD_EstablishTransport || req.ordinal == TPM_ORD_ExecuteTransport || req.ordinal == TPM_ORD_ReleaseTransportSigned) { tpm_free(req.param); return TPM_NO_WRAP_TRANSPORT; } /* log input parameters */ if (session->transInternal.transPublic.transAttributes & TPM_TRANSPORT_LOG) { TPM_DIGEST keyDigest; compute_key_digest(&req, &keyDigest); transport_log_in(req.auth1.digest, keyDigest.digest, &session->transInternal.transDigest); } /* execute and audit command*/ tpm_audit_request(req.ordinal, &req); tpm_execute_command(&req, &rsp); tpm_audit_response(req.ordinal, &rsp); tpm_free(req.param); /* get locality and ticks */ *locality = tpmData.stany.flags.localityModifier; *currentTicks = tpmData.stany.data.currentTicks.currentTicks; /* if required, compute digest of internal output parameters */ debug("result = %d", rsp.result); if (rsp.result == TPM_SUCCESS) { if (rsp.tag == TPM_TAG_RSP_COMMAND) { rsp.auth1 = &req.auth1; tpm_compute_out_param_digest(req.ordinal, &rsp); } /* encrypt parameters */ if (session->transInternal.transPublic.transAttributes & TPM_TRANSPORT_ENCRYPT) { if (req.ordinal == TPM_ORD_OIAP || req.ordinal == TPM_ORD_OSAP) { offset = rsp.paramSize; } else if (req.ordinal == TPM_ORD_DSAP) { offset = rsp.paramSize; } else { offset = tpm_get_out_param_offset(req.ordinal); } debug("encrypting %d bytes, starting at pos %d", rsp.paramSize - offset, offset); encrypt_wrapped_command(rsp.param + offset, rsp.paramSize - offset, auth1, session); } } else { rsp.auth1 = &req.auth1; memset(rsp.auth1->digest, 0, sizeof(*rsp.auth1->digest)); } /* marshal response */ *outWrappedCmdSize = len = rsp.size; *outWrappedCmd = ptr = tpm_malloc(len); if (ptr == NULL) { tpm_free(rsp.param); return TPM_FAIL; } tpm_marshal_TPM_RESPONSE(&ptr, &len, &rsp); debug("marshalling done."); /* log output parameters */ if (session->transInternal.transPublic.transAttributes & TPM_TRANSPORT_LOG) { transport_log_out(rsp.auth1->digest, &session->transInternal.transDigest); } tpm_free(rsp.param); /* compute digest of output parameters */ ptr = buf; len = sizeof(buf); tpm_marshal_UINT32(&ptr, &len, TPM_SUCCESS); tpm_marshal_TPM_COMMAND_CODE(&ptr, &len, TPM_ORD_ExecuteTransport); tpm_marshal_UINT64(&ptr, &len, *currentTicks); tpm_marshal_TPM_MODIFIER_INDICATOR(&ptr, &len, *locality); tpm_marshal_UINT32(&ptr, &len, *outWrappedCmdSize); memcpy(ptr, rsp.auth1->digest, sizeof(rsp.auth1->digest)); tpm_sha1_init(&sha1); tpm_sha1_update(&sha1, buf, sizeof(buf)); tpm_sha1_final(&sha1, auth1->digest); return TPM_SUCCESS; }