@@ -16,6 +16,9 @@ use std::{
1616 sync:: { Arc , Mutex , OnceLock } ,
1717} ;
1818use thiserror:: Error ;
19+ use tss_esapi:: handles:: SessionHandle ;
20+ use tss_esapi:: interface_types:: session_handles:: PolicySession ;
21+ use tss_esapi:: structures:: { DigestList , SymmetricDefinition } ;
1922
2023use openssl:: {
2124 hash:: { Hasher , MessageDigest } ,
@@ -27,7 +30,6 @@ use openssl::{
2730use tss_esapi:: {
2831 abstraction:: {
2932 ak,
30- cipher:: Cipher ,
3133 ek, nv,
3234 pcr:: { read_all, PcrData } ,
3335 DefaultKey ,
@@ -41,7 +43,7 @@ use tss_esapi::{
4143 } ,
4244 handles:: {
4345 AuthHandle , KeyHandle , ObjectHandle , PcrHandle , PersistentTpmHandle ,
44- SessionHandle , TpmHandle ,
46+ TpmHandle ,
4547 } ,
4648 interface_types:: {
4749 algorithm:: { AsymmetricAlgorithm , HashingAlgorithm , PublicAlgorithm } ,
@@ -120,6 +122,47 @@ const UNIQUE_IAK: [u8; 3] = [0x49, 0x41, 0x4b];
120122const RSA_EK_CERTIFICATE_CHAIN_START : u32 = 0x01c00100 ;
121123const RSA_EK_CERTIFICATE_CHAIN_END : u32 = 0x01c001ff ;
122124
125+ // Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.5 Revision 2
126+ // Section B.6
127+ const POLICY_A_SHA384 : [ u8 ; 48 ] = [
128+ 0x8b , 0xbf , 0x22 , 0x66 , 0x53 , 0x7c , 0x17 , 0x1c , 0xb5 , 0x6e , 0x40 , 0x3c ,
129+ 0x4d , 0xc1 , 0xd4 , 0xb6 , 0x4f , 0x43 , 0x26 , 0x11 , 0xdc , 0x38 , 0x6e , 0x6f ,
130+ 0x53 , 0x20 , 0x50 , 0xc3 , 0x27 , 0x8c , 0x93 , 0x0e , 0x14 , 0x3e , 0x8b , 0xb1 ,
131+ 0x13 , 0x38 , 0x24 , 0xcc , 0xb4 , 0x31 , 0x05 , 0x38 , 0x71 , 0xc6 , 0xdb , 0x53 ,
132+ ] ;
133+ const POLICY_A_SHA512 : [ u8 ; 64 ] = [
134+ 0x1e , 0x3b , 0x76 , 0x50 , 0x2c , 0x8a , 0x14 , 0x25 , 0xaa , 0x0b , 0x7b , 0x3f ,
135+ 0xc6 , 0x46 , 0xa1 , 0xb0 , 0xfa , 0xe0 , 0x63 , 0xb0 , 0x3b , 0x53 , 0x68 , 0xf9 ,
136+ 0xc4 , 0xcd , 0xde , 0xca , 0xff , 0x08 , 0x91 , 0xdd , 0x68 , 0x2b , 0xac , 0x1a ,
137+ 0x85 , 0xd4 , 0xd8 , 0x32 , 0xb7 , 0x81 , 0xea , 0x45 , 0x19 , 0x15 , 0xde , 0x5f ,
138+ 0xc5 , 0xbf , 0x0d , 0xc4 , 0xa1 , 0x91 , 0x7c , 0xd4 , 0x2f , 0xa0 , 0x41 , 0xe3 ,
139+ 0xf9 , 0x98 , 0xe0 , 0xee ,
140+ ] ;
141+ const POLICY_A_SM3_256 : [ u8 ; 32 ] = [
142+ 0xc6 , 0x7f , 0x7d , 0x35 , 0xf6 , 0x6f , 0x3b , 0xec , 0x13 , 0xc8 , 0x9f , 0xe8 ,
143+ 0x98 , 0x92 , 0x1c , 0x65 , 0x1b , 0x0c , 0xb5 , 0xa3 , 0x8a , 0x92 , 0x69 , 0x0a ,
144+ 0x62 , 0xa4 , 0x3c , 0x00 , 0x12 , 0xe4 , 0xfb , 0x8b ,
145+ ] ;
146+ const POLICY_C_SHA384 : [ u8 ; 48 ] = [
147+ 0xd6 , 0x03 , 0x2c , 0xe6 , 0x1f , 0x2f , 0xb3 , 0xc2 , 0x40 , 0xeb , 0x3c , 0xf6 ,
148+ 0xa3 , 0x32 , 0x37 , 0xef , 0x2b , 0x6a , 0x16 , 0xf4 , 0x29 , 0x3c , 0x22 , 0xb4 ,
149+ 0x55 , 0xe2 , 0x61 , 0xcf , 0xfd , 0x21 , 0x7a , 0xd5 , 0xb4 , 0x94 , 0x7c , 0x2d ,
150+ 0x73 , 0xe6 , 0x30 , 0x05 , 0xee , 0xd2 , 0xdc , 0x2b , 0x35 , 0x93 , 0xd1 , 0x65 ,
151+ ] ;
152+ const POLICY_C_SHA512 : [ u8 ; 64 ] = [
153+ 0x58 , 0x9e , 0xe1 , 0xe1 , 0x46 , 0x54 , 0x47 , 0x16 , 0xe8 , 0xde , 0xaf , 0xe6 ,
154+ 0xdb , 0x24 , 0x7b , 0x01 , 0xb8 , 0x1e , 0x9f , 0x9c , 0x7d , 0xd1 , 0x6b , 0x81 ,
155+ 0x4a , 0xa1 , 0x59 , 0x13 , 0x87 , 0x49 , 0x10 , 0x5f , 0xba , 0x53 , 0x88 , 0xdd ,
156+ 0x1d , 0xea , 0x70 , 0x2f , 0x35 , 0x24 , 0x0c , 0x18 , 0x49 , 0x33 , 0x12 , 0x1e ,
157+ 0x2c , 0x61 , 0xb8 , 0xf5 , 0x0d , 0x3e , 0xf9 , 0x13 , 0x93 , 0xa4 , 0x9a , 0x38 ,
158+ 0xc3 , 0xf7 , 0x3f , 0xc8 ,
159+ ] ;
160+ const POLICY_C_SM3_256 : [ u8 ; 32 ] = [
161+ 0x2d , 0x4e , 0x81 , 0x57 , 0x8c , 0x35 , 0x31 , 0xd9 , 0xbd , 0x1c , 0xdd , 0x7d ,
162+ 0x02 , 0xba , 0x29 , 0x8d , 0x56 , 0x99 , 0xa3 , 0xe3 , 0x9f , 0xc3 , 0x55 , 0x1b ,
163+ 0xfe , 0xff , 0xcf , 0x13 , 0x2b , 0x49 , 0xe1 , 0x1d ,
164+ ] ;
165+
123166/// TpmError wraps all possible errors raised in tpm.rs
124167#[ derive( Error , Debug ) ]
125168pub enum TpmError {
@@ -1267,19 +1310,14 @@ impl Context<'_> {
12671310 /// Creates an empty authentication session
12681311fn create_empty_session (
12691312 & mut self ,
1313+ ctx : & mut tss_esapi:: Context ,
12701314 ses_type : SessionType ,
1315+ symmetric : SymmetricDefinition ,
1316+ hash_alg : HashingAlgorithm ,
12711317 ) -> Result < AuthSession > {
1272- let mut ctx = self . inner . lock ( ) . unwrap ( ) ; //#[allow_ci]
12731318 let Some ( session) = ctx
12741319 . start_auth_session (
1275- None ,
1276- None ,
1277- None ,
1278- ses_type,
1279- Cipher :: aes_128_cfb ( ) . try_into ( ) . map_err ( |source| {
1280- TpmError :: TSSSymmetricDefinitionFromCipher { source }
1281- } ) ?,
1282- HashingAlgorithm :: Sha256 ,
1320+ None , None , None , ses_type, symmetric, hash_alg,
12831321 )
12841322 . map_err ( |source| {
12851323 TpmError :: TSSStartAuthenticationSessionError { source }
@@ -1307,35 +1345,83 @@ impl Context<'_> {
13071345 ak : KeyHandle ,
13081346 ek : KeyHandle ,
13091347 ) -> Result < Digest > {
1310- let ( credential, secret) = parse_cred_and_secret ( keyblob) ?;
1311-
1312- let ek_auth = self . create_empty_session ( SessionType :: Policy ) ?;
1313-
13141348 let mut ctx = self . inner . lock ( ) . unwrap ( ) ; //#[allow_ci]
13151349
1316- // We authorize ses2 with PolicySecret(ENDORSEMENT) as per PolicyA
1317- let _ = ctx. execute_with_nullauth_session ( |context| {
1318- context. policy_secret (
1319- ek_auth. try_into ( ) ?,
1320- AuthHandle :: Endorsement ,
1321- Default :: default ( ) ,
1322- Default :: default ( ) ,
1323- Default :: default ( ) ,
1324- None ,
1325- )
1326- } ) ?;
1350+ let ( credential, secret) = parse_cred_and_secret ( keyblob) ?;
1351+ let mut policy_digests = DigestList :: new ( ) ;
1352+ let ( parent_public, _, _) = ctx. read_public ( ek) ?;
1353+ let ek_hash_alg = parent_public. name_hashing_algorithm ( ) ;
1354+ let ek_symmetric =
1355+ parent_public. symmetric_algorithm ( ) . ok_or_else ( || {
1356+ TpmError :: TSSReadPublicError {
1357+ source : tss_esapi:: Error :: WrapperError (
1358+ tss_esapi:: WrapperErrorKind :: InvalidParam ,
1359+ ) ,
1360+ }
1361+ } ) ?;
1362+ match ek_hash_alg {
1363+ HashingAlgorithm :: Sha384 => {
1364+ policy_digests
1365+ . add ( Digest :: try_from ( POLICY_A_SHA384 . as_slice ( ) ) ?) ?;
1366+ policy_digests
1367+ . add ( Digest :: try_from ( POLICY_C_SHA384 . as_slice ( ) ) ?) ?;
1368+ }
1369+ HashingAlgorithm :: Sha512 => {
1370+ policy_digests
1371+ . add ( Digest :: try_from ( POLICY_A_SHA512 . as_slice ( ) ) ?) ?;
1372+ policy_digests
1373+ . add ( Digest :: try_from ( POLICY_C_SHA512 . as_slice ( ) ) ?) ?;
1374+ }
1375+ HashingAlgorithm :: Sm3_256 => {
1376+ policy_digests
1377+ . add ( Digest :: try_from ( POLICY_A_SM3_256 . as_slice ( ) ) ?) ?;
1378+ policy_digests
1379+ . add ( Digest :: try_from ( POLICY_C_SM3_256 . as_slice ( ) ) ?) ?;
1380+ }
1381+ _ => ( ) ,
1382+ } ;
1383+
1384+ let ek_auth = self . create_empty_session (
1385+ & mut ctx,
1386+ SessionType :: Policy ,
1387+ ek_symmetric. into ( ) ,
1388+ ek_hash_alg,
1389+ ) ?;
13271390
1391+ // We authorize session according to the EK profile spec
13281392 let result = ctx
1329- . execute_with_sessions (
1330- ( Some ( AuthSession :: Password ) , Some ( ek_auth) , None ) ,
1331- |context| {
1332- context. activate_credential ( ak, ek, credential, secret)
1393+ . execute_with_temporary_object (
1394+ SessionHandle :: from ( ek_auth) . into ( ) ,
1395+ |ctx, _| {
1396+ let _ = ctx. execute_with_nullauth_session ( |ctx| {
1397+ ctx. policy_secret (
1398+ PolicySession :: try_from ( ek_auth) ?,
1399+ AuthHandle :: Endorsement ,
1400+ Default :: default ( ) ,
1401+ Default :: default ( ) ,
1402+ Default :: default ( ) ,
1403+ None ,
1404+ )
1405+ } ) ?;
1406+ if !policy_digests. is_empty ( ) {
1407+ ctx. policy_or (
1408+ PolicySession :: try_from ( ek_auth) ?,
1409+ policy_digests,
1410+ ) ?
1411+ }
1412+ ctx. execute_with_sessions (
1413+ ( Some ( AuthSession :: Password ) , Some ( ek_auth) , None ) ,
1414+ |ctx| {
1415+ ctx. activate_credential (
1416+ ak, ek, credential, secret,
1417+ )
1418+ } ,
1419+ )
13331420 } ,
13341421 )
13351422 . map_err ( TpmError :: from) ;
13361423
13371424 // Clear sessions after use
1338- ctx. flush_context ( SessionHandle :: from ( ek_auth) . into ( ) ) ?;
13391425 ctx. clear_sessions ( ) ;
13401426
13411427 result
0 commit comments