libtpmtss: Retrieve TPM 1.2 version info
[strongswan.git] / src / libtpmtss / tpm_tss_trousers.c
1 /*
2 * Copyright (C) 2016 Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (c) 2008 Hal Finney
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
23 * THE SOFTWARE.
24 */
25
26 #include "tpm_tss_trousers.h"
27
28 #ifdef TSS_TROUSERS
29
30 #include <trousers/tss.h>
31 #include <trousers/trousers.h>
32
33 #define LABEL "TPM 1.2 -"
34
35 /* size in bytes of a TSS AIK public key blob */
36 #define AIK_PUBKEY_BLOB_SIZE 284
37
38 typedef struct private_tpm_tss_trousers_t private_tpm_tss_trousers_t;
39
40 /**
41 * Private data of an tpm_tss_trousers_t object.
42 */
43 struct private_tpm_tss_trousers_t {
44
45 /**
46 * Public tpm_tss_trousers_t interface.
47 */
48 tpm_tss_t public;
49
50 /**
51 * TSS context
52 */
53 TSS_HCONTEXT hContext;
54
55 /**
56 * TPM version info
57 */
58 chunk_t version_info;
59
60 };
61
62 /**
63 * Initialize TSS context
64 *
65 * TPM 1.2 Specification, Part 2 TPM Structures, 21.6 TPM_CAP_VERSION_INFO
66 *
67 * typedef struct tdTPM_VERSION {
68 * TPM_VERSION_BYTE major;
69 * TPM_VERSION_BYTE minor;
70 * BYTE revMajor;
71 * BYTE revMinor;
72 * } TPM_VERSION;
73 *
74 * typedef struct tdTPM_CAP_VERSION_INFO {
75 * TPM_STRUCTURE_TAG tag;
76 * TPM_VERSION version;
77 * UINT16 specLevel;
78 * BYTE errataRev;
79 * BYTE tpmVendorID[4];
80 * UINT16 vendorSpecificSize;
81 * [size_is(vendorSpecificSize)] BYTE* vendorSpecific;
82 * } TPM_CAP_VERSION_INFO;
83 */
84 static bool initialize_context(private_tpm_tss_trousers_t *this)
85 {
86 uint8_t *version_ptr;
87 uint32_t version_len;
88
89 TSS_HTPM hTPM;
90 TSS_RESULT result;
91 TPM_CAP_VERSION_INFO *info;
92
93 result = Tspi_Context_Create(&this->hContext);
94 if (result != TSS_SUCCESS)
95 {
96 DBG1(DBG_PTS, "%s could not created context: 0x%x",
97 LABEL, result);
98 return FALSE;
99 }
100
101 result = Tspi_Context_Connect(this->hContext, NULL);
102 if (result != TSS_SUCCESS)
103 {
104 DBG1(DBG_PTS, "%s could not connect with context: 0x%x",
105 LABEL, result);
106 return FALSE;
107 }
108
109 result = Tspi_Context_GetTpmObject (this->hContext, &hTPM);
110 if (result != TSS_SUCCESS)
111 {
112 DBG1(DBG_PTS, "%s could not get TPM object: 0x%x",
113 LABEL, result);
114 return FALSE;
115 }
116
117 result = Tspi_TPM_GetCapability(hTPM, TSS_TPMCAP_VERSION_VAL, 0, NULL,
118 &version_len, &version_ptr);
119 if (result != TSS_SUCCESS)
120 {
121 DBG1(DBG_PTS, "%s Tspi_TPM_GetCapability failed: 0x%x",
122 LABEL, result);
123 return FALSE;
124 }
125
126 info = (TPM_CAP_VERSION_INFO *)version_ptr;
127 DBG2(DBG_PTS, "TPM Version Info: Chip Version: %u.%u.%u.%u, "
128 "Spec Level: %u, Errata Rev: %u, Vendor ID: %.4s",
129 info->version.major, info->version.minor,
130 info->version.revMajor, info->version.revMinor,
131 untoh16(&info->specLevel), info->errataRev, info->tpmVendorID);
132
133 this->version_info = chunk_clone(chunk_create(version_ptr, version_len));
134
135 return TRUE;
136 }
137
138 /**
139 * Finalize TSS context
140 */
141 static void finalize_context(private_tpm_tss_trousers_t *this)
142 {
143 if (this->hContext)
144 {
145 Tspi_Context_FreeMemory(this->hContext, NULL);
146 Tspi_Context_Close(this->hContext);
147 }
148 }
149
150 METHOD(tpm_tss_t, get_version, tpm_version_t,
151 private_tpm_tss_trousers_t *this)
152 {
153 return TPM_VERSION_1_2;
154 }
155
156 METHOD(tpm_tss_t, get_version_info, chunk_t,
157 private_tpm_tss_trousers_t *this)
158 {
159 return this->version_info;
160 }
161
162 METHOD(tpm_tss_t, generate_aik, bool,
163 private_tpm_tss_trousers_t *this, chunk_t ca_modulus, chunk_t *aik_blob,
164 chunk_t *aik_pubkey, chunk_t *identity_req)
165 {
166 chunk_t aik_pubkey_blob;
167 chunk_t aik_modulus;
168 chunk_t aik_exponent;
169
170 TSS_RESULT result;
171 TSS_HTPM hTPM;
172 TSS_HKEY hSRK;
173 TSS_HKEY hPCAKey;
174 TSS_HPOLICY hSrkPolicy;
175 TSS_HPOLICY hTPMPolicy;
176 TSS_HKEY hIdentKey;
177 TSS_UUID SRK_UUID = TSS_UUID_SRK;
178 BYTE secret[] = TSS_WELL_KNOWN_SECRET;
179 BYTE *IdentityReq;
180 UINT32 IdentityReqLen;
181 BYTE *blob;
182 UINT32 blobLen;
183
184 /* get SRK plus SRK policy and set SRK secret */
185 result = Tspi_Context_LoadKeyByUUID(this->hContext, TSS_PS_TYPE_SYSTEM,
186 SRK_UUID, &hSRK);
187 if (result != TSS_SUCCESS)
188 {
189 DBG1(DBG_PTS, "%s Tspi_Context_LoadKeyByUUID for SRK failed: 0x%x",
190 LABEL, result);
191 return FALSE;
192 }
193 result = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &hSrkPolicy);
194 if (result != TSS_SUCCESS)
195 {
196 DBG1(DBG_PTS, "%s Tspi_GetPolicyObject or SRK failed: 0x%x ",
197 LABEL, result);
198 return FALSE;
199 }
200 result = Tspi_Policy_SetSecret(hSrkPolicy, TSS_SECRET_MODE_SHA1, 20, secret);
201 if (result != TSS_SUCCESS)
202 {
203 DBG1(DBG_PTS, "%s Tspi_Policy_SetSecret for SRK failed: 0x%x ",
204 LABEL, result);
205 return FALSE;
206 }
207
208 /* get TPM plus TPM policy and set TPM secret */
209 result = Tspi_Context_GetTpmObject (this->hContext, &hTPM);
210 if (result != TSS_SUCCESS)
211 {
212 DBG1(DBG_PTS, "%s Tspi_Context_GetTpmObject failed: 0x%x",
213 LABEL, result);
214 return FALSE;
215 }
216 result = Tspi_GetPolicyObject(hTPM, TSS_POLICY_USAGE, &hTPMPolicy);
217 if (result != TSS_SUCCESS)
218 {
219 DBG1(DBG_PTS, "%s Tspi_GetPolicyObject for TPM failed: 0x%x",
220 LABEL, result);
221 return FALSE;
222 }
223 result = Tspi_Policy_SetSecret(hTPMPolicy, TSS_SECRET_MODE_SHA1, 20, secret);
224 if (result != TSS_SUCCESS)
225 {
226 DBG1(DBG_PTS,"%s Tspi_Policy_SetSecret for TPM failed: 0x%x",
227 LABEL, result);
228 return FALSE;
229 }
230
231 /* create context for a 2048 bit AIK */
232 result = Tspi_Context_CreateObject(this->hContext, TSS_OBJECT_TYPE_RSAKEY,
233 TSS_KEY_TYPE_IDENTITY | TSS_KEY_SIZE_2048 |
234 TSS_KEY_VOLATILE | TSS_KEY_NOT_MIGRATABLE, &hIdentKey);
235 if (result != TSS_SUCCESS)
236 {
237 DBG1(DBG_PTS, "%s Tspi_Context_CreateObject for key failed: 0x%x",
238 LABEL, result);
239 return FALSE;
240 }
241
242 /* create context for the Privacy CA public key and assign modulus */
243 result = Tspi_Context_CreateObject(this->hContext, TSS_OBJECT_TYPE_RSAKEY,
244 TSS_KEY_TYPE_LEGACY|TSS_KEY_SIZE_2048, &hPCAKey);
245 if (result != TSS_SUCCESS)
246 {
247 DBG1(DBG_PTS, "%s Tspi_Context_CreateObject for PCA failed: 0x%x",
248 LABEL, result);
249 return FALSE;
250 }
251 result = Tspi_SetAttribData (hPCAKey, TSS_TSPATTRIB_RSAKEY_INFO,
252 TSS_TSPATTRIB_KEYINFO_RSA_MODULUS, ca_modulus.len,
253 ca_modulus.ptr);
254 if (result != TSS_SUCCESS)
255 {
256 DBG1(DBG_PTS, "%s Tspi_SetAttribData for PCA modulus failed: 0x%x",
257 LABEL, result);
258 return FALSE;
259 }
260 result = Tspi_SetAttribUint32(hPCAKey, TSS_TSPATTRIB_KEY_INFO,
261 TSS_TSPATTRIB_KEYINFO_ENCSCHEME, TSS_ES_RSAESPKCSV15);
262 if (result != TSS_SUCCESS)
263 {
264 DBG1(DBG_PTS,"%s Tspi_SetAttribUint32 for PCA encryption scheme "
265 "failed: 0x%x", LABEL, result);
266 return FALSE;
267 }
268
269 /* generate AIK */
270 DBG1(DBG_LIB, "Generating identity key...");
271 result = Tspi_TPM_CollateIdentityRequest(hTPM, hSRK, hPCAKey, 0, NULL,
272 hIdentKey, TSS_ALG_AES, &IdentityReqLen, &IdentityReq);
273 if (result != TSS_SUCCESS)
274 {
275 DBG1(DBG_PTS, "%s Tspi_TPM_CollateIdentityRequest failed: 0x%x",
276 LABEL, result);
277 return FALSE;
278 }
279 *identity_req = chunk_create(IdentityReq, IdentityReqLen);
280 DBG3(DBG_LIB, "%s Identity Request: %B", LABEL, identity_req);
281
282 /* load identity key */
283 result = Tspi_Key_LoadKey (hIdentKey, hSRK);
284 if (result != TSS_SUCCESS)
285 {
286 DBG1(DBG_PTS, "%s Tspi_Key_LoadKey for AIK failed: 0x%x",
287 LABEL, result);
288 return FALSE;
289 }
290
291 /* output AIK private key in TSS blob format */
292 result = Tspi_GetAttribData (hIdentKey, TSS_TSPATTRIB_KEY_BLOB,
293 TSS_TSPATTRIB_KEYBLOB_BLOB, &blobLen, &blob);
294 if (result != TSS_SUCCESS)
295 {
296 DBG1(DBG_PTS, "%s Tspi_GetAttribData for private key blob failed: 0x%x",
297 LABEL, result);
298 return FALSE;
299 }
300 *aik_blob = chunk_create(blob, blobLen);
301 DBG3(DBG_LIB, "%s AIK private key blob: %B", LABEL, aik_blob);
302
303 /* output AIK Public Key in TSS blob format */
304 result = Tspi_GetAttribData (hIdentKey, TSS_TSPATTRIB_KEY_BLOB,
305 TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY, &blobLen, &blob);
306 if (result != TSS_SUCCESS)
307 {
308 DBG1(DBG_PTS, "%s Tspi_GetAttribData for public key blob failed: 0x%x",
309 LABEL, result);
310 return FALSE;
311 }
312 aik_pubkey_blob = chunk_create(blob, blobLen);
313 DBG3(DBG_LIB, "%s AIK public key blob: %B", LABEL, &aik_pubkey_blob);
314
315 /* create a trusted AIK public key */
316 if (aik_pubkey_blob.len != AIK_PUBKEY_BLOB_SIZE)
317 {
318 DBG1(DBG_PTS, "%s AIK public key is not in TSS blob format",
319 LABEL);
320 return FALSE;
321 }
322 aik_modulus = chunk_skip(aik_pubkey_blob, AIK_PUBKEY_BLOB_SIZE - 256);
323 aik_exponent = chunk_from_chars(0x01, 0x00, 0x01);
324
325 /* output subjectPublicKeyInfo encoding of AIK public key */
326 if (!lib->encoding->encode(lib->encoding, PUBKEY_SPKI_ASN1_DER, NULL,
327 aik_pubkey, CRED_PART_RSA_MODULUS, aik_modulus,
328 CRED_PART_RSA_PUB_EXP, aik_exponent, CRED_PART_END))
329 {
330 DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of AIK key failed",
331 LABEL);
332 return FALSE;
333 }
334 return TRUE;
335 }
336
337 METHOD(tpm_tss_t, get_public, chunk_t,
338 private_tpm_tss_trousers_t *this, uint32_t handle)
339 {
340 return chunk_empty;
341 }
342
343 METHOD(tpm_tss_t, destroy, void,
344 private_tpm_tss_trousers_t *this)
345 {
346 finalize_context(this);
347 free(this->version_info.ptr);
348 free(this);
349 }
350
351 /**
352 * See header
353 */
354 tpm_tss_t *tpm_tss_trousers_create()
355 {
356 private_tpm_tss_trousers_t *this;
357 bool available;
358
359 INIT(this,
360 .public = {
361 .get_version = _get_version,
362 .get_version_info = _get_version_info,
363 .generate_aik = _generate_aik,
364 .get_public = _get_public,
365 .destroy = _destroy,
366 },
367 );
368
369 available = initialize_context(this);
370 DBG1(DBG_PTS, "TPM 1.2 via TrouSerS %savailable", available ? "" : "not ");
371
372 if (!available)
373 {
374 destroy(this);
375 return NULL;
376 }
377 return &this->public;
378 }
379
380 #else /* TSS_TROUSERS */
381
382 tpm_tss_t *tpm_tss_trousers_create()
383 {
384 return NULL;
385 }
386
387 #endif /* TSS_TROUSERS */
388
389
390