/*
* Copyright (C) 2020 Intel Corporation
* SPDX-License-Identifier: BSD-3-Clause
*/
#include "tpm20linux.h"
/*
 * change_auth - replace the authorization value of a single TPM hierarchy.
 *
 * Issues TPM2_HierarchyChangeAuth for auth_handle, authorizing with a
 * password session (TPM2_RS_PW) that carries *oldSecretKey, and installs
 * *newSecretKey as the hierarchy's new auth value.
 *
 * @sys           system API context the command is sent through
 * @newSecretKey  auth value to install; must not be NULL
 * @oldSecretKey  current auth value used to authorize the change; must not be NULL
 * @desc          human-readable hierarchy name, used only in the debug log
 * @auth_handle   hierarchy to update (e.g. TPM2_RH_OWNER, TPM2_RH_ENDORSEMENT, TPM2_RH_LOCKOUT)
 *
 * Returns -1 when either key pointer is NULL, otherwise the TSS2_RC of the
 * command (TPM2_RC_SUCCESS on success). The local session structure keeps a
 * copy of *oldSecretKey and is not cleared before returning.
 */
static int change_auth(TSS2_SYS_CONTEXT* sys,
                       TPM2B_AUTH* newSecretKey,
                       TPM2B_AUTH* oldSecretKey,
                       const char* desc,
                       TPMI_RH_HIERARCHY_AUTH auth_handle)
{
    if (newSecretKey == NULL)
    {
        ERROR("The new secret key must be provided");
        return -1;
    }
    if (oldSecretKey == NULL)
    {
        ERROR("The old secret key must be provided");
        return -1;
    }

    /* One password session, authorized by the hierarchy's current auth value. */
    TSS2L_SYS_AUTH_COMMAND cmdAuths = {0};
    cmdAuths.count = 1;
    cmdAuths.auths[0].sessionHandle = TPM2_RS_PW;
    cmdAuths.auths[0].sessionAttributes = 0;
    memcpy(&cmdAuths.auths[0].hmac, oldSecretKey, sizeof *oldSecretKey);

    TSS2_RC rc = Tss2_Sys_HierarchyChangeAuth(sys, auth_handle, &cmdAuths, newSecretKey, 0);
    if (rc != TPM2_RC_SUCCESS)
    {
        DEBUG("Could not change hierarchy for %s: 0x%x", desc, rc);
    }
    return rc;
}
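/*
 * take_ownership - set the same auth value on the owner, endorsement and
 * lockout hierarchies.
 *
 * The hierarchies are updated in a fixed order (owner, endorsement, lockout)
 * and the first failure stops the sequence. A non-success return may therefore
 * leave the earlier hierarchies already switched to *newSecretKey while the
 * later ones still hold *oldSecretKey; the caller has to deal with that
 * partial state.
 *
 * @sys           system API context the commands are sent through
 * @newSecretKey  auth value to install on all three hierarchies
 * @oldSecretKey  current auth value of the hierarchies
 *
 * Returns TPM2_RC_SUCCESS when all three changes succeed, otherwise the value
 * change_auth returned for the hierarchy that failed.
 */
static int take_ownership(TSS2_SYS_CONTEXT* sys,
                          TPM2B_AUTH* newSecretKey,
                          TPM2B_AUTH* oldSecretKey)
{
    static const struct {
        const char* desc;
        TPMI_RH_HIERARCHY_AUTH handle;
    } hierarchies[] = {
        { "Owner",       TPM2_RH_OWNER },
        { "Endorsement", TPM2_RH_ENDORSEMENT },
        { "Lockout",     TPM2_RH_LOCKOUT },
    };

    for (size_t i = 0; i < sizeof hierarchies / sizeof hierarchies[0]; i++)
    {
        TSS2_RC rc = change_auth(sys, newSecretKey, oldSecretKey,
                                 hierarchies[i].desc, hierarchies[i].handle);
        if (rc != TPM2_RC_SUCCESS)
        {
            /* Stop at the first failure; the remaining hierarchies are left untouched. */
            return rc;
        }
    }
    return TPM2_RC_SUCCESS;
}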
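//-------------------------------------------------------------------------------------------------
// 'TakeOwnership' wraps three tpm2-tools commands: tpm2_takeownership, tpm2_createprimary
// and tpm2_evictcontrol. As written, this function only performs the tpm2_takeownership
// step (changing the owner, endorsement and lockout hierarchy auths); no primary key is
// created or persisted here.
//
// ctx                   TPM context holding the initialized system API context (ctx->sys)
// ownerSecretKey        bytes of the auth value to install on the three hierarchies
// ownerSecretKeyLength  number of bytes in ownerSecretKey
//
// Returns TPM2_RC_SUCCESS (0) when all three hierarchy auths were changed, -1 when ctx is
// NULL, the InitializeTpmAuth error code when the new auth value cannot be built, or the
// TSS2_RC of the first failing hierarchy change (see take_ownership for the partial-update
// behaviour on failure).
//-------------------------------------------------------------------------------------------------
int TakeOwnership(const tpmCtx* ctx,
                  const uint8_t* ownerSecretKey,
                  size_t ownerSecretKeyLength)
{
    TPM2B_AUTH newSecretKey = {0};
    TPM2B_AUTH oldSecretKey = {0}; // empty auth: the TPM is expected to be freshly cleared

    // note: We assume that this function is only called when the
    // trust agent does not have a password configured AND WHEN
    // THE TPM IS CLEARED. Changing the password is a feature
    // enhancement.
    if (ctx == NULL)
    {
        ERROR("The TPM context must be provided");
        return -1;
    }

    TSS2_RC rval = InitializeTpmAuth(&newSecretKey, ownerSecretKey, ownerSecretKeyLength);
    if (rval != 0)
    {
        ERROR("There was an error creating the new TPM2B_AUTH");
        return rval;
    }

    //
    // TakeOwnership of 'owner', 'endorsement' and 'lockout' similar to running...
    // tpm2_takeownership -o hex:c758af994ac60743fdf1ad5d8186ca216657f99f -e hex:c758af994ac60743fdf1ad5d8186ca216657f99f -l hex:c758af994ac60743fdf1ad5d8186ca216657f99f
    //
    // newSecretKey keeps a copy of the auth value on the stack and is not scrubbed before
    // returning. take_ownership returns TPM2_RC_SUCCESS (0) when every hierarchy was updated.
    return take_ownership(ctx->sys, &newSecretKey, &oldSecretKey);
}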
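//
// This function operates similar to the TpmLinuxV20.java implementation: if 'change_auth' is successful
// when applying the same password for new/old keys, then consider the TPM owned with password 'secretKey'.
//
// The probe is a real TPM2_HierarchyChangeAuth on the owner hierarchy with old == new auth, so a
// successful call re-writes the owner auth with the value it already has.
// NOTE(review): a failed probe is an authorization failure at the TPM and may count toward the TPM's
// dictionary-attack lockout — confirm before calling this in a retry loop.
//
// Returns zero (true) if the secretKey works against the TPM, -1 if not owned (the owner hierarchy
// rejected the auth value), -2 when ctx is NULL or the TPM2B_AUTH values cannot be built. All other
// non-zero values are TSS2_RC error codes from the hierarchy change.
//
int IsOwnedWithAuth(const tpmCtx* ctx,
                    const uint8_t* ownerSecretKey,
                    size_t keyLength)
{
    // TSS2_RC change_auth returns when the owner hierarchy rejects the supplied auth value in
    // password session 1 (appears to be TPM2_RC_S | TPM2_RC_1 | TPM2_RC_BAD_AUTH — verify against
    // tss2_tpm2_types.h). Mapped to -1, "not owned with this auth".
    static const int OWNER_BAD_AUTH_RC = 0x9a2;

    TPM2B_AUTH newSecretKey = {0};
    TPM2B_AUTH oldSecretKey = {0};

    if (ctx == NULL)
    {
        ERROR("The TPM context must be provided");
        return -2;
    }

    int rval = InitializeTpmAuth(&newSecretKey, ownerSecretKey, keyLength);
    if (rval != 0)
    {
        ERROR("There was an error creating the new TPM2B_AUTH");
        return -2;
    }

    rval = InitializeTpmAuth(&oldSecretKey, ownerSecretKey, keyLength);
    if (rval != 0)
    {
        ERROR("There was an error creating the old TPM2B_AUTH");
        return -2;
    }

    // Same value for old and new: succeeds only if the TPM already accepts this auth.
    rval = change_auth(ctx->sys, &newSecretKey, &oldSecretKey, "Owner", TPM2_RH_OWNER);
    return rval == OWNER_BAD_AUTH_RC ? -1 : rval;
}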