3
* Licensed Materials - Property of IBM
5
* trousers - An open source TCG Software Stack
7
* (C) Copyright International Business Machines Corp. 2004
17
#include "trousers/tss.h"
18
#include "spi_internal_types.h"
19
#include "tcs_internal_types.h"
22
#include "tcs_utils.h"
23
#include "tcs_int_literals.h"
24
#include "capabilities.h"
27
#include "tcsd_wrap.h"
31
TCSP_SetOwnerInstall_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
32
TSS_BOOL state /* in */
38
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
40
LogDebug("Entering SetOwnerInstall");
41
if ((result = ctx_verify_context(hContext)))
45
LoadBlob_BOOL(&offset, state, txBlob, "State");
46
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset, TPM_ORD_SetOwnerInstall,
49
if ((result = req_mgr_submit_req(txBlob)))
52
result = UnloadBlob_Header(txBlob, ¶mSize);
54
LogResult("SetOwnerInstall", result);
59
TCSP_TakeOwnership_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
60
UINT16 protocolID, /* in */
61
UINT32 encOwnerAuthSize, /* in */
62
BYTE * encOwnerAuth, /* in */
63
UINT32 encSrkAuthSize, /* in */
64
BYTE * encSrkAuth, /* in */
65
UINT32 srkInfoSize, /*in */
66
BYTE * srkInfo, /*in */
67
TPM_AUTH * ownerAuth, /* in, out */
68
UINT32 * srkKeySize, /*out */
69
BYTE ** srkKey /*out */
75
TCPA_KEY srkKeyContainer;
76
BYTE oldAuthDataUsage;
79
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
81
if ((result = ctx_verify_context(hContext)))
84
if ((result = auth_mgr_check(hContext, ownerAuth->AuthHandle)))
87
/* Check on the Atmel Bug Patch */
89
UnloadBlob_KEY(&offset, srkInfo, &srkKeyContainer);
90
oldAuthDataUsage = srkKeyContainer.authDataUsage;
91
LogDebug("auth data usage is %.2X", oldAuthDataUsage);
94
LoadBlob_UINT16(&offset, protocolID, txBlob, "prot id");
95
LoadBlob_UINT32(&offset, encOwnerAuthSize, txBlob,
96
"enc owner auth size");
97
LoadBlob(&offset, encOwnerAuthSize, txBlob, encOwnerAuth,
99
LoadBlob_UINT32(&offset, encSrkAuthSize, txBlob,
101
LoadBlob(&offset, encSrkAuthSize, txBlob, encSrkAuth,
104
LoadBlob(&offset, srkInfoSize, txBlob, srkInfo, "srk");
106
LoadBlob_Auth(&offset, txBlob, ownerAuth);
107
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset,
108
TPM_ORD_TakeOwnership, txBlob);
110
if ((result = req_mgr_submit_req(txBlob)))
113
result = UnloadBlob_Header(txBlob, ¶mSize);
117
if ((result = UnloadBlob_KEY(&offset, txBlob, &srkKeyContainer)))
120
*srkKeySize = offset - 10;
121
*srkKey = calloc(1, *srkKeySize);
122
if (*srkKey == NULL) {
123
destroy_key_refs(&srkKeyContainer);
124
LogError("malloc of %u bytes failed.", *srkKeySize);
125
result = TCSERR(TSS_E_OUTOFMEMORY);
128
if (srkKeyContainer.authDataUsage != oldAuthDataUsage) {
129
LogDebug("AuthDataUsage was changed by TPM. Atmel Bug. Fixing it in PS");
130
srkKeyContainer.authDataUsage = oldAuthDataUsage;
132
memcpy(*srkKey, &txBlob[10], *srkKeySize);
134
memset(srkKeyContainer.pubKey.key, 0, srkKeyContainer.pubKey.keyLength);
136
LoadBlob_KEY(&bugOffset, newSRK, &srkKeyContainer);
138
UnloadBlob_Auth(&offset, txBlob, ownerAuth);
140
/* Once the key file is created, it stays forever. There could be
141
* migratable keys in the hierarchy that are still useful to someone.
143
result = ps_remove_key(&SRK_UUID);
144
if (result != TSS_SUCCESS && result != TCSERR(TSS_E_PS_KEY_NOTFOUND)) {
145
destroy_key_refs(&srkKeyContainer);
146
LogError("Error removing SRK from key file.");
150
if ((result = ps_write_key(&SRK_UUID, &NULL_UUID, NULL, 0, newSRK, bugOffset))) {
151
destroy_key_refs(&srkKeyContainer);
152
LogError("Error writing SRK to disk");
155
result = mc_add_entry_srk(SRK_TPM_HANDLE, SRK_TPM_HANDLE, &srkKeyContainer);
156
if (result != TSS_SUCCESS) {
157
destroy_key_refs(&srkKeyContainer);
158
LogError("Error creating SRK mem cache entry");
162
destroy_key_refs(&srkKeyContainer);
164
LogResult("TakeOwnership", result);
166
auth_mgr_release_auth(ownerAuth, NULL, hContext);
171
TCSP_OIAP_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
172
TCS_AUTHHANDLE *authHandle, /* out */
173
TCPA_NONCE *nonce0 /* out */
179
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
181
LogDebug("Entering TCSI_OIAP");
183
if ((result = ctx_verify_context(hContext)))
187
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset, TPM_ORD_OIAP, txBlob);
189
if ((result = req_mgr_submit_req(txBlob)))
193
result = UnloadBlob_Header(txBlob, ¶mSize);
196
UnloadBlob_UINT32(&offset, authHandle, txBlob, "authHandle");
197
UnloadBlob(&offset, TCPA_NONCE_SIZE, txBlob,
198
nonce0->nonce, "n0");
201
LogResult("OIAP", result);
206
TCSP_OSAP_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
207
TCPA_ENTITY_TYPE entityType, /* in */
208
UINT32 entityValue, /* in */
209
TCPA_NONCE nonceOddOSAP, /* in */
210
TCS_AUTHHANDLE * authHandle, /* out */
211
TCPA_NONCE * nonceEven, /* out */
212
TCPA_NONCE * nonceEvenOSAP /* out */
218
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
220
LogDebug("Entering OSAP");
221
if ((result = ctx_verify_context(hContext)))
225
LoadBlob_UINT16(&offset, entityType, txBlob, "entity type");
226
LoadBlob_UINT32(&offset, entityValue, txBlob, "entity value");
227
LoadBlob(&offset, TCPA_NONCE_SIZE, txBlob, nonceOddOSAP.nonce, "nonce osap");
228
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset, TPM_ORD_OSAP, txBlob);
230
if ((result = req_mgr_submit_req(txBlob)))
235
result = UnloadBlob_Header(txBlob, ¶mSize);
237
UnloadBlob_UINT32(&offset, authHandle, txBlob, "auth handle");
238
UnloadBlob(&offset, TCPA_NONCE_SIZE, txBlob, nonceEven->nonce, "n0");
239
UnloadBlob(&offset, TCPA_NONCE_SIZE, txBlob, nonceEvenOSAP->nonce, "n0 osap");
241
LogResult("OSAP", result);
247
TCSP_ChangeAuth_Internal(TCS_CONTEXT_HANDLE contextHandle, /* in */
248
TCS_KEY_HANDLE parentHandle, /* in */
249
TCPA_PROTOCOL_ID protocolID, /* in */
250
TCPA_ENCAUTH newAuth, /* in */
251
TCPA_ENTITY_TYPE entityType, /* in */
252
UINT32 encDataSize, /* in */
253
BYTE *encData, /* in */
254
TPM_AUTH *ownerAuth, /* in, out */
255
TPM_AUTH *entityAuth, /* in, out */
256
UINT32 *outDataSize, /* out */
257
BYTE **outData /* out */
263
TCPA_KEY_HANDLE keySlot;
264
TCS_KEY_HANDLE tcsKeyHandleToEvict;
265
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
267
LogDebug("Entering Changeauth");
268
if ((result = ctx_verify_context(contextHandle)))
271
if ((result = auth_mgr_check(contextHandle, ownerAuth->AuthHandle)))
273
if ((result = auth_mgr_check(contextHandle, entityAuth->AuthHandle)))
276
if ((result = ensureKeyIsLoaded(contextHandle, parentHandle, &keySlot)))
280
LoadBlob_UINT32(&offset, keySlot, txBlob, "handle");
281
LoadBlob_UINT16(&offset, protocolID, txBlob, "prot ID");
282
LoadBlob(&offset, TCPA_ENCAUTH_SIZE, txBlob,
283
newAuth.authdata, "encauth");
284
LoadBlob_UINT16(&offset, entityType, txBlob, "entity type");
285
LoadBlob_UINT32(&offset, encDataSize, txBlob, "enc data size");
286
LoadBlob(&offset, encDataSize, txBlob, encData, "enc data");
287
LoadBlob_Auth(&offset, txBlob, ownerAuth);
288
LoadBlob_Auth(&offset, txBlob, entityAuth);
290
LoadBlob_Header(TPM_TAG_RQU_AUTH2_COMMAND, offset,
291
TPM_ORD_ChangeAuth, txBlob);
293
if ((result = req_mgr_submit_req(txBlob)))
297
result = UnloadBlob_Header(txBlob, ¶mSize);
300
UnloadBlob_UINT32(&offset, outDataSize, txBlob,
302
*outData = calloc(1, *outDataSize);
303
if (*outData == NULL) {
304
LogError("malloc of %d bytes failed.", *outDataSize);
305
result = TCSERR(TSS_E_OUTOFMEMORY);
307
UnloadBlob(&offset, *outDataSize, txBlob, *outData, "outdata");
309
UnloadBlob_Auth(&offset, txBlob, ownerAuth);
310
UnloadBlob_Auth(&offset, txBlob, entityAuth);
312
/* if the malloc above failed, terminate the 2 new auth handles and exit */
316
/****************************************
317
* Check if ET is a key. If it is, we need to
318
* 1 - Evict the key if loaded
319
* 2 - update the knowledge entries where applicable.
320
* 3 - Update the PS if applicable.
321
* 4 - Reload the key ( optional ) - Not doing it here
322
****************************************/
323
if (entityType == TCPA_ET_KEYHANDLE ||
324
entityType == TCPA_ET_KEY) {
325
LogDebug("entity type is a key. Check if storage/knowledge must be updated");
326
/*--- Compare the EncData against the TCS tables */
329
LogDebug("Checking PS");
330
uuidKeyToEvict = mc_get_uuid_by_encdata(encData);
331
if (uuidKeyToEvict != NULL) {
332
LogDebug("UUID is not NULL, replace storage");
333
replaceEncData_PS(*uuidKeyToEvict, encData, *outData);
336
tcsKeyHandleToEvict = mc_get_handle_by_encdata(encData);
337
LogDebug("tcsKeyHandle being evicted is %.8X", tcsKeyHandleToEvict);
338
/*--- If it was found in knowledge, replace it */
339
if (tcsKeyHandleToEvict != 0) {
340
key_mgr_evict(contextHandle, tcsKeyHandleToEvict);
341
mc_update_encdata(encData, *outData);
346
LogResult("ChangeAuth", result);
348
auth_mgr_release_auth(ownerAuth, entityAuth, contextHandle);
353
TCSP_ChangeAuthOwner_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
354
TCPA_PROTOCOL_ID protocolID, /* in */
355
TCPA_ENCAUTH newAuth, /* in */
356
TCPA_ENTITY_TYPE entityType, /* in */
357
TPM_AUTH * ownerAuth /* in, out */
363
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
365
LogDebug("Entering ChangeAuthOwner");
367
if ((result = ctx_verify_context(hContext)))
370
if ((result = auth_mgr_check(hContext, ownerAuth->AuthHandle)))
374
LoadBlob_UINT16(&offset, protocolID, txBlob, "prot id");
375
LoadBlob(&offset, 20, txBlob, newAuth.authdata, "enc auth");
376
LoadBlob_UINT16(&offset, entityType, txBlob, "entity type");
377
LoadBlob_Auth(&offset, txBlob, ownerAuth);
378
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset, TPM_ORD_ChangeAuthOwner, txBlob);
380
if ((result = req_mgr_submit_req(txBlob)))
384
result = UnloadBlob_Header(txBlob, ¶mSize);
385
UnloadBlob_Auth(&offset, txBlob, ownerAuth);
387
LogResult("ChangeAuthOwner", result);
389
auth_mgr_release_auth(ownerAuth, NULL, hContext);
394
TCSP_ChangeAuthAsymStart_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
395
TCS_KEY_HANDLE idHandle, /* in */
396
TCPA_NONCE antiReplay, /* in */
397
UINT32 KeySizeIn, /* in */
398
BYTE * KeyDataIn, /* in */
399
TPM_AUTH * pAuth, /* in, out */
400
UINT32 * KeySizeOut, /* out */
401
BYTE ** KeyDataOut, /* out */
402
UINT32 * CertifyInfoSize, /* out */
403
BYTE ** CertifyInfo, /* out */
404
UINT32 * sigSize, /* out */
405
BYTE ** sig, /* out */
406
TCS_KEY_HANDLE * ephHandle /* out */
410
#warning Locking trouble in evictFirstKey
415
TCPA_CERTIFY_INFO certifyInfo;
418
TCPA_KEY_PARMS keyParmsContainer;
420
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
422
LogDebug("Entering ChangeAuthAsymStart");
423
if ((result = ctx_verify_context(hContext)))
427
LogDebug("Auth Command");
428
if ((result = auth_mgr_check(hContext, pAuth->AuthHandle)))
434
if ((result = ensureKeyIsLoaded(hContext, idHandle, &keySlot)))
437
LogDebug("Checking for room to load the eph key");
439
if ((result = UnloadBlob_KEY_PARMS(&offset, KeyDataIn, &keyParmsContainer)))
442
/* if we can't load the key, evict keys until we can */
443
if ((result = canILoadThisKey(&keyParmsContainer, &canLoad)))
446
while (canLoad == FALSE) {
447
/* Evict a key that isn't the parent */
448
if ((result = evictFirstKey(idHandle)))
451
if ((result = canILoadThisKey(&keyParmsContainer, &canLoad)))
456
LoadBlob_UINT32(&offset, keySlot, txBlob, "idhandle");
457
LoadBlob(&offset, TCPA_NONCE_SIZE, txBlob, antiReplay.nonce, "nonce");
458
/* LoadBlob_KEY_PARMS( &offset, txBlob, &tempKeyParms ); */
459
/* LoadBlob_UINT32( &offset, KeySizeIn, txBlob, "temp key size" ); */
460
LoadBlob(&offset, KeySizeIn, txBlob, KeyDataIn, "Temp Key");
463
LoadBlob_Auth(&offset, txBlob, pAuth);
464
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset,
465
TPM_ORD_ChangeAuthAsymStart, txBlob);
467
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset,
468
TPM_ORD_ChangeAuthAsymStart, txBlob);
471
if ((result = req_mgr_submit_req(txBlob)))
475
result = UnloadBlob_Header(txBlob, ¶mSize);
477
UnloadBlob_CERTIFY_INFO(&offset, txBlob, &certifyInfo);
478
*CertifyInfoSize = offset - 10;
479
*CertifyInfo = malloc(*CertifyInfoSize);
480
if (*CertifyInfo == NULL) {
481
LogError("malloc of %u bytes failed.", *CertifyInfoSize);
482
result = TCSERR(TSS_E_OUTOFMEMORY);
485
memcpy(*CertifyInfo, &txBlob[offset - *CertifyInfoSize],
487
UnloadBlob_UINT32(&offset, sigSize, txBlob, "sig size");
488
*sig = malloc(*sigSize);
490
LogError("malloc of %u bytes failed.", *sigSize);
491
result = TCSERR(TSS_E_OUTOFMEMORY);
494
UnloadBlob(&offset, *sigSize, txBlob, *sig, "sig");
495
UnloadBlob_UINT32(&offset, ephHandle, txBlob, "eph handle");
497
UnloadBlob_KEY(&offset, txBlob, &tempKey);
498
*KeySizeOut = offset - tempSize;
499
*KeyDataOut = malloc(*KeySizeOut);
500
if (*KeyDataOut == NULL) {
501
LogError("malloc of %u bytes failed.", *KeySizeOut);
502
result = TCSERR(TSS_E_OUTOFMEMORY);
505
memcpy(*KeyDataOut, &txBlob[offset - *KeySizeOut], *KeySizeOut);
507
UnloadBlob_Auth(&offset, txBlob, pAuth);
510
LogResult("ChangeAuthAsymStart", result);
512
auth_mgr_release_auth(pAuth, NULL, hContext);
515
return TSPERR(TSS_E_NOTIMPL);
520
TCSP_ChangeAuthAsymFinish_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
521
TCS_KEY_HANDLE parentHandle, /* in */
522
TCS_KEY_HANDLE ephHandle, /* in */
523
TCPA_ENTITY_TYPE entityType, /* in */
524
TCPA_HMAC newAuthLink, /* in */
525
UINT32 newAuthSize, /* in */
526
BYTE * encNewAuth, /* in */
527
UINT32 encDataSizeIn, /* in */
528
BYTE * encDataIn, /* in */
529
TPM_AUTH * ownerAuth, /* in, out */
530
UINT32 * encDataSizeOut, /* out */
531
BYTE ** encDataOut, /* out */
532
TCPA_SALT_NONCE * saltNonce, /* out */
533
TCPA_DIGEST * changeProof /* out */
541
TCPA_CERTIFY_INFO certifyInfo;
544
TSS_UUID *uuidKeyToEvict;
546
TCS_KEY_HANDLE tcsKeyHandleToEvict;
547
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
549
LogDebug("Entering ChangeAuthAsymFinish");
550
if ((result = ctx_verify_context(hContext)))
553
if (ownerAuth != NULL) {
554
LogDebug("Auth used");
555
if ((result = auth_mgr_check(hContext, ownerAuth->AuthHandle)))
560
if ((result = ensureKeyIsLoaded(hContext, parentHandle, &keySlot)))
564
LoadBlob_UINT32(&offset, keySlot, txBlob, "idhandle");
565
LoadBlob_UINT32(&offset, ephHandle, txBlob, "ephHandle");
566
LoadBlob_UINT16(&offset, entityType, txBlob, "entity Type");
567
LoadBlob(&offset, 20, txBlob, newAuthLink.digest, "newAuthLink");
568
LoadBlob_UINT32(&offset, newAuthSize, txBlob, "newAuthSize");
569
LoadBlob(&offset, newAuthSize, txBlob, encNewAuth, "encNewauth");
570
LoadBlob_UINT32(&offset, encDataSizeIn, txBlob, "encDatasize ");
571
LoadBlob(&offset, encDataSizeIn, txBlob, encDataIn, "encDataIn");
573
if (ownerAuth != NULL) {
574
LoadBlob_Auth(&offset, txBlob, ownerAuth);
575
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset,
576
TPM_ORD_ChangeAuthAsymFinish, txBlob);
578
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset,
579
TPM_ORD_ChangeAuthAsymFinish, txBlob);
582
if ((result = req_mgr_submit_req(txBlob)))
586
result = UnloadBlob_Header(txBlob, ¶mSize);
588
UnloadBlob_UINT32(&offset, encDataSizeOut, txBlob,
590
*encDataOut = calloc(1, *encDataSizeOut);
591
if (*encDataOut == NULL) {
592
LogError("malloc of %u bytes failed.", *encDataSizeOut);
593
result = TCSERR(TSS_E_OUTOFMEMORY);
596
UnloadBlob(&offset, *encDataSizeOut, txBlob,
597
*encDataOut, "outData");
598
UnloadBlob(&offset, 20, txBlob, saltNonce->nonce, "salt Nonce");
599
UnloadBlob(&offset, 20, txBlob, changeProof->digest,
601
if (ownerAuth != NULL)
602
UnloadBlob_Auth(&offset, txBlob, ownerAuth);
604
/****************************************
605
* Check if ET is a key. If it is, we need to
606
* 1 - Evict the key if loaded
607
* 2 - update the knowledge entries where applicable.
608
* 3 - Update the PS if applicable.
609
* 4 - Reload the key ( optional ) - Not doing it here
610
****************************************/
611
if (entityType == TCPA_ET_KEYHANDLE ||
612
entityType == TCPA_ET_KEY) {
613
/*--- Compare the EncData against the TCS tables */
614
tcsKeyHandleToEvict = mc_get_handle_by_encdata(encDataIn);
617
uuidKeyToEvict = mc_get_uuid_by_encdata(encDataIn);
618
if (uuidKeyToEvict != NULL) {
619
replaceEncData_PS(*uuidKeyToEvict,
620
encDataIn, *encDataOut);
623
/*--- If it was found in knowledge, replace it */
624
if (tcsKeyHandleToEvict != 0) {
625
key_mgr_evict(hContext, tcsKeyHandleToEvict);
626
mc_update_encdata(encDataIn, *encDataOut);
631
LogResult("ChangeAuthAsymFinish", result);
633
auth_mgr_release_auth(ownerAuth, NULL, hContext);
638
internal_TerminateHandle(TCS_AUTHHANDLE handle)
643
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
646
LoadBlob_UINT32(&offset, handle, txBlob, "handle");
647
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset, TPM_ORD_Terminate_Handle, txBlob);
649
if ((result = req_mgr_submit_req(txBlob)))
653
return UnloadBlob_Header(txBlob, ¶mSize);
657
TCSP_TerminateHandle_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
658
TCS_AUTHHANDLE handle /* in */
663
LogDebug("Entering TCSI_TerminateHandle");
664
if ((result = ctx_verify_context(hContext)))
667
if ((result = auth_mgr_check(hContext, handle)))
670
result = auth_mgr_release_auth_handle(handle, hContext, 1);
672
LogResult("Terminate Handle", result);
677
TCSP_ActivateTPMIdentity_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
678
TCS_KEY_HANDLE idKey, /* in */
679
UINT32 blobSize, /* in */
680
BYTE * blob, /* in */
681
TPM_AUTH * idKeyAuth, /* in, out */
682
TPM_AUTH * ownerAuth, /* in, out */
683
UINT32 * SymmetricKeySize, /* out */
684
BYTE ** SymmetricKey /* out */
689
TCPA_SYMMETRIC_KEY symKey;
693
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
695
LogDebug("TCSP_ActivateTPMIdentity");
697
if ((result = ctx_verify_context(hContext)))
700
if (idKeyAuth != NULL) {
701
if ((result = auth_mgr_check(hContext, idKeyAuth->AuthHandle)))
704
if ((result = auth_mgr_check(hContext, ownerAuth->AuthHandle)))
707
if ((result = ensureKeyIsLoaded(hContext, idKey, &keySlot)))
711
LoadBlob_UINT32(&offset, keySlot, txBlob, "id key handle");
712
LoadBlob_UINT32(&offset, blobSize, txBlob, "blob size");
713
LoadBlob(&offset, blobSize, txBlob, blob, "in blob");
714
if (idKeyAuth != NULL) {
715
LoadBlob_Auth(&offset, txBlob, idKeyAuth);
716
LoadBlob_Auth(&offset, txBlob, ownerAuth);
717
LoadBlob_Header(TPM_TAG_RQU_AUTH2_COMMAND,
719
TPM_ORD_ActivateTPMIdentity, txBlob);
721
LoadBlob_Auth(&offset, txBlob, ownerAuth);
722
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND,
724
TPM_ORD_ActivateTPMIdentity, txBlob);
727
if ((result = req_mgr_submit_req(txBlob)))
730
result = UnloadBlob_Header(txBlob, ¶mSize);
733
/* We don't know what kind of key the symmetric key is, or how big it is.
734
* So, call UnloadBlob_SYMMETRIC_KEY to parse through the returned data
735
* and create the expanded TCPA_SYMMETRIC_KEY structure. Then, serialize
736
* that data to pass back to the TSP. */
738
if ((result = UnloadBlob_SYMMETRIC_KEY(&offset, txBlob, &symKey)))
741
/* After parsing through the symmetric key, offset will point to the auth
745
*SymmetricKey = calloc(1, offset - 10);
746
if (*SymmetricKey == NULL) {
748
LogError("malloc of %" PRIu64 " bytes failed.", offset - 10);
749
result = TCSERR(TSS_E_OUTOFMEMORY);
752
*SymmetricKeySize = offset - 10;
754
LoadBlob_SYMMETRIC_KEY(&offset, *SymmetricKey, &symKey);
757
if (idKeyAuth != NULL) {
758
UnloadBlob_Auth(&authOffset, txBlob, idKeyAuth);
760
UnloadBlob_Auth(&authOffset, txBlob, ownerAuth);
764
auth_mgr_release_auth(idKeyAuth, ownerAuth, hContext);
769
TCSP_Extend_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
770
TCPA_PCRINDEX pcrNum, /* in */
771
TCPA_DIGEST inDigest, /* in */
772
TCPA_PCRVALUE * outDigest /* out */
778
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
780
LogDebug("Entering Extend");
781
if ((result = ctx_verify_context(hContext)))
784
/* PCRs are numbered 0 - (NUM_PCRS - 1), thus the >= */
785
if (pcrNum >= tpm_metrics.num_pcrs)
786
return TCSERR(TSS_E_BAD_PARAMETER);
788
if (tcsd_options.kernel_pcrs & (1 << pcrNum)) {
789
LogInfo("PCR %d is configured to be kernel controlled. Extend request denied.",
791
return TCSERR(TSS_E_FAIL);
794
if (tcsd_options.firmware_pcrs & (1 << pcrNum)) {
795
LogInfo("PCR %d is configured to be firmware controlled. Extend request denied.",
797
return TCSERR(TSS_E_FAIL);
802
LoadBlob_UINT32(&offset, pcrNum, txBlob, "pcrNum");
803
LoadBlob(&offset, TCPA_DIGEST_SIZE, txBlob, inDigest.digest,
806
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset, TPM_ORD_Extend, txBlob);
808
if ((result = req_mgr_submit_req(txBlob)))
812
result = UnloadBlob_Header(txBlob, ¶mSize);
814
UnloadBlob(&offset, TCPA_DIGEST_SIZE, txBlob,
815
outDigest->digest, "digest");
817
LogResult("Extend", result);
822
TCSP_PcrRead_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
823
TCPA_PCRINDEX pcrNum, /* in */
824
TCPA_PCRVALUE * outDigest /* out */
830
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
832
LogDebug("Entering PCRRead");
834
if ((result = ctx_verify_context(hContext)))
837
/* PCRs are numbered 0 - (NUM_PCRS - 1), thus the >= */
838
if (pcrNum >= tpm_metrics.num_pcrs)
839
return TCSERR(TSS_E_BAD_PARAMETER);
842
LoadBlob_UINT32(&offset, pcrNum, txBlob, "pcrnum");
844
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset, TPM_ORD_PcrRead, txBlob);
846
if ((result = req_mgr_submit_req(txBlob)))
850
result = UnloadBlob_Header(txBlob, ¶mSize);
852
UnloadBlob(&offset, TCPA_DIGEST_SIZE, txBlob,
853
outDigest->digest, "digest");
855
LogResult("PCR Read", result);
860
TCSP_Quote_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
861
TCS_KEY_HANDLE keyHandle, /* in */
862
TCPA_NONCE antiReplay, /* in */
863
UINT32 pcrDataSizeIn, /* in */
864
BYTE * pcrDataIn, /* in */
865
TPM_AUTH * privAuth, /* in, out */
866
UINT32 * pcrDataSizeOut, /* out */
867
BYTE ** pcrDataOut, /* out */
868
UINT32 * sigSize, /* out */
869
BYTE ** sig /* out */
877
TCPA_PCR_COMPOSITE pcrComp;
878
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
880
LogDebug("Entering quote");
882
if ((result = ctx_verify_context(hContext)))
885
if (privAuth != NULL) {
886
LogDebug("Auth Used");
887
if ((result = auth_mgr_check(hContext, privAuth->AuthHandle)))
892
if ((result = ensureKeyIsLoaded(hContext, keyHandle, &keySlot)))
896
LoadBlob_UINT32(&offset, keySlot, txBlob, "key handle");
897
LoadBlob(&offset, TCPA_NONCE_SIZE, txBlob, antiReplay.nonce, "anti nonce");
898
LoadBlob(&offset, pcrDataSizeIn, txBlob, pcrDataIn, "Pcr Data");
899
if (privAuth != NULL) {
900
LoadBlob_Auth(&offset, txBlob, privAuth);
901
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND,
902
offset, TPM_ORD_Quote, txBlob);
904
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset,
905
TPM_ORD_Quote, txBlob);
907
if ((result = req_mgr_submit_req(txBlob)))
911
result = UnloadBlob_Header(txBlob, ¶mSize);
914
if ((result = UnloadBlob_PCR_COMPOSITE(&offset, txBlob, &pcrComp)))
916
free(pcrComp.select.pcrSelect);
917
free(pcrComp.pcrValue);
919
*pcrDataSizeOut = offset - 10;
920
*pcrDataOut = calloc(1, *pcrDataSizeOut);
921
if (*pcrDataOut == NULL) {
922
LogError("malloc of %u bytes failed.", *pcrDataSizeOut);
923
result = TCSERR(TSS_E_OUTOFMEMORY);
926
memcpy(*pcrDataOut, &txBlob[10], *pcrDataSizeOut);
927
UnloadBlob_UINT32(&offset, sigSize, txBlob, "sigsize");
928
*sig = calloc(1, *sigSize);
931
LogError("malloc of %u bytes failed.", *sigSize);
932
result = TCSERR(TSS_E_OUTOFMEMORY);
935
UnloadBlob(&offset, *sigSize, txBlob, *sig, "sig");
936
if (privAuth != NULL)
937
UnloadBlob_Auth(&offset, txBlob, privAuth);
939
LogResult("Quote", result);
941
auth_mgr_release_auth(privAuth, NULL, hContext);
946
TCSP_DirWriteAuth_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
947
TCPA_DIRINDEX dirIndex, /* in */
948
TCPA_DIRVALUE newContents, /* in */
949
TPM_AUTH * ownerAuth /* in, out */
955
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
957
LogDebug("Entering dirwriteauth");
958
if ((result = ctx_verify_context(hContext)))
961
if ((result = auth_mgr_check(hContext, ownerAuth->AuthHandle)))
964
if (dirIndex > tpm_metrics.num_dirs) {
965
result = TCSERR(TSS_E_BAD_PARAMETER);
970
LoadBlob_UINT32(&offset, dirIndex, txBlob, "dir index");
971
LoadBlob(&offset, TCPA_DIRVALUE_SIZE, txBlob,
972
newContents.digest, "new contents");
973
LoadBlob_Auth(&offset, txBlob, ownerAuth);
974
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset,
975
TPM_ORD_DirWriteAuth, txBlob);
977
if ((result = req_mgr_submit_req(txBlob)))
981
result = UnloadBlob_Header(txBlob, ¶mSize);
984
UnloadBlob_Auth(&offset, txBlob, ownerAuth);
986
LogResult("DirWriteAuth", result);
988
auth_mgr_release_auth(ownerAuth, NULL, hContext);
993
TCSP_DirRead_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
994
TCPA_DIRINDEX dirIndex, /* in */
995
TCPA_DIRVALUE * dirValue /* out */
1001
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
1003
LogDebug("Entering DirRead");
1004
if ((result = ctx_verify_context(hContext)))
1007
if (dirValue == NULL)
1008
return TCSERR(TSS_E_BAD_PARAMETER);
1010
if (dirIndex > tpm_metrics.num_dirs)
1011
return TCSERR(TSS_E_BAD_PARAMETER);
1014
LoadBlob_UINT32(&offset, dirIndex, txBlob, "dir index");
1015
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset, TPM_ORD_DirRead, txBlob);
1017
if ((result = req_mgr_submit_req(txBlob)))
1021
result = UnloadBlob_Header(txBlob, ¶mSize);
1023
UnloadBlob(&offset, TCPA_DIRVALUE_SIZE, txBlob,
1024
dirValue->digest, "digest");
1026
LogResult("DirRead", result);
1031
TCSP_Seal_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
1032
TCS_KEY_HANDLE keyHandle, /* in */
1033
TCPA_ENCAUTH encAuth, /* in */
1034
UINT32 pcrInfoSize, /* in */
1035
BYTE * PcrInfo, /* in */
1036
UINT32 inDataSize, /* in */
1037
BYTE * inData, /* in */
1038
TPM_AUTH * pubAuth, /* in, out */
1039
UINT32 * SealedDataSize, /* out */
1040
BYTE ** SealedData /* out */
1046
TCPA_KEY_HANDLE keySlot;
1047
TCPA_STORED_DATA storedData;
1048
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
1050
LogDebug("Entering Seal");
1052
return TCSERR(TSS_E_BAD_PARAMETER);
1054
if ((result = ctx_verify_context(hContext)))
1057
if ((result = auth_mgr_check(hContext, pubAuth->AuthHandle)))
1060
if ((result = ensureKeyIsLoaded(hContext, keyHandle, &keySlot)))
1064
result = TCSERR(TSS_E_FAIL);
1069
LoadBlob_UINT32(&offset, keySlot, txBlob, "handle");
1070
LoadBlob(&offset, TCPA_ENCAUTH_SIZE, txBlob,
1071
encAuth.authdata, "encauth");
1072
LoadBlob_UINT32(&offset, pcrInfoSize, txBlob, "pcr info size");
1073
LoadBlob(&offset, pcrInfoSize, txBlob, PcrInfo, "pcr info");
1074
LoadBlob_UINT32(&offset, inDataSize, txBlob, "in data size");
1075
LoadBlob(&offset, inDataSize, txBlob, inData, "in data");
1077
LoadBlob_Auth(&offset, txBlob, pubAuth);
1078
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset, TPM_ORD_Seal, txBlob);
1080
if ((result = req_mgr_submit_req(txBlob)))
1084
result = UnloadBlob_Header(txBlob, ¶mSize);
1087
if ((result = UnloadBlob_STORED_DATA(&offset, txBlob, &storedData)))
1089
free(storedData.sealInfo);
1090
free(storedData.encData);
1092
*SealedDataSize = offset - 10;
1093
*SealedData = calloc(1, *SealedDataSize);
1094
if (*SealedData == NULL) {
1095
LogError("malloc of %u bytes failed.", *SealedDataSize);
1096
result = TCSERR(TSS_E_OUTOFMEMORY);
1099
memcpy(*SealedData, &txBlob[10], *SealedDataSize);
1100
UnloadBlob_Auth(&offset, txBlob, pubAuth);
1102
LogResult("Seal", result);
1104
auth_mgr_release_auth(pubAuth, NULL, hContext);
1109
TCSP_Unseal_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
1110
TCS_KEY_HANDLE parentHandle, /* in */
1111
UINT32 SealedDataSize, /* in */
1112
BYTE * SealedData, /* in */
1113
TPM_AUTH * parentAuth, /* in, out */
1114
TPM_AUTH * dataAuth, /* in, out */
1115
UINT32 * DataSize, /* out */
1116
BYTE ** Data /* out */
1122
TCPA_KEY_HANDLE keySlot;
1123
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
1125
LogDebug("Entering Unseal");
1127
if (dataAuth == NULL)
1128
return TCSERR(TSS_E_BAD_PARAMETER);
1130
if ((result = ctx_verify_context(hContext)))
1133
if (parentAuth != NULL) {
1134
LogDebug("Auth used");
1135
if ((result = auth_mgr_check(hContext, parentAuth->AuthHandle)))
1138
LogDebug("No Auth");
1141
if ((result = auth_mgr_check(hContext, dataAuth->AuthHandle)))
1144
if ((result = ensureKeyIsLoaded(hContext, parentHandle, &keySlot)))
1148
result = TCSERR(TSS_E_FAIL);
1153
LoadBlob_UINT32(&offset, keySlot, txBlob, "handle");
1154
LoadBlob(&offset, SealedDataSize, txBlob, SealedData, "data");
1155
if (parentAuth != NULL) {
1156
LoadBlob_Auth(&offset, txBlob, parentAuth);
1157
LoadBlob_Auth(&offset, txBlob, dataAuth);
1158
LoadBlob_Header(TPM_TAG_RQU_AUTH2_COMMAND,
1159
offset, TPM_ORD_Unseal, txBlob);
1161
LoadBlob_Auth(&offset, txBlob, dataAuth);
1162
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND,
1163
offset, TPM_ORD_Unseal, txBlob);
1165
if ((result = req_mgr_submit_req(txBlob)))
1169
result = UnloadBlob_Header(txBlob, ¶mSize);
1172
UnloadBlob_UINT32(&offset, DataSize, txBlob,
1173
"sealed data size");
1174
*Data = calloc(1, *DataSize);
1175
if (*Data == NULL) {
1176
LogError("malloc of %u bytes failed.", *DataSize);
1177
result = TCSERR(TSS_E_OUTOFMEMORY);
1180
UnloadBlob(&offset, *DataSize, txBlob, *Data, "sealed data");
1181
if (parentAuth != NULL)
1182
UnloadBlob_Auth(&offset, txBlob, parentAuth);
1183
UnloadBlob_Auth(&offset, txBlob, dataAuth);
1185
LogResult("Unseal", result);
1187
auth_mgr_release_auth(parentAuth, dataAuth, hContext);
1192
TCSP_UnBind_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
1193
TCS_KEY_HANDLE keyHandle, /* in */
1194
UINT32 inDataSize, /* in */
1195
BYTE * inData, /* in */
1196
TPM_AUTH * privAuth, /* in, out */
1197
UINT32 * outDataSize, /* out */
1198
BYTE ** outData /* out */
1204
TCPA_KEY_HANDLE keySlot;
1205
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
1207
LogDebug("Entering TCSI_UnBind");
1208
if ((result = ctx_verify_context(hContext)))
1211
if (privAuth != NULL) {
1212
LogDebug("Auth Used");
1213
if ((result = auth_mgr_check(hContext, privAuth->AuthHandle)))
1216
LogDebug("No Auth");
1219
LogDebugFn("calling ensureKeyIsLoaded for TCS handle 0x%x",
1221
if ((result = ensureKeyIsLoaded(hContext, keyHandle, &keySlot)))
1225
LoadBlob_UINT32(&offset, keySlot, txBlob, "key handle");
1226
LoadBlob_UINT32(&offset, inDataSize, txBlob, "data size");
1227
LoadBlob(&offset, inDataSize, txBlob, inData, "in data");
1228
if (privAuth != NULL) {
1229
LoadBlob_Auth(&offset, txBlob, privAuth);
1230
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND,
1231
offset, TPM_ORD_UnBind, txBlob);
1233
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset,
1234
TPM_ORD_UnBind, txBlob);
1236
if ((result = req_mgr_submit_req(txBlob)))
1240
result = UnloadBlob_Header(txBlob, ¶mSize);
1243
UnloadBlob_UINT32(&offset, outDataSize, txBlob, "out data size");
1244
*outData = calloc(1, *outDataSize);
1245
if (*outData == NULL) {
1246
LogError("malloc of %d bytes failed.", *outDataSize);
1247
result = TCSERR(TSS_E_OUTOFMEMORY);
1249
UnloadBlob(&offset, (*outDataSize), txBlob, *outData, "out data");
1251
if (privAuth != NULL)
1252
UnloadBlob_Auth(&offset, txBlob, privAuth);
1256
auth_mgr_release_auth(privAuth, NULL, hContext);
1261
TCSP_CreateMigrationBlob_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
1262
TCS_KEY_HANDLE parentHandle, /* in */
1263
TSS_MIGRATE_SCHEME migrationType, /* in */
1264
UINT32 MigrationKeyAuthSize, /* in */
1265
BYTE * MigrationKeyAuth, /* in */
1266
UINT32 encDataSize, /* in */
1267
BYTE * encData, /* in */
1268
TPM_AUTH * parentAuth, /* in, out */
1269
TPM_AUTH * entityAuth, /* in, out */
1270
UINT32 * randomSize, /* out */
1271
BYTE ** random, /* out */
1272
UINT32 * outDataSize, /* out */
1273
BYTE ** outData /* out */
1279
TCPA_KEY_HANDLE keyHandle;
1280
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
1282
LogDebug("Entering TPM_CreateMigrationBlob");
1284
if ((result = ctx_verify_context(hContext)))
1287
if (parentAuth != NULL) {
1288
if ((result = auth_mgr_check(hContext, parentAuth->AuthHandle)))
1292
if ((result = auth_mgr_check(hContext, entityAuth->AuthHandle)))
1295
if ((result = ensureKeyIsLoaded(hContext, parentHandle, &keyHandle)))
1298
switch (migrationType) {
1299
case TSS_MS_MIGRATE:
1300
migrationType = TCPA_MS_MIGRATE;
1303
migrationType = TCPA_MS_REWRAP;
1306
migrationType = TCPA_MS_MAINT;
1309
/* Let the TPM return an error */
1314
LoadBlob_UINT32(&offset, keyHandle, txBlob, "parent handle");
1315
LoadBlob_UINT16(&offset, migrationType, txBlob, "mig type");
1316
LoadBlob(&offset, MigrationKeyAuthSize, txBlob,
1317
MigrationKeyAuth, "mig key auth");
1318
LoadBlob_UINT32(&offset, encDataSize, txBlob, "enc size");
1319
LoadBlob(&offset, encDataSize, txBlob, encData, "enc data");
1321
LoadBlob_Auth(&offset, txBlob, parentAuth);
1322
LoadBlob_Auth(&offset, txBlob, entityAuth);
1323
LoadBlob_Header(TPM_TAG_RQU_AUTH2_COMMAND, offset,
1324
TPM_ORD_CreateMigrationBlob, txBlob);
1326
LoadBlob_Auth(&offset, txBlob, entityAuth);
1327
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset,
1328
TPM_ORD_CreateMigrationBlob, txBlob);
1331
if ((result = req_mgr_submit_req(txBlob)))
1335
result = UnloadBlob_Header(txBlob, ¶mSize);
1337
if (result == TSS_SUCCESS) {
1338
UnloadBlob_UINT32(&offset, randomSize, txBlob, "random size");
1339
*random = calloc(1, *randomSize);
1340
if (*random == NULL) {
1341
LogError("malloc of %u bytes failed.", *randomSize);
1342
result = TCSERR(TSS_E_OUTOFMEMORY);
1346
UnloadBlob(&offset, *randomSize, txBlob, *random, "random");
1347
UnloadBlob_UINT32(&offset, outDataSize, txBlob, "out data size");
1348
*outData = calloc(1, *outDataSize);
1349
if (*outData == NULL) {
1351
LogError("malloc of %u bytes failed.", *outDataSize);
1352
result = TCSERR(TSS_E_OUTOFMEMORY);
1355
UnloadBlob(&offset, *outDataSize, txBlob, *outData, "out data");
1357
if (parentAuth != NULL)
1358
UnloadBlob_Auth(&offset, txBlob, parentAuth);
1359
UnloadBlob_Auth(&offset, txBlob, entityAuth);
1361
LogResult("TPM_CreateMigrationBlob", result);
1364
auth_mgr_release_auth(entityAuth, parentAuth, hContext);
1369
TCSP_ConvertMigrationBlob_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
1370
TCS_KEY_HANDLE parentHandle, /* in */
1371
UINT32 inDataSize, /* in */
1372
BYTE * inData, /* in */
1373
UINT32 randomSize, /* in */
1374
BYTE * random, /* in */
1375
TPM_AUTH * parentAuth, /* in, out */
1376
UINT32 * outDataSize, /* out */
1377
BYTE ** outData /* out */
1383
TCPA_KEY_HANDLE keySlot;
1384
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
1386
LogDebug("ConvertMigBlob");
1387
if ((result = ctx_verify_context(hContext)))
1390
if (parentAuth != NULL) {
1391
LogDebug("Auth Used");
1392
if ((result = auth_mgr_check(hContext, parentAuth->AuthHandle)))
1395
LogDebug("No Auth");
1397
if ((result = ensureKeyIsLoaded(hContext, parentHandle, &keySlot)))
1401
LoadBlob_UINT32(&offset, keySlot, txBlob, "parent handle");
1402
LoadBlob_UINT32(&offset, inDataSize, txBlob, "in data size");
1403
LoadBlob(&offset, inDataSize, txBlob, inData, "in data");
1404
LoadBlob_UINT32(&offset, randomSize, txBlob, "random size");
1405
LoadBlob(&offset, randomSize, txBlob, random, "random");
1406
if (parentAuth != NULL) {
1407
LoadBlob_Auth(&offset, txBlob, parentAuth);
1408
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND,
1410
TPM_ORD_ConvertMigrationBlob, txBlob);
1412
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset,
1413
TPM_ORD_ConvertMigrationBlob, txBlob);
1416
if ((result = req_mgr_submit_req(txBlob)))
1420
result = UnloadBlob_Header(txBlob, ¶mSize);
1423
UnloadBlob_UINT32(&offset, outDataSize, txBlob,
1425
*outData = calloc(1, *outDataSize);
1426
if (*outData == NULL) {
1427
LogError("malloc of %d bytes failed.", *outDataSize);
1428
result = TCSERR(TSS_E_OUTOFMEMORY);
1430
UnloadBlob(&offset, *outDataSize, txBlob, *outData, "out data");
1432
if (parentAuth != NULL) {
1433
UnloadBlob_Auth(&offset, txBlob, parentAuth);
1436
LogResult("***Leaving ConvertMigrationBlob with result ", result);
1438
auth_mgr_release_auth(parentAuth, NULL, hContext);
1443
TCSP_AuthorizeMigrationKey_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
1444
TSS_MIGRATE_SCHEME migrateScheme, /* in */
1445
UINT32 MigrationKeySize, /* in */
1446
BYTE * MigrationKey, /* in */
1447
TPM_AUTH * ownerAuth, /* in, out */
1448
UINT32 * MigrationKeyAuthSize, /* out */
1449
BYTE ** MigrationKeyAuth /* out */
1456
TCPA_MIGRATIONKEYAUTH container;
1457
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
1459
LogDebug("TCSP_AuthorizeMigrationKey");
1460
if ((result = ctx_verify_context(hContext)))
1463
if ((result = auth_mgr_check(hContext, ownerAuth->AuthHandle)))
1466
switch (migrateScheme) {
1467
case TSS_MS_MIGRATE:
1468
migrateScheme = TCPA_MS_MIGRATE;
1471
migrateScheme = TCPA_MS_REWRAP;
1474
migrateScheme = TCPA_MS_MAINT;
1477
/* Let the TPM return an error */
1482
LoadBlob_UINT16(&offset, migrateScheme, txBlob, "migation scheme");
1483
LoadBlob(&offset, MigrationKeySize, txBlob, MigrationKey, "pubKey");
1484
LoadBlob_Auth(&offset, txBlob, ownerAuth);
1485
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset,
1486
TPM_ORD_AuthorizeMigrationKey, txBlob);
1487
if ((result = req_mgr_submit_req(txBlob)))
1491
result = UnloadBlob_Header(txBlob, ¶mSize);
1494
if ((result = UnloadBlob_MIGRATIONKEYAUTH(&offset, txBlob, &container)))
1496
free(container.migrationKey.pubKey.key);
1497
free(container.migrationKey.algorithmParms.parms);
1499
*MigrationKeyAuthSize = offset - 10;
1500
*MigrationKeyAuth = calloc(1, *MigrationKeyAuthSize);
1501
if (*MigrationKeyAuth == NULL) {
1502
LogError("malloc of %d bytes failed.", *MigrationKeyAuthSize);
1503
result = TCSERR(TSS_E_OUTOFMEMORY);
1505
memcpy(*MigrationKeyAuth, &txBlob[10], *MigrationKeyAuthSize);
1508
UnloadBlob_Auth(&offset, txBlob, ownerAuth);
1510
LogDebugFn("TPM_AuthorizeMigrationKey result: 0x%x", result);
1512
auth_mgr_release_auth(ownerAuth, NULL, hContext);
1518
TCSP_CertifyKey_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
1519
TCS_KEY_HANDLE certHandle, /* in */
1520
TCS_KEY_HANDLE keyHandle, /* in */
1521
TCPA_NONCE antiReplay, /* in */
1522
TPM_AUTH * certAuth, /* in, out */
1523
TPM_AUTH * keyAuth, /* in, out */
1524
UINT32 * CertifyInfoSize, /* out */
1525
BYTE ** CertifyInfo, /* out */
1526
UINT32 * outDataSize, /* out */
1527
BYTE ** outData /* out */
1533
TCPA_KEY_HANDLE certKeySlot, keySlot;
1534
TCPA_CERTIFY_INFO certifyContainer;
1536
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
1538
LogDebug("Entering Certify Key");
1540
if ((result = ctx_verify_context(hContext)))
1543
if (certAuth != NULL) {
1544
LogDebug("Auth Used for Cert signing key");
1545
if ((result = auth_mgr_check(hContext, certAuth->AuthHandle)))
1548
LogDebug("No Auth used for Cert signing key");
1551
if (keyAuth != NULL) {
1552
LogDebug("Auth Used for Key being signed");
1553
if ((result = auth_mgr_check(hContext, keyAuth->AuthHandle)))
1556
LogDebug("No Auth used for Key being signed");
1559
if ((result = ensureKeyIsLoaded(hContext, certHandle, &certKeySlot)))
1562
if ((result = ensureKeyIsLoaded(hContext, keyHandle, &keySlot)))
1565
LoadBlob_UINT32(&offset, certKeySlot, txBlob, "cert handle");
1566
LoadBlob_UINT32(&offset, keySlot, txBlob, "key handle");
1567
LoadBlob(&offset, TCPA_NONCE_SIZE, txBlob,
1568
antiReplay.nonce, "anti replay");
1570
tag = TPM_TAG_RQU_COMMAND;
1571
if (certAuth != NULL) {
1573
LoadBlob_Auth(&offset, txBlob, certAuth);
1575
if (keyAuth != NULL) {
1577
LoadBlob_Auth(&offset, txBlob, keyAuth);
1579
LoadBlob_Header(tag, offset, TPM_ORD_CertifyKey, txBlob);
1581
if ((result = req_mgr_submit_req(txBlob)))
1586
result = UnloadBlob_Header(txBlob, ¶mSize);
1589
if ((result = UnloadBlob_CERTIFY_INFO(&offset, txBlob, &certifyContainer)))
1591
free(certifyContainer.algorithmParms.parms);
1592
free(certifyContainer.PCRInfo);
1594
*CertifyInfoSize = offset - 10;
1595
*CertifyInfo = calloc(1, *CertifyInfoSize);
1596
if (*CertifyInfo == NULL) {
1597
LogError("malloc of %u bytes failed.", *CertifyInfoSize);
1598
result = TCSERR(TSS_E_OUTOFMEMORY);
1601
memcpy(*CertifyInfo, &txBlob[10], *CertifyInfoSize);
1604
UnloadBlob_UINT32(&offset, outDataSize, txBlob, "out data size");
1605
*outData = calloc(1, *outDataSize);
1606
if (*outData == NULL) {
1608
LogError("malloc of %u bytes failed.", *outDataSize);
1609
result = TCSERR(TSS_E_OUTOFMEMORY);
1612
UnloadBlob(&offset, *outDataSize, txBlob, *outData, "out data");
1615
if (certAuth != NULL) {
1616
UnloadBlob_Auth(&offset, txBlob, certAuth);
1618
if (keyAuth != NULL) {
1619
UnloadBlob_Auth(&offset, txBlob, keyAuth);
1622
LogResult("Certify Key", result);
1624
auth_mgr_release_auth(certAuth, keyAuth, hContext);
1629
TCSP_Sign_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
1630
TCS_KEY_HANDLE keyHandle, /* in */
1631
UINT32 areaToSignSize, /* in */
1632
BYTE * areaToSign, /* in */
1633
TPM_AUTH * privAuth, /* in, out */
1634
UINT32 * sigSize, /* out */
1635
BYTE ** sig /* out */
1641
TCPA_KEY_HANDLE keySlot;
1642
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
1644
LogDebug("Entering Sign");
1645
if ((result = ctx_verify_context(hContext)))
1648
if (privAuth != NULL) {
1649
LogDebug("Auth Used");
1650
if ((result = auth_mgr_check(hContext, privAuth->AuthHandle)))
1653
LogDebug("No Auth");
1656
if ((result = ensureKeyIsLoaded(hContext, keyHandle, &keySlot)))
1661
LoadBlob_UINT32(&offset, keySlot, txBlob, "key handle");
1662
LoadBlob_UINT32(&offset, areaToSignSize, txBlob, "size");
1663
LoadBlob(&offset, areaToSignSize, txBlob, areaToSign,
1665
if (privAuth != NULL) {
1666
LoadBlob_Auth(&offset, txBlob, privAuth);
1667
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND,
1668
offset, TPM_ORD_Sign, txBlob);
1670
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset,
1671
TPM_ORD_Sign, txBlob);
1674
if ((result = req_mgr_submit_req(txBlob)))
1678
result = UnloadBlob_Header(txBlob, ¶mSize);
1681
UnloadBlob_UINT32(&offset, sigSize, txBlob, "sig size");
1682
*sig = calloc(1, *sigSize);
1684
LogError("malloc of %d bytes failed.", *sigSize);
1685
result = TCSERR(TSS_E_OUTOFMEMORY);
1688
UnloadBlob(&offset, *sigSize, txBlob, *sig, "sig");
1689
if (privAuth != NULL)
1690
UnloadBlob_Auth(&offset, txBlob, privAuth);
1692
LogResult("sign", result);
1694
auth_mgr_release_auth(privAuth, NULL, hContext);
1699
* Get a random number generated by the TPM. Most (all?) TPMs return a maximum number of random
1700
* bytes that's less than the max allowed to be returned at the TSP level, which is 4K bytes.
1701
* According to the TPM compliance work posted here: http://www.prosec.rub.de/tpmcompliance.html,
1702
* some TPMs return as little as 132 bytes per query, which would require about 30 loops to get 4K.
1703
* We'll be extremely conservative here and loop 50 times, since it won't affect performance on
1704
* TPMs that return more bytes.
1707
TCSP_GetRandom_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
1708
UINT32 * bytesRequested, /* in, out */
1709
BYTE ** randomBytes /* out */
1714
UINT32 paramSize, totalReturned = 0, bytesReturned, retries = 50;
1715
BYTE txBlob[TSS_TPM_TXBLOB_SIZE], *rnd_tmp = NULL;
1717
LogDebugFn("%u bytes", *bytesRequested);
1719
if ((result = ctx_verify_context(hContext)))
1724
LoadBlob_UINT32(&offset, *bytesRequested - totalReturned,
1725
txBlob, "requested");
1726
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset, TPM_ORD_GetRandom,
1729
if ((result = req_mgr_submit_req(txBlob)))
1733
result = UnloadBlob_Header(txBlob, ¶mSize);
1735
UnloadBlob_UINT32(&offset, &bytesReturned, txBlob,
1736
"random bytes size");
1738
LogDebugFn("received %u bytes from the TPM",
1741
rnd_tmp = realloc(rnd_tmp, totalReturned + bytesReturned);
1742
if (rnd_tmp == NULL) {
1743
LogError("malloc of %d bytes failed.",
1745
return TCSERR(TSS_E_OUTOFMEMORY);
1747
UnloadBlob(&offset, bytesReturned, txBlob,
1748
&rnd_tmp[totalReturned], "random bytes");
1749
totalReturned += bytesReturned;
1754
} while (totalReturned < *bytesRequested && retries--);
1756
if (totalReturned != *bytesRequested) {
1757
LogDebugFn("Only %u random bytes recieved from TPM.", totalReturned);
1759
result = TCSERR(TSS_E_FAIL);
1761
*randomBytes = rnd_tmp;
1767
TCSP_StirRandom_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
1768
UINT32 inDataSize, /* in */
1769
BYTE * inData /* in */
1775
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
1777
LogDebug("Entering stir random");
1779
if ((result = ctx_verify_context(hContext)))
1782
if (inDataSize > 255) {
1783
LogDebugFn("inData is too large! (%u bytes)", inDataSize);
1784
return TCSERR(TSS_E_BAD_PARAMETER);
1788
LoadBlob_UINT32(&offset, inDataSize, txBlob, "in data size");
1789
LoadBlob(&offset, inDataSize, txBlob, inData, "in data");
1790
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset, TPM_ORD_StirRandom,
1793
if ((result = req_mgr_submit_req(txBlob)))
1797
result = UnloadBlob_Header(txBlob, ¶mSize);
1798
LogResult("Stir random", result);
1803
internal_TCSGetCap(TCS_CONTEXT_HANDLE hContext,
1804
TCPA_CAPABILITY_AREA capArea,
1805
UINT32 subCapSize, BYTE * subCap,
1806
UINT32 * respSize, BYTE ** resp)
1808
UINT32 tcsSubCapContainer;
1811
TCPA_VERSION tcsVersion = INTERNAL_CAP_TCS_VERSION;
1813
if ((result = ctx_verify_context(hContext)))
1816
LogDebug("Checking Software Cap of TCS");
1818
case TSS_TCSCAP_ALG:
1819
LogDebug("TSS_TCSCAP_ALG");
1820
tcsSubCapContainer = Decode_UINT32(subCap);
1823
if (*resp == NULL) {
1824
LogError("malloc of %d bytes failed.", 1);
1825
return TCSERR(TSS_E_OUTOFMEMORY);
1827
switch (tcsSubCapContainer) {
1829
(*resp)[0] = INTERNAL_CAP_TCS_ALG_RSA;
1832
(*resp)[0] = INTERNAL_CAP_TCS_ALG_DES;
1835
(*resp)[0] = INTERNAL_CAP_TCS_ALG_3DES;
1838
(*resp)[0] = INTERNAL_CAP_TCS_ALG_SHA;
1841
(*resp)[0] = INTERNAL_CAP_TCS_ALG_AES;
1844
(*resp)[0] = INTERNAL_CAP_TCS_ALG_HMAC;
1849
return TCSERR(TSS_E_FAIL);
1852
case TSS_TCSCAP_VERSION:
1853
LogDebug("TSS_TCSCAP_VERSION");
1854
*resp = calloc(1, 4);
1855
if (*resp == NULL) {
1856
LogError("malloc of %d bytes failed.", 4);
1857
return TCSERR(TSS_E_OUTOFMEMORY);
1860
LoadBlob_VERSION(&offset, *resp, &tcsVersion);
1863
case TSS_TCSCAP_PERSSTORAGE:
1864
LogDebug("TSS_TCSCAP_PERSSTORAGE");
1867
if (*resp == NULL) {
1868
LogError("malloc of %d byte failed.", 1);
1869
return TCSERR(TSS_E_OUTOFMEMORY);
1871
(*resp)[0] = INTERNAL_CAP_TCS_PERSSTORAGE;
1874
case TSS_TCSCAP_CACHING:
1875
LogDebug("TSS_TCSCAP_CACHING");
1876
tcsSubCapContainer = Decode_UINT32(subCap);
1877
if (tcsSubCapContainer == TSS_TCSCAP_PROP_KEYCACHE) {
1880
if (*resp == NULL) {
1881
LogError("malloc of %d byte failed.", 1);
1882
return TCSERR(TSS_E_OUTOFMEMORY);
1884
(*resp)[0] = INTERNAL_CAP_TCS_CACHING_KEYCACHE;
1885
} else if (tcsSubCapContainer == TSS_TCSCAP_PROP_AUTHCACHE) {
1888
if (*resp == NULL) {
1889
LogError("malloc of %d byte failed.", 1);
1890
return TCSERR(TSS_E_OUTOFMEMORY);
1892
(*resp)[0] = INTERNAL_CAP_TCS_CACHING_AUTHCACHE;
1894
LogDebugFn("Bad subcap");
1895
return TCSERR(TSS_E_FAIL);
1898
case TSS_TCSCAP_MANUFACTURER:
1899
tcsSubCapContainer = Decode_UINT32(subCap);
1900
if (tcsSubCapContainer == TSS_TCSCAP_PROP_MANUFACTURER_ID) {
1901
*respSize = sizeof(UINT32);
1902
*resp = malloc(sizeof(UINT32));
1903
if (*resp == NULL) {
1904
LogError("malloc of %zd byte failed.", sizeof(UINT32));
1905
return TCSERR(TSS_E_OUTOFMEMORY);
1907
*(UINT32 *)(*resp) = INTERNAL_CAP_TCS_MANUFACTURER_ID;
1908
} else if (tcsSubCapContainer == TSS_TCSCAP_PROP_MANUFACTURER_STR) {
1909
BYTE str[] = INTERNAL_CAP_TCS_MANUFACTURER_STR;
1911
*respSize = INTERNAL_CAP_TCS_MANUFACTURER_STR_LEN;
1912
*resp = malloc(INTERNAL_CAP_TCS_MANUFACTURER_STR_LEN);
1913
if (*resp == NULL) {
1914
LogError("malloc of %d byte failed.", 1);
1915
return TCSERR(TSS_E_OUTOFMEMORY);
1917
memcpy(*resp, str, INTERNAL_CAP_TCS_MANUFACTURER_STR_LEN);
1919
LogDebugFn("Bad subcap");
1920
return TCSERR(TSS_E_FAIL);
1924
return TCSERR(TSS_E_FAIL);
1931
TCS_GetCapability_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
1932
TCPA_CAPABILITY_AREA capArea, /* in */
1933
UINT32 subCapSize, /* in */
1934
BYTE * subCap, /* in */
1935
UINT32 * respSize, /* out */
1936
BYTE ** resp /* out */
1941
if ((result = ctx_verify_context(hContext)))
1944
return internal_TCSGetCap(hContext, capArea, subCapSize, subCap,
1949
TCSP_GetCapability_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
1950
TCPA_CAPABILITY_AREA capArea, /* in */
1951
UINT32 subCapSize, /* in */
1952
BYTE * subCap, /* in */
1953
UINT32 * respSize, /* out */
1954
BYTE ** resp /* out */
1960
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
1962
if ((result = ctx_verify_context(hContext)))
1965
LogDebug("Entering Get Cap");
1967
LoadBlob_UINT32(&offset, capArea, txBlob, "capArea");
1968
LoadBlob_UINT32(&offset, subCapSize, txBlob, "sub cap size");
1969
LoadBlob(&offset, subCapSize, txBlob, subCap, "sub cap");
1970
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset,
1971
TPM_ORD_GetCapability, txBlob);
1973
if ((result = req_mgr_submit_req(txBlob)))
1977
result = UnloadBlob_Header(txBlob, ¶mSize);
1979
UnloadBlob_UINT32(&offset, respSize, txBlob, "resp size");
1980
*resp = malloc(*respSize);
1981
if (*resp == NULL) {
1982
LogError("malloc of %d bytes failed.", *respSize);
1983
return TCSERR(TSS_E_OUTOFMEMORY);
1985
UnloadBlob(&offset, *respSize, txBlob, *resp, "resp");
1987
LogResult("Get Cap", result);
1992
TCSP_GetCapabilityOwner_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
1993
TPM_AUTH * pOwnerAuth, /* out */
1994
TCPA_VERSION * pVersion, /* out */
1995
UINT32 * pNonVolatileFlags, /* out */
1996
UINT32 * pVolatileFlags /* out */
2002
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2004
LogDebug("Entering Getcap owner");
2006
if ((result = ctx_verify_context(hContext)))
2009
if ((result = auth_mgr_check(hContext, pOwnerAuth->AuthHandle)))
2013
LoadBlob_Auth(&offset, txBlob, pOwnerAuth);
2014
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset,
2015
TPM_ORD_GetCapabilityOwner, txBlob);
2017
if ((result = req_mgr_submit_req(txBlob)))
2021
result = UnloadBlob_Header(txBlob, ¶mSize);
2024
UnloadBlob_VERSION(&offset, txBlob, pVersion);
2025
UnloadBlob_UINT32(&offset, pNonVolatileFlags, txBlob,
2027
UnloadBlob_UINT32(&offset, pVolatileFlags, txBlob, "vol flags");
2028
UnloadBlob_Auth(&offset, txBlob, pOwnerAuth);
2031
LogResult("GetCapowner", result);
2033
auth_mgr_release_auth(pOwnerAuth, NULL, hContext);
2038
TCSP_CreateEndorsementKeyPair_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2039
TCPA_NONCE antiReplay, /* in */
2040
UINT32 endorsementKeyInfoSize, /* in */
2041
BYTE * endorsementKeyInfo, /* in */
2042
UINT32 * endorsementKeySize, /* out */
2043
BYTE ** endorsementKey, /* out */
2044
TCPA_DIGEST * checksum /* out */
2051
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2053
if ((result = ctx_verify_context(hContext)))
2057
LoadBlob(&offset, TCPA_NONCE_SIZE, txBlob, antiReplay.nonce,
2059
LoadBlob(&offset, endorsementKeyInfoSize, txBlob,
2060
endorsementKeyInfo, "ek stuff");
2061
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset,
2062
TPM_ORD_CreateEndorsementKeyPair, txBlob);
2064
if ((result = req_mgr_submit_req(txBlob)))
2068
result = UnloadBlob_Header(txBlob, ¶mSize);
2070
if ((result = UnloadBlob_PUBKEY(&offset, txBlob, &pubKey)))
2072
free(pubKey.pubKey.key);
2073
free(pubKey.algorithmParms.parms);
2075
*endorsementKeySize = offset - 10;
2076
*endorsementKey = malloc(*endorsementKeySize);
2077
if (*endorsementKey == NULL) {
2078
LogError("malloc of %u bytes failed.",
2079
*endorsementKeySize);
2080
return TCSERR(TSS_E_OUTOFMEMORY);
2082
memcpy(*endorsementKey, &txBlob[10], *endorsementKeySize);
2084
UnloadBlob(&offset, TCPA_DIGEST_SIZE, txBlob,
2085
checksum->digest, "digest");
2088
LogDebug("Leaving CreateEKPair with result: 0x%x", result);
2093
TCSP_ReadPubek_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2094
TCPA_NONCE antiReplay, /* in */
2095
UINT32 * pubEndorsementKeySize, /* out */
2096
BYTE ** pubEndorsementKey, /* out */
2097
TCPA_DIGEST * checksum /* out */
2104
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2106
LogDebugFn("Enter");
2108
if ((result = ctx_verify_context(hContext)))
2112
LoadBlob(&offset, 20, txBlob, antiReplay.nonce, "anti replay");
2113
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset, TPM_ORD_ReadPubek, txBlob);
2114
if ((result = req_mgr_submit_req(txBlob)))
2118
result = UnloadBlob_Header(txBlob, ¶mSize);
2121
if ((result = UnloadBlob_PUBKEY(&offset, txBlob, &pubkey)))
2123
free(pubkey.pubKey.key);
2124
free(pubkey.algorithmParms.parms);
2126
*pubEndorsementKeySize = (UINT32) (offset - 10);
2127
*pubEndorsementKey = malloc(*pubEndorsementKeySize);
2128
if (*pubEndorsementKey == NULL) {
2129
LogError("malloc of %u bytes failed.", *pubEndorsementKeySize);
2130
return TCSERR(TSS_E_OUTOFMEMORY);
2132
memcpy(*pubEndorsementKey, &txBlob[10], *pubEndorsementKeySize);
2133
UnloadBlob(&offset, TCPA_DIGEST_SIZE, txBlob,
2134
checksum->digest, "digest");
2137
LogDebugFn("result: 0x%x", result);
2142
TCSP_DisablePubekRead_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2143
TPM_AUTH * ownerAuth /* in, out */
2149
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2151
LogDebug("DisablePubekRead");
2153
if ((result = ctx_verify_context(hContext)))
2156
if ((result = auth_mgr_check(hContext, ownerAuth->AuthHandle)))
2160
LoadBlob_Auth(&offset, txBlob, ownerAuth);
2161
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset,
2162
TPM_ORD_DisablePubekRead, txBlob);
2164
if ((result = req_mgr_submit_req(txBlob)))
2168
result = UnloadBlob_Header(txBlob, ¶mSize);
2171
UnloadBlob_Auth(&offset, txBlob, ownerAuth);
2174
auth_mgr_release_auth(ownerAuth, NULL, hContext);
2179
TCSP_OwnerReadPubek_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2180
TPM_AUTH * ownerAuth, /* in, out */
2181
UINT32 * pubEndorsementKeySize, /* out */
2182
BYTE ** pubEndorsementKey /* out */
2188
TCPA_PUBKEY container;
2189
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2191
LogDebug("Entering OwnerReadPubek");
2193
if ((result = ctx_verify_context(hContext)))
2196
if ((result = auth_mgr_check(hContext, ownerAuth->AuthHandle)))
2200
LoadBlob_Auth(&offset, txBlob, ownerAuth);
2202
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset,
2203
TPM_ORD_OwnerReadPubek, txBlob);
2205
if ((result = req_mgr_submit_req(txBlob)))
2208
result = UnloadBlob_Header(txBlob, ¶mSize);
2212
/* Call UnloadBlob to parse the data and set its size in &offset */
2213
if ((result = UnloadBlob_PUBKEY(&offset, txBlob, &container)))
2216
free(container.pubKey.key);
2217
free(container.algorithmParms.parms);
2219
*pubEndorsementKeySize = offset - 10;
2220
*pubEndorsementKey = malloc(*pubEndorsementKeySize);
2221
if (*pubEndorsementKey == NULL) {
2222
LogError("malloc of %u bytes failed.", *pubEndorsementKeySize);
2223
result = TCSERR(TSS_E_OUTOFMEMORY);
2226
memcpy(*pubEndorsementKey, &txBlob[10], *pubEndorsementKeySize);
2227
UnloadBlob_Auth(&offset, txBlob, ownerAuth);
2229
LogResult("Owner Read Pubek", result);
2231
auth_mgr_release_auth(ownerAuth, NULL, hContext);
2236
TCSP_SelfTestFull_Internal(TCS_CONTEXT_HANDLE hContext /* in */
2241
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2243
LogDebug("Entering Self Test Full");
2244
if ((result = ctx_verify_context(hContext)))
2247
LoadBlob_Header(TPM_TAG_RQU_COMMAND, 0x0A, TPM_ORD_SelfTestFull,
2250
if ((result = req_mgr_submit_req(txBlob)))
2253
result = UnloadBlob_Header(txBlob, ¶mSize);
2254
LogResult("Self Test Full", result);
2259
TCSP_CertifySelfTest_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2260
TCS_KEY_HANDLE keyHandle, /* in */
2261
TCPA_NONCE antiReplay, /* in */
2262
TPM_AUTH * privAuth, /* in, out */
2263
UINT32 * sigSize, /* out */
2264
BYTE ** sig /* out */
2270
TCPA_KEY_HANDLE keySlot;
2271
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2273
LogDebug("Entering Certify Self Test");
2275
if ((result = ctx_verify_context(hContext)))
2278
if (privAuth != NULL) {
2279
LogDebug("Auth Used");
2280
if ((result = auth_mgr_check(hContext, privAuth->AuthHandle)))
2283
LogDebug("No Auth");
2286
if ((result = ensureKeyIsLoaded(hContext, keyHandle, &keySlot)))
2290
LoadBlob_UINT32(&offset, keySlot, txBlob, "key handle");
2291
LoadBlob(&offset, TCPA_NONCE_SIZE, txBlob,
2292
antiReplay.nonce, "nonoce");
2293
if (privAuth != NULL) {
2294
LoadBlob_Auth(&offset, txBlob, privAuth);
2295
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND,
2296
offset, TPM_ORD_CertifySelfTest,
2299
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset,
2300
TPM_ORD_CertifySelfTest, txBlob);
2303
if ((result = req_mgr_submit_req(txBlob)))
2307
result = UnloadBlob_Header(txBlob, ¶mSize);
2310
UnloadBlob_UINT32(&offset, sigSize, txBlob, "sig size");
2311
*sig = malloc(*sigSize);
2313
LogError("malloc of %d bytes failed.", *sigSize);
2314
result = TCSERR(TSS_E_OUTOFMEMORY);
2317
UnloadBlob(&offset, *sigSize, txBlob, *sig, "sig");
2318
if (privAuth != NULL)
2319
UnloadBlob_Auth(&offset, txBlob, privAuth);
2321
LogResult("Certify Self Test", result);
2323
auth_mgr_release_auth(privAuth, NULL, hContext);
2328
TCSP_GetTestResult_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2329
UINT32 * outDataSize, /* out */
2330
BYTE ** outData /* out */
2336
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2338
LogDebug("Entering Get Test Result");
2339
if ((result = ctx_verify_context(hContext)))
2342
LoadBlob_Header(TPM_TAG_RQU_COMMAND, 0x0A, TPM_ORD_GetTestResult, txBlob);
2344
if ((result = req_mgr_submit_req(txBlob)))
2349
result = UnloadBlob_Header(txBlob, ¶mSize);
2351
UnloadBlob_UINT32(&offset, outDataSize, txBlob, "data size");
2352
*outData = malloc(*outDataSize);
2353
if (*outData == NULL) {
2354
LogError("malloc of %d bytes failed.", *outDataSize);
2355
return TCSERR(TSS_E_OUTOFMEMORY);
2357
UnloadBlob(&offset, *outDataSize, txBlob, *outData, "outdata");
2358
LogBlob(*outDataSize, *outData);
2360
LogResult("Get Test Result", result);
2365
TCSP_OwnerSetDisable_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2366
TSS_BOOL disableState, /* in */
2367
TPM_AUTH * ownerAuth /* in, out */
2373
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2377
if ((result = ctx_verify_context(hContext)))
2380
if ((result = auth_mgr_check(hContext, ownerAuth->AuthHandle)))
2383
LoadBlob_BOOL(&offset, disableState, txBlob, "State");
2384
LoadBlob_Auth(&offset, txBlob, ownerAuth);
2385
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset,
2386
TPM_ORD_OwnerSetDisable, txBlob);
2388
if ((result = req_mgr_submit_req(txBlob)))
2392
result = UnloadBlob_Header(txBlob, ¶mSize);
2395
UnloadBlob_Auth(&offset, txBlob, ownerAuth);
2398
auth_mgr_release_auth(ownerAuth, NULL, hContext);
2403
TCSP_OwnerClear_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2404
TPM_AUTH * ownerAuth /* in, out */
2410
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2412
LogDebug("Entering OwnerClear");
2414
if ((result = ctx_verify_context(hContext)))
2417
if ((result = auth_mgr_check(hContext, ownerAuth->AuthHandle)))
2421
LoadBlob_Auth(&offset, txBlob, ownerAuth);
2422
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset,
2423
TPM_ORD_OwnerClear, txBlob);
2425
if ((result = req_mgr_submit_req(txBlob)))
2429
result = UnloadBlob_Header(txBlob, ¶mSize);
2432
UnloadBlob_Auth(&offset, txBlob, ownerAuth);
2434
LogResult("Ownerclear", result);
2436
auth_mgr_release_auth(ownerAuth, NULL, hContext);
2441
TCSP_DisableOwnerClear_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2442
TPM_AUTH * ownerAuth /* in, out */
2448
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2450
LogDebug("Entering DisableownerClear");
2452
if ((result = ctx_verify_context(hContext)))
2455
if ((result = auth_mgr_check(hContext, ownerAuth->AuthHandle)))
2459
LoadBlob_Auth(&offset, txBlob, ownerAuth);
2460
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset,
2461
TPM_ORD_DisableOwnerClear, txBlob);
2463
if ((result = req_mgr_submit_req(txBlob)))
2467
result = UnloadBlob_Header(txBlob, ¶mSize);
2470
UnloadBlob_Auth(&offset, txBlob, ownerAuth);
2472
LogResult("DisableOwnerClear", result);
2474
auth_mgr_release_auth(ownerAuth, NULL, hContext);
2479
TCSP_ForceClear_Internal(TCS_CONTEXT_HANDLE hContext /* in */
2484
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2486
LogDebug("Entering Force Clear");
2487
if ((result = ctx_verify_context(hContext)))
2490
LoadBlob_Header(TPM_TAG_RQU_COMMAND, 0x0A, TPM_ORD_ForceClear, txBlob);
2492
if ((result = req_mgr_submit_req(txBlob)))
2495
result = UnloadBlob_Header(txBlob, ¶mSize);
2496
LogResult("Force Clear", result);
2501
TCSP_DisableForceClear_Internal(TCS_CONTEXT_HANDLE hContext /* in */
2506
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2508
LogDebug("Entering Disable Force Clear");
2509
if ((result = ctx_verify_context(hContext)))
2512
LoadBlob_Header(TPM_TAG_RQU_COMMAND, 0x0A,
2513
TPM_ORD_DisableForceClear, txBlob);
2515
if ((result = req_mgr_submit_req(txBlob)))
2518
result = UnloadBlob_Header(txBlob, ¶mSize);
2519
LogResult("Disable Force Clear", result);
2525
TCSP_PhysicalPresence_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2526
TCPA_PHYSICAL_PRESENCE fPhysicalPresence /* in */
2531
TSS_RESULT result = TCSERR(TSS_E_NOTIMPL);
2532
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2535
runlevel = platform_get_runlevel();
2537
if (runlevel != 's' && runlevel != 'S' && runlevel != '1') {
2538
LogInfo("Physical Presence command denied: Must be in single"
2540
return TCSERR(TSS_E_NOTIMPL);
2543
if ((result = ctx_verify_context(hContext)))
2547
LoadBlob_UINT16(&offset, fPhysicalPresence, txBlob, NULL);
2548
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset,
2549
TPM_ORD_PhysicalPresence, txBlob);
2551
if ((result = req_mgr_submit_req(txBlob)))
2554
return UnloadBlob_Header(txBlob, ¶mSize);
2558
TCSP_PhysicalDisable_Internal(TCS_CONTEXT_HANDLE hContext /* in */
2563
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2565
LogDebug("Entering Physical Disable");
2566
if ((result = ctx_verify_context(hContext)))
2569
/* XXX ooh, magic */
2570
LoadBlob_Header(TPM_TAG_RQU_COMMAND, 0x0A,
2571
TPM_ORD_PhysicalDisable, txBlob);
2573
if ((result = req_mgr_submit_req(txBlob)))
2576
result = UnloadBlob_Header(txBlob, ¶mSize);
2577
LogResult("Physical Disable", result);
2583
TCSP_PhysicalEnable_Internal(TCS_CONTEXT_HANDLE hContext /* in */
2588
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2590
LogDebug("Entering Physical Enable");
2591
if ((result = ctx_verify_context(hContext)))
2594
LoadBlob_Header(TPM_TAG_RQU_COMMAND, 0x0A,
2595
TPM_ORD_PhysicalEnable, txBlob);
2597
if ((result = req_mgr_submit_req(txBlob)))
2600
result = UnloadBlob_Header(txBlob, ¶mSize);
2601
LogResult("Physical Enable", result);
2607
TCSP_PhysicalSetDeactivated_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2608
TSS_BOOL state /* in */
2614
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2616
LogDebug("Entering Physical Set Decativated");
2617
if ((result = ctx_verify_context(hContext)))
2621
LoadBlob_BOOL(&offset, state, txBlob, "State");
2622
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset,
2623
TPM_ORD_PhysicalSetDeactivated, txBlob);
2625
if ((result = req_mgr_submit_req(txBlob)))
2628
result = UnloadBlob_Header(txBlob, ¶mSize);
2629
LogResult("PhysicalSetDeactivated", result);
2634
TCSP_SetTempDeactivated_Internal(TCS_CONTEXT_HANDLE hContext /* in */
2639
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2641
LogDebug("Entering Set Temp Deactivated");
2642
if ((result = ctx_verify_context(hContext)))
2645
LoadBlob_Header(TPM_TAG_RQU_COMMAND, 0x0A,
2646
TPM_ORD_SetTempDeactivated, txBlob);
2648
if ((result = req_mgr_submit_req(txBlob)))
2651
result = UnloadBlob_Header(txBlob, ¶mSize);
2652
LogResult("SetTempDeactivated", result);
2658
TCSP_FieldUpgrade_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2659
UINT32 dataInSize, /* in */
2660
BYTE * dataIn, /* in */
2661
UINT32 * dataOutSize, /* out */
2662
BYTE ** dataOut, /* out */
2663
TPM_AUTH * ownerAuth /* in, out */
2669
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2671
LogDebug("Field Upgrade");
2673
if ((result = ctx_verify_context(hContext)))
2676
if ((result = auth_mgr_check(hContext, ownerAuth->AuthHandle)))
2680
if (dataInSize != 0) {
2681
LoadBlob_UINT32(&offset, dataInSize, txBlob,
2683
LoadBlob(&offset, dataInSize, txBlob, dataIn, "data");
2685
LoadBlob_Auth(&offset, txBlob, ownerAuth);
2687
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset,
2688
TPM_ORD_FieldUpgrade, txBlob);
2690
if ((result = req_mgr_submit_req(txBlob)))
2693
result = UnloadBlob_Header(txBlob, ¶mSize);
2697
if (dataInSize != 0) {
2698
UnloadBlob_UINT32(&offset, dataOutSize, txBlob, "size");
2699
*dataOut = malloc(*dataOutSize);
2700
if (*dataOut == NULL) {
2701
LogError("malloc of %u bytes failed.",
2703
result = TCSERR(TSS_E_OUTOFMEMORY);
2706
UnloadBlob(&offset, *dataOutSize, txBlob,
2709
UnloadBlob_Auth(&offset, txBlob, ownerAuth);
2711
LogResult("Field Upgrade", result);
2713
auth_mgr_release_auth(ownerAuth, NULL, hContext);
2718
TCSP_SetRedirection_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2719
TCS_KEY_HANDLE keyHandle, /* in */
2722
TPM_AUTH * privAuth /* in, out */
2728
TCPA_KEY_HANDLE keySlot;
2729
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2731
LogDebug("Set Redirection");
2733
if ((result = ctx_verify_context(hContext)))
2736
if (privAuth != NULL) {
2737
if ((result = auth_mgr_check(hContext, privAuth->AuthHandle)))
2741
if ((result = ensureKeyIsLoaded(hContext, keyHandle, &keySlot))) {
2742
result = TCSERR(TSS_E_FAIL);
2747
LoadBlob_UINT32(&offset, keySlot, txBlob, "key slot");
2748
LoadBlob_UINT32(&offset, c1, txBlob, "c1");
2749
LoadBlob_UINT32(&offset, c2, txBlob, "c2");
2750
if (privAuth != NULL) {
2751
LoadBlob_Auth(&offset, txBlob, privAuth);
2752
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND,
2753
offset, TPM_ORD_SetRedirection, txBlob);
2755
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset,
2756
TPM_ORD_SetRedirection, txBlob);
2758
if ((result = req_mgr_submit_req(txBlob)))
2761
result = UnloadBlob_Header(txBlob, ¶mSize);
2765
if (privAuth != NULL)
2766
UnloadBlob_Auth(&offset, txBlob, privAuth);
2768
LogResult("Set Redirection", result);
2770
auth_mgr_release_auth(privAuth, NULL, hContext);
2775
TCSP_CreateMaintenanceArchive_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2776
TSS_BOOL generateRandom, /* in */
2777
TPM_AUTH * ownerAuth, /* in, out */
2778
UINT32 * randomSize, /* out */
2779
BYTE ** random, /* out */
2780
UINT32 * archiveSize, /* out */
2781
BYTE ** archive /* out */
2787
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2789
LogDebug("Create Main Archive");
2791
if ((result = ctx_verify_context(hContext)))
2794
if ((result = auth_mgr_check(hContext, ownerAuth->AuthHandle)))
2798
LoadBlob_BOOL(&offset, generateRandom, txBlob, "gen rand");
2799
LoadBlob_Auth(&offset, txBlob, ownerAuth);
2801
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset,
2802
TPM_ORD_CreateMaintenanceArchive, txBlob);
2804
if ((result = req_mgr_submit_req(txBlob)))
2807
result = UnloadBlob_Header(txBlob, ¶mSize);
2811
UnloadBlob_UINT32(&offset, randomSize, txBlob, "random size");
2812
*random = malloc(*randomSize);
2813
if (*random == NULL) {
2814
LogError("malloc of %d bytes failed.", *randomSize);
2815
result = TCSERR(TSS_E_OUTOFMEMORY);
2818
UnloadBlob(&offset, *randomSize, txBlob, *random, "random");
2821
UnloadBlob_UINT32(&offset, archiveSize, txBlob, "archive size");
2822
*archive = malloc(*archiveSize);
2823
if (*archive == NULL) {
2825
LogError("malloc of %d bytes failed.", *archiveSize);
2826
result = TCSERR(TSS_E_OUTOFMEMORY);
2829
UnloadBlob(&offset, *archiveSize, txBlob, *archive, "archive");
2832
UnloadBlob_Auth(&offset, txBlob, ownerAuth);
2834
LogResult("Create Main Archive", result);
2836
auth_mgr_release_auth(ownerAuth, NULL, hContext);
2841
TCSP_LoadMaintenanceArchive_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2842
UINT32 dataInSize, /* in */
2843
BYTE * dataIn, /* in */
2844
TPM_AUTH * ownerAuth, /* in, out */
2845
UINT32 * dataOutSize, /* out */
2846
BYTE ** dataOut /* out */
2852
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2854
LogDebug("Load Maint Archive");
2856
if ((result = ctx_verify_context(hContext)))
2859
if ((result = auth_mgr_check(hContext, ownerAuth->AuthHandle)))
2863
if (dataInSize != 0) {
2864
LoadBlob_UINT32(&offset, dataInSize, txBlob,
2865
"vendor data size");
2866
LoadBlob(&offset, dataInSize, txBlob, dataIn,
2869
LoadBlob_Auth(&offset, txBlob, ownerAuth);
2871
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset,
2872
TPM_ORD_LoadMaintenanceArchive, txBlob);
2874
if ((result = req_mgr_submit_req(txBlob)))
2877
result = UnloadBlob_Header(txBlob, ¶mSize);
2881
if (dataInSize != 0) {
2882
UnloadBlob_UINT32(&offset, dataOutSize, txBlob, "vendor data size");
2883
*dataOut = calloc(1, *dataOutSize);
2884
if (*dataOut == NULL) {
2885
LogError("malloc of %u bytes failed.",
2887
result = TCSERR(TSS_E_OUTOFMEMORY);
2890
UnloadBlob(&offset, *dataOutSize, txBlob,
2891
*dataOut, "vendor data");
2893
UnloadBlob_Auth(&offset, txBlob, ownerAuth);
2895
LogResult("Load Maint Archive", result);
2897
auth_mgr_release_auth(ownerAuth, NULL, hContext);
2902
TCSP_KillMaintenanceFeature_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2903
TPM_AUTH * ownerAuth /* in, out */
2909
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2911
if ((result = ctx_verify_context(hContext)))
2914
if ((result = auth_mgr_check(hContext, ownerAuth->AuthHandle)))
2918
LoadBlob_Auth(&offset, txBlob, ownerAuth);
2920
LoadBlob_Header(TPM_TAG_RQU_AUTH1_COMMAND, offset,
2921
TPM_ORD_KillMaintenanceFeature, txBlob);
2923
if ((result = req_mgr_submit_req(txBlob)))
2926
result = UnloadBlob_Header(txBlob, ¶mSize);
2930
UnloadBlob_Auth(&offset, txBlob, ownerAuth);
2933
auth_mgr_release_auth(ownerAuth, NULL, hContext);
2938
TCSP_LoadManuMaintPub_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2939
TCPA_NONCE antiReplay, /* in */
2940
UINT32 PubKeySize, /* in */
2941
BYTE * PubKey, /* in */
2942
TCPA_DIGEST * checksum /* out */
2948
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2950
LogDebug("Entering Load Manu Maint Pub");
2953
LoadBlob(&offset, 20, txBlob, antiReplay.nonce, "checksum");
2954
LoadBlob(&offset, PubKeySize, txBlob, PubKey, "pubkey");
2955
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset,
2956
TPM_ORD_LoadManuMaintPub, txBlob);
2958
if ((result = req_mgr_submit_req(txBlob)))
2961
result = UnloadBlob_Header(txBlob, ¶mSize);
2964
UnloadBlob(&offset, 20, txBlob, checksum->digest, "checksum");
2966
LogResult("Load Manu Maint Pub", result);
2971
TCSP_ReadManuMaintPub_Internal(TCS_CONTEXT_HANDLE hContext, /* in */
2972
TCPA_NONCE antiReplay, /* in */
2973
TCPA_DIGEST * checksum /* out */
2979
BYTE txBlob[TSS_TPM_TXBLOB_SIZE];
2981
LogDebug("Entering Read Manu Maint Pub");
2984
LoadBlob(&offset, 20, txBlob, antiReplay.nonce, "checksum");
2985
LoadBlob_Header(TPM_TAG_RQU_COMMAND, offset,
2986
TPM_ORD_ReadManuMaintPub, txBlob);
2988
if ((result = req_mgr_submit_req(txBlob)))
2991
result = UnloadBlob_Header(txBlob, ¶mSize);
2994
UnloadBlob(&offset, 20, txBlob, checksum->digest, "checksum");
2996
LogResult("Read Manu Maint Pub", result);