Merge pull request parallaxsecond#507 from Superhepper/native-tpms-context

Native tpms context

Author: wiktor-k

tss-esapi/src/abstraction/transient/mod.rs

@@ -20,10 +20,11 @@ use crate::{
     structures::{
         Auth, CreateKeyResult, Data, Digest, EccPoint, EccScheme, Name, Public, PublicBuilder,
         PublicEccParametersBuilder, PublicKeyRsa, PublicRsaParametersBuilder, RsaExponent,
-        RsaScheme, Signature, SignatureScheme, SymmetricDefinitionObject, VerifiedTicket,
+        RsaScheme, SavedTpmContext, Signature, SignatureScheme, SymmetricDefinitionObject,
+        VerifiedTicket,
     },
     tcti_ldr::TctiNameConf,
-    utils::{create_restricted_decryption_rsa_public, PublicKey, TpmsContext},
+    utils::{create_restricted_decryption_rsa_public, PublicKey},
     Context, Error, Result, ReturnCode, WrapperErrorKind as ErrorKind,
 };
 
@@ -341,7 +342,7 @@ impl TransientKeyContext {
     /// just a public key.
     pub fn migrate_key_from_ctx(
         &mut self,
-        context: TpmsContext,
+        context: SavedTpmContext,
         auth: Option<Auth>,
     ) -> Result<KeyMaterial> {
         self.set_session_attrs()?;

tss-esapi/src/constants/tss.rs

@@ -644,6 +644,10 @@ pub const TSS2_RESMGR_TPM_RC_LAYER: TSS2_RC = 0x000C0000; /* base is a TPM2_RC_*
 
 pub const TSS2_RC_SUCCESS: TSS2_RC = 0x00000000;
 
+pub const TPMI_DH_SAVED_TRANSIENT: TPMI_DH_SAVED = 0x80000000; /* an ordinary transient object */
+pub const TPMI_DH_SAVED_SEQUENCE: TPMI_DH_SAVED = 0x80000001; /* a sequence object */
+pub const TPMI_DH_SAVED_TRANSIENT_CLEAR: TPMI_DH_SAVED = 0x80000002; /* a transient object with the stClear attribute SET */
+
 pub use crate::tss2_esys::TSS2_BASE_RC_ABI_MISMATCH; /* Passed in ABI version doesn't match called module's ABI version */
 pub use crate::tss2_esys::TSS2_BASE_RC_BAD_CONTEXT; /* A context structure is bad */
 pub use crate::tss2_esys::TSS2_BASE_RC_BAD_REFERENCE; /* A pointer is NULL that isn't allowed to be NULL. */

tss-esapi/src/context/tpm_commands/context_management.rs

@@ -4,12 +4,12 @@ use crate::{
     context::handle_manager::HandleDropAction,
     handles::{handle_conversion::TryIntoNotNone, AuthHandle, ObjectHandle, PersistentTpmHandle},
     interface_types::{data_handles::Persistent, reserved_handles::Provision},
+    structures::SavedTpmContext,
     tss2_esys::{Esys_ContextLoad, Esys_ContextSave, Esys_EvictControl, Esys_FlushContext},
-    utils::TpmsContext,
     Context, Result, ReturnCode,
 };
 use log::error;
-use std::convert::{TryFrom, TryInto};
+use std::convert::TryFrom;
 use std::ptr::null_mut;
 
 impl Context {
@@ -18,32 +18,27 @@ impl Context {
     /// # Errors
     /// * if conversion from `TPMS_CONTEXT` to `TpmsContext` fails, a `WrongParamSize` error will
     /// be returned
-    pub fn context_save(&mut self, handle: ObjectHandle) -> Result<TpmsContext> {
+    pub fn context_save(&mut self, handle: ObjectHandle) -> Result<SavedTpmContext> {
         let mut context_ptr = null_mut();
         ReturnCode::ensure_success(
             unsafe { Esys_ContextSave(self.mut_context(), handle.into(), &mut context_ptr) },
             |ret| {
                 error!("Error in saving context: {:#010X}", ret);
             },
         )?;
-        TpmsContext::try_from(Context::ffi_data_to_owned(context_ptr))
+        SavedTpmContext::try_from(Context::ffi_data_to_owned(context_ptr))
     }
 
     /// Load a previously saved context into the TPM and return the object handle.
     ///
     /// # Errors
     /// * if conversion from `TpmsContext` to the native `TPMS_CONTEXT` fails, a `WrongParamSize`
     /// error will be returned
-    pub fn context_load(&mut self, context: TpmsContext) -> Result<ObjectHandle> {
+    pub fn context_load(&mut self, context: SavedTpmContext) -> Result<ObjectHandle> {
         let mut esys_loaded_handle = ObjectHandle::None.into();
+        let tpm_context = context.into();
         ReturnCode::ensure_success(
-            unsafe {
-                Esys_ContextLoad(
-                    self.mut_context(),
-                    &context.try_into()?,
-                    &mut esys_loaded_handle,
-                )
-            },
+            unsafe { Esys_ContextLoad(self.mut_context(), &tpm_context, &mut esys_loaded_handle) },
             |ret| {
                 error!("Error in loading context: {:#010X}", ret);
             },

tss-esapi/src/handles/tpm.rs

@@ -326,7 +326,10 @@ pub mod saved_session {
 pub mod transient {
     //! Module for transient TPM handles
     use super::*;
-    use crate::constants::tss::{TPM2_HT_TRANSIENT, TPM2_TRANSIENT_FIRST, TPM2_TRANSIENT_LAST};
+    use crate::constants::tss::{
+        TPM2_HT_TRANSIENT, TPM2_TRANSIENT_FIRST, TPM2_TRANSIENT_LAST, TPMI_DH_SAVED_SEQUENCE,
+        TPMI_DH_SAVED_TRANSIENT, TPMI_DH_SAVED_TRANSIENT_CLEAR,
+    };
 
     create_tpm_handle_type!(
         TransientTpmHandle,
@@ -335,6 +338,13 @@ pub mod transient {
         TPM2_TRANSIENT_FIRST,
         TPM2_TRANSIENT_LAST
     );
+    add_constant_handle!(TransientTpmHandle, SavedTransient, TPMI_DH_SAVED_TRANSIENT);
+    add_constant_handle!(TransientTpmHandle, SavedSequence, TPMI_DH_SAVED_SEQUENCE);
+    add_constant_handle!(
+        TransientTpmHandle,
+        SavedTransientClear,
+        TPMI_DH_SAVED_TRANSIENT_CLEAR
+    );
 }
 
 pub mod persistent {

tss-esapi/src/interface_types/data_handles.rs

@@ -1,10 +1,20 @@
 // Copyright 2020 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
+/// This module contains native representations of the TPMI_DH types.
+use crate::{
+    handles::{
+        HmacSessionTpmHandle, NvIndexTpmHandle, PcrTpmHandle, PersistentTpmHandle,
+        PolicySessionTpmHandle, TpmHandle, TransientTpmHandle,
+    },
+    tss2_esys::{TPMI_DH_CONTEXT, TPMI_DH_SAVED},
+    Error, Result, WrapperErrorKind,
+};
+use std::convert::TryFrom;
 
-use crate::handles::{NvIndexTpmHandle, PcrTpmHandle, PersistentTpmHandle, TransientTpmHandle};
-
-/// Can be created with either a persistent
-/// or transient TPM handle.
+/// Enum representing the 'Object' data handles interface type.
+///
+/// # Details
+/// This corresponds to the TPMI_DH_OBJECT interface type.
 #[derive(Debug, Copy, Clone)]
 pub enum Object {
     Transient(TransientTpmHandle),
@@ -20,7 +30,6 @@ pub enum Parent {
     Endorsement,
 }
 
-///
 /// Enum representing the Persistent DH interface type
 /// (TPMI_DH_PERSISTENT)
 ///
@@ -53,10 +62,122 @@ pub enum Entity {
     Platform,
     Endorsement,
     Lockout,
-    // TODO: Handle Auth
+    // TODO: Handle Auth, that is vendor specific.
 }
 
 #[derive(Debug, Copy, Clone)]
 pub enum Pcr {
     Pcr(PcrTpmHandle),
 }
+
+/// Enum representing the 'Context' data handles interface type.
+///
+/// # Details
+/// This corresponds to the `TPMI_DH_CONTEXT` interface type. This only
+/// exist for compatibility purposes the specification is not entirely
+/// clear on whether this should still be used or be completely replaced by
+/// [Saved].
+#[derive(Debug, Copy, Clone, Eq, PartialEq)]
+pub enum ContextDataHandle {
+    Hmac(HmacSessionTpmHandle),
+    Policy(PolicySessionTpmHandle),
+    Transient(TransientTpmHandle),
+}
+
+impl From<HmacSessionTpmHandle> for ContextDataHandle {
+    fn from(hmac_session_tpm_handle: HmacSessionTpmHandle) -> Self {
+        ContextDataHandle::Hmac(hmac_session_tpm_handle)
+    }
+}
+
+impl From<PolicySessionTpmHandle> for ContextDataHandle {
+    fn from(policy_session_tpm_handle: PolicySessionTpmHandle) -> Self {
+        ContextDataHandle::Policy(policy_session_tpm_handle)
+    }
+}
+
+impl From<TransientTpmHandle> for ContextDataHandle {
+    fn from(transient_tpm_handle: TransientTpmHandle) -> Self {
+        ContextDataHandle::Transient(transient_tpm_handle)
+    }
+}
+
+impl TryFrom<TPMI_DH_CONTEXT> for ContextDataHandle {
+    type Error = Error;
+
+    fn try_from(ffi: TPMI_DH_CONTEXT) -> Result<Self> {
+        TpmHandle::try_from(ffi).and_then(|tpm_handle| match tpm_handle {
+            TpmHandle::HmacSession(handle) => Ok(Self::Hmac(handle)),
+            TpmHandle::PolicySession(handle) => Ok(Self::Policy(handle)),
+            TpmHandle::Transient(handle) => Ok(Self::Transient(handle)),
+            _ => Err(Error::local_error(WrapperErrorKind::InvalidParam)),
+        })
+    }
+}
+
+/// Enum representing the 'Saved' data handles interface type.
+///
+/// # Details
+/// This corresponds to the `TPMI_DH_SAVED` interface type.
+#[derive(Debug, Copy, Clone, Eq, PartialEq)]
+pub enum Saved {
+    /// A HMAC session context.
+    Hmac(HmacSessionTpmHandle),
+    /// A policy session context.
+    Policy(PolicySessionTpmHandle),
+    /// An ordinary transient object.
+    Transient,
+    /// A sequence object.
+    Sequence,
+    /// A transient object with stClear attribute SET.
+    TransientClear,
+}
+
+impl From<HmacSessionTpmHandle> for Saved {
+    fn from(hmac_session_tpm_handle: HmacSessionTpmHandle) -> Self {
+        Saved::Hmac(hmac_session_tpm_handle)
+    }
+}
+
+impl From<PolicySessionTpmHandle> for Saved {
+    fn from(policy_session_tpm_handle: PolicySessionTpmHandle) -> Self {
+        Saved::Policy(policy_session_tpm_handle)
+    }
+}
+
+impl TryFrom<TransientTpmHandle> for Saved {
+    type Error = Error;
+    fn try_from(transient_tpm_handle: TransientTpmHandle) -> Result<Self> {
+        match transient_tpm_handle {
+            TransientTpmHandle::SavedTransient => Ok(Saved::Transient),
+            TransientTpmHandle::SavedSequence => Ok(Saved::Sequence),
+            TransientTpmHandle::SavedTransientClear => Ok(Saved::TransientClear),
+            _ => Err(Error::local_error(WrapperErrorKind::InvalidParam)),
+        }
+    }
+}
+
+impl TryFrom<TPMI_DH_SAVED> for Saved {
+    type Error = Error;
+
+    fn try_from(ffi: TPMI_DH_SAVED) -> Result<Self> {
+        TpmHandle::try_from(ffi).and_then(|tpm_handle| match tpm_handle {
+            TpmHandle::HmacSession(handle) => Ok(Self::Hmac(handle)),
+            TpmHandle::PolicySession(handle) => Ok(Self::Policy(handle)),
+            TpmHandle::Transient(handle) => Saved::try_from(handle),
+            _ => Err(Error::local_error(WrapperErrorKind::InvalidParam)),
+        })
+    }
+}
+
+impl From<Saved> for TPMI_DH_SAVED {
+    fn from(native: Saved) -> TPMI_DH_SAVED {
+        match native {
+            Saved::Hmac(handle) => handle.into(),
+            Saved::Policy(handle) => handle.into(),
+            Saved::Transient => TransientTpmHandle::SavedTransient.into(),
+            Saved::Sequence => TransientTpmHandle::SavedSequence.into(),
+            Saved::TransientClear => TransientTpmHandle::SavedTransientClear.into(),
+        }
+    }
+}

tss-esapi/src/structures/buffers.rs

@@ -390,3 +390,12 @@ pub mod symmetric_key {
 pub mod timeout {
     buffer_type!(Timeout, 8, TPM2B_TIMEOUT);
 }
+
+pub mod tpm_context_data {
+    use crate::tss2_esys::TPMS_CONTEXT_DATA;
+    buffer_type!(
+        TpmContextData,
+        std::mem::size_of::<TPMS_CONTEXT_DATA>(),
+        TPM2B_CONTEXT_DATA
+    );
+}

tss-esapi/src/structures/mod.rs

@@ -41,7 +41,7 @@ pub use self::buffers::{
     private_key_rsa::PrivateKeyRsa, private_vendor_specific::PrivateVendorSpecific,
     public::PublicBuffer, public_key_rsa::PublicKeyRsa, sensitive::SensitiveBuffer,
     sensitive_create::SensitiveCreateBuffer, sensitive_data::SensitiveData,
-    symmetric_key::SymmetricKey, timeout::Timeout,
+    symmetric_key::SymmetricKey, timeout::Timeout, tpm_context_data::TpmContextData,
 };
 /////////////////////////////////////////////////////////
 /// The creation section
@@ -212,3 +212,8 @@ pub use nv::storage::{NvPublic, NvPublicBuilder};
 /////////////////////////////////////////////////////////
 mod algorithm;
 pub use algorithm::symmetric::sensitive_create::SensitiveCreate;
+/////////////////////////////////////////////////////////
+/// TPM context structures
+/////////////////////////////////////////////////////////
+mod tpm_context;
+pub use tpm_context::SavedTpmContext;

tss-esapi/src/structures/tagged/public.rs

@@ -495,7 +495,7 @@ impl TryFrom<TPMT_PUBLIC> for Public {
 impl_mu_standard!(Public, TPMT_PUBLIC);
 
 impl Serialize for Public {
-    /// Serialise the [Public] data into it's bytes representation of the TCG
+    /// Serialize the [Public] data into it's bytes representation of the TCG
     /// TPMT_PUBLIC structure.
     fn serialize<S>(&self, serializer: S) -> std::result::Result<S::Ok, S::Error>
     where