Add support for ek certificate chain, stored in TPM NVRAM.

Eugen Matery · ansasaki · commit 244eea9c3148 · 2025-04-08T17:45:31.000+02:00
See enhancement-1552: EK Certificate Chain support

Signed-off-by: Eugen Matery &lt;e.matery@digitalendoscopy.de&gt;
diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs
@@ -635,8 +635,8 @@ async fn main() -> Result<()> {
         }
 
         // If the certificate is not None add it to the builder
-        if let Some(ek_cert) = ek_result.ek_cert {
-            builder = builder.ek_cert(ek_cert);
+        if let Some(ekchain) = ek_result.to_pem() {
+            builder = builder.ek_cert(ekchain);
         }
 
         // Set the IAK/IDevID related fields, if enabled
diff --git a/keylime/src/registrar_client.rs b/keylime/src/registrar_client.rs
@@ -75,7 +75,7 @@ pub enum RegistrarClientBuilderError {
 pub struct RegistrarClientBuilder<'a> {
     ak_pub: Option<&'a [u8]>,
     ek_pub: Option<&'a [u8]>,
-    ek_cert: Option<Vec<u8>>,
+    ek_cert: Option<String>,
     enabled_api_versions: Option<Vec<&'a str>>,
     iak_attest: Option<Vec<u8>>,
     iak_cert: Option<X509>,
@@ -135,8 +135,8 @@ impl<'a> RegistrarClientBuilder<'a> {
     ///
     /// # Arguments:
     ///
-    /// * ek_cert (Vec<u8>): A vector containing the EK certificate in DER format
-    pub fn ek_cert(mut self, ek_cert: Vec<u8>) -> Self {
+    /// * ek_cert (String): A string containing the EK certificate in PEM format
+    pub fn ek_cert(mut self, ek_cert: String) -> Self {
         self.ek_cert = Some(ek_cert);
         self
     }
@@ -445,7 +445,7 @@ impl<'a> RegistrarClientBuilder<'a> {
             ak_pub,
             api_version: registrar_api_version,
             ek_pub,
-            ek_cert: self.ek_cert.take(),
+            ek_cert: self.ek_cert,
             iak_attest: self.iak_attest.take(),
             iak_cert,
             iak_sign: self.iak_sign.take(),
@@ -489,7 +489,7 @@ pub enum RegistrarClientError {
 pub struct RegistrarClient<'a> {
     ak_pub: &'a [u8],
     api_version: String,
-    ek_cert: Option<Vec<u8>>,
+    ek_cert: Option<String>,
     ek_pub: &'a [u8],
     enabled_api_versions: Vec<&'a str>,
     iak_attest: Option<Vec<u8>>,
@@ -536,8 +536,8 @@ struct Register<'a> {
         skip_serializing_if = "is_empty"
     )]
     ek_tpm: &'a [u8],
-    #[serde(serialize_with = "serialize_maybe_base64")]
-    ekcert: Option<Vec<u8>>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    ekcert: Option<String>,
     #[serde(
         serialize_with = "serialize_maybe_base64",
         skip_serializing_if = "Option::is_none"
@@ -783,6 +783,7 @@ mod tests {
         let port = uri[1].parse().unwrap(); //#[allow_ci]
 
         let mock_data = [0u8; 1];
+        let mock_chain = String::from("");
         let priv_key = crypto::testing::rsa_generate(2048).unwrap(); //#[allow_ci]
         let cert = crypto::x509::CertificateBuilder::new()
             .private_key(&priv_key)
@@ -794,7 +795,7 @@ mod tests {
         let response = RegistrarClientBuilder::new()
             .ak_pub(&mock_data)
             .ek_pub(&mock_data)
-            .ek_cert(mock_data.to_vec())
+            .ek_cert(mock_chain)
             .enabled_api_versions(vec!["1.2"])
             .iak_attest(vec![0])
             .iak_cert(cert.clone())
@@ -841,6 +842,7 @@ mod tests {
         let port = uri[1].parse().unwrap(); //#[allow_ci]
 
         let mock_data = [0u8; 1];
+        let mock_chain = String::from("");
         let priv_key = crypto::testing::rsa_generate(2048).unwrap(); //#[allow_ci]
         let cert = crypto::x509::CertificateBuilder::new()
             .private_key(&priv_key)
@@ -852,7 +854,7 @@ mod tests {
         let builder = RegistrarClientBuilder::new()
             .ak_pub(&mock_data)
             .ek_pub(&mock_data)
-            .ek_cert(mock_data.to_vec())
+            .ek_cert(mock_chain)
             .enabled_api_versions(vec!["1.2", "3.4"])
             .mtls_cert(cert)
             .ip("1.2.3.4".to_string())
@@ -906,6 +908,7 @@ mod tests {
         let port = uri[1].parse().unwrap(); //#[allow_ci]
 
         let mock_data = [0u8; 1];
+        let mock_chain = String::from("");
         let priv_key = crypto::testing::rsa_generate(2048).unwrap(); //#[allow_ci]
         let cert = crypto::x509::CertificateBuilder::new()
             .private_key(&priv_key)
@@ -917,7 +920,7 @@ mod tests {
         let builder = RegistrarClientBuilder::new()
             .ak_pub(&mock_data)
             .ek_pub(&mock_data)
-            .ek_cert(mock_data.to_vec())
+            .ek_cert(mock_chain)
             .enabled_api_versions(vec!["1.2", "3.4"])
             .mtls_cert(cert)
             .ip("1.2.3.4".to_string())
@@ -1078,6 +1081,7 @@ mod tests {
         let port = uri[1].parse().unwrap(); //#[allow_ci]
 
         let mock_data = [0u8; 1];
+        let mock_chain = String::from("");
         let priv_key = crypto::testing::rsa_generate(2048).unwrap(); //#[allow_ci]
         let cert = crypto::x509::CertificateBuilder::new()
             .private_key(&priv_key)
@@ -1090,7 +1094,7 @@ mod tests {
         let response = RegistrarClientBuilder::new()
             .ak_pub(&mock_data)
             .ek_pub(&mock_data)
-            .ek_cert(mock_data.to_vec())
+            .ek_cert(mock_chain)
             .enabled_api_versions(vec!["1.2"])
             .mtls_cert(cert)
             .ip("1.2.3.4".to_string())
diff --git a/keylime/src/tpm.rs b/keylime/src/tpm.rs
@@ -28,7 +28,7 @@ use tss_esapi::{
     abstraction::{
         ak,
         cipher::Cipher,
-        ek,
+        ek, nv,
         pcr::{read_all, PcrData},
         DefaultKey,
     },
@@ -37,6 +37,7 @@ use tss_esapi::{
     },
     constants::{
         response_code::Tss2ResponseCodeKind, session_type::SessionType,
+        CapabilityType,
     },
     handles::{
         AuthHandle, KeyHandle, ObjectHandle, PcrHandle, PersistentTpmHandle,
@@ -46,14 +47,14 @@ use tss_esapi::{
         algorithm::{AsymmetricAlgorithm, HashingAlgorithm, PublicAlgorithm},
         ecc::EccCurve,
         key_bits::RsaKeyBits,
-        resource_handles::Hierarchy,
+        resource_handles::{Hierarchy, NvAuth},
         session_handles::AuthSession,
         structure_tags::AttestationType,
     },
     structures::{
-        Attest, AttestInfo, Auth, Data, Digest, DigestValues, EccParameter,
-        EccPoint, EccScheme, EncryptedSecret, HashScheme, IdObject,
-        KeyDerivationFunctionScheme, Name, PcrSelectionList,
+        Attest, AttestInfo, Auth, CapabilityData, Data, Digest, DigestValues,
+        EccParameter, EccPoint, EccScheme, EncryptedSecret, HashScheme,
+        IdObject, KeyDerivationFunctionScheme, Name, PcrSelectionList,
         PcrSelectionListBuilder, PcrSlot, Private as TssPrivate,
         Public as TssPublic, PublicBuilder, PublicEccParametersBuilder,
         PublicKeyRsa, PublicRsaParametersBuilder, RsaExponent, RsaScheme,
@@ -116,6 +117,9 @@ const IAK_AUTH_POLICY_SHA256: [u8; 32] = [
 ];
 const UNIQUE_IAK: [u8; 3] = [0x49, 0x41, 0x4b];
 
+const RSA_EK_CERTIFICATE_CHAIN_START: u32 = 0x01c00100;
+const RSA_EK_CERTIFICATE_CHAIN_END: u32 = 0x01c001ff;
+
 /// TpmError wraps all possible errors raised in tpm.rs
 #[derive(Error, Debug)]
 pub enum TpmError {
@@ -444,6 +448,39 @@ pub struct EKResult {
     pub key_handle: KeyHandle,
     pub ek_cert: Option<Vec<u8>>,
     pub public: TssPublic,
+    pub ek_chain: Option<Vec<u8>>,
+}
+
+impl EKResult {
+    pub fn to_pem(&self) -> Option<String> {
+        let mut ca_chain: Vec<Vec<u8>> = Vec::new();
+
+        match &self.ek_chain {
+            Some(chain) => {
+                ca_chain.extend(split_der_certificates(chain));
+            }
+            None => {
+                debug!("* No EK certificate chain");
+            }
+        }
+
+        match &self.ek_cert {
+            Some(cert) => {
+                ca_chain.push(cert.clone());
+            }
+            None => {
+                debug!("* No EK certificate");
+            }
+        }
+
+        match der_to_pem(ca_chain) {
+            Ok(pem) => Some(pem),
+            Err(err) => {
+                error!("Failed to transform certificate chain to PEM format, due to {err:?}");
+                None
+            }
+        }
+    }
 }
 
 /// Holds the output of create_ak.
@@ -612,10 +649,25 @@ impl Context<'_> {
         let (tpm_pub, _, _) = ctx
             .read_public(key_handle)
             .map_err(|source| TpmError::TSSReadPublicError { source })?;
+
+        let chain = match read_ek_ca_chain(&mut ctx) {
+            Ok(der_data) => {
+                if !der_data.is_empty() {
+                    info!("Found EK certificate chain in TPM NVRAM")
+                }
+                Some(der_data)
+            }
+            Err(_) => {
+                warn!("Failed reading EK certificate chain from TPM NVRAM");
+                None
+            }
+        };
+
         Ok(EKResult {
             key_handle,
             ek_cert: cert,
             public: tpm_pub,
+            ek_chain: chain,
         })
     }
 
@@ -1947,6 +1999,116 @@ pub fn check_pubkey_match_cert(
     }
 }
 
+/// Find certificates (DER format) in binary data and split them
+///
+/// # Arguments
+///
+/// `der_data`: Binary data containing certificates in DER format
+///
+/// # Returns
+///
+/// 'Vec<Vec<u8>>', a vector ob certificates in DER format
+pub fn split_der_certificates(der_data: &[u8]) -> Vec<Vec<u8>> {
+    let mut certificates = Vec::new();
+    let mut offset = 0;
+    while offset < der_data.len() {
+        // Check if the current byte indicates the start of a sequence (0x30)
+        if der_data[offset] != 0x30 {
+            break; // Not a valid certificate start
+        }
+        // Read the length of the sequence
+        let length_byte = der_data[offset + 1];
+        let cert_length = if length_byte & 0x80 == 0 {
+            // Short form length
+            length_byte as usize + 2 // +2 for the tag and length byte
+        } else {
+            // Long form length
+            let length_of_length = (length_byte & 0x7F) as usize;
+            let length_bytes =
+                &der_data[offset + 2..offset + 2 + length_of_length];
+            let cert_length = length_bytes
+                .iter()
+                .fold(0, |acc, &b| (acc << 8) | b as usize);
+            cert_length + 2 + length_of_length // +2 for the tag and length byte
+        };
+        // Extract the certificate
+        let cert = der_data[offset..offset + cert_length].to_vec();
+        certificates.push(cert);
+        // Move the offset to the next certificate
+        offset += cert_length;
+    }
+    certificates
+}
+
+/// Convert a vector of der certificates into a single string with all certificates in PEM format.
+///
+/// # Arguments
+///
+/// `der_certificates`: Vector of certificates in DER format
+///
+/// # Returns
+///
+/// A `String` containing all concatenated certificates in PEM format (order is maintained)
+pub fn der_to_pem(
+    der_certificates: Vec<Vec<u8>>,
+) -> std::result::Result<String, Box<dyn std::error::Error>> {
+    let mut pem_string = String::new();
+    for der in der_certificates.iter().rev() {
+        // Convert DER to X509
+        let cert = X509::from_der(der)?;
+        // Convert X509 to PEM format
+        let pem = cert.to_pem()?;
+        // Append the PEM string to the result
+        pem_string.push_str(&String::from_utf8(pem)?);
+    }
+    Ok(pem_string)
+}
+
+/// Read certificate chain from TPM.
+///
+/// Read content of NV Handle 0x01c00100 - 0x01c001ff
+///
+/// # Returns
+///
+/// `Vec<u8>', binary data of certificate chain
+pub fn read_ek_ca_chain(
+    context: &mut tss_esapi::Context,
+) -> tss_esapi::Result<Vec<u8>> {
+    let mut result: Vec<u8> = Vec::new();
+
+    // Get handles for NV-Index in range 0x01c00100 - 0x01c001ff
+    let (capabilities, _) = context.get_capability(
+        CapabilityType::Handles,
+        RSA_EK_CERTIFICATE_CHAIN_START,
+        RSA_EK_CERTIFICATE_CHAIN_END - RSA_EK_CERTIFICATE_CHAIN_START,
+    )?;
+
+    if let CapabilityData::Handles(handle_list) = capabilities {
+        for handle in handle_list.iter() {
+            if let TpmHandle::NvIndex(nv_idx) = handle {
+                // Attempt to get the NV authorization handle
+                let nv_auth_handle =
+                    context.execute_without_session(|ctx| {
+                        ctx.tr_from_tpm_public(*handle)
+                            .map(|v| NvAuth::NvIndex(v.into()))
+                    })?;
+
+                // Read the full NV data
+                let data = context.execute_with_nullauth_session(|ctx| {
+                    nv::read_full(ctx, nv_auth_handle, *nv_idx)
+                })?;
+
+                result.extend(data);
+            } else {
+                // Handle other types of handles if necessary
+                break; // Skip non-NvIndex handles
+            }
+        }
+    }
+
+    Ok(result) // Return the accumulated result
+}
+
 pub mod testing {
     use super::*;
     #[cfg(feature = "testing")]

Original file line number	Diff line number	Diff line change
`@@ -635,8 +635,8 @@ async fn main() -> Result<()> {`
`635`	`635`	`}`
`636`	`636`
`637`	`637`	`// If the certificate is not None add it to the builder`
`638`		`- if let Some(ek_cert) = ek_result.ek_cert {`
`639`		`- builder = builder.ek_cert(ek_cert);`
	`638`	`+ if let Some(ekchain) = ek_result.to_pem() {`
	`639`	`+ builder = builder.ek_cert(ekchain);`
`640`	`640`	`}`
`641`	`641`
`642`	`642`	`// Set the IAK/IDevID related fields, if enabled`