@@ -16,6 +16,9 @@ use std::{
1616 sync:: { Arc , Mutex , OnceLock } ,
1717} ;
1818use thiserror:: Error ;
19+ use tss_esapi:: handles:: SessionHandle ;
20+ use tss_esapi:: interface_types:: session_handles:: PolicySession ;
21+ use tss_esapi:: structures:: { DigestList , SymmetricDefinition } ;
1922
2023use openssl:: {
2124 hash:: { Hasher , MessageDigest } ,
@@ -26,9 +29,7 @@ use openssl::{
2629
2730use tss_esapi:: {
2831 abstraction:: {
29- ak,
30- cipher:: Cipher ,
31- ek, nv,
32+ ak, ek, nv,
3233 pcr:: { read_all, PcrData } ,
3334 DefaultKey ,
3435 } ,
@@ -41,7 +42,7 @@ use tss_esapi::{
4142 } ,
4243 handles:: {
4344 AuthHandle , KeyHandle , ObjectHandle , PcrHandle , PersistentTpmHandle ,
44- SessionHandle , TpmHandle ,
45+ TpmHandle ,
4546 } ,
4647 interface_types:: {
4748 algorithm:: { AsymmetricAlgorithm , HashingAlgorithm , PublicAlgorithm } ,
@@ -120,6 +121,47 @@ const UNIQUE_IAK: [u8; 3] = [0x49, 0x41, 0x4b];
120121const RSA_EK_CERTIFICATE_CHAIN_START : u32 = 0x01c00100 ;
121122const RSA_EK_CERTIFICATE_CHAIN_END : u32 = 0x01c001ff ;
122123
124+ // Source: TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.5 Revision 2
125+ // Section B.6
126+ const POLICY_A_SHA384 : [ u8 ; 48 ] = [
127+ 0x8b , 0xbf , 0x22 , 0x66 , 0x53 , 0x7c , 0x17 , 0x1c , 0xb5 , 0x6e , 0x40 , 0x3c ,
128+ 0x4d , 0xc1 , 0xd4 , 0xb6 , 0x4f , 0x43 , 0x26 , 0x11 , 0xdc , 0x38 , 0x6e , 0x6f ,
129+ 0x53 , 0x20 , 0x50 , 0xc3 , 0x27 , 0x8c , 0x93 , 0x0e , 0x14 , 0x3e , 0x8b , 0xb1 ,
130+ 0x13 , 0x38 , 0x24 , 0xcc , 0xb4 , 0x31 , 0x05 , 0x38 , 0x71 , 0xc6 , 0xdb , 0x53 ,
131+ ] ;
132+ const POLICY_A_SHA512 : [ u8 ; 64 ] = [
133+ 0x1e , 0x3b , 0x76 , 0x50 , 0x2c , 0x8a , 0x14 , 0x25 , 0xaa , 0x0b , 0x7b , 0x3f ,
134+ 0xc6 , 0x46 , 0xa1 , 0xb0 , 0xfa , 0xe0 , 0x63 , 0xb0 , 0x3b , 0x53 , 0x68 , 0xf9 ,
135+ 0xc4 , 0xcd , 0xde , 0xca , 0xff , 0x08 , 0x91 , 0xdd , 0x68 , 0x2b , 0xac , 0x1a ,
136+ 0x85 , 0xd4 , 0xd8 , 0x32 , 0xb7 , 0x81 , 0xea , 0x45 , 0x19 , 0x15 , 0xde , 0x5f ,
137+ 0xc5 , 0xbf , 0x0d , 0xc4 , 0xa1 , 0x91 , 0x7c , 0xd4 , 0x2f , 0xa0 , 0x41 , 0xe3 ,
138+ 0xf9 , 0x98 , 0xe0 , 0xee ,
139+ ] ;
140+ const POLICY_A_SM3_256 : [ u8 ; 32 ] = [
141+ 0xc6 , 0x7f , 0x7d , 0x35 , 0xf6 , 0x6f , 0x3b , 0xec , 0x13 , 0xc8 , 0x9f , 0xe8 ,
142+ 0x98 , 0x92 , 0x1c , 0x65 , 0x1b , 0x0c , 0xb5 , 0xa3 , 0x8a , 0x92 , 0x69 , 0x0a ,
143+ 0x62 , 0xa4 , 0x3c , 0x00 , 0x12 , 0xe4 , 0xfb , 0x8b ,
144+ ] ;
145+ const POLICY_C_SHA384 : [ u8 ; 48 ] = [
146+ 0xd6 , 0x03 , 0x2c , 0xe6 , 0x1f , 0x2f , 0xb3 , 0xc2 , 0x40 , 0xeb , 0x3c , 0xf6 ,
147+ 0xa3 , 0x32 , 0x37 , 0xef , 0x2b , 0x6a , 0x16 , 0xf4 , 0x29 , 0x3c , 0x22 , 0xb4 ,
148+ 0x55 , 0xe2 , 0x61 , 0xcf , 0xfd , 0x21 , 0x7a , 0xd5 , 0xb4 , 0x94 , 0x7c , 0x2d ,
149+ 0x73 , 0xe6 , 0x30 , 0x05 , 0xee , 0xd2 , 0xdc , 0x2b , 0x35 , 0x93 , 0xd1 , 0x65 ,
150+ ] ;
151+ const POLICY_C_SHA512 : [ u8 ; 64 ] = [
152+ 0x58 , 0x9e , 0xe1 , 0xe1 , 0x46 , 0x54 , 0x47 , 0x16 , 0xe8 , 0xde , 0xaf , 0xe6 ,
153+ 0xdb , 0x24 , 0x7b , 0x01 , 0xb8 , 0x1e , 0x9f , 0x9c , 0x7d , 0xd1 , 0x6b , 0x81 ,
154+ 0x4a , 0xa1 , 0x59 , 0x13 , 0x87 , 0x49 , 0x10 , 0x5f , 0xba , 0x53 , 0x88 , 0xdd ,
155+ 0x1d , 0xea , 0x70 , 0x2f , 0x35 , 0x24 , 0x0c , 0x18 , 0x49 , 0x33 , 0x12 , 0x1e ,
156+ 0x2c , 0x61 , 0xb8 , 0xf5 , 0x0d , 0x3e , 0xf9 , 0x13 , 0x93 , 0xa4 , 0x9a , 0x38 ,
157+ 0xc3 , 0xf7 , 0x3f , 0xc8 ,
158+ ] ;
159+ const POLICY_C_SM3_256 : [ u8 ; 32 ] = [
160+ 0x2d , 0x4e , 0x81 , 0x57 , 0x8c , 0x35 , 0x31 , 0xd9 , 0xbd , 0x1c , 0xdd , 0x7d ,
161+ 0x02 , 0xba , 0x29 , 0x8d , 0x56 , 0x99 , 0xa3 , 0xe3 , 0x9f , 0xc3 , 0x55 , 0x1b ,
162+ 0xfe , 0xff , 0xcf , 0x13 , 0x2b , 0x49 , 0xe1 , 0x1d ,
163+ ] ;
164+
123165/// TpmError wraps all possible errors raised in tpm.rs
124166#[ derive( Error , Debug ) ]
125167pub enum TpmError {
@@ -1267,19 +1309,14 @@ impl Context<'_> {
12671309 /// Creates an empty authentication session
12681310fn create_empty_session (
12691311 & mut self ,
1312+ ctx : & mut tss_esapi:: Context ,
12701313 ses_type : SessionType ,
1314+ symmetric : SymmetricDefinition ,
1315+ hash_alg : HashingAlgorithm ,
12711316 ) -> Result < AuthSession > {
1272- let mut ctx = self . inner . lock ( ) . unwrap ( ) ; //#[allow_ci]
12731317 let Some ( session) = ctx
12741318 . start_auth_session (
1275- None ,
1276- None ,
1277- None ,
1278- ses_type,
1279- Cipher :: aes_128_cfb ( ) . try_into ( ) . map_err ( |source| {
1280- TpmError :: TSSSymmetricDefinitionFromCipher { source }
1281- } ) ?,
1282- HashingAlgorithm :: Sha256 ,
1319+ None , None , None , ses_type, symmetric, hash_alg,
12831320 )
12841321 . map_err ( |source| {
12851322 TpmError :: TSSStartAuthenticationSessionError { source }
@@ -1307,35 +1344,83 @@ impl Context<'_> {
13071344 ak : KeyHandle ,
13081345 ek : KeyHandle ,
13091346 ) -> Result < Digest > {
1310- let ( credential, secret) = parse_cred_and_secret ( keyblob) ?;
1311-
1312- let ek_auth = self . create_empty_session ( SessionType :: Policy ) ?;
1313-
13141347 let mut ctx = self . inner . lock ( ) . unwrap ( ) ; //#[allow_ci]
13151348
1316- // We authorize ses2 with PolicySecret(ENDORSEMENT) as per PolicyA
1317- let _ = ctx. execute_with_nullauth_session ( |context| {
1318- context. policy_secret (
1319- ek_auth. try_into ( ) ?,
1320- AuthHandle :: Endorsement ,
1321- Default :: default ( ) ,
1322- Default :: default ( ) ,
1323- Default :: default ( ) ,
1324- None ,
1325- )
1326- } ) ?;
1349+ let ( credential, secret) = parse_cred_and_secret ( keyblob) ?;
1350+ let mut policy_digests = DigestList :: new ( ) ;
1351+ let ( parent_public, _, _) = ctx. read_public ( ek) ?;
1352+ let ek_hash_alg = parent_public. name_hashing_algorithm ( ) ;
1353+ let ek_symmetric =
1354+ parent_public. symmetric_algorithm ( ) . ok_or_else ( || {
1355+ TpmError :: TSSReadPublicError {
1356+ source : tss_esapi:: Error :: WrapperError (
1357+ tss_esapi:: WrapperErrorKind :: InvalidParam ,
1358+ ) ,
1359+ }
1360+ } ) ?;
1361+ match ek_hash_alg {
1362+ HashingAlgorithm :: Sha384 => {
1363+ policy_digests
1364+ . add ( Digest :: try_from ( POLICY_A_SHA384 . as_slice ( ) ) ?) ?;
1365+ policy_digests
1366+ . add ( Digest :: try_from ( POLICY_C_SHA384 . as_slice ( ) ) ?) ?;
1367+ }
1368+ HashingAlgorithm :: Sha512 => {
1369+ policy_digests
1370+ . add ( Digest :: try_from ( POLICY_A_SHA512 . as_slice ( ) ) ?) ?;
1371+ policy_digests
1372+ . add ( Digest :: try_from ( POLICY_C_SHA512 . as_slice ( ) ) ?) ?;
1373+ }
1374+ HashingAlgorithm :: Sm3_256 => {
1375+ policy_digests
1376+ . add ( Digest :: try_from ( POLICY_A_SM3_256 . as_slice ( ) ) ?) ?;
1377+ policy_digests
1378+ . add ( Digest :: try_from ( POLICY_C_SM3_256 . as_slice ( ) ) ?) ?;
1379+ }
1380+ _ => ( ) ,
1381+ } ;
1382+
1383+ let ek_auth = self . create_empty_session (
1384+ & mut ctx,
1385+ SessionType :: Policy ,
1386+ ek_symmetric. into ( ) ,
1387+ ek_hash_alg,
1388+ ) ?;
13271389
1390+ // We authorize session according to the EK profile spec
13281391 let result = ctx
1329- . execute_with_sessions (
1330- ( Some ( AuthSession :: Password ) , Some ( ek_auth) , None ) ,
1331- |context| {
1332- context. activate_credential ( ak, ek, credential, secret)
1392+ . execute_with_temporary_object (
1393+ SessionHandle :: from ( ek_auth) . into ( ) ,
1394+ |ctx, _| {
1395+ let _ = ctx. execute_with_nullauth_session ( |ctx| {
1396+ ctx. policy_secret (
1397+ PolicySession :: try_from ( ek_auth) ?,
1398+ AuthHandle :: Endorsement ,
1399+ Default :: default ( ) ,
1400+ Default :: default ( ) ,
1401+ Default :: default ( ) ,
1402+ None ,
1403+ )
1404+ } ) ?;
1405+ if !policy_digests. is_empty ( ) {
1406+ ctx. policy_or (
1407+ PolicySession :: try_from ( ek_auth) ?,
1408+ policy_digests,
1409+ ) ?
1410+ }
1411+ ctx. execute_with_sessions (
1412+ ( Some ( AuthSession :: Password ) , Some ( ek_auth) , None ) ,
1413+ |ctx| {
1414+ ctx. activate_credential (
1415+ ak, ek, credential, secret,
1416+ )
1417+ } ,
1418+ )
13331419 } ,
13341420 )
13351421 . map_err ( TpmError :: from) ;
13361422
13371423 // Clear sessions after use
1338- ctx. flush_context ( SessionHandle :: from ( ek_auth) . into ( ) ) ?;
13391424 ctx. clear_sessions ( ) ;
13401425
13411426 result
0 commit comments