
Commit 78f6a88

tpm2_certify: Add parameter qualifying-data.
The default for qualifying data is still 0x00, 0xff, 0x55, 0xaa, but the value can now be adjusted with the parameter --qualifying-data. Addresses: #3489 Signed-off-by: Juergen Repp <juergen_repp@web.de>
1 parent b4bf516 commit 78f6a88


4 files changed

+33
-7
lines changed

4 files changed

+33
-7
lines changed

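--- a/lib/tpm2_util.c
+++ b/lib/tpm2_util.c
@@ -1338,3 +1338,4 @@ void tpm2_util_tpm2_nv_to_yaml(TPM2B_NV_PUBLIC *nv_public, UINT8 *data, UINT16 s
 break;
 }
 }
+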

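--- a/man/tpm2_certify.1.md
+++ b/man/tpm2_certify.1.md
@@ -58,6 +58,13 @@ These options control the certification:
 
 Output file name for the attestation data.
 
+* **-q**, **\--qualifying-data**=_HEX\_STRING\_OR\_PATH_:
+
+Data given as a Hex string or binary file to qualify the certification, optional.
+This is typically used to add a nonce against replay attacks.
+The default is: 0x00, 0xff, 0x55, 0xaa
+
+
 * **-s**, **\--signature**=_FILE_:
 
 Output file name for the signature data.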

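--- a/test/integration/tests/certify.sh
+++ b/test/integration/tests/certify.sh
@@ -53,4 +53,16 @@ tpm2 certify \
 
 verify_signature_with_ssl
 
+# Test with changed qualified data.
+
+tpm2 certify \
+-c primary.ctx -P signedpass \
+-C certify.ctx -p certifypass \
+-q "0f0f0f0f" \
+-g sha256 -o attest.out -f plain -s sig.out
+
+tpm2 print -t TPMS_ATTEST attest.out| grep 0f0f0f0f > /dev/null
+
+verify_signature_with_ssl
+
 exit 0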
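Review bot: The new `tpm2 print -t TPMS_ATTEST attest.out| grep 0f0f0f0f > /dev/null` line only checks grep's exit status, so a failing `tpm2 print` is masked unless the script runs with `pipefail` (not visible in this hunk); `grep -q 0f0f0f0f` is the idiomatic form and makes the intent of the check clearer. The comment `# Test with changed qualified data.` would be more accurate as `# Test with changed qualifying data.`, matching the option name introduced by this commit.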

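--- a/tools/tpm2_certify.c
+++ b/tools/tpm2_certify.c
@@ -33,6 +33,7 @@ struct tpm_certify_ctx {
 tpm2_convert_sig_fmt sig_fmt;
 TPMT_SIG_SCHEME scheme;
 TPMI_ALG_SIG_SCHEME sig_scheme;
+TPM2B_DATA qualifying_data;
 
 /*
 * Outputs
@@ -71,22 +72,21 @@ static tpm_certify_ctx ctx = {
 .parameter_hash_algorithm = TPM2_ALG_ERROR,
 .scheme = {
 .scheme = TPM2_ALG_NULL,
+},
+.qualifying_data = {
+.size = 4,
+.buffer = { 0x00, 0xff, 0x55,0xaa },
 }
 };
 
 static tool_rc certify(ESYS_CONTEXT *ectx) {
 
-TPM2B_DATA qualifying_data = {
-.size = 4,
-.buffer = { 0x00, 0xff, 0x55,0xaa },
-};
-
 /*
 * 1. TPM2_CC_<command> OR Retrieve cpHash
 */
 
 return tpm2_certify(ectx, &ctx.certified_key.object,
-&ctx.signing_key.object, &qualifying_data, &ctx.scheme,
+&ctx.signing_key.object, &ctx.qualifying_data, &ctx.scheme,
 &ctx.certify_info, &ctx.signature, &ctx.cp_hash, &ctx.rp_hash,
 ctx.parameter_hash_algorithm, ctx.aux_session_handle[0]);
 }
@@ -261,6 +261,11 @@ static bool on_option(char key, char *value) {
 case 's':
 ctx.file_path.sig = value;
 break;
+case 'q':
+ctx.qualifying_data.size = sizeof(ctx.qualifying_data.buffer);
+return tpm2_util_bin_from_hex_or_file(value,
+&ctx.qualifying_data.size, ctx.qualifying_data.buffer);
+break;
 case 0:
 ctx.cp_hash_path = value;
 break;
@@ -306,13 +311,14 @@ static bool tpm2_tool_onstart(tpm2_options **opts) {
 { "attestation", required_argument, NULL, 'o' },
 { "signature", required_argument, NULL, 's' },
 { "format", required_argument, NULL, 'f' },
+{ "qualifying-data", required_argument, NULL, 'q' },
 { "cphash", required_argument, NULL, 0 },
 { "rphash", required_argument, NULL, 1 },
 { "scheme", required_argument, NULL, 2 },
 { "session", required_argument, NULL, 'S' },
 };
 
-*opts = tpm2_options_new("P:p:g:o:s:c:C:f:S:", ARRAY_LEN(topts), topts,
+*opts = tpm2_options_new("P:p:g:o:s:c:C:f:S:q:", ARRAY_LEN(topts), topts,
 on_option, NULL, 0);
 
 return *opts != NULL;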
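Review bot: In the on_option hunk the `break;` after `return tpm2_util_bin_from_hex_or_file(...)` in the new `case 'q':` is unreachable; either drop it or, to match the neighbouring cases that `break` to the function's shared return, keep the result and break: `if (!tpm2_util_bin_from_hex_or_file(value, &ctx.qualifying_data.size, ctx.qualifying_data.buffer)) { return false; } break;`. Pre-seeding `ctx.qualifying_data.size` with `sizeof(ctx.qualifying_data.buffer)` appears to pass the buffer capacity in so the helper can bound the copy of the user-supplied hex string or file — presumably the helper treats `*size` as capacity on entry and parsed length on exit, and since that is the only bound on external input landing in the TPM2B it is worth confirming against the helper's contract. On a parse failure the field is left holding the capacity value rather than the default length of 4, which is harmless only because returning false aborts option handling. A one-line comment on the case would make this explicit, e.g. `/* size carries the buffer capacity in and the parsed length out */`. Both on_option and tpm2_tool_onstart begin and end outside these hunks.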
