Added H5 test app support for pre-provisioned TPM (WOLFTPM_MFG_IDENTITY) "quote" and "signed_timestamp" using IAK

dgarske · dgarske · commit 3f6f6b5e85a5 · 2025-11-04T21:28:22.000-08:00
diff --git a/Makefile b/Makefile
@@ -105,7 +105,7 @@ CFLAGS+= \
 # Setup default optimizations (for GCC)
 ifeq ($(USE_GCC_HEADLESS),1)
   CFLAGS+=-Wall -Wextra -Wno-main -ffreestanding -Wno-unused -nostartfiles
-  CFLAGS+=-ffunction-sections -fdata-sections -fomit-frame-pointer
+  CFLAGS+=-ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-unused-variable
   LDFLAGS+=-Wl,-gc-sections -Wl,-Map=wolfboot.map -ffreestanding -nostartfiles
   # Not setting LDFLAGS directly since it is passed to the test-app
   LSCRIPT_FLAGS+=-T $(LSCRIPT)
diff --git a/include/tpm.h b/include/tpm.h
@@ -48,23 +48,32 @@ extern WOLFTPM2_KEY     wolftpm_srk;
 
 #define WOLFBOOT_MAX_SEAL_SZ              MAX_SYM_DATA
 
-
-int  wolfBoot_tpm2_init(void);
-void wolfBoot_tpm2_deinit(void);
-
-int wolfBoot_tpm2_clear(void);
-
 /* API's that are callable from non-secure code */
 int CSME_NSE_API wolfBoot_tpm2_caps(WOLFTPM2_CAPS* caps);
 int CSME_NSE_API wolfBoot_tpm2_get_handles(TPM_HANDLE handle, TPML_HANDLE* handles);
 const char* CSME_NSE_API wolfBoot_tpm2_get_alg_name(TPM_ALG_ID alg,
     char* name, int name_sz);
 const char* CSME_NSE_API wolfBoot_tpm2_get_rc_string(int rc,
     char* error, int error_sz);
-TPM_RC CSME_NSE_API wolfBoot_tpm2_get_capability(GetCapability_In* in, GetCapability_Out* out);
+int CSME_NSE_API wolfBoot_tpm2_get_capability(GetCapability_In* in, GetCapability_Out* out);
 int CSME_NSE_API wolfBoot_tpm2_read_pcr(uint8_t pcrIndex, uint8_t* digest, int* digestSz);
 int CSME_NSE_API wolfBoot_tpm2_read_cert(uint32_t handle, uint8_t* cert, uint32_t* certSz);
 
+#ifdef WOLFTPM_MFG_IDENTITY
+int CSME_NSE_API wolfBoot_tpm2_get_aik(WOLFTPM2_KEY* aik,
+    uint8_t* masterPassword, uint16_t masterPasswordSz);
+int CSME_NSE_API wolfBoot_tpm2_get_timestamp(WOLFTPM2_KEY* aik, GetTime_Out* getTime);
+int CSME_NSE_API wolfBoot_tpm2_quote(WOLFTPM2_KEY* aik,
+    byte* pcrArray, word32 pcrArraySz, Quote_Out* quoteResult);
+int CSME_NSE_API wolfBoot_tpm2_parse_attest(const TPM2B_ATTEST* in, TPMS_ATTEST* out);
+#endif
+
+/* Internal wolfBoot TPM API's */
+int  wolfBoot_tpm2_init(void);
+void wolfBoot_tpm2_deinit(void);
+
+int wolfBoot_tpm2_clear(void);
+
 #if defined(WOLFBOOT_TPM_VERIFY) || defined(WOLFBOOT_TPM_SEAL)
 int wolfBoot_load_pubkey(const uint8_t* pubkey_hint, WOLFTPM2_KEY* pubKey,
     TPM_ALG_ID* pAlg);
diff --git a/src/tpm.c b/src/tpm.c
@@ -1182,9 +1182,9 @@ const char* CSME_NSE_API wolfBoot_tpm2_get_rc_string(int rc, char* error, int er
     return (const char*)error;
 }
 
-TPM_RC CSME_NSE_API wolfBoot_tpm2_get_capability(GetCapability_In* in, GetCapability_Out* out)
+int CSME_NSE_API wolfBoot_tpm2_get_capability(GetCapability_In* in, GetCapability_Out* out)
 {
-    return TPM2_GetCapability(in, out);
+    return (int)TPM2_GetCapability(in, out);
 }
 
 int CSME_NSE_API wolfBoot_tpm2_read_pcr(uint8_t pcrIndex, uint8_t* digest, int* digestSz)
@@ -1195,9 +1195,111 @@ int CSME_NSE_API wolfBoot_tpm2_read_pcr(uint8_t pcrIndex, uint8_t* digest, int*
 
 int CSME_NSE_API wolfBoot_tpm2_read_cert(uint32_t handle, uint8_t* cert, uint32_t* certSz)
 {
+    wolfTPM2_SetAuthPassword(&wolftpm_dev, 0, NULL);
     return wolfTPM2_NVReadCert(&wolftpm_dev, handle, cert, certSz);
 }
 
+#ifdef WOLFTPM_MFG_IDENTITY
+int CSME_NSE_API wolfBoot_tpm2_get_aik(WOLFTPM2_KEY* aik,
+    uint8_t* masterPassword, uint16_t masterPasswordSz)
+{
+    int rc;
+    if (aik == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* Load existing AIK and set auth */
+    rc = wolfTPM2_ReadPublicKey(&wolftpm_dev, aik, TPM2_IAK_KEY_HANDLE);
+    if (rc == 0) {
+        /* Custom should supply their own custom master password used during
+         * device provisioning. If using a sample TPM supply NULL to use the
+         * default password. */
+        rc = wolfTPM2_SetIdentityAuth(&wolftpm_dev, &aik->handle,
+            masterPassword, masterPasswordSz);
+    }
+    return rc;
+}
+
+int CSME_NSE_API wolfBoot_tpm2_get_timestamp(WOLFTPM2_KEY* aik, GetTime_Out* getTime)
+{
+    int rc;
+    WOLFTPM2_HANDLE eh_handle;
+    /* sample master password for EH */
+    uint8_t Master_EH_AuthValue[] = {
+        0xDE, 0xEF, 0x8C, 0xDF, 0x1B, 0x77, 0xBD, 0x00,
+        0x30, 0x58, 0x5E, 0x47, 0xB8, 0x21, 0x46, 0x0B
+    };
+
+    if (aik == NULL || getTime == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    memset(getTime, 0, sizeof(*getTime));
+    memset(&eh_handle, 0, sizeof(eh_handle));
+
+    eh_handle.hndl = TPM_RH_ENDORSEMENT;
+
+    /* Calculate EH auth value */
+    rc = wolfTPM2_SetIdentityAuth(&wolftpm_dev, &eh_handle,
+        Master_EH_AuthValue, (uint16_t)sizeof(Master_EH_AuthValue));
+    if (rc == 0) {
+        /* Set EH auth */
+        wolfTPM2_SetAuthHandle(&wolftpm_dev, 0, &eh_handle);
+
+        /* set auth for using the AIK */
+        wolfTPM2_SetAuthHandle(&wolftpm_dev, 1, &aik->handle);
+    }
+    if (rc == 0) {
+        rc = wolfTPM2_GetTime(aik, getTime);
+    }
+
+    wolfTPM2_UnsetAuth(&wolftpm_dev, 1);
+    wolfTPM2_UnsetAuth(&wolftpm_dev, 0);
+
+    return rc;
+}
+
+int CSME_NSE_API wolfBoot_tpm2_parse_attest(const TPM2B_ATTEST* in, TPMS_ATTEST* out)
+{
+    return TPM2_ParseAttest(in, out);
+}
+
+int CSME_NSE_API wolfBoot_tpm2_quote(WOLFTPM2_KEY* aik,
+    byte* pcrArray, word32 pcrArraySz, Quote_Out* quoteResult)
+{
+    int rc;
+    Quote_In quoteAsk;
+    TPMT_ASYM_SCHEME* scheme;
+
+    if (aik == NULL || pcrArray == NULL || pcrArraySz == 0 ||
+        quoteResult == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* set auth for using the AIK */
+    wolfTPM2_SetAuthHandle(&wolftpm_dev, 0, &aik->handle);
+
+    /* Prepare Quote request */
+    XMEMSET(&quoteAsk, 0, sizeof(quoteAsk));
+    XMEMSET(quoteResult, 0, sizeof(*quoteResult));
+
+    scheme = &aik->pub.publicArea.parameters.asymDetail.scheme;
+    quoteAsk.signHandle = aik->handle.hndl;
+    quoteAsk.inScheme.scheme = scheme->scheme;
+    quoteAsk.inScheme.details.any.hashAlg = scheme->details.anySig.hashAlg;
+    quoteAsk.qualifyingData.size = 0; /* optional */
+    /* Choose PCR(s) for signing */
+    TPM2_SetupPCRSelArray(&quoteAsk.PCRselect, scheme->details.anySig.hashAlg,
+        pcrArray, pcrArraySz);
+
+    /* Get AIK signed attestation of PCR(s) */
+    rc = TPM2_Quote(&quoteAsk, quoteResult);
+
+    wolfTPM2_UnsetAuth(&wolftpm_dev, 0);
+
+    return rc;
+}
+#endif /* WOLFTPM_MFG_IDENTITY */
 
 
 /**
diff --git a/test-app/app_stm32h5.c b/test-app/app_stm32h5.c
@@ -166,8 +166,12 @@ static int cmd_update_xmodem(const char *args);
 static int cmd_reboot(const char *args);
 #ifdef WOLFBOOT_TPM
 static int cmd_tpm_info(const char *args);
+#ifdef WOLFTPM_MFG_IDENTITY
 static int cmd_tpm_idevid(const char *args);
 static int cmd_tpm_iak(const char *args);
+static int cmd_tpm_signed_timestamp(const char *args);
+static int cmd_tpm_quote(const char *args);
+#endif
 #endif
 
 
@@ -197,8 +201,12 @@ struct console_command COMMANDS[] =
     {cmd_reboot, "reboot", "reboot the system"},
 #ifdef WOLFBOOT_TPM
     {cmd_tpm_info, "tpm", "get TPM capabilities"},
+#ifdef WOLFTPM_MFG_IDENTITY
     {cmd_tpm_idevid, "idevid", "show Initial Device Identification (IDevID) certificate"},
     {cmd_tpm_iak, "iak", "show Initial Attestation Identification (IAK) certificate"},
+    {cmd_tpm_signed_timestamp, "signed_timestamp", "TPM IAK signed timestamp attestation report"},
+    {cmd_tpm_quote, "quote", "TPM IAK signed PCR(s) attestation report"},
+#endif
 #endif
     {NULL, "", ""}
 };
@@ -782,9 +790,8 @@ static int cmd_tpm_info(const char *args)
     /* Read measured boot PCR */
     if (rc == 0) {
         char algName[24];
-        printf("Measured boot: PCR %s %d\r\n",
-            wolfBoot_tpm2_get_alg_name(WOLFBOOT_TPM_PCR_ALG, algName, sizeof(algName)),
-            WOLFBOOT_MEASURED_PCR_A);
+        printf("Measured boot: PCR %d - %s\r\n", WOLFBOOT_MEASURED_PCR_A,
+            wolfBoot_tpm2_get_alg_name(WOLFBOOT_TPM_PCR_ALG, algName, sizeof(algName)));
         hashSz = 0;
         rc = wolfBoot_tpm2_read_pcr(WOLFBOOT_MEASURED_PCR_A, hashBuf, &hashSz);
         if (rc == 0) {
@@ -807,6 +814,7 @@ static int cmd_tpm_info(const char *args)
     return rc;
 }
 
+#ifdef WOLFTPM_MFG_IDENTITY
 static int cmd_tpm_idevid(const char *args)
 {
     int rc;
@@ -819,6 +827,11 @@ static int cmd_tpm_idevid(const char *args)
         printf("IDevID Handle 0x%x\r\n", (unsigned int)handle);
         print_hex(cert, certSz, 1);
     }
+    else {
+        char error[100];
+        printf("TPM error 0x%x: %s\r\n",
+            rc, wolfBoot_tpm2_get_rc_string(rc, error, sizeof(error)));
+    }
     return rc;
 }
 
@@ -834,8 +847,126 @@ static int cmd_tpm_iak(const char *args)
         printf("IAK Handle 0x%x\r\n", (unsigned int)handle);
         print_hex(cert, certSz, 1);
     }
+    else {
+        char error[100];
+        printf("TPM error 0x%x: %s\r\n",
+            rc, wolfBoot_tpm2_get_rc_string(rc, error, sizeof(error)));
+    }
     return rc;
 }
+
+static int cmd_tpm_signed_timestamp(const char *args)
+{
+    int rc;
+    WOLFTPM2_KEY aik;
+    GetTime_Out getTime;
+    TPMS_ATTEST timeAttest;
+
+    rc = wolfBoot_tpm2_get_aik(&aik, NULL, 0);
+    if (rc == 0) {
+        rc = wolfBoot_tpm2_get_timestamp(&aik, &getTime);
+    }
+    if (rc == 0) {
+        rc = wolfBoot_tpm2_parse_attest(&getTime.timeInfo, &timeAttest);
+    }
+    if (rc == 0) {
+        if (timeAttest.magic != TPM_GENERATED_VALUE) {
+            printf("\tError, attested data not generated by the TPM = 0x%X\n",
+                (unsigned int)timeAttest.magic);
+        }
+
+        printf("TPM with signature attests (type 0x%x):\n", timeAttest.type);
+        /* time value in milliseconds that advances while the TPM is powered */
+        printf("\tTPM uptime since last power-up (in ms): %lu\n",
+            (unsigned long)timeAttest.attested.time.time.time);
+        /* time value in milliseconds that advances while the TPM is powered */
+        printf("\tTPM clock, total time the TPM has been on (in ms): %lu\n",
+            (unsigned long)timeAttest.attested.time.time.clockInfo.clock);
+        /* number of occurrences of TPM Reset since the last TPM2_Clear() */
+        printf("\tReset Count: %u\n",
+            (unsigned int)timeAttest.attested.time.time.clockInfo.resetCount);
+        /* number of times that TPM2_Shutdown() or _TPM_Hash_Start have occurred since the last TPM Reset or TPM2_Clear(). */
+        printf("\tRestart Count: %u\n",
+            (unsigned int)timeAttest.attested.time.time.clockInfo.restartCount);
+        /* This parameter is set to YES when the value reported in Clock is guaranteed to be unique for the current Owner */
+        printf("\tClock Safe: %u\n",
+            timeAttest.attested.time.time.clockInfo.safe);
+        /* a TPM vendor-specific value indicating the version number of the firmware */
+        printf("\tFirmware Version (vendor specific): 0x%lX\n",
+            (unsigned long)timeAttest.attested.time.firmwareVersion);
+    }
+
+    if (rc != 0) {
+        char error[100];
+        printf("TPM get timestamp error 0x%x: %s\r\n",
+            rc, wolfBoot_tpm2_get_rc_string(rc, error, sizeof(error)));
+    }
+
+    return rc;
+}
+
+static int cmd_tpm_quote(const char *args)
+{
+    int rc;
+    WOLFTPM2_KEY aik;
+    Quote_Out quoteResult;
+    TPMS_ATTEST quoteAttest;
+    uint8_t  pcrArray[1];
+    uint32_t pcrArraySz = 0;
+    char algName[24];
+
+#ifdef WOLFBOOT_MEASURED_PCR_A
+    pcrArray[0] = WOLFBOOT_MEASURED_PCR_A;
+    pcrArraySz++;
+#else
+    pcrArray[0] = 16; /* test PCR */
+    pcrArraySz++;
+#endif
+
+    rc = wolfBoot_tpm2_get_aik(&aik, NULL, 0);
+    if (rc == 0) {
+        rc = wolfBoot_tpm2_quote(&aik, pcrArray, pcrArraySz, &quoteResult);
+    }
+    if (rc == 0) {
+        rc = wolfBoot_tpm2_parse_attest(&quoteResult.quoted, &quoteAttest);
+    }
+    if (rc == 0) {
+        TPMT_SIGNATURE* sig = &quoteResult.signature;
+        printf("TPM with signature attests (type 0x%x):\n", quoteAttest.type);
+        printf("\tTPM signed %lu count of PCRs\n",
+            (unsigned long)quoteAttest.attested.quote.pcrSelect.count);
+
+        printf("\tPCR digest:\n");
+        print_hex(quoteAttest.attested.quote.pcrDigest.buffer,
+                  quoteAttest.attested.quote.pcrDigest.size, 0);
+
+        printf("\tTPM generated %s signature:\n",
+            wolfBoot_tpm2_get_alg_name(sig->sigAlg, algName, sizeof(algName)));
+        printf("\tHash algorithm: %s\n",
+            wolfBoot_tpm2_get_alg_name(sig->signature.any.hashAlg, algName, sizeof(algName)));
+        switch (sig->sigAlg) {
+            case TPM_ALG_ECDSA:
+            case TPM_ALG_ECDAA:
+                printf("\tR size: %d\n", sig->signature.ecdsa.signatureR.size);
+                print_hex(sig->signature.ecdsa.signatureR.buffer, sig->signature.ecdsa.signatureR.size, 0);
+                printf("\tS size: %d\n", sig->signature.ecdsa.signatureS.size);
+                print_hex(sig->signature.ecdsa.signatureS.buffer, sig->signature.ecdsa.signatureS.size, 0);
+                break;
+            case TPM_ALG_RSASSA:
+            case TPM_ALG_RSAPSS:
+                printf("\tSignature size: %d\n", sig->signature.rsassa.sig.size);
+                print_hex(sig->signature.rsassa.sig.buffer, sig->signature.rsassa.sig.size, 0);
+                break;
+        };
+    }
+    else {
+        char error[100];
+        printf("TPM quote error 0x%x: %s\r\n", rc,
+            wolfBoot_tpm2_get_rc_string(rc, error, sizeof(error)));
+    }
+    return rc;
+}
+#endif /* WOLFTPM_MFG_IDENTITY */
 #endif /* WOLFBOOT_TPM */
 
 
@@ -965,6 +1096,11 @@ void main(void)
     printf("Version : 0x%lx\r\n", app_version);
     printf("========================\r\n");
 
+    cmd_info(NULL);
+#ifdef WOLFBOOT_TPM
+    cmd_tpm_info(NULL);
+#endif
+
     console_loop();
 
     while(1)
