From cd713d4de6c3d08478d6f6ca27b0f9e1afd439fe Mon Sep 17 00:00:00 2001 From: Kiran Kamineni Date: Tue, 18 Sep 2018 11:58:58 -0700 Subject: Add support for PRK password in TPM plugin PRK Password needs to be passed to TPM Plugin for load key operations to work. P7: Moved readPassword to calling function P8: Check size of password string before memcpy P9: Updated readme Issue-ID: AAF-484 Change-Id: I213446012005f2919ee0912ccfe99c3a555ccb74 Signed-off-by: Kiran Kamineni --- TPM2-Plugin/README.md | 20 ++++++++++++----- TPM2-Plugin/lib/tpm2_plugin_api.c | 39 +++++++++++++++++++++++++++------ bin/caservicecontainer/import.sh | 20 +++++++++++------ bin/caservicecontainer/softhsmconfig.sh | 1 - 4 files changed, 60 insertions(+), 20 deletions(-) diff --git a/TPM2-Plugin/README.md b/TPM2-Plugin/README.md index 978495c..5d8183f 100644 --- a/TPM2-Plugin/README.md +++ b/TPM2-Plugin/README.md @@ -1,16 +1,26 @@ -## Introduction +# Introduction This is TPM2-Plugin to load asymetric key pairs to TPM2.0 module. The private part of keys can only be used for signing when it is loaded in TPM module. -### Build +Loading Password protected Primary Keys in plugin requires the setting of the +following ENVIRONMENT Variable: +``` +TPM_PRK_PASSWORD +``` +The plugin will read this and setup hmac appropriately for the session. +## Build +``` ./bootstrap ./configure --prefix test +``` -### Installation +## Installation and Uninstallation +``` make install +``` -###Uninstall - +``` make clean make distclean +``` \ No newline at end of file diff --git a/TPM2-Plugin/lib/tpm2_plugin_api.c b/TPM2-Plugin/lib/tpm2_plugin_api.c index c763ef3..c27ec55 100644 --- a/TPM2-Plugin/lib/tpm2_plugin_api.c +++ b/TPM2-Plugin/lib/tpm2_plugin_api.c 
@@ -277,11 +277,11 @@ int hex2ByteStructure(const char *inStr, UINT16 *byteLength, BYTE *byteBuffer) } return 0; } + int load_key(TSS2_SYS_CONTEXT *sapi_context, TPMI_DH_OBJECT parentHandle, TPM2B_PUBLIC *inPublic, - TPM2B_PRIVATE *inPrivate, - int P_flag) + TPM2B_PRIVATE *inPrivate) { UINT32 rval; TPMS_AUTH_RESPONSE sessionDataOut; @@ -304,9 +304,6 @@ int load_key(TSS2_SYS_CONTEXT *sapi_context, sessionData.sessionHandle = TPM_RS_PW; sessionData.nonce.t.size = 0; - if(P_flag == 0) - sessionData.hmac.t.size = 0; - *((UINT8 *)((void *)&sessionData.sessionAttributes)) = 0; if (sessionData.hmac.t.size > 0 && hexPasswd) { @@ -400,6 +397,29 @@ int read_public(TSS2_SYS_CONTEXT *sapi_context, return 0; } +/* +Reads the PRK_PASSWORD Environment variable +and populates that information into the +sessionData global environment variable +*/ +int readPassword() +{ + char *prk_passwd; + + sessionData.hmac.t.size = 0; + + prk_passwd = getenv("TPM_PRK_PASSWORD"); + if (prk_passwd != NULL) { + sessionData.hmac.t.size = strlen(prk_passwd); + if (sessionData.hmac.t.size > sizeof(sessionData.hmac.t.buffer)) { + return -1; + } + memcpy(sessionData.hmac.t.buffer, prk_passwd, sessionData.hmac.t.size); + return 0; + } + return 0; +} + TPMS_CONTEXT loaded_key_context; int load_key_execute(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info, @@ -443,11 +463,16 @@ int load_key_execute(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info, } } + // Read TPM_PRK_PASSWORD and setup sessionsData appropriately + if (readPassword() != 0) { + // Password read failure + return -1; + } + returnVal = load_key (sapi_context, parentHandle, &inPublic, - &inPrivate, - 0); + &inPrivate); returnVal = read_public(sapi_context, handle2048rsa, importkey_info); diff --git a/bin/caservicecontainer/import.sh b/bin/caservicecontainer/import.sh index f7aaca8..0efff37 100755 --- a/bin/caservicecontainer/import.sh +++ b/bin/caservicecontainer/import.sh 
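Review bot: In `readPassword()` the result of `strlen(prk_passwd)` is stored into `sessionData.hmac.t.size` before the bounds check, so the length is first narrowed to that field's width (presumably a 16-bit TPM2B size, to be confirmed). A very long value can then wrap and pass the check as a silently truncated password, and the `return -1` path leaves the oversized length behind in the global `sessionData`. Take the length into a local first, `size_t len = strlen(prk_passwd);`, then `if (len > sizeof(sessionData.hmac.t.buffer)) return -1;`, and only then assign the size and `memcpy`. The function would also read better as `static int readPassword(void)`. Its header comment should name `TPM_PRK_PASSWORD` (it says PRK_PASSWORD) and state that the password bytes stay in the global `sessionData` after the call, since nothing in this hunk clears them.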
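Review bot: The result of `load_key(...)` is overwritten by the very next statement, `returnVal = read_public(...)`, so as far as this hunk shows a failed load (for example, a wrong PRK password set up by `readPassword()`) is never reported to the caller. Check it before continuing, e.g. `if (returnVal != 0) return returnVal;` directly after the `load_key` call, or jump to the function's existing cleanup path if it has one. The new early `return -1` on password failure needs the same check against any teardown done later for `sapi_context`. The body of `load_key_execute` starts and ends outside the hunk, so that cannot be confirmed from here.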
@@ -1,17 +1,22 @@ #!/bin/bash # NOTE - This scripts expects the Init and the Duplicate tools to be already -# run and the output files(listedb in README) to be present at the +# run and the output files(listed in README) to be present at the # shared volume (input for Import tool) +# It also requires the following ENVIRONMENT variables to be set +# SECRETS_FOLDER - containing the srk_handl and prk_passwd files in base64 +# DATA_FOLDER - containing the files that are produced from the distcenter set -e +#Primary Key Password used by TPM Plugin to load keys +TPM_PRK_PASSWORD="$(cat ${SECRETS_FOLDER}/prk_passwd | base64 -d)" +#Handle to the aforementioned Primary Key +SRK_HANDLE="$(cat ${SECRETS_FOLDER}/srk_handle | base64 -d)" #Placeholder of Input files to the Import tool which is the output of duplicate tool -sharedvolume="/tmp/files" +sharedvolume="${DATA_FOLDER}" #key_id is the parameter expected by SoftHSM key_id="8738" -#TPM handle -tpm_handle="0x81000011" #Key_label is the parameter expected by SoftHSM key_label="ABC" #UserPin for the SoftHSM operations @@ -40,12 +45,13 @@ if [ -f ${sharedvolume}/out_parent_public ]; then # 2.b Run the Import Utility cd /tpm-util/bin - ./ossl_tpm_import -H $tpm_handle -dupPub dupPub -dupPriv dupPriv \ --dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv + ./ossl_tpm_import -H $SRK_HANDLE -dupPub dupPub -dupPriv dupPriv \ + -dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv \ + -password $TPM_PRK_PASSWORD cd / chmod 755 softhsmconfig.sh - ./softhsmconfig.sh $tpm_handle $key_id $key_label $upin $sopin $SoftHSMv2SlotID + ./softhsmconfig.sh $SRK_HANDLE $key_id $key_label $upin $sopin $SoftHSMv2SlotID else # 3 SoftHSM mode implementation diff --git a/bin/caservicecontainer/softhsmconfig.sh b/bin/caservicecontainer/softhsmconfig.sh index 5464263..316d507 100755 --- a/bin/caservicecontainer/softhsmconfig.sh +++ b/bin/caservicecontainer/softhsmconfig.sh 
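Review bot: `-password $TPM_PRK_PASSWORD` puts the primary-key password on the `ossl_tpm_import` command line, where anything that can read the process list sees it, and the unquoted expansion will word-split or glob a password containing spaces or `*`. At minimum quote it, `-password "$TPM_PRK_PASSWORD"`, and quote the reads as well, `TPM_PRK_PASSWORD="$(base64 -d < "${SECRETS_FOLDER}/prk_passwd")"`; handing the secret over by file or environment would avoid the argv exposure if the tool supports that, which the page does not show. Because the read is a `cat | base64 -d` pipeline with no `set -o pipefail`, a missing or unreadable `prk_passwd` (or an unset `SECRETS_FOLDER`) produces an empty password instead of stopping the script under `set -e`. The variable is also assigned without `export`, so unless the caller already exported it, child processes will not have it for the plugin's `getenv("TPM_PRK_PASSWORD")`. The header comment says `srk_handl` where the file actually read is `srk_handle`.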
@@ -17,7 +17,6 @@ echo "The newly assigned plugin directory is ${SSHSM_HW_PLUGINS_PARENT_DIR}" # Configuration generation for SoftHSM # 1.a Create the directory as expected by the SoftHSM to read the files -mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01 -- cgit 1.2.3-korg