From cd713d4de6c3d08478d6f6ca27b0f9e1afd439fe Mon Sep 17 00:00:00 2001
From: Kiran Kamineni
Date: Tue, 18 Sep 2018 11:58:58 -0700
Subject: Add support for PRK password in TPM plugin

PRK Password needs to be passed to TPM Plugin for load key operations to work.

P7: Moved readPassword to calling function
P8: Check size of password string before memcpy
P9: Updated readme

Issue-ID: AAF-484
Change-Id: I213446012005f2919ee0912ccfe99c3a555ccb74
Signed-off-by: Kiran Kamineni
---
 TPM2-Plugin/README.md             | 20 +++++++++++++++-----
 TPM2-Plugin/lib/tpm2_plugin_api.c | 39 ++++++++++++++++++++++++++++++++-------
 2 files changed, 47 insertions(+), 12 deletions(-)

(limited to 'TPM2-Plugin')

diff --git a/TPM2-Plugin/README.md b/TPM2-Plugin/README.md
index 978495c..5d8183f 100644
--- a/TPM2-Plugin/README.md
+++ b/TPM2-Plugin/README.md
@@ -1,16 +1,26 @@
-## Introduction
+# Introduction
 
 This is TPM2-Plugin to load asymetric key pairs to TPM2.0 module.
 The private part of keys can only be used for signing when it is loaded in TPM module.
 
-### Build
+Loading Password protected Primary Keys in plugin requires the setting of the
+following ENVIRONMENT Variable:
+```
+TPM_PRK_PASSWORD
+```
+The plugin will read this and setup hmac appropriately for the session.
+## Build
+```
 ./bootstrap
 ./configure --prefix test
+```
 
-### Installation
+## Installation and Uninstallation
+```
 make install
+```
 
-###Uninstall
-
+```
 make clean
 make distclean
+```
\ No newline at end of file
diff --git a/TPM2-Plugin/lib/tpm2_plugin_api.c b/TPM2-Plugin/lib/tpm2_plugin_api.c
index c763ef3..c27ec55 100644
--- a/TPM2-Plugin/lib/tpm2_plugin_api.c
+++ b/TPM2-Plugin/lib/tpm2_plugin_api.c
@@ -277,11 +277,11 @@ int hex2ByteStructure(const char *inStr, UINT16 *byteLength, BYTE *byteBuffer)
     }
     return 0;
 }
+
 int load_key(TSS2_SYS_CONTEXT *sapi_context,
              TPMI_DH_OBJECT parentHandle,
              TPM2B_PUBLIC *inPublic,
-             TPM2B_PRIVATE *inPrivate,
-             int P_flag)
+             TPM2B_PRIVATE *inPrivate)
 {
     UINT32 rval;
     TPMS_AUTH_RESPONSE sessionDataOut;
@@ -304,9 +304,6 @@ int load_key(TSS2_SYS_CONTEXT *sapi_context,
     sessionData.sessionHandle = TPM_RS_PW;
     sessionData.nonce.t.size = 0;
 
-    if(P_flag == 0)
-        sessionData.hmac.t.size = 0;
-
     *((UINT8 *)((void *)&sessionData.sessionAttributes)) = 0;
 
     if (sessionData.hmac.t.size > 0 && hexPasswd) {
@@ -400,6 +397,29 @@ int read_public(TSS2_SYS_CONTEXT *sapi_context,
     return 0;
 }
 
+/*
+Reads the PRK_PASSWORD Environment variable
+and populates that information into the
+sessionData global environment variable
+*/
+int readPassword()
+{
+    char *prk_passwd;
+
+    sessionData.hmac.t.size = 0;
+
+    prk_passwd = getenv("TPM_PRK_PASSWORD");
+    if (prk_passwd != NULL) {
+        sessionData.hmac.t.size = strlen(prk_passwd);
+        if (sessionData.hmac.t.size > sizeof(sessionData.hmac.t.buffer)) {
+            return -1;
+        }
+        memcpy(sessionData.hmac.t.buffer, prk_passwd, sessionData.hmac.t.size);
+        return 0;
+    }
+    return 0;
+}
+
 TPMS_CONTEXT loaded_key_context;
 
 int load_key_execute(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info,
@@ -443,11 +463,16 @@ int load_key_execute(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info,
         }
     }
 
+    // Read TPM_PRK_PASSWORD and setup sessionsData appropriately
+    if (readPassword() != 0) {
+        // Password read failure
+        return -1;
+    }
+
     returnVal = load_key (sapi_context,
                           parentHandle,
                           &inPublic,
-                          &inPrivate,
-                          0);
+                          &inPrivate);
 
     returnVal = read_public(sapi_context, handle2048rsa, importkey_info);
 
-- cgit 1.2.3-korg
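Review bot: With the `P_flag == 0` reset removed, load_key no longer initialises `sessionData.hmac.t.size` itself, so the auth value it sends is whatever the file-scope sessionData holds at call time: a caller that reaches load_key without going through readPassword() first, or a later load in the same process, authenticates with stale hmac bytes left over from an earlier call. Document the precondition at the function head, which is outside this hunk, e.g. `/* Caller must populate sessionData.hmac (e.g. via readPassword()) before calling; size 0 means no parent auth. */`, or better, pass the auth value in as a parameter instead of relying on the global. The `hexPasswd` branch on the last context line presumably post-processes the hmac buffer when that global is set; confirm its behaviour is right for a raw value copied from TPM_PRK_PASSWORD, since I cannot see its body here.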
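Review bot: `sessionData.hmac.t.size = strlen(prk_passwd)` narrows the length into the TPM2B size field (a UINT16 in the TSS types, not visible here) before the bounds check on the next line, so an over-long value can wrap to a small size and be accepted with a truncated password instead of being rejected; compute the length first and assign only after the check: `size_t len = strlen(prk_passwd);` / `if (len > sizeof(sessionData.hmac.t.buffer)) return -1;` / `sessionData.hmac.t.size = (UINT16)len;`. The password also stays readable for the life of the process in two places the hunk does nothing about, the environment (inherited by every child and exposed through the process environment) and the file-scope sessionData buffer; nothing visible here clears either, so the README and this comment should say so and the caller should wipe `sessionData.hmac` once the load is done. `int readPassword()` should be `static int readPassword(void)` unless it is meant to be part of the exported plugin interface, and the header comment names `PRK_PASSWORD` while the code reads `TPM_PRK_PASSWORD`. The inner `return 0;` after the memcpy is redundant with the one that follows it.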
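Review bot: The result of `load_key(...)` is overwritten by `returnVal = read_public(...)` on the very next statement without being checked, so a failed key load, including a TPM auth failure caused by a wrong or missing TPM_PRK_PASSWORD, which is exactly the path this commit adds, is never reported and the code carries on to read_public regardless; add `if (returnVal != 0) return returnVal;` between the two calls (assuming load_key returns non-zero on failure, which this hunk does not show). The new early `return -1` on readPassword() failure happens after whatever setup load_key_execute has already done, and the function starts outside the hunk, so confirm nothing acquired earlier (the sapi_context, for instance) needs releasing on that path and record the reason: `// TPM_PRK_PASSWORD longer than the TPM2B_AUTH buffer; nothing acquired yet to release`. The added comment's `sessionsData` should read `sessionData`.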