From 993da58a612238bf2dd53a015dfdb2a6c0eb00b9 Mon Sep 17 00:00:00 2001 From: jetwhiz Date: Mon, 22 Apr 2019 09:48:56 -0400 Subject: [PATCH 1/6] Wire up support for ak auth password in tpm2_quote tool Add regression test Signed-off-by: jetwhiz --- test/system/test_tpm2_quote.sh | 9 ++++++++- tools/tpm2_quote.c | 11 ++++++++--- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/test/system/test_tpm2_quote.sh b/test/system/test_tpm2_quote.sh index d845ea1bdb1..231bed326ec 100755 --- a/test/system/test_tpm2_quote.sh +++ b/test/system/test_tpm2_quote.sh @@ -50,6 +50,7 @@ file_quote_key_ctx=ctx_load_out_"$alg_primary_obj"_"$alg_primary_key"-"$alg_crea Handle_ak_quote=0x81010016 Handle_ek_quote=0x81010017 Handle_ak_quote2=0x81010018 +Handle_ak_quote3=0x81010019 maxdigest=$(tpm2_getcap -c properties-fixed | grep TPM_PT_MAX_DIGEST | sed -r -e 's/.*(0x[0-9a-f]+)/\1/g') if ! [[ "$maxdigest" =~ ^(0x)*[0-9]+$ ]] ; then @@ -73,6 +74,7 @@ cleanup() { tpm2_evictcontrol -Q -Ao -H $Handle_ek_quote 2>/dev/null || true tpm2_evictcontrol -Q -Ao -H $Handle_ak_quote 2>/dev/null || true tpm2_evictcontrol -Q -Ao -H $Handle_ak_quote2 2>/dev/null || true + tpm2_evictcontrol -Q -Ao -H $Handle_ak_quote3 2>/dev/null || true } trap cleanup EXIT @@ -104,4 +106,9 @@ tpm2_getpubak -Q -E $Handle_ek_quote -k $Handle_ak_quote2 -f ak.pub2 -n ak.nam tpm2_quote -Q -k $Handle_ak_quote -g $alg_quote -l 16,17,18 -q $nonce -exit 0 +#####AK with password +tpm2_getpubak -Q -E $Handle_ek_quote -k $Handle_ak_quote3 -f ak.pub2 -n ak.name_2 -P abc123 + +tpm2_quote -Q -k $Handle_ak_quote3 -g $alg_quote -l 16,17,18 -q $nonce -P abc123 + +exit 0 \ No newline at end of file diff --git a/tools/tpm2_quote.c b/tools/tpm2_quote.c index 3538947db31..05b6d641656 100644 --- a/tools/tpm2_quote.c +++ b/tools/tpm2_quote.c @@ -50,7 +50,7 @@ typedef struct { UINT32 id[24]; } PCR_LIST; -static TPMS_AUTH_COMMAND sessionData; +static TPMS_AUTH_COMMAND sessionData = TPMS_AUTH_COMMAND_INIT(TPM2_RS_PW); static char *outFilePath; static char *signature_path; static char *message_path; @@ -60,7 +60,7 @@ static TPM2B_DATA qualifyingData = TPM2B_EMPTY_INIT; static TPML_PCR_SELECTION pcrSelections; static bool is_auth_session; static TPMI_SH_AUTH_SESSION auth_session_handle; -static int k_flag, c_flag, l_flag, g_flag, L_flag, o_flag, G_flag; +static int k_flag, c_flag, l_flag, g_flag, L_flag, o_flag, G_flag, P_flag; static char *contextFilePath; static TPM2_HANDLE akHandle; @@ -94,7 +94,7 @@ static int quote(TSS2_SYS_CONTEXT *sapi_context, TPM2_HANDLE akHandle, TPML_PCR_ { UINT32 rval; TPMT_SIG_SCHEME inScheme; - TSS2L_SYS_AUTH_COMMAND sessionsData = { 1, {{.sessionHandle=TPM2_RS_PW}}}; + TSS2L_SYS_AUTH_COMMAND sessionsData = { 1, { sessionData }}; TSS2L_SYS_AUTH_RESPONSE sessionsDataOut; TPM2B_ATTEST quoted = TPM2B_TYPE_INIT(TPM2B_ATTEST, attestationData); TPMT_SIGNATURE signature; @@ -152,6 +152,7 @@ static bool on_option(char key, char *value) { LOG_ERR("Invalid AK password, got\"%s\"", value); return false; } + P_flag = 1; } break; case 'l': if(!pcr_parse_list(value, strlen(value), &pcrSelections.pcrSelections[0])) @@ -265,5 +266,9 @@ int tpm2_tool_onrun(TSS2_SYS_CONTEXT *sapi_context, tpm2_option_flags flags) { } } + if (P_flag == 0) { + sessionData.hmac.size = 0; + } + return quote(sapi_context, akHandle, &pcrSelections); } -- 2.21.0