v/gnome-autounlock-keyring
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: v:1893d4c90b7271173491ca5a3bfcdf5f86cf42ec
Branches Tags
v:main
...
compare: v:f114554dd7800bf0dd88a491b85be5aad6a91ad0
Branches Tags
v:main

2 commits
1893d4c90b ... f114554dd7

Author SHA1 Message Date
Victor
f114554dd7 tpm2 working 2023-12-19 09:00:07 +01:00
Victor
19a7f20162 tpm2 integration 2023-12-18 22:29:36 +01:00
11 changed files with 2022 additions and 53 deletions
Show stats Expand all files Collapse all files

1
.envrc Normal file
View file

@ -0,0 +1 @@
use flake

1
.gitignore vendored
View file

@ -1,2 +1,3 @@
/target
.idea/
.direnv

1108
Cargo.lock generated
View file

File diff suppressed because it is too large Load diff

14
Cargo.toml
View file

@ -6,4 +6,16 @@ edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
color-eyre = "0.6.2"
color-eyre = "0.6.2"
serde_json = "1"
serde = { version = "1", features = ["derive"] }
clap = { version = "4", features = ["derive"] }
rpassword = "7.3.1"
tss-esapi = { version = "7.2", features = ["generate-bindings"] }
josekit = "0.8.4"
base64 = { version = "0.21.5", features = [] }
tpm2-policy = "0.6.0"
dirs = "5"
[profile.release]
lto = "thin"

60
flake.lock generated Normal file
View file

@ -0,0 +1,60 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1702933230,
"narHash": "sha256-xi8AZ3noIXrgmKLR+ij+CeYFoUTKiQuTLL+aA7FRdRQ=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "4e2c5373180ecd17e41e879420be69dc642a6349",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

61
flake.nix Normal file
View file

@ -0,0 +1,61 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs";
flake-utils.url = "github:numtide/flake-utils";
};
outputs = { self, nixpkgs, flake-utils }:
flake-utils.lib.eachDefaultSystem (system:
let
cargoToml = (builtins.fromTOML (builtins.readFile ./Cargo.toml));
pkgs = nixpkgs.legacyPackages.${system};
inherit (pkgs) stdenv lib;
in rec {
packages.default = pkgs.rustPlatform.buildRustPackage {
pname = cargoToml.package.name;
version = cargoToml.package.version;
src = self;
cargoLock.lockFile = ./Cargo.lock;
doCheck = false;
nativeBuildInputs = with pkgs; [
llvmPackages.libclang
llvmPackages.libcxxClang
clang
pkg-config
];
LIBCLANG_PATH = "${pkgs.llvmPackages.libclang.lib}/lib";
buildInputs = with pkgs; [ openssl tpm2-tss ];
preBuild = ''
export BINDGEN_EXTRA_CLANG_ARGS="$(< ${stdenv.cc}/nix-support/libc-crt1-cflags) \
$(< ${stdenv.cc}/nix-support/libc-cflags) \
$(< ${stdenv.cc}/nix-support/cc-cflags) \
$(< ${stdenv.cc}/nix-support/libcxx-cxxflags) \
${
lib.optionalString stdenv.cc.isClang
"-idirafter ${stdenv.cc.cc}/lib/clang/${
lib.getVersion stdenv.cc.cc
}/include"
} \
${
lib.optionalString stdenv.cc.isGNU
"-isystem ${stdenv.cc.cc}/include/c++/${
lib.getVersion stdenv.cc.cc
} -isystem ${stdenv.cc.cc}/include/c++/${
lib.getVersion stdenv.cc.cc
}/${stdenv.hostPlatform.config} -idirafter ${stdenv.cc.cc}/lib/gcc/${stdenv.hostPlatform.config}/${
lib.getVersion stdenv.cc.cc
}/include"
} \
"
'';
};
devShell = pkgs.mkShell {
shellHook = "${packages.default.preBuild}";
inherit (packages.default) nativeBuildInputs buildInputs LIBCLANG_PATH;
};
});
}

1
result Symbolic link
View file

@ -0,0 +1 @@
/nix/store/bwvjqn0n9xljxk646l0rqj6m0ym221m7-gnome-autounlock-keyring-0.1.0

137
src/main.rs
View file

@ -1,8 +1,14 @@
mod tpm;
use clap::{Parser, Subcommand};
use color_eyre::eyre::{bail, eyre, WrapErr};
use std::env;
use std::fs::{read_to_string, File};
use std::io::{Read, Write};
use std::os::unix::net::UnixStream;
use std::path::{Path, PathBuf};
use std::path::PathBuf;
use std::process::exit;
use tpm::tpm_objects::TPM2Config;
fn get_control_socket() -> Option<PathBuf> {
let gnome_var = env::var("GNOME_KEYRING_CONTROL")
@ -18,6 +24,7 @@ fn get_control_socket() -> Option<PathBuf> {
gnome_var.or(xdg_var)
}
#[derive(Debug, Clone, Copy)]
enum ControlOp {
Initialize = 0,
Unlock = 1,
@ -31,7 +38,7 @@ impl ControlOp {
}
}
#[derive(Debug)]
#[derive(Debug, PartialEq, Eq)]
enum ControlResult {
Ok = 0,
Denied = 1,
@ -40,100 +47,126 @@ enum ControlResult {
}
impl ControlResult {
fn from_u32(n: u32) -> Option<ControlResult> {
match n {
0 => Some(ControlResult::Ok),
1 => Some(ControlResult::Denied),
2 => Some(ControlResult::Failed),
3 => Some(ControlResult::NoDaemon),
fn from_bytes(bytes: [u8; 4]) -> Option<Self> {
let num = u32::from_be_bytes(bytes);
match num {
0 => Some(Self::Ok),
1 => Some(Self::Denied),
3 => Some(Self::NoDaemon),
_ => None,
}
}
}
fn unlock_keyring(password: &str) -> color_eyre::Result<ControlResult> {
fn unlock_keyring(password: &[u8]) -> color_eyre::Result<ControlResult> {
let socket = get_control_socket()
.ok_or_else(|| eyre!("Could not find gnome keyring control socket path"))?;
let mut stream = UnixStream::connect(socket)
.wrap_err("Could not connect to the gnome keyring unix socket")?;
let ret = stream
.write(&[0])
stream
.write_all(&[0])
.wrap_err("could not write credential byte")?;
if ret != 1 {
bail!("writing cred byte failed")
}
// oplen is
// 8 = packet size + op code
// 4 size of length of pw byte
let oplen: u32 = 8 + 4 + password.len() as u32;
// write length
let ret = stream
.write(&oplen.to_be_bytes())
stream
.write_all(&oplen.to_be_bytes())
.wrap_err("could not write oplen")?;
if ret != 4 {
bail!("writing oplen failed")
}
// write unlock
let ret = stream
.write(&ControlOp::Unlock.to_bytes())
stream
.write_all(&ControlOp::Unlock.to_bytes())
.wrap_err("could not write unlock")?;
if ret != 4 {
bail!("writing unlock failed")
}
// write pw len
let ret = stream
.write(&(password.len() as u32).to_be_bytes())
stream
.write_all(&(password.len() as u32).to_be_bytes())
.wrap_err("could not write password length")?;
if ret != 4 {
bail!("writing pwlen failed")
}
let mut pw_buf = password.as_bytes();
while !pw_buf.is_empty() {
let ret = stream.write(pw_buf).wrap_err("writing password failed")?;
pw_buf = &pw_buf[ret..]
}
stream.write_all(password).wrap_err("writing pass failed")?;
let mut buf = [0; 4];
let val = stream
.read(&mut buf)
stream
.read_exact(&mut buf)
.wrap_err("could not read response length")?;
if val != 4 {
bail!("invalid response length length")
}
let len = u32::from_be_bytes(buf);
if len != 8 {
bail!("invalid response length");
}
let val = stream.read(&mut buf).wrap_err("could not read response")?;
if val != 4 {
bail!("invalid response length (2)")
}
stream
.read_exact(&mut buf)
.wrap_err("could not read response")?;
let resp = u32::from_be_bytes(buf);
let code = ControlResult::from_u32(resp).ok_or_else(|| eyre!("invalid resp"))?;
let code = ControlResult::from_bytes(buf).ok_or_else(|| eyre!("invalid control result"))?;
Ok(code)
}
#[derive(Parser)]
struct Cli {
/// Defaults to CONFIG_DIR/gnome-keyring.tpm2
#[arg(short, long)]
token_path: Option<PathBuf>,
#[command(subcommand)]
command: Commands,
}
#[derive(Subcommand)]
enum Commands {
/// Unlock gnome keyring using encrypted password stored in tpm
Unlock,
/// Enroll a password into the tpm to use when unlocking
Enroll,
}
fn main() -> color_eyre::Result<()> {
color_eyre::install().unwrap();
let cli = Cli::parse();
let res = unlock_keyring("example")?;
let token_path = cli
.token_path
.or(dirs::config_dir().map(|el| el.join("gnome-keyring.tpm2")))
.ok_or_else(|| eyre!("Token path not found"))?;
dbg!(res);
match cli.command {
Commands::Unlock => {
if token_path.exists() {
let token = read_to_string(token_path)?;
let password =
tpm::perform_decrypt(token.as_bytes()).map_err(|err| eyre!("{err:?}"))?;
let res = unlock_keyring(password.as_slice())?;
if res != ControlResult::Ok {
eprintln!("Failed to unlock keyring: {res:?}");
exit(2);
}
} else {
bail!("password token file not found")
}
println!("Unlocked keyring successfully")
}
Commands::Enroll => {
let password = rpassword::prompt_password("Password: ")?;
if unlock_keyring(password.as_bytes())? != ControlResult::Ok {
eprintln!("invalid password");
exit(3);
}
let token = tpm::perform_encrypt(TPM2Config::default(), password.as_bytes())
.map_err(|err| eyre!("{err:?}"))?;
let mut file = File::create(token_path)?;
file.write_all(token.as_bytes())?;
println!("Password enrolled successfully")
}
}
Ok(())
}

216
src/tpm/mod.rs Normal file
View file

@ -0,0 +1,216 @@
// Copyright 2020 Patrick Uiterwijk
//
// Licensed under the MIT license
use std::convert::{TryFrom, TryInto};
use color_eyre::{
eyre::{bail, Context, ContextCompat, Error},
Result,
};
use josekit::jwe::{alg::direct::DirectJweAlgorithm::Dir, enc::A256GCM};
use serde::{Deserialize, Serialize};
use tpm2_policy::TPMPolicyStep;
use tpm_objects::TPM2Config;
use tss_esapi::structures::SensitiveData;
pub mod tpm_objects;
pub mod utils;
pub fn perform_encrypt(cfg: TPM2Config, input: &[u8]) -> Result<String> {
let key_type = match &cfg.key {
None => "ecc",
Some(key_type) => key_type,
};
let key_public = tpm_objects::get_key_public(key_type, cfg.get_name_hash_alg())?;
let mut ctx = utils::get_tpm2_ctx()?;
let key_handle = utils::get_tpm2_primary_key(&mut ctx, key_public)?;
let policy_runner: TPMPolicyStep = TPMPolicyStep::try_from(&cfg)?;
let pin_type = match policy_runner {
TPMPolicyStep::NoStep => "tpm2",
TPMPolicyStep::PCRs(_, _, _) => "tpm2",
_ => "tpm2plus",
};
let (_, policy_digest) = policy_runner.send_policy(&mut ctx, true)?;
let mut jwk = josekit::jwk::Jwk::generate_oct_key(32).context("Error generating random JWK")?;
jwk.set_key_operations(vec!["encrypt", "decrypt"]);
let jwk_str = serde_json::to_string(&jwk.as_ref())?;
let public = tpm_objects::create_tpm2b_public_sealed_object(policy_digest)?.try_into()?;
let jwk_str = SensitiveData::try_from(jwk_str.as_bytes().to_vec())?;
let jwk_result = ctx.execute_with_nullauth_session(|ctx| {
ctx.create(key_handle, public, None, Some(jwk_str), None, None)
})?;
let jwk_priv = tpm_objects::get_tpm2b_private(jwk_result.out_private.into())?;
let jwk_pub = tpm_objects::get_tpm2b_public(jwk_result.out_public.try_into()?)?;
let private_hdr = ClevisInner {
pin: pin_type.to_string(),
tpm2: Tpm2Inner {
hash: cfg.hash.as_ref().unwrap_or(&"sha256".to_string()).clone(),
key: key_type.to_string(),
jwk_pub,
jwk_priv,
pcr_bank: cfg.pcr_bank.clone(),
pcr_ids: cfg.get_pcr_ids_str(),
policy_pubkey_path: cfg.policy_pubkey_path,
policy_ref: cfg.policy_ref,
policy_path: cfg.policy_path,
},
};
let mut hdr = josekit::jwe::JweHeader::new();
hdr.set_algorithm(Dir.name());
hdr.set_content_encryption(A256GCM.name());
hdr.set_claim(
"clevis",
Some(serde_json::value::to_value(private_hdr).context("Error serializing private header")?),
)
.context("Error adding clevis claim")?;
let encrypter = Dir
.encrypter_from_jwk(&jwk)
.context("Error creating direct encrypter")?;
let jwe_token = josekit::jwe::serialize_compact(input, &hdr, &encrypter)
.context("Error serializing JWE token")?;
Ok(jwe_token)
}
#[derive(Debug, Serialize, Deserialize, Clone)]
struct Tpm2Inner {
hash: String,
#[serde(
deserialize_with = "utils::deserialize_as_base64_url_no_pad",
serialize_with = "utils::serialize_as_base64_url_no_pad"
)]
jwk_priv: Vec<u8>,
#[serde(
deserialize_with = "utils::deserialize_as_base64_url_no_pad",
serialize_with = "utils::serialize_as_base64_url_no_pad"
)]
jwk_pub: Vec<u8>,
key: String,
// PCR Binding may be specified, may not
#[serde(skip_serializing_if = "Option::is_none")]
pcr_bank: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pcr_ids: Option<String>,
// Public key (in PEM format) for a wildcard policy that's OR'd with the PCR one
#[serde(skip_serializing_if = "Option::is_none")]
policy_pubkey_path: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
policy_ref: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
policy_path: Option<String>,
}
impl Tpm2Inner {
fn get_pcr_ids(&self) -> Option<Vec<u64>> {
Some(
self.pcr_ids
.as_ref()?
.split(',')
.map(|x| x.parse::<u64>().unwrap())
.collect(),
)
}
}
impl TryFrom<&Tpm2Inner> for TPMPolicyStep {
type Error = Error;
fn try_from(cfg: &Tpm2Inner) -> Result<Self> {
if cfg.pcr_ids.is_some() && cfg.policy_pubkey_path.is_some() {
Ok(TPMPolicyStep::Or([
Box::new(TPMPolicyStep::PCRs(
utils::get_hash_alg_from_name(cfg.pcr_bank.as_ref()),
cfg.get_pcr_ids().unwrap(),
Box::new(TPMPolicyStep::NoStep),
)),
Box::new(utils::get_authorized_policy_step(
cfg.policy_pubkey_path.as_ref().unwrap(),
&cfg.policy_path,
&cfg.policy_ref,
)?),
Box::new(TPMPolicyStep::NoStep),
Box::new(TPMPolicyStep::NoStep),
Box::new(TPMPolicyStep::NoStep),
Box::new(TPMPolicyStep::NoStep),
Box::new(TPMPolicyStep::NoStep),
Box::new(TPMPolicyStep::NoStep),
]))
} else if cfg.pcr_ids.is_some() {
Ok(TPMPolicyStep::PCRs(
utils::get_hash_alg_from_name(cfg.pcr_bank.as_ref()),
cfg.get_pcr_ids().unwrap(),
Box::new(TPMPolicyStep::NoStep),
))
} else if cfg.policy_pubkey_path.is_some() {
utils::get_authorized_policy_step(
cfg.policy_pubkey_path.as_ref().unwrap(),
&cfg.policy_path,
&cfg.policy_ref,
)
} else {
Ok(TPMPolicyStep::NoStep)
}
}
}
#[derive(Debug, Serialize, Deserialize, Clone)]
struct ClevisInner {
pin: String,
tpm2: Tpm2Inner,
}
pub fn perform_decrypt(input: &[u8]) -> Result<Vec<u8>> {
let input = String::from_utf8(input.to_vec()).context("Error reading input")?;
let hdr = josekit::jwt::decode_header(&input).context("Error decoding header")?;
let hdr_clevis = hdr.claim("clevis").context("Error getting clevis claim")?;
let hdr_clevis: ClevisInner =
serde_json::from_value(hdr_clevis.clone()).context("Error deserializing clevis header")?;
if hdr_clevis.pin != "tpm2" && hdr_clevis.pin != "tpm2plus" {
bail!("JWE pin mismatch");
}
let jwkpub = tpm_objects::build_tpm2b_public(&hdr_clevis.tpm2.jwk_pub)?.try_into()?;
let jwkpriv = tpm_objects::build_tpm2b_private(&hdr_clevis.tpm2.jwk_priv)?;
let policy = TPMPolicyStep::try_from(&hdr_clevis.tpm2)?;
let name_alg = utils::get_hash_alg_from_name(Some(&hdr_clevis.tpm2.hash));
let key_public = tpm_objects::get_key_public(hdr_clevis.tpm2.key.as_str(), name_alg)?;
let mut ctx = utils::get_tpm2_ctx()?;
let key_handle = utils::get_tpm2_primary_key(&mut ctx, key_public)?;
let key =
ctx.execute_with_nullauth_session(|ctx| ctx.load(key_handle, jwkpriv.try_into()?, jwkpub))?;
let (policy_session, _) = policy.send_policy(&mut ctx, false)?;
let unsealed = ctx.execute_with_session(policy_session, |ctx| ctx.unseal(key.into()))?;
let unsealed = &unsealed.value();
let mut jwk = josekit::jwk::Jwk::from_bytes(unsealed).context("Error unmarshaling JWK")?;
jwk.set_parameter("alg", None)
.context("Error removing the alg parameter")?;
let decrypter = Dir
.decrypter_from_jwk(&jwk)
.context("Error creating decrypter")?;
let (payload, _) =
josekit::jwe::deserialize_compact(&input, &decrypter).context("Error decrypting JWE")?;
Ok(payload)
}

366
src/tpm/tpm_objects.rs Normal file
View file

@ -0,0 +1,366 @@
use color_eyre::eyre::{bail, eyre, Context, Error};
use std::convert::TryFrom;
use super::utils::get_authorized_policy_step;
use color_eyre::Result;
use serde::{Deserialize, Serialize};
use tpm2_policy::TPMPolicyStep;
use tss_esapi::{
attributes::object::ObjectAttributesBuilder,
constants::tss as tss_constants,
interface_types::{
algorithm::{HashingAlgorithm, PublicAlgorithm},
ecc::EccCurve,
},
structures::{Digest, Public, SymmetricDefinitionObject},
};
#[derive(Serialize, Deserialize, Default, std::fmt::Debug)]
pub struct TPM2Config {
pub hash: Option<String>,
pub key: Option<String>,
pub pcr_bank: Option<String>,
// PCR IDs can be passed in as comma-separated string or json array
pub pcr_ids: Option<serde_json::Value>,
pub pcr_digest: Option<String>,
// Whether to use a policy. If this is specified without pubkey path or policy path, they get set to defaults
pub use_policy: Option<bool>,
// Public key (in JSON format) for a wildcard policy that's possibly OR'd with the PCR one
pub policy_pubkey_path: Option<String>,
pub policy_ref: Option<String>,
pub policy_path: Option<String>,
}
impl TryFrom<&TPM2Config> for TPMPolicyStep {
type Error = Error;
fn try_from(cfg: &TPM2Config) -> Result<Self> {
if cfg.pcr_ids.is_some() && cfg.policy_pubkey_path.is_some() {
Ok(TPMPolicyStep::Or([
Box::new(TPMPolicyStep::PCRs(
cfg.get_pcr_hash_alg(),
cfg.get_pcr_ids().unwrap(),
Box::new(TPMPolicyStep::NoStep),
)),
Box::new(get_authorized_policy_step(
cfg.policy_pubkey_path.as_ref().unwrap(),
&None,
&cfg.policy_ref,
)?),
Box::new(TPMPolicyStep::NoStep),
Box::new(TPMPolicyStep::NoStep),
Box::new(TPMPolicyStep::NoStep),
Box::new(TPMPolicyStep::NoStep),
Box::new(TPMPolicyStep::NoStep),
Box::new(TPMPolicyStep::NoStep),
]))
} else if cfg.pcr_ids.is_some() {
Ok(TPMPolicyStep::PCRs(
cfg.get_pcr_hash_alg(),
cfg.get_pcr_ids().unwrap(),
Box::new(TPMPolicyStep::NoStep),
))
} else if cfg.policy_pubkey_path.is_some() {
get_authorized_policy_step(
cfg.policy_pubkey_path.as_ref().unwrap(),
&None,
&cfg.policy_ref,
)
} else {
Ok(TPMPolicyStep::NoStep)
}
}
}
const DEFAULT_POLICY_PATH: &str = "/boot/clevis_policy.json";
const DEFAULT_PUBKEY_PATH: &str = "/boot/clevis_pubkey.json";
const DEFAULT_POLICY_REF: &str = "";
impl TPM2Config {
pub(super) fn get_pcr_hash_alg(
&self,
) -> tss_esapi::interface_types::algorithm::HashingAlgorithm {
super::utils::get_hash_alg_from_name(self.pcr_bank.as_ref())
}
pub(super) fn get_name_hash_alg(
&self,
) -> tss_esapi::interface_types::algorithm::HashingAlgorithm {
super::utils::get_hash_alg_from_name(self.hash.as_ref())
}
pub(super) fn get_pcr_ids(&self) -> Option<Vec<u64>> {
match &self.pcr_ids {
None => None,
Some(serde_json::Value::Array(vals)) => {
Some(vals.iter().map(|x| x.as_u64().unwrap()).collect())
}
_ => panic!("Unexpected type found for pcr_ids"),
}
}
pub(super) fn get_pcr_ids_str(&self) -> Option<String> {
match &self.pcr_ids {
None => None,
Some(serde_json::Value::Array(vals)) => Some(
vals.iter()
.map(|x| x.as_u64().unwrap().to_string())
.collect::<Vec<String>>()
.join(","),
),
_ => panic!("Unexpected type found for pcr_ids"),
}
}
pub fn normalize(mut self) -> Result<TPM2Config> {
self.normalize_pcr_ids()?;
if self.pcr_ids.is_some() && self.pcr_bank.is_none() {
self.pcr_bank = Some("sha256".to_string());
}
// Make use of the defaults if not specified
if self.use_policy.is_some() && self.use_policy.unwrap() {
if self.policy_path.is_none() {
self.policy_path = Some(DEFAULT_POLICY_PATH.to_string());
}
if self.policy_pubkey_path.is_none() {
self.policy_pubkey_path = Some(DEFAULT_PUBKEY_PATH.to_string());
}
if self.policy_ref.is_none() {
self.policy_ref = Some(DEFAULT_POLICY_REF.to_string());
}
} else if self.policy_pubkey_path.is_some()
|| self.policy_path.is_some()
|| self.policy_ref.is_some()
{
eprintln!("To use a policy, please specifiy use_policy: true. Not specifying this will be a fatal error in a next release");
}
if (self.policy_pubkey_path.is_some()
|| self.policy_path.is_some()
|| self.policy_ref.is_some())
&& (self.policy_pubkey_path.is_none()
|| self.policy_path.is_none()
|| self.policy_ref.is_none())
{
bail!("Not all of policy pubkey, path and ref are specified",);
}
Ok(self)
}
fn normalize_pcr_ids(&mut self) -> Result<()> {
// Normalize from array with one string to just string
if let Some(serde_json::Value::Array(vals)) = &self.pcr_ids {
if vals.len() == 1 {
if let serde_json::Value::String(val) = &vals[0] {
self.pcr_ids = Some(serde_json::Value::String(val.to_string()));
}
}
}
// Normalize pcr_ids from comma-separated string to array
if let Some(serde_json::Value::String(val)) = &self.pcr_ids {
// Was a string, do a split
let newval: Vec<serde_json::Value> = val
.split(',')
.map(|x| serde_json::Value::String(x.trim().to_string()))
.collect();
self.pcr_ids = Some(serde_json::Value::Array(newval));
}
// Normalize pcr_ids from array of Strings to array of Numbers
if let Some(serde_json::Value::Array(vals)) = &self.pcr_ids {
let newvals: Result<Vec<serde_json::Value>, _> = vals
.iter()
.map(|x| match x {
serde_json::Value::String(val) => {
match val.trim().parse::<serde_json::Number>() {
Ok(res) => {
let new = serde_json::Value::Number(res);
if !new.is_u64() {
bail!("Non-positive string int");
}
Ok(new)
}
Err(_) => Err(eyre!("Unparseable string int")),
}
}
serde_json::Value::Number(n) => {
let new = serde_json::Value::Number(n.clone());
if !new.is_u64() {
return Err(eyre!("Non-positive int"));
}
Ok(new)
}
_ => Err(eyre!("Invalid value in pcr_ids")),
})
.collect();
self.pcr_ids = Some(serde_json::Value::Array(newvals?));
}
match &self.pcr_ids {
None => Ok(()),
// The normalization above would've caught any non-ints
Some(serde_json::Value::Array(_)) => Ok(()),
_ => Err(eyre!("Invalid type")),
}
}
}
#[cfg(target_pointer_width = "64")]
type Sizedu = u64;
#[cfg(target_pointer_width = "32")]
type Sizedu = u32;
pub(super) fn get_key_public(
key_type: &str,
name_alg: HashingAlgorithm,
) -> color_eyre::Result<Public> {
let object_attributes = ObjectAttributesBuilder::new()
.with_fixed_tpm(true)
.with_fixed_parent(true)
.with_sensitive_data_origin(true)
.with_user_with_auth(true)
.with_decrypt(true)
.with_sign_encrypt(false)
.with_restricted(true)
.build()?;
let builder = tss_esapi::structures::PublicBuilder::new()
.with_object_attributes(object_attributes)
.with_name_hashing_algorithm(name_alg);
match key_type {
"ecc" => builder
.with_public_algorithm(PublicAlgorithm::Ecc)
.with_ecc_parameters(
tss_esapi::structures::PublicEccParametersBuilder::new_restricted_decryption_key(
SymmetricDefinitionObject::AES_128_CFB,
EccCurve::NistP256,
)
.build()?,
)
.with_ecc_unique_identifier(Default::default()),
"rsa" => builder
.with_public_algorithm(PublicAlgorithm::Rsa)
.with_rsa_parameters(
tss_esapi::structures::PublicRsaParametersBuilder::new_restricted_decryption_key(
SymmetricDefinitionObject::AES_128_CFB,
tss_esapi::interface_types::key_bits::RsaKeyBits::Rsa2048,
tss_esapi::structures::RsaExponent::ZERO_EXPONENT,
)
.build()?,
)
.with_rsa_unique_identifier(Default::default()),
_ => return Err(eyre!("Unsupported key type used")),
}
.build()
.context("Error building public key")
}
pub(super) fn create_tpm2b_public_sealed_object(
policy: Option<Digest>,
) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC> {
let mut object_attributes = ObjectAttributesBuilder::new()
.with_fixed_tpm(true)
.with_fixed_parent(true)
.with_no_da(true)
.with_admin_with_policy(true);
if policy.is_none() {
object_attributes = object_attributes.with_user_with_auth(true);
}
let policy = match policy {
Some(p) => p,
None => Digest::try_from(vec![])?,
};
let mut params: tss_esapi::tss2_esys::TPMU_PUBLIC_PARMS = Default::default();
params.keyedHashDetail.scheme.scheme = tss_constants::TPM2_ALG_NULL;
Ok(tss_esapi::tss2_esys::TPM2B_PUBLIC {
size: std::mem::size_of::<tss_esapi::tss2_esys::TPMT_PUBLIC>() as u16,
publicArea: tss_esapi::tss2_esys::TPMT_PUBLIC {
type_: tss_constants::TPM2_ALG_KEYEDHASH,
nameAlg: tss_constants::TPM2_ALG_SHA256,
objectAttributes: object_attributes.build()?.0,
authPolicy: tss_esapi::tss2_esys::TPM2B_DIGEST::from(policy),
parameters: params,
unique: Default::default(),
},
})
}
pub(super) fn get_tpm2b_public(val: tss_esapi::tss2_esys::TPM2B_PUBLIC) -> Result<Vec<u8>> {
let mut offset = 0 as Sizedu;
let mut resp = Vec::with_capacity((val.size + 4) as usize);
unsafe {
let res = tss_esapi::tss2_esys::Tss2_MU_TPM2B_PUBLIC_Marshal(
&val,
resp.as_mut_ptr(),
resp.capacity() as Sizedu,
&mut offset,
);
if res != 0 {
bail!("Marshalling tpm2b_public failed");
}
resp.set_len(offset as usize);
}
Ok(resp)
}
pub(super) fn get_tpm2b_private(val: tss_esapi::tss2_esys::TPM2B_PRIVATE) -> Result<Vec<u8>> {
let mut offset = 0 as Sizedu;
let mut resp = Vec::with_capacity((val.size + 4) as usize);
unsafe {
let res = tss_esapi::tss2_esys::Tss2_MU_TPM2B_PRIVATE_Marshal(
&val,
resp.as_mut_ptr(),
resp.capacity() as Sizedu,
&mut offset,
);
if res != 0 {
bail!("Marshalling tpm2b_private failed");
}
resp.set_len(offset as usize);
}
Ok(resp)
}
pub(super) fn build_tpm2b_private(val: &[u8]) -> Result<tss_esapi::tss2_esys::TPM2B_PRIVATE> {
let mut resp = tss_esapi::tss2_esys::TPM2B_PRIVATE::default();
let mut offset = 0 as Sizedu;
unsafe {
let res = tss_esapi::tss2_esys::Tss2_MU_TPM2B_PRIVATE_Unmarshal(
val[..].as_ptr(),
val.len() as Sizedu,
&mut offset,
&mut resp,
);
if res != 0 {
bail!("Unmarshalling tpm2b_private failed");
}
}
Ok(resp)
}
pub(super) fn build_tpm2b_public(val: &[u8]) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC> {
let mut resp = tss_esapi::tss2_esys::TPM2B_PUBLIC::default();
let mut offset = 0 as Sizedu;
unsafe {
let res = tss_esapi::tss2_esys::Tss2_MU_TPM2B_PUBLIC_Unmarshal(
val[..].as_ptr(),
val.len() as Sizedu,
&mut offset,
&mut resp,
);
if res != 0 {
bail!("Unmarshalling tpm2b_public failed");
}
}
Ok(resp)
}

110
src/tpm/utils.rs Normal file
View file

@ -0,0 +1,110 @@
use std::env;
use std::fs;
use std::str::FromStr;
use base64::engine::general_purpose::URL_SAFE_NO_PAD;
use base64::Engine;
use color_eyre::eyre::WrapErr;
use color_eyre::Result;
use serde::Deserialize;
use tpm2_policy::{PublicKey, SignedPolicyList, TPMPolicyStep};
use tss_esapi::{
handles::KeyHandle,
interface_types::{algorithm::HashingAlgorithm, resource_handles::Hierarchy},
structures::Public,
Context, Tcti,
};
pub(crate) fn get_authorized_policy_step(
policy_pubkey_path: &str,
policy_path: &Option<String>,
policy_ref: &Option<String>,
) -> Result<TPMPolicyStep> {
let policy_ref = match policy_ref {
Some(policy_ref) => policy_ref.as_bytes().to_vec(),
None => vec![],
};
let signkey = {
let contents =
fs::read_to_string(policy_pubkey_path).context("Error reading policy signkey")?;
serde_json::from_str::<PublicKey>(&contents)
.context("Error deserializing signing public key")?
};
let policies = match policy_path {
None => None,
Some(policy_path) => {
let contents = fs::read_to_string(policy_path).context("Error reading policy")?;
Some(
serde_json::from_str::<SignedPolicyList>(&contents)
.context("Error deserializing policy")?,
)
}
};
Ok(TPMPolicyStep::Authorized {
signkey,
policy_ref,
policies,
next: Box::new(TPMPolicyStep::NoStep),
})
}
pub(crate) fn get_hash_alg_from_name(name: Option<&String>) -> HashingAlgorithm {
match name {
None => HashingAlgorithm::Sha256,
Some(val) => match val.to_lowercase().as_str() {
"sha1" => HashingAlgorithm::Sha1,
"sha256" => HashingAlgorithm::Sha256,
"sha384" => HashingAlgorithm::Sha384,
"sha512" => HashingAlgorithm::Sha512,
_ => panic!("Unsupported hash algo: {:?}", name),
},
}
}
pub(crate) fn serialize_as_base64_url_no_pad<S>(
bytes: &[u8],
serializer: S,
) -> Result<S::Ok, S::Error>
where
S: serde::Serializer,
{
serializer.serialize_str(&URL_SAFE_NO_PAD.encode(bytes))
}
pub(crate) fn deserialize_as_base64_url_no_pad<'de, D>(deserializer: D) -> Result<Vec<u8>, D::Error>
where
D: serde::Deserializer<'de>,
{
String::deserialize(deserializer).and_then(|string| {
URL_SAFE_NO_PAD
.decode(string)
.map_err(serde::de::Error::custom)
})
}
pub(crate) fn get_tpm2_ctx() -> Result<tss_esapi::Context> {
let tcti_path = match env::var("TCTI") {
Ok(val) => val,
Err(_) => {
if std::path::Path::new("/dev/tpmrm0").exists() {
"device:/dev/tpmrm0".to_string()
} else {
"device:/dev/tpm0".to_string()
}
}
};
let tcti = Tcti::from_str(&tcti_path).context("Error parsing TCTI specification")?;
Context::new(tcti).context("Error initializing TPM2 context")
}
pub(crate) fn get_tpm2_primary_key(ctx: &mut Context, pub_template: Public) -> Result<KeyHandle> {
ctx.execute_with_nullauth_session(|ctx| {
ctx.create_primary(Hierarchy::Owner, pub_template, None, None, None, None)
.map(|r| r.key_handle)
})
.map_err(|e| e.into())
}