2020-08-03 17:07:04 +02:00
|
|
|
use std::fs;
|
|
|
|
use std::str::FromStr;
|
|
|
|
|
2020-08-13 10:42:18 +02:00
|
|
|
use tss_esapi::constants::algorithm::HashingAlgorithm;
|
|
|
|
use tss_esapi::constants::tss as tss_constants;
|
2020-08-03 17:07:04 +02:00
|
|
|
use tss_esapi::tss2_esys::{ESYS_TR, ESYS_TR_NONE, ESYS_TR_RH_OWNER};
|
|
|
|
use tss_esapi::Context;
|
2020-08-13 10:42:18 +02:00
|
|
|
use tss_esapi::Tcti;
|
2020-08-03 17:07:04 +02:00
|
|
|
|
|
|
|
use serde::Deserialize;
|
|
|
|
|
|
|
|
use super::PinError;
|
|
|
|
|
|
|
|
use tpm2_policy::{PublicKey, SignedPolicyList, TPMPolicyStep};
|
|
|
|
|
|
|
|
pub(crate) fn get_authorized_policy_step(
|
|
|
|
policy_pubkey_path: &str,
|
|
|
|
policy_path: &Option<String>,
|
|
|
|
policy_ref: &Option<String>,
|
|
|
|
) -> Result<TPMPolicyStep, PinError> {
|
|
|
|
let policy_ref = match policy_ref {
|
|
|
|
Some(policy_ref) => policy_ref.as_bytes().to_vec(),
|
|
|
|
None => vec![],
|
|
|
|
};
|
|
|
|
|
|
|
|
let signkey = {
|
|
|
|
let contents = fs::read_to_string(policy_pubkey_path)?;
|
|
|
|
serde_json::from_str::<PublicKey>(&contents)?
|
|
|
|
};
|
|
|
|
|
|
|
|
let policies = match policy_path {
|
|
|
|
None => None,
|
|
|
|
Some(policy_path) => {
|
|
|
|
let contents = fs::read_to_string(policy_path)?;
|
|
|
|
Some(serde_json::from_str::<SignedPolicyList>(&contents)?)
|
|
|
|
}
|
|
|
|
};
|
|
|
|
|
|
|
|
Ok(TPMPolicyStep::Authorized {
|
|
|
|
signkey,
|
|
|
|
policy_ref,
|
|
|
|
policies,
|
|
|
|
next: Box::new(TPMPolicyStep::NoStep),
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2020-08-13 10:42:18 +02:00
|
|
|
pub(crate) fn get_pcr_hash_alg_from_name(name: Option<&String>) -> HashingAlgorithm {
|
2020-08-03 17:07:04 +02:00
|
|
|
match name {
|
2020-08-13 10:42:18 +02:00
|
|
|
None => HashingAlgorithm::Sha256,
|
2020-08-03 17:07:04 +02:00
|
|
|
Some(val) => match val.to_lowercase().as_str() {
|
2020-08-13 10:42:18 +02:00
|
|
|
"sha1" => HashingAlgorithm::Sha1,
|
|
|
|
"sha256" => HashingAlgorithm::Sha256,
|
|
|
|
"sha384" => HashingAlgorithm::Sha384,
|
|
|
|
"sha512" => HashingAlgorithm::Sha512,
|
2020-08-03 17:07:04 +02:00
|
|
|
_ => panic!(format!("Unsupported hash algo: {:?}", name)),
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
pub(crate) fn serialize_as_base64_url_no_pad<S>(
|
|
|
|
bytes: &[u8],
|
|
|
|
serializer: S,
|
|
|
|
) -> Result<S::Ok, S::Error>
|
|
|
|
where
|
|
|
|
S: serde::Serializer,
|
|
|
|
{
|
|
|
|
serializer.serialize_str(&base64::encode_config(bytes, base64::URL_SAFE_NO_PAD))
|
|
|
|
}
|
|
|
|
|
|
|
|
pub(crate) fn deserialize_as_base64_url_no_pad<'de, D>(deserializer: D) -> Result<Vec<u8>, D::Error>
|
|
|
|
where
|
|
|
|
D: serde::Deserializer<'de>,
|
|
|
|
{
|
|
|
|
String::deserialize(deserializer).and_then(|string| {
|
|
|
|
base64::decode_config(&string, base64::URL_SAFE_NO_PAD).map_err(serde::de::Error::custom)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2020-08-13 10:42:18 +02:00
|
|
|
pub(crate) fn get_tpm2_ctx() -> Result<tss_esapi::Context, tss_esapi::Error> {
|
|
|
|
let tcti_path = if std::path::Path::new("/dev/tpmrm0").exists() {
|
|
|
|
"device:/dev/tpmrm0"
|
|
|
|
} else {
|
|
|
|
"device:/dev/tpm0"
|
|
|
|
};
|
|
|
|
|
|
|
|
let tcti = Tcti::from_str(tcti_path)?;
|
|
|
|
unsafe { Context::new(tcti) }
|
2020-08-03 17:07:04 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
pub(crate) fn perform_with_other_sessions<T, E, F>(
|
|
|
|
ctx: &mut Context,
|
|
|
|
sestype: tss_esapi::tss2_esys::TPM2_SE,
|
|
|
|
f: F,
|
|
|
|
) -> Result<T, E>
|
|
|
|
where
|
|
|
|
F: Fn(&mut Context) -> Result<T, E>,
|
2020-08-13 10:42:18 +02:00
|
|
|
E: From<tss_esapi::Error> + From<PinError>,
|
2020-08-03 17:07:04 +02:00
|
|
|
{
|
|
|
|
let oldses = ctx.sessions();
|
|
|
|
|
|
|
|
let res = create_and_set_tpm2_session(ctx, sestype);
|
|
|
|
if res.is_err() {
|
|
|
|
ctx.set_sessions(oldses);
|
|
|
|
ctx.flush_context(ctx.sessions().0)?;
|
|
|
|
res?;
|
|
|
|
}
|
|
|
|
|
|
|
|
let res = f(ctx);
|
|
|
|
|
|
|
|
ctx.flush_context(ctx.sessions().0)?;
|
|
|
|
|
|
|
|
ctx.set_sessions(oldses);
|
|
|
|
|
|
|
|
res
|
|
|
|
}
|
|
|
|
|
|
|
|
pub(crate) fn get_tpm2_primary_key(
|
|
|
|
ctx: &mut Context,
|
|
|
|
pub_template: &tss_esapi::tss2_esys::TPM2B_PUBLIC,
|
|
|
|
) -> Result<ESYS_TR, PinError> {
|
2020-08-13 10:42:18 +02:00
|
|
|
perform_with_other_sessions(ctx, tss_constants::TPM2_SE_HMAC, |ctx| {
|
|
|
|
ctx.create_primary_key(ESYS_TR_RH_OWNER, pub_template, None, None, None, &[])
|
2020-08-03 17:07:04 +02:00
|
|
|
.map_err(|e| e.into())
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
pub(crate) fn create_and_set_tpm2_session(
|
|
|
|
ctx: &mut tss_esapi::Context,
|
|
|
|
session_type: tss_esapi::tss2_esys::TPM2_SE,
|
|
|
|
) -> Result<ESYS_TR, PinError> {
|
|
|
|
let symdef = tpm_sym_def(ctx)?;
|
|
|
|
|
|
|
|
let session = ctx.start_auth_session(
|
|
|
|
ESYS_TR_NONE,
|
|
|
|
ESYS_TR_NONE,
|
2020-08-13 10:42:18 +02:00
|
|
|
None,
|
2020-08-03 17:07:04 +02:00
|
|
|
session_type,
|
|
|
|
symdef,
|
2020-08-13 10:42:18 +02:00
|
|
|
tss_constants::TPM2_ALG_SHA256,
|
2020-08-03 17:07:04 +02:00
|
|
|
)?;
|
|
|
|
let session_attr = tss_esapi::utils::TpmaSessionBuilder::new()
|
2020-08-13 10:42:18 +02:00
|
|
|
.with_flag(tss_constants::TPMA_SESSION_DECRYPT)
|
|
|
|
.with_flag(tss_constants::TPMA_SESSION_ENCRYPT)
|
2020-08-03 17:07:04 +02:00
|
|
|
.build();
|
|
|
|
|
|
|
|
ctx.tr_sess_set_attributes(session, session_attr)?;
|
|
|
|
|
|
|
|
ctx.set_sessions((session, ESYS_TR_NONE, ESYS_TR_NONE));
|
|
|
|
|
|
|
|
Ok(session)
|
|
|
|
}
|
|
|
|
|
|
|
|
fn tpm_sym_def(
|
|
|
|
_ctx: &mut tss_esapi::Context,
|
|
|
|
) -> Result<tss_esapi::tss2_esys::TPMT_SYM_DEF, PinError> {
|
|
|
|
Ok(tss_esapi::tss2_esys::TPMT_SYM_DEF {
|
2020-08-13 10:42:18 +02:00
|
|
|
algorithm: tss_constants::TPM2_ALG_AES,
|
2020-08-03 17:07:04 +02:00
|
|
|
keyBits: tss_esapi::tss2_esys::TPMU_SYM_KEY_BITS { aes: 128 },
|
|
|
|
mode: tss_esapi::tss2_esys::TPMU_SYM_MODE {
|
2020-08-13 10:42:18 +02:00
|
|
|
aes: tss_constants::TPM2_ALG_CFB,
|
2020-08-03 17:07:04 +02:00
|
|
|
},
|
|
|
|
})
|
|
|
|
}
|