Rebase on tss-esapi 5.0 and tpm2-policy 0.4
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
This commit is contained in:
Patrick Uiterwijk
parent
8ac7857957
commit
50babf9b9c
5 changed files with 39 additions and 51 deletions
|
|
@ -1,6 +1,6 @@
|
||||||
[package]
|
[package]
|
||||||
name = "clevis-pin-tpm2"
|
name = "clevis-pin-tpm2"
|
||||||
version = "0.2.0"
|
version = "0.3.0"
|
||||||
description = "Clevis TPM2 PIN with policy support"
|
description = "Clevis TPM2 PIN with policy support"
|
||||||
authors = ["Patrick Uiterwijk <patrick@puiterwijk.org>"]
|
authors = ["Patrick Uiterwijk <patrick@puiterwijk.org>"]
|
||||||
edition = "2018"
|
edition = "2018"
|
||||||
|
|
@ -10,10 +10,10 @@ license = "EUPL-1.2"
|
||||||
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
|
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
|
||||||
|
|
||||||
[dependencies]
|
[dependencies]
|
||||||
tss-esapi = "4.0.10-alpha.1"
|
tss-esapi = "5.0"
|
||||||
serde = "1.0"
|
serde = "1.0"
|
||||||
biscuit = "0.5.0-beta2"
|
biscuit = "0.5.0"
|
||||||
serde_json = "1.0"
|
serde_json = "1.0"
|
||||||
base64 = "0.12.1"
|
base64 = "0.12.1"
|
||||||
atty = "0.2.14"
|
atty = "0.2.14"
|
||||||
tpm2-policy = "0.3.1"
|
tpm2-policy = { version = "0.4.0", path = "../rust-tpm2-policy" }
|
||||||
|
|
|
||||||
|
|
@ -69,7 +69,9 @@ pub(crate) const DEFAULT_PUBKEY_PATH: &str = "/boot/clevis_pubkey.json";
|
||||||
pub(crate) const DEFAULT_POLICY_REF: &str = "";
|
pub(crate) const DEFAULT_POLICY_REF: &str = "";
|
||||||
|
|
||||||
impl TPM2Config {
|
impl TPM2Config {
|
||||||
pub(super) fn get_pcr_hash_alg(&self) -> tss_esapi::constants::algorithm::HashingAlgorithm {
|
pub(super) fn get_pcr_hash_alg(
|
||||||
|
&self,
|
||||||
|
) -> tss_esapi::interface_types::algorithm::HashingAlgorithm {
|
||||||
crate::utils::get_pcr_hash_alg_from_name(self.pcr_bank.as_ref())
|
crate::utils::get_pcr_hash_alg_from_name(self.pcr_bank.as_ref())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
13
src/main.rs
13
src/main.rs
|
|
@ -32,7 +32,7 @@ mod utils;
|
||||||
|
|
||||||
use cli::TPM2Config;
|
use cli::TPM2Config;
|
||||||
|
|
||||||
use tss_esapi::structures::{PcrSelectionListBuilder, SensitiveData};
|
use tss_esapi::structures::SensitiveData;
|
||||||
|
|
||||||
#[derive(Debug)]
|
#[derive(Debug)]
|
||||||
enum PinError {
|
enum PinError {
|
||||||
|
|
@ -171,17 +171,10 @@ fn perform_encrypt(cfg: TPM2Config, input: &str) -> Result<(), PinError> {
|
||||||
let public = tpm_objects::create_tpm2b_public_sealed_object(policy_digest)?;
|
let public = tpm_objects::create_tpm2b_public_sealed_object(policy_digest)?;
|
||||||
let jwk_str = SensitiveData::try_from(jwk_str.as_bytes().to_vec())?;
|
let jwk_str = SensitiveData::try_from(jwk_str.as_bytes().to_vec())?;
|
||||||
let jwk_result = ctx.execute_with_nullauth_session(|ctx| {
|
let jwk_result = ctx.execute_with_nullauth_session(|ctx| {
|
||||||
ctx.create_key(
|
ctx.create(key_handle, &public, None, Some(&jwk_str), None, None)
|
||||||
key_handle,
|
|
||||||
&public,
|
|
||||||
None,
|
|
||||||
Some(&jwk_str),
|
|
||||||
None,
|
|
||||||
PcrSelectionListBuilder::new().build(),
|
|
||||||
)
|
|
||||||
})?;
|
})?;
|
||||||
|
|
||||||
let jwk_priv = tpm_objects::get_tpm2b_private(jwk_result.out_private.try_into()?)?;
|
let jwk_priv = tpm_objects::get_tpm2b_private(jwk_result.out_private.into())?;
|
||||||
|
|
||||||
let jwk_pub = tpm_objects::get_tpm2b_public(jwk_result.out_public)?;
|
let jwk_pub = tpm_objects::get_tpm2b_public(jwk_result.out_public)?;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,11 +1,11 @@
|
||||||
use std::convert::TryFrom;
|
use std::convert::TryFrom;
|
||||||
|
|
||||||
use tss_esapi::constants::algorithm;
|
use tss_esapi::abstraction::cipher::Cipher;
|
||||||
|
use tss_esapi::attributes::object::ObjectAttributesBuilder;
|
||||||
use tss_esapi::constants::tss as tss_constants;
|
use tss_esapi::constants::tss as tss_constants;
|
||||||
|
use tss_esapi::interface_types::ecc::EccCurve;
|
||||||
use tss_esapi::structures::Digest;
|
use tss_esapi::structures::Digest;
|
||||||
use tss_esapi::utils::{
|
use tss_esapi::utils::{PublicParmsUnion, Tpm2BPublicBuilder, TpmsEccParmsBuilder};
|
||||||
ObjectAttributes, PublicParmsUnion, Tpm2BPublicBuilder, TpmsEccParmsBuilder,
|
|
||||||
};
|
|
||||||
|
|
||||||
#[cfg(target_pointer_width = "64")]
|
#[cfg(target_pointer_width = "64")]
|
||||||
type Sizedu = u64;
|
type Sizedu = u64;
|
||||||
|
|
@ -20,7 +20,7 @@ pub(super) fn get_key_public(
|
||||||
match key_type {
|
match key_type {
|
||||||
"ecc" => Ok(create_restricted_ecc_public()),
|
"ecc" => Ok(create_restricted_ecc_public()),
|
||||||
"rsa" => Ok(tss_esapi::utils::create_restricted_decryption_rsa_public(
|
"rsa" => Ok(tss_esapi::utils::create_restricted_decryption_rsa_public(
|
||||||
algorithm::Cipher::aes_128_cfb(),
|
Cipher::aes_128_cfb(),
|
||||||
2048,
|
2048,
|
||||||
0,
|
0,
|
||||||
)?),
|
)?),
|
||||||
|
|
@ -31,14 +31,14 @@ pub(super) fn get_key_public(
|
||||||
pub(super) fn create_tpm2b_public_sealed_object(
|
pub(super) fn create_tpm2b_public_sealed_object(
|
||||||
policy: Option<Digest>,
|
policy: Option<Digest>,
|
||||||
) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC, PinError> {
|
) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC, PinError> {
|
||||||
let mut object_attributes = ObjectAttributes(0);
|
let mut object_attributes = ObjectAttributesBuilder::new()
|
||||||
object_attributes.set_fixed_tpm(true);
|
.with_fixed_tpm(true)
|
||||||
object_attributes.set_fixed_parent(true);
|
.with_fixed_parent(true)
|
||||||
object_attributes.set_no_da(true);
|
.with_no_da(true)
|
||||||
object_attributes.set_admin_with_policy(true);
|
.with_admin_with_policy(true);
|
||||||
|
|
||||||
if policy.is_none() {
|
if policy.is_none() {
|
||||||
object_attributes.set_user_with_auth(true);
|
object_attributes = object_attributes.with_user_with_auth(true);
|
||||||
}
|
}
|
||||||
let policy = match policy {
|
let policy = match policy {
|
||||||
Some(p) => p,
|
Some(p) => p,
|
||||||
|
|
@ -53,8 +53,8 @@ pub(super) fn create_tpm2b_public_sealed_object(
|
||||||
publicArea: tss_esapi::tss2_esys::TPMT_PUBLIC {
|
publicArea: tss_esapi::tss2_esys::TPMT_PUBLIC {
|
||||||
type_: tss_constants::TPM2_ALG_KEYEDHASH,
|
type_: tss_constants::TPM2_ALG_KEYEDHASH,
|
||||||
nameAlg: tss_constants::TPM2_ALG_SHA256,
|
nameAlg: tss_constants::TPM2_ALG_SHA256,
|
||||||
objectAttributes: object_attributes.0,
|
objectAttributes: object_attributes.build()?.0,
|
||||||
authPolicy: tss_esapi::tss2_esys::TPM2B_DIGEST::try_from(policy)?,
|
authPolicy: tss_esapi::tss2_esys::TPM2B_DIGEST::from(policy),
|
||||||
parameters: params,
|
parameters: params,
|
||||||
unique: Default::default(),
|
unique: Default::default(),
|
||||||
},
|
},
|
||||||
|
|
@ -149,24 +149,24 @@ pub(super) fn build_tpm2b_public(
|
||||||
|
|
||||||
pub(super) fn create_restricted_ecc_public() -> tss_esapi::tss2_esys::TPM2B_PUBLIC {
|
pub(super) fn create_restricted_ecc_public() -> tss_esapi::tss2_esys::TPM2B_PUBLIC {
|
||||||
let ecc_params = TpmsEccParmsBuilder::new_restricted_decryption_key(
|
let ecc_params = TpmsEccParmsBuilder::new_restricted_decryption_key(
|
||||||
algorithm::Cipher::aes_128_cfb(),
|
Cipher::aes_128_cfb(),
|
||||||
algorithm::EllipticCurve::NistP256,
|
EccCurve::NistP256,
|
||||||
)
|
)
|
||||||
.build()
|
.build()
|
||||||
.unwrap();
|
.unwrap();
|
||||||
let mut object_attributes = ObjectAttributes(0);
|
let object_attributes = ObjectAttributesBuilder::new()
|
||||||
object_attributes.set_fixed_tpm(true);
|
.with_fixed_tpm(true)
|
||||||
object_attributes.set_fixed_parent(true);
|
.with_fixed_parent(true)
|
||||||
object_attributes.set_sensitive_data_origin(true);
|
.with_sensitive_data_origin(true)
|
||||||
object_attributes.set_user_with_auth(true);
|
.with_user_with_auth(true)
|
||||||
object_attributes.set_decrypt(true);
|
.with_decrypt(true)
|
||||||
object_attributes.set_sign_encrypt(false);
|
.with_sign_encrypt(false)
|
||||||
object_attributes.set_restricted(true);
|
.with_restricted(true);
|
||||||
|
|
||||||
Tpm2BPublicBuilder::new()
|
Tpm2BPublicBuilder::new()
|
||||||
.with_type(tss_constants::TPM2_ALG_ECC)
|
.with_type(tss_constants::TPM2_ALG_ECC)
|
||||||
.with_name_alg(tss_constants::TPM2_ALG_SHA256)
|
.with_name_alg(tss_constants::TPM2_ALG_SHA256)
|
||||||
.with_object_attributes(object_attributes)
|
.with_object_attributes(object_attributes.build().unwrap())
|
||||||
.with_parms(PublicParmsUnion::EccDetail(ecc_params))
|
.with_parms(PublicParmsUnion::EccDetail(ecc_params))
|
||||||
.build()
|
.build()
|
||||||
.unwrap()
|
.unwrap()
|
||||||
|
|
|
||||||
17
src/utils.rs
17
src/utils.rs
|
|
@ -3,9 +3,9 @@ use std::fs;
|
||||||
use std::str::FromStr;
|
use std::str::FromStr;
|
||||||
|
|
||||||
use tss_esapi::{
|
use tss_esapi::{
|
||||||
constants::algorithm::HashingAlgorithm, handles::KeyHandle,
|
handles::KeyHandle,
|
||||||
interface_types::resource_handles::Hierarchy, structures::PcrSelectionListBuilder, Context,
|
interface_types::{algorithm::HashingAlgorithm, resource_handles::Hierarchy},
|
||||||
Tcti,
|
Context, Tcti,
|
||||||
};
|
};
|
||||||
|
|
||||||
use serde::Deserialize;
|
use serde::Deserialize;
|
||||||
|
|
@ -98,15 +98,8 @@ pub(crate) fn get_tpm2_primary_key(
|
||||||
pub_template: &tss_esapi::tss2_esys::TPM2B_PUBLIC,
|
pub_template: &tss_esapi::tss2_esys::TPM2B_PUBLIC,
|
||||||
) -> Result<KeyHandle, PinError> {
|
) -> Result<KeyHandle, PinError> {
|
||||||
ctx.execute_with_nullauth_session(|ctx| {
|
ctx.execute_with_nullauth_session(|ctx| {
|
||||||
ctx.create_primary_key(
|
ctx.create_primary(Hierarchy::Owner, pub_template, None, None, None, None)
|
||||||
Hierarchy::Owner,
|
.map(|r| r.key_handle)
|
||||||
pub_template,
|
|
||||||
None,
|
|
||||||
None,
|
|
||||||
None,
|
|
||||||
PcrSelectionListBuilder::new().build(),
|
|
||||||
)
|
|
||||||
.map(|r| r.key_handle)
|
|
||||||
})
|
})
|
||||||
.map_err(|e| e.into())
|
.map_err(|e| e.into())
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue