Rebase on tss-esapi 5.0 and tpm2-policy 0.4
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
This commit is contained in:
Patrick Uiterwijk
parent
8ac7857957
commit
50babf9b9c
5 changed files with 39 additions and 51 deletions
|
|
@ -1,6 +1,6 @@
|
|||
[package]
|
||||
name = "clevis-pin-tpm2"
|
||||
version = "0.2.0"
|
||||
version = "0.3.0"
|
||||
description = "Clevis TPM2 PIN with policy support"
|
||||
authors = ["Patrick Uiterwijk <patrick@puiterwijk.org>"]
|
||||
edition = "2018"
|
||||
|
|
@ -10,10 +10,10 @@ license = "EUPL-1.2"
|
|||
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
|
||||
|
||||
[dependencies]
|
||||
tss-esapi = "4.0.10-alpha.1"
|
||||
tss-esapi = "5.0"
|
||||
serde = "1.0"
|
||||
biscuit = "0.5.0-beta2"
|
||||
biscuit = "0.5.0"
|
||||
serde_json = "1.0"
|
||||
base64 = "0.12.1"
|
||||
atty = "0.2.14"
|
||||
tpm2-policy = "0.3.1"
|
||||
tpm2-policy = { version = "0.4.0", path = "../rust-tpm2-policy" }
|
||||
|
|
|
|||
|
|
@ -69,7 +69,9 @@ pub(crate) const DEFAULT_PUBKEY_PATH: &str = "/boot/clevis_pubkey.json";
|
|||
pub(crate) const DEFAULT_POLICY_REF: &str = "";
|
||||
|
||||
impl TPM2Config {
|
||||
pub(super) fn get_pcr_hash_alg(&self) -> tss_esapi::constants::algorithm::HashingAlgorithm {
|
||||
pub(super) fn get_pcr_hash_alg(
|
||||
&self,
|
||||
) -> tss_esapi::interface_types::algorithm::HashingAlgorithm {
|
||||
crate::utils::get_pcr_hash_alg_from_name(self.pcr_bank.as_ref())
|
||||
}
|
||||
|
||||
|
|
|
|||
13
src/main.rs
13
src/main.rs
|
|
@ -32,7 +32,7 @@ mod utils;
|
|||
|
||||
use cli::TPM2Config;
|
||||
|
||||
use tss_esapi::structures::{PcrSelectionListBuilder, SensitiveData};
|
||||
use tss_esapi::structures::SensitiveData;
|
||||
|
||||
#[derive(Debug)]
|
||||
enum PinError {
|
||||
|
|
@ -171,17 +171,10 @@ fn perform_encrypt(cfg: TPM2Config, input: &str) -> Result<(), PinError> {
|
|||
let public = tpm_objects::create_tpm2b_public_sealed_object(policy_digest)?;
|
||||
let jwk_str = SensitiveData::try_from(jwk_str.as_bytes().to_vec())?;
|
||||
let jwk_result = ctx.execute_with_nullauth_session(|ctx| {
|
||||
ctx.create_key(
|
||||
key_handle,
|
||||
&public,
|
||||
None,
|
||||
Some(&jwk_str),
|
||||
None,
|
||||
PcrSelectionListBuilder::new().build(),
|
||||
)
|
||||
ctx.create(key_handle, &public, None, Some(&jwk_str), None, None)
|
||||
})?;
|
||||
|
||||
let jwk_priv = tpm_objects::get_tpm2b_private(jwk_result.out_private.try_into()?)?;
|
||||
let jwk_priv = tpm_objects::get_tpm2b_private(jwk_result.out_private.into())?;
|
||||
|
||||
let jwk_pub = tpm_objects::get_tpm2b_public(jwk_result.out_public)?;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,11 +1,11 @@
|
|||
use std::convert::TryFrom;
|
||||
|
||||
use tss_esapi::constants::algorithm;
|
||||
use tss_esapi::abstraction::cipher::Cipher;
|
||||
use tss_esapi::attributes::object::ObjectAttributesBuilder;
|
||||
use tss_esapi::constants::tss as tss_constants;
|
||||
use tss_esapi::interface_types::ecc::EccCurve;
|
||||
use tss_esapi::structures::Digest;
|
||||
use tss_esapi::utils::{
|
||||
ObjectAttributes, PublicParmsUnion, Tpm2BPublicBuilder, TpmsEccParmsBuilder,
|
||||
};
|
||||
use tss_esapi::utils::{PublicParmsUnion, Tpm2BPublicBuilder, TpmsEccParmsBuilder};
|
||||
|
||||
#[cfg(target_pointer_width = "64")]
|
||||
type Sizedu = u64;
|
||||
|
|
@ -20,7 +20,7 @@ pub(super) fn get_key_public(
|
|||
match key_type {
|
||||
"ecc" => Ok(create_restricted_ecc_public()),
|
||||
"rsa" => Ok(tss_esapi::utils::create_restricted_decryption_rsa_public(
|
||||
algorithm::Cipher::aes_128_cfb(),
|
||||
Cipher::aes_128_cfb(),
|
||||
2048,
|
||||
0,
|
||||
)?),
|
||||
|
|
@ -31,14 +31,14 @@ pub(super) fn get_key_public(
|
|||
pub(super) fn create_tpm2b_public_sealed_object(
|
||||
policy: Option<Digest>,
|
||||
) -> Result<tss_esapi::tss2_esys::TPM2B_PUBLIC, PinError> {
|
||||
let mut object_attributes = ObjectAttributes(0);
|
||||
object_attributes.set_fixed_tpm(true);
|
||||
object_attributes.set_fixed_parent(true);
|
||||
object_attributes.set_no_da(true);
|
||||
object_attributes.set_admin_with_policy(true);
|
||||
let mut object_attributes = ObjectAttributesBuilder::new()
|
||||
.with_fixed_tpm(true)
|
||||
.with_fixed_parent(true)
|
||||
.with_no_da(true)
|
||||
.with_admin_with_policy(true);
|
||||
|
||||
if policy.is_none() {
|
||||
object_attributes.set_user_with_auth(true);
|
||||
object_attributes = object_attributes.with_user_with_auth(true);
|
||||
}
|
||||
let policy = match policy {
|
||||
Some(p) => p,
|
||||
|
|
@ -53,8 +53,8 @@ pub(super) fn create_tpm2b_public_sealed_object(
|
|||
publicArea: tss_esapi::tss2_esys::TPMT_PUBLIC {
|
||||
type_: tss_constants::TPM2_ALG_KEYEDHASH,
|
||||
nameAlg: tss_constants::TPM2_ALG_SHA256,
|
||||
objectAttributes: object_attributes.0,
|
||||
authPolicy: tss_esapi::tss2_esys::TPM2B_DIGEST::try_from(policy)?,
|
||||
objectAttributes: object_attributes.build()?.0,
|
||||
authPolicy: tss_esapi::tss2_esys::TPM2B_DIGEST::from(policy),
|
||||
parameters: params,
|
||||
unique: Default::default(),
|
||||
},
|
||||
|
|
@ -149,24 +149,24 @@ pub(super) fn build_tpm2b_public(
|
|||
|
||||
pub(super) fn create_restricted_ecc_public() -> tss_esapi::tss2_esys::TPM2B_PUBLIC {
|
||||
let ecc_params = TpmsEccParmsBuilder::new_restricted_decryption_key(
|
||||
algorithm::Cipher::aes_128_cfb(),
|
||||
algorithm::EllipticCurve::NistP256,
|
||||
Cipher::aes_128_cfb(),
|
||||
EccCurve::NistP256,
|
||||
)
|
||||
.build()
|
||||
.unwrap();
|
||||
let mut object_attributes = ObjectAttributes(0);
|
||||
object_attributes.set_fixed_tpm(true);
|
||||
object_attributes.set_fixed_parent(true);
|
||||
object_attributes.set_sensitive_data_origin(true);
|
||||
object_attributes.set_user_with_auth(true);
|
||||
object_attributes.set_decrypt(true);
|
||||
object_attributes.set_sign_encrypt(false);
|
||||
object_attributes.set_restricted(true);
|
||||
let object_attributes = ObjectAttributesBuilder::new()
|
||||
.with_fixed_tpm(true)
|
||||
.with_fixed_parent(true)
|
||||
.with_sensitive_data_origin(true)
|
||||
.with_user_with_auth(true)
|
||||
.with_decrypt(true)
|
||||
.with_sign_encrypt(false)
|
||||
.with_restricted(true);
|
||||
|
||||
Tpm2BPublicBuilder::new()
|
||||
.with_type(tss_constants::TPM2_ALG_ECC)
|
||||
.with_name_alg(tss_constants::TPM2_ALG_SHA256)
|
||||
.with_object_attributes(object_attributes)
|
||||
.with_object_attributes(object_attributes.build().unwrap())
|
||||
.with_parms(PublicParmsUnion::EccDetail(ecc_params))
|
||||
.build()
|
||||
.unwrap()
|
||||
|
|
|
|||
17
src/utils.rs
17
src/utils.rs
|
|
@ -3,9 +3,9 @@ use std::fs;
|
|||
use std::str::FromStr;
|
||||
|
||||
use tss_esapi::{
|
||||
constants::algorithm::HashingAlgorithm, handles::KeyHandle,
|
||||
interface_types::resource_handles::Hierarchy, structures::PcrSelectionListBuilder, Context,
|
||||
Tcti,
|
||||
handles::KeyHandle,
|
||||
interface_types::{algorithm::HashingAlgorithm, resource_handles::Hierarchy},
|
||||
Context, Tcti,
|
||||
};
|
||||
|
||||
use serde::Deserialize;
|
||||
|
|
@ -98,15 +98,8 @@ pub(crate) fn get_tpm2_primary_key(
|
|||
pub_template: &tss_esapi::tss2_esys::TPM2B_PUBLIC,
|
||||
) -> Result<KeyHandle, PinError> {
|
||||
ctx.execute_with_nullauth_session(|ctx| {
|
||||
ctx.create_primary_key(
|
||||
Hierarchy::Owner,
|
||||
pub_template,
|
||||
None,
|
||||
None,
|
||||
None,
|
||||
PcrSelectionListBuilder::new().build(),
|
||||
)
|
||||
.map(|r| r.key_handle)
|
||||
ctx.create_primary(Hierarchy::Owner, pub_template, None, None, None, None)
|
||||
.map(|r| r.key_handle)
|
||||
})
|
||||
.map_err(|e| e.into())
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue