Commit 5fa69b3a authored by Cody Cutler's avatar Cody Cutler

Update tools/tspitools

The useful ones now read an SRK and owner password.
parent a1ce1dfd
......@@ -11,3 +11,5 @@ all:
libtpm/hmac.c libtpm/keys.c libtpm/migrate.c libtpm/miscfunc.c \
libtpm/oiaposap.c libtpm/owner.c libtpm/pcrs.c libtpm/seal.c \
libtpm/signature.c libtpm/tpmutil.c -Ilibtpm -lcrypto
clean:
rm -f idkey keygen doquote tpm-signoff getpub loadkey fail pcrcomposite ltpmloadkey
......@@ -87,6 +87,7 @@ main(void)
TSS_HTPM hTPM;
UINT32 srklen, bloblen;
BYTE *srkpub, blob[1024];
BYTE wellknown[20] = TSS_WELL_KNOWN_SECRET;
TSS_HPCRS hpcomp;
TSS_VALIDATION valdata;
TSS_HHASH hHash;
......@@ -121,7 +122,7 @@ main(void)
/* srk password */
ret = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &srkpol);
check("get policy object", ret);
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_PLAIN, 4, "1234");
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_SHA1, 20, wellknown);
check("policy set secret", ret);
/* owner TPM password */
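Review bot: The SRK policy now carries the TSS well-known secret in SHA1 mode, which only authorizes against an SRK that was created with that all-zero secret; on a TPM whose SRK has a real authorization value the `check("policy set secret", ret)` line will still pass, as far as I can tell, because Tspi_Policy_SetSecret only records the secret and the mismatch surfaces in the first SRK-backed call after it. A comment on the `wellknown` declaration would make the assumption explicit: `/* assumes the SRK was created with the TSS well-known (all-zero) secret; use TSS_SECRET_MODE_PLAIN with a real password otherwise */`. The same change is made in the two later hunks that add `wellknown`, and the same note applies there. This main() starts and ends outside the hunk.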
......
......@@ -58,6 +58,7 @@ main(void)
TSS_UUID srkUUID = TSS_UUID_SRK;
TSS_UUID myuuid = {1,1,1,1,1,{1,1,1,1,1,1}};
TSS_HPOLICY srkpol;
BYTE wellknown[20] = TSS_WELL_KNOWN_SECRET;
int ret,i;
int plen = 0;
......@@ -78,7 +79,7 @@ main(void)
ret = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &srkpol);
check("get policy object", ret);
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_PLAIN, 4, "1234");
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_SHA1, 20, wellknown);
check("policy set secret", ret);
ret = Tspi_Context_LoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, myuuid,
......
......@@ -5,6 +5,7 @@
*/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <err.h>
#include <errno.h>
......@@ -26,6 +27,10 @@
#define FATAL(x) do{printf("**\t");printf(x);printf("\n"); return 1;}while(0);
#define print_error(x,y) do{printf(x);}while(0);
/*
* This code is hideous because it has never been loved properly.
*/
void check(char *msg, int cin){
int in = TSS_ERROR_CODE(cin);
printf("%s: ", msg);
......@@ -187,26 +192,47 @@ make_fake_key(TSS_HCONTEXT hContext, TSS_HKEY *hCAKey, RSA **rsa, int padding)
return TSS_SUCCESS;
}
void usage(char *name)
{
printf("\n");
printf("%s -t <tpmpass> -s <srkpass>\n", name);
printf("\n");
exit(EXIT_FAILURE);
}
int
main(void)
main(int argc, char **argv)
{
TSS_HCONTEXT hContext;
TSS_HKEY hKey, hSRK, hCAKey;
TSS_HPOLICY hPolicy, hTPMPolicy, hidpol;
TSS_UUID srkUUID = TSS_UUID_SRK;
TSS_UUID myuuid = {1,1,1,1,1,{1,1,1,1,1,1}};
TSS_HPOLICY srkpol;
TSS_HTPM hTPM;
UINT32 idbloblen;
BYTE *labelString = "My Identity Label";
UINT32 labelLen = strlen(labelString) + 1;
BYTE *rgbIdentityLabelData = NULL, *identityReqBlob;
UINT32 ulIdentityReqBlobLen;
int ret,i, blobos, fd;
RSA *rsa = NULL;
BYTE *blobo, *idblob;
RSA *rsa = NULL;
TSS_HCONTEXT hContext;
TSS_HKEY hKey, hSRK, hCAKey;
TSS_HPOLICY hTPMPolicy, hidpol;
TSS_UUID srkUUID = TSS_UUID_SRK;
TSS_HPOLICY srkpol;
TSS_HTPM hTPM;
UINT32 idbloblen, ch;
int ret,i, blobos, fd;
BYTE *srkpass, *tpmpass;
BYTE *blobo, *idblob;
srkpass = tpmpass = NULL;
while ((ch = getopt(argc, argv, "hs:t:")) != -1) {
switch (ch) {
case 's':
srkpass = optarg;
break;
case 't':
tpmpass = optarg;
break;
case 'h':
default:
usage(argv[0]);
break;
}
}
if (!srkpass || !tpmpass)
usage(argv[0]);
/* create context and connect */
ret = Tspi_Context_Create(&hContext);
......@@ -220,7 +246,9 @@ main(void)
ret = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &srkpol);
check("get policy object", ret);
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_PLAIN, 4, "1234");
//ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_PLAIN, 4, "1234");
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_PLAIN,
strlen(srkpass), srkpass);
check("policy set secret", ret);
ret = Tspi_Context_GetTpmObject(hContext, &hTPM);
......@@ -231,7 +259,7 @@ main(void)
check("get tpm policy", ret);
ret = Tspi_Policy_SetSecret(hTPMPolicy, TSS_SECRET_MODE_PLAIN,
3, "123");
strlen(tpmpass), tpmpass);
check("set owner secret", ret);
ret = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
......@@ -247,7 +275,7 @@ main(void)
check("get id key policy", ret);
ret = Tspi_Policy_SetSecret(hidpol, TSS_SECRET_MODE_PLAIN,
4, "1234");
strlen(srkpass), srkpass);
check("set idkey secret", ret);
/* We must create this fake privacy CA key in software so that
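Review bot: In the new declarations `UINT32 idbloblen, ch;` types the getopt() result as unsigned, but getopt() returns int and ends with -1; the `!= -1` test only works because both sides convert to the same unsigned value, so declare `int ch;` and, since `optarg` is `char *`, declare `char *srkpass, *tpmpass;` to avoid the sign-mismatch on the assignments and on `strlen(srkpass)`. Secrets given as `-s`/`-t` arguments are visible in the process table and shell history; reading them with getpass(3) or from the environment would be the safer interface, and the usage text should say which. `usage()` calls `exit(EXIT_FAILURE)` but `<stdlib.h>` is not among the includes visible here — confirm it is included elsewhere. The commented-out `//ret = Tspi_Policy_SetSecret(...)` line in the SRK-policy hunk is dead code and can be dropped. main() continues past the end of this hunk.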
......
......@@ -56,6 +56,7 @@ main(void)
TSS_UUID srkUUID = TSS_UUID_SRK;
TSS_UUID myuuid = {1,1,1,1,1,{1,1,1,1,1,1}};
TSS_HPOLICY srkpol;
BYTE wellknown[20] = TSS_WELL_KNOWN_SECRET;
int ret,i, blobos;
......@@ -72,7 +73,7 @@ main(void)
ret = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &srkpol);
check("get policy object", ret);
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_PLAIN, 4, "1234");
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_SHA1, 20, wellknown);
check("policy set secret", ret);
ret = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
......
......@@ -7,6 +7,7 @@
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <err.h>
#include <fcntl.h>
#include <openssl/ssl.h>
......@@ -121,8 +122,16 @@ void pquote2(TSS_VALIDATION *valdata)
printf("info short %d\n", sizeof(TPM_PCR_INFO_SHORT));
}
void usage(char *name)
{
printf("\n");
printf("%s -t <tpmpass> -s <srkpass> [-f <keyfile>]\n", name);
printf("\n");
exit(EXIT_FAILURE);
}
int
main(void)
main(int argc, char **argv)
{
int ret, i, fd, j;
TSS_HCONTEXT hContext;
......@@ -138,23 +147,48 @@ main(void)
TSS_HHASH hHash;
TPM_QUOTE_INFO *qinfo;
TPM_QUOTE_INFO2 *qinfo2;
UINT32 rub1;
UINT32 rub1, ch;
BYTE *rub2;
BYTE *srkpass, *tpmpass, *keyfile;
RSA *rsa;
fd = open("key.blob", O_RDONLY, 0);
srkpass = tpmpass = keyfile = NULL;
while ((ch = getopt(argc, argv, "f:hs:t:")) != -1) {
switch (ch) {
case 's':
srkpass = optarg;
break;
case 't':
tpmpass = optarg;
break;
case 'f':
keyfile = optarg;
break;
case 'h':
default:
usage(argv[0]);
break;
}
}
if (!srkpass || !tpmpass)
usage(argv[0]);
if (!keyfile)
keyfile = "key.blob";
fd = open(keyfile, O_RDONLY, 0);
if (fd < 0)
errx(1, "Couldn't open key.blob\n");
errx(1, "Couldn't open %s\n", keyfile);
printf("opened; fd %d\n", fd);
bloblen = read(fd, blob, 1024);
if (bloblen == -1) {
perror(NULL);
errx(1, "error reading key.blob\n");
errx(1, "error reading %s\n", keyfile);
}
printf("read %d bytes from key.blob\n", bloblen);
printf("read %d bytes from %s\n", bloblen, keyfile);
/* create context and connect */
ret = Tspi_Context_Create(&hContext);
......@@ -169,7 +203,8 @@ main(void)
/* srk password */
ret = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &srkpol);
check("get policy object", ret);
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_PLAIN, 4, "1234");
ret = Tspi_Policy_SetSecret(srkpol, TSS_SECRET_MODE_PLAIN,
strlen(srkpass), srkpass);
check("policy set secret", ret);
/* owner TPM password */
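Review bot: `keyfile` is declared `BYTE *` in the line `BYTE *srkpass, *tpmpass, *keyfile;` but receives the literal `"key.blob"` and `optarg`, and is passed to open(), errx() `%s` and printf() `%s`, all of which expect `char *`; declare `char *srkpass, *tpmpass, *keyfile;` and `int ch;` instead of extending `UINT32 rub1, ch;`, since getopt() returns int and -1. The open() failure path uses errx(), which discards errno; `err(1, "Couldn't open %s", keyfile);` would report the reason, and err()/errx() append their own newline so the trailing `\n` in those messages is redundant. main() runs on past this hunk.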
......
......@@ -7,6 +7,7 @@
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <err.h>
#include <fcntl.h>
......@@ -18,12 +19,55 @@
#include "libtpm/tpmkeys.h"
/* pcomp is the buffer that we must fill in with our PCR hash/info.
* The hash of this buffer (pcomp) is called the composite hash. After
* we have the composite hash, we stick the composite hash in the next
* buffer (signedhash), fill in the nonce field, and then hash
* signedhash. This hash is what the TPM gives to us but it is signed
* with the requested identity key.
*
* So if we decrypt the blob that the TPM gives us with the identity
* key's public key and it the resulting hash matches our hash with the
* expected PCR(s) and nonce, then the PCRs are indeed what we think
* they are.
*/
struct {
/* big endian */
unsigned short slen;
/* the length of this field is slen - it is 2 on our tpms.
* This field is a bitmask of which PCRS have been included.
* It is little endian. */
unsigned short s;
/* big endian */
uint32_t plen;
/* p will also be plen bytes long. I only request one PCR so
* it will be 20 bytes. */
unsigned char p[20];
} pcomp;
struct {
unsigned char fixed[8];
/* Hash of pcomp */
unsigned char comphash[20];
unsigned char nonce[20];
} signedhash;
void usage(char *name)
{
printf("\n");
printf("%s -s <srkpass> [-f <keyfile>]\n", name);
printf("\n");
exit(EXIT_FAILURE);
}
int main(int argc, char **argv)
{
int fd, size, i, ret;
uint32_t kh, pcrs;
unsigned char buf[1024], hash[20];
unsigned char buf[1024], hash[20], pass[20];
char *srkpass, *keyfile, ch;
/* SHA1 hash of TPM's SRK password */
char *tpmhash = "\x71\x10\xed\xa4\xd0\x9e\x06\x2a\xa5\xe4\xa3"
"\x90\xb0\xa5\x72\xac\x0d\x2c\x02\x20";
......@@ -32,42 +76,32 @@ int main(int argc, char **argv)
keydata k;
RSA *rpub;
/* pcomp is the buffer that we must fill in with our PCR hash/info.
* The hash of this buffer (pcomp) is called the composite hash. After
* we have the composite hash, we stick the composite hash in the next
* buffer (signedhash), fill in the nonce field, and then hash
* signedhash. This hash is what the TPM gives to us but it is signed
* with the requested identity key.
*
* So if we decrypt the blob that the TPM gives us with the identity
* key's public key and it the resulting hash matches our hash with the
* expected PCR(s) and nonce, then the PCRs are indeed what we think
* they are.
*/
struct {
/* big endian */
unsigned short slen;
/* the length of this field is slen - it is 2 on our tpms.
* This field is a bitmask of which PCRS have been included.
* It is little endian. */
unsigned short s;
/* big endian */
uint32_t plen;
/* p will also be plen bytes long. I only request one PCR so
* it will be 20 bytes. */
unsigned char p[20];
} pcomp;
struct {
unsigned char fixed[8];
/* Hash of pcomp */
unsigned char comphash[20];
unsigned char nonce[20];
} signedhash;
fd = open("key.blob", O_RDONLY);
srkpass = keyfile = NULL;
while ((ch = getopt(argc, argv, "hs:f:")) != -1) {
switch (ch) {
case 's':
srkpass = optarg;
break;
case 'f':
keyfile = optarg;
break;
case 'h':
default:
usage(argv[0]);
break;
}
}
if (!srkpass)
usage(argv[0]);
if (!keyfile)
keyfile = "key.blob";
SHA1(srkpass, strlen(srkpass), pass);
fd = open(keyfile, O_RDONLY);
if (fd == -1)
errx(1, "couldn't open key.blob\n");
errx(1, "couldn't open %s\n", keyfile);
size = read(fd, buf, 1024);
if (size == -1)
......@@ -80,14 +114,14 @@ int main(int argc, char **argv)
printf("loading . . .\n");
/* 0x40000000 is the UID for the SRK */
if (ret = TPM_LoadKey(0x40000000, tpmhash, &k, &kh)) {
if (ret = TPM_LoadKey(0x40000000, pass, &k, &kh)) {
printf("%s\n", TPM_GetErrMsg(ret));
errx(1, "TPM_LoadKey\n");
}
/* Quote PCR 0 */
printf("quoting . . .\n");
if (ret = TPM_Quote(kh, (0x00000001 << 0), tpmhash, nonce, &pcomp, buf,
if (ret = TPM_Quote(kh, (0x00000001 << 0), pass, nonce, &pcomp, buf,
&size)) {
printf("%s\n", TPM_GetErrMsg(ret));
errx(1, "TPM_Quote\n");
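Review bot: `char *srkpass, *keyfile, ch;` stores the getopt() result in a plain `char`; on platforms where char is unsigned, the terminating -1 becomes 255, `ch != -1` stays true, and the loop falls into `default:` and calls usage() even when the options were valid — declare `int ch;`. `SHA1(srkpass, strlen(srkpass), pass)` passes a `char *` where OpenSSL expects `const unsigned char *`; cast it as `SHA1((const unsigned char *)srkpass, strlen(srkpass), pass);` to keep the call warning-free. The SHA1 of the password in `pass` is the SRK auth value and is held for the rest of main(); clearing it once TPM_Quote has returned would limit its lifetime. main() starts before this file's first code hunk and continues past it.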
......