• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3  * Copyright 2018-2019, Fraunhofer SIT sponsored by Infineon Technologies AG
4  * All rights reserved.
5  ******************************************************************************/
6 #ifndef FAPI_INT_H
7 #define FAPI_INT_H
8 
9 #include "fapi_types.h"
10 #include "ifapi_policy_types.h"
11 #include "ifapi_policy_instantiate.h"
12 #include "ifapi_eventlog.h"
13 #include "ifapi_io.h"
14 #include "ifapi_profiles.h"
15 #include "ifapi_macros.h"
16 #include "ifapi_keystore.h"
17 #include "ifapi_policy_store.h"
18 #include "ifapi_config.h"
19 
20 #include <stdlib.h>
21 #include <stdint.h>
22 #include <unistd.h>
23 #include <string.h>
24 #include <inttypes.h>
25 #include <stdarg.h>
26 #include <stdbool.h>
27 #include <sys/stat.h>
28 #include <stdio.h>
29 #include <errno.h>
30 #include <fcntl.h>
31 #include <json-c/json.h>
32 #include <poll.h>
33 
34 #include "tss2_esys.h"
35 #include "tss2_fapi.h"
36 
37 #define DEFAULT_LOG_DIR "/run/tpm2_tss"
38 #define IFAPI_PCR_LOG_FILE "pcr.log"
39 #define IFAPI_OBJECT_TYPE ".json"
40 #define IFAPI_OBJECT_FILE "object.json"
41 #define IFAPI_SRK_KEY_PATH "HS/SRK"
42 
43 typedef UINT32 TSS2_KEY_TYPE;
44 #define TSS2_SRK 2
45 #define TSS2_EK 3
46 #define MIN_EK_CERT_HANDLE 0x1c00000
47 #define MIN_PLATFORM_CERT_HANDLE 0x01C08000
48 #define MAX_PLATFORM_CERT_HANDLE 0x01C0FFFF
49 
50 typedef UINT8 IFAPI_SESSION_TYPE;
51 #define IFAPI_SESSION_GENEK 0x01
52 #define IFAPI_SESSION1      0x02
53 #define IFAPI_SESSION2      0x04
54 
55 #define IFAPI_POLICY_PATH "policy"
56 #define IFAPI_NV_PATH "nv"
57 #define IFAPI_EXT_PATH "ext"
58 #define IFAPI_FILE_DELIM "/"
59 #define IFAPI_LIST_DELIM ":"
60 #define IFAPI_FILE_DELIM_CHAR '/'
61 #define IFAPI_PUB_KEY_DIR "ext"
62 #define IFAPI_POLICY_DIR "policy"
63 #define IFAPI_PEM_PUBLIC_STRING "-----BEGIN PUBLIC KEY-----"
64 #define IFAPI_PEM_PRIVATE_KEY "-----PRIVATE KEY-----"
65 #define IFAPI_JSON_TAG_POLICY "policy"
66 #define IFAPI_JSON_TAG_DUPLICATE "public_parent"
67 
68 
69 #if TPM2_MAX_NV_BUFFER_SIZE > TPM2_MAX_DIGEST_BUFFER
70 #define IFAPI_MAX_BUFFER_SIZE TPM2_MAX_NV_BUFFER_SIZE
71 #else
72 #define IFAPI_MAX_BUFFER_SIZE TPM2_MAX_DIGEST_BUFFER
73 #endif
74 
75 #define IFAPI_FLUSH_PARENT true
76 #define IFAPI_NOT_FLUSH_PARENT false
77 
78 /* Definition of FAPI buffer for TPM2B transmission */
79 typedef struct {
80     UINT16 size;
81     BYTE buffer[IFAPI_MAX_BUFFER_SIZE];
82 } IFAPI_MAX_BUFFER;
83 
84 #define OSSL_FREE(S,TYPE) if((S) != NULL) {TYPE##_free((void*) (S)); (S)=NULL;}
85 
86 
87 #define FAPI_COPY_DIGEST(dest_buffer, dest_size, src, src_size) \
88     if (src_size > sizeof(TPMU_HA)) { \
89         return_error(TSS2_FAPI_RC_BAD_VALUE, "Digest size too large."); \
90     } \
91     memcpy(dest_buffer, (src), (src_size));  \
92     dest_size = src_size
93 
94 #define HASH_UPDATE(CONTEXT, TYPE, OBJECT, R, LABEL)    \
95     { \
96         uint8_t buffer[sizeof(TYPE)]; \
97         size_t offset = 0; \
98         R = Tss2_MU_ ## TYPE ## _Marshal(OBJECT, \
99                                          &buffer[0], sizeof(TYPE), &offset); \
100         goto_if_error(R, "Marshal for hash update", LABEL); \
101         R = ifapi_crypto_hash_update(CONTEXT, \
102                                      (const uint8_t *) &buffer[0], \
103                                      offset);                     \
104         goto_if_error(R, "crypto hash update", LABEL); }
105 
106 #define HASH_UPDATE_BUFFER(CONTEXT, BUFFER, SIZE, R, LABEL) \
107     R = ifapi_crypto_hash_update(CONTEXT, \
108                                  (const uint8_t *) BUFFER, SIZE) ; \
109     goto_if_error(R, "crypto hash update", LABEL);
110 
111 #define FAPI_SYNC(r,msg,label, ...)             \
112     if ((r & ~TSS2_RC_LAYER_MASK) == TSS2_BASE_RC_TRY_AGAIN) \
113         return TSS2_FAPI_RC_TRY_AGAIN; \
114     if (r != TSS2_RC_SUCCESS) { \
115         LOG_ERROR(TPM2_ERROR_FORMAT " " msg, TPM2_ERROR_TEXT(r), ## __VA_ARGS__); \
116         goto label;  \
117     }
118 
119 /** The states for the FAPI's object authorization state*/
120 enum IFAPI_GET_CERT_STATE {
121     GET_CERT_INIT = 0,
122     GET_CERT_WAIT_FOR_GET_CAP,
123     GET_CERT_GET_CERT_NV,
124     GET_CERT_GET_CERT_NV_FINISH,
125     GET_CERT_GET_CERT_READ_PUBLIC,
126     GET_CERT_READ_CERT
127 };
128 
129 /** The states for the FAPI's cleanup after successful command execution*/
130 enum IFAPI_CLEANUP_STATE {
131     CLEANUP_INIT = 0,
132     CLEANUP_SESSION1,
133     CLEANUP_SESSION2,
134     CLEANUP_SRK
135 };
136 
137 #define IFAPI_MAX_CAP_INFO 17
138 
139 typedef struct {
140     char                                  *description;
141     TPMS_CAPABILITY_DATA                   *capability;
142 } IFAPI_CAP_INFO;
143 
144 typedef struct {
145     char                                 *fapi_version;    /**< The version string of FAPI */
146     char                                  *fapi_config;    /**< The configuration information */
147     IFAPI_CAP_INFO             cap[IFAPI_MAX_CAP_INFO];
148 } IFAPI_INFO;
149 
150 /** Type for representing FAPI template for keys
151  */
152 typedef struct {
153     TPMI_YES_NO                                  system;    /**< Store the object in the system wide
154                                                                  directory */
155     TPMI_YES_NO                              persistent;    /**< Store key persistent in NV ram. */
156     UINT32                            persistent_handle;    /**< < Persistent handle which should be used */
157     TPM2B_PUBLIC                                 public;    /**< Template for public data */
158 } IFAPI_KEY_TEMPLATE;
159 
160 /** Type for representing template for NV objects
161  */
162 typedef struct {
163     TPMI_YES_NO                                  system;    /**< Store the object in the system wide
164                                                                  directory */
165     TPMI_RH_HIERARCHY                         hierarchy;    /**< Hierarchy for NV object. */
166     char                                   *description;    /**< Description of template. */
167     TPMS_NV_PUBLIC                               public;    /**< Template for public data */
168 } IFAPI_NV_TEMPLATE;
169 
170 /** Type for representing a external public key
171  */
172 typedef struct {
173     TPMT_SIG_SCHEME                          sig_scheme;    /**< Signature scheme used for quote. */
174     TPMS_ATTEST                                  attest;    /**< Attestation data from Quote */
175 } FAPI_QUOTE_INFO;
176 
177 
178 /** The states for the FAPI's NV read state */
179 enum _FAPI_STATE_NV_READ {
180     NV_READ_INIT = 0,
181     NV_READ_AUTHORIZE,
182     NV_READ_AUTHORIZE2,
183     NV_READ_AUTH_SENT
184 };
185 
186 /** The states for the FAPI's NV write state */
187 enum _FAPI_STATE_NV_WRITE {
188     NV2_WRITE_INIT = 0,
189     NV2_WRITE_READ,
190     NV2_WRITE_WAIT_FOR_SESSSION,
191     NV2_WRITE_NULL_AUTH_SENT,
192     NV2_WRITE_AUTH_SENT,
193     NV2_WRITE_WRITE_PREPARE,
194     NV2_WRITE_WRITE,
195     NV2_WRITE_AUTHORIZE,
196     NV2_WRITE_AUTHORIZE2
197 };
198 
199 /** The data structure holding internal state of Fapi NV commands.
200  */
201 typedef struct {
202     char *nvPath ;              /**< The name of the file for object serialization */
203     char *policyPath;           /**< The name of the policy file */
204     TPM2B_NV_PUBLIC public;     /**< The public info of the NV object. */
205     ESYS_TR esys_auth_handle;   /**< The ESAPI handle for the NV auth object */
206     ESYS_TR esys_handle;        /**< The ESAPI handle for the NV object */
207     size_t numBytes;            /**< The number of bytes of a ESYS request */
208     UINT16 bytesRequested;      /**< Bytes currently requested from TPM */
209     UINT16 offset;              /**< Offset in TPM memory TPM */
210     size_t data_idx;            /**< Offset in the read buffer */
211     const uint8_t *data;        /**< Buffer for data to be written */
212     uint8_t *rdata;             /**< Buffer for data to be read */
213     IFAPI_OBJECT auth_object;   /**< Object used for authentication */
214     IFAPI_OBJECT nv_object;     /**< Deserialized NV object */
215     TPM2B_AUTH auth;            /**< The Password */
216     IFAPI_NV nv_obj;            /**< The NV Object */
217     ESYS_TR auth_index;         /**< The ESAPI handle of the authorization object */
218     uint64_t bitmap;            /**< The bitmask for the SetBits command */
219     IFAPI_NV_TEMPLATE public_templ; /**< The template for nv creation, adjusted
220                                          appropriate by the passed flags */
221     enum _FAPI_STATE_NV_READ nv_read_state; /**< The current state of NV read */
222     enum _FAPI_STATE_NV_WRITE nv_write_state; /**< The current state of NV write*/
223     uint8_t *write_data;
224     char const *logData;         /**< The event log for NV objects of type pcr */
225     json_object *jso_event_log;  /**< logData in JSON format */
226     TPMI_RH_NV_INDEX maxNvIndex; /**< Max index for search for free index  */
227     IFAPI_EVENT pcr_event;       /**< Event to be added to log */
228     TPML_DIGEST_VALUES digests;  /**< Digest for the event data of an extend */
229     bool skip_policy_computation; /**< switch whether policy needs to be computed */
230 } IFAPI_NV_Cmds;
231 
232 /** The data structure holding internal state of Fapi_Initialize command.
233  */
234 typedef struct {
235     TPMS_CAPABILITY_DATA *capability; /* TPM capability data to check available algs */
236 } IFAPI_INITIALIZE;
237 
238 /** The data structure holding internal state of Fapi_PCR commands.
239  */
240 typedef struct {
241     TPML_DIGEST_VALUES digest_list;    /**< The digest list computed for the event  */
242     TPML_DIGEST_VALUES *event_digests; /**< The digest list computed by TPM2_Event  */
243     ESYS_TR PCR;                       /**< The handle of the PCR register to be extended */
244     TPML_PCR_SELECTION pcr_selection;  /**< Selection used for Read and Quote */
245     TPML_PCR_SELECTION *pcr_selection_out; /**< Selection returned by PCR_Read  */
246     UINT32 update_count;
247     TPML_DIGEST *pcrValues;            /* The values returned by PCR_Read */
248     TPM2_HANDLE pcrIndex;
249     TPMI_ALG_HASH hashAlg;
250     const char *keyPath;              /**< The implicit key path for PCR_Quote */
251     ESYS_TR handle;                   /**< The ESYS handle of the signing key */
252     IFAPI_OBJECT *key_object;         /**< The IPAPI object of the signing key */
253     TPMS_CAPABILITY_DATA *capabilityData; /* TPM capability data to check available algs */
254     uint32_t *pcrList;                 /**< Array of PCR numbers */
255     size_t pcrListSize;                /**< Size of PCR array */
256     TPM2B_DATA qualifyingData;         /**< Nonce for quote command */
257     uint8_t  const *eventData;
258     TPM2B_EVENT event;
259     size_t eventDataSize;
260     uint32_t const *hashAlgs;
261     uint32_t *hashAlgs2;
262     size_t numHashAlgs;
263     char    const *quoteInfo;
264     TPM2B_ATTEST *tpm_quoted;
265     TPMT_SIGNATURE *tpm_signature;
266     uint8_t const *signature;
267     size_t signatureSize;
268     char const *logData;
269     char *pcrLog;
270     IFAPI_EVENT pcr_event;
271     json_object *event_list;
272     FAPI_QUOTE_INFO fapi_quote_info;
273 } IFAPI_PCR;
274 
275 /** The data structure holding internal state of Fapi_SetDescription.
276  */
277 typedef struct {
278     char *description;             /**< The description of the object */
279     UINT8_ARY appData;             /**< Application data to be stored in object store. */
280     IFAPI_OBJECT object;           /**< The IPAPI object to store the info*/
281     char *object_path;             /**< The realative path to the object */
282     json_object *jso;              /**< JSON object for storing the AppData */
283     char *jso_string;              /**< JSON deserialized buffer */
284 } IFAPI_Path_SetDescription;
285 
286 /** The data structure holding internal state of Fapi_GetRandom.
287  */
288 typedef struct {
289     size_t numBytes;              /**< The number of random bytes to be generated */
290     size_t idx;                   /**< Current position in output buffer.  */
291     UINT16 bytesRequested;        /**< Byted currently requested from TPM */
292     uint8_t *data;                /**< The buffer for the random data */
293 } IFAPI_GetRandom;
294 
295 /** The data structure holding internal state of Fapi_Key_Setcertificate.
296  */
297 typedef struct {
298     const char *pem_cert;        /**< The certifificate in pem or format */
299     char *pem_cert_dup;          /**< The allocate certifificate */
300     const char *key_path;        /**< The absolute key path */
301     NODE_STR_T *path_list;       /**< The computed explicit path */
302     IFAPI_OBJECT key_object;     /**< The IPAPI object for the certified key */
303 } IFAPI_Key_SetCertificate;
304 
305 /** The states for the FAPI's key creation */
306 enum IFAPI_KEY_CREATE_STATE {
307     KEY_CREATE_INIT = 0,
308     KEY_CREATE_WAIT_FOR_SESSION,
309     KEY_CREATE_WAIT_FOR_PARENT,
310     KEY_CREATE_AUTH_SENT,
311     KEY_CREATE_WRITE_PREPARE,
312     KEY_CREATE_WRITE,
313     KEY_CREATE_FLUSH,
314     KEY_CREATE_CALCULATE_POLICY,
315     KEY_CREATE_WAIT_FOR_AUTHORIZATION,
316     KEY_CREATE_CLEANUP
317 };
318 
319 /** The data structure holding internal state of Fapi_CreateKey.
320  */
321 typedef struct {
322     enum IFAPI_KEY_CREATE_STATE state;
323     const char *keyPath;         /**< The pathname from the application */
324     NODE_STR_T *path_list;       /**< The computed explicit path */
325     IFAPI_OBJECT parent;         /**< The parent of the key for used for creation. */
326     IFAPI_OBJECT object;          /**< The current object. */
327     IFAPI_KEY_TEMPLATE public_templ;  /**< The template for the keys public data */
328     TPM2B_PUBLIC public;         /**< The public data of the key */
329     TPM2B_SENSITIVE_CREATE inSensitive;
330     TPM2B_DATA outsideInfo;
331     TPML_PCR_SELECTION creationPCR;
332     ESYS_TR handle;
333     const char *authValue;
334     const char *policyPath;
335     const IFAPI_PROFILE *profile;
336 } IFAPI_Key_Create;
337 
338 /** The data structure holding internal state of Fapi_EncryptDecrypt.
339  */
340 typedef struct {
341     char const *keyPath;            /**< The implicit key path */
342     uint8_t const *in_data;
343     size_t in_dataSize;
344     IFAPI_OBJECT *key_object;       /**< The IPAPI object for the encryption key */
345     uint8_t *out_data;               /**< The output of symmetric encrypt/decryption */
346     ESYS_TR key_handle;                 /**< The ESYS handle of the encryption key */
347     size_t numBytes;                /**< The number of bytes of a ESYS request */
348     size_t decrypt;                 /**< Switch whether to encrypt or decrypt */
349     UINT16 bytesRequested;          /**< Bytes currently requested from TPM */
350     TPMT_RSA_DECRYPT rsa_scheme;
351     ESYS_TR object_handle;
352     char *policy_path;
353     ESYS_TR auth_session;
354     const IFAPI_PROFILE *profile;
355 } IFAPI_Data_EncryptDecrypt;
356 
357 /** The states for signing  */
358 enum FAPI_SIGN_STATE {
359     SIGN_INIT = 0,
360     SIGN_WAIT_FOR_SESSION,
361     SIGN_WAIT_FOR_KEY,
362     SIGN_AUTH_SENT,
363     SIGN_WAIT_FOR_FLUSH
364 };
365 
366 /** The data structure holding internal state of Fapi_Sign.
367  */
368 typedef struct {
369     enum FAPI_SIGN_STATE state;          /**< The state of the signing operation */
370     const char *keyPath;            /**< The implicit key path */
371     ESYS_TR handle;                 /**< The ESYS handle of the signing key */
372     TPM2B_DIGEST digest;            /**< The digest to be signed */
373     TPMT_SIG_SCHEME scheme;         /**< The signature scheme from profile */
374     IFAPI_OBJECT *key_object;       /**< The IPAPI object of the signing key */
375     TPMT_SIGNATURE *tpm_signature;  /**< The signature in TPM format */
376     TPMI_YES_NO decrypt;            /**< Switch for symmetric algs */
377     TPMT_SIGNATURE *signature;      /**< Produced TPM singature */
378     char const *padding;            /**< Optional padding parameter for key sign. */
379 } IFAPI_Key_Sign;
380 
381 /** The data structure holding internal state of Fapi_Unseal.
382  */
383 typedef struct {
384     const char *keyPath;            /**< The implicit key path */
385     IFAPI_OBJECT *object;           /**< The IPAPI object storing the data to be unsealed */
386     TPM2B_SENSITIVE_DATA *unseal_data; /** The result of the esys unseal operation */
387 } IFAPI_Unseal;
388 
389 
390 /** The data structure holding internal state of Fapi_GetInfo.
391  */
392 typedef struct {
393     TPMS_CAPABILITY_DATA *capability_data;   /**< The TPM capability for one property */
394     TPMS_CAPABILITY_DATA *fetched_data;       /**< The data fetched in one TPM command */
395     size_t idx_info_cap;
396     IFAPI_INFO  info_obj;
397     UINT32 property_count;
398     UINT32 property;
399 } IFAPI_GetInfo;
400 
401 /** The states for the FAPI's hierarchy authorization state*/
402 enum IFAPI_HIERACHY_AUTHORIZATION_STATE {
403     HIERARCHY_CHANGE_AUTH_INIT = 0,
404     HIERARCHY_CHANGE_AUTH_NULL_AUTH_SENT,
405     HIERARCHY_CHANGE_AUTH_AUTH_SENT
406 };
407 
408 /** The states for the FAPI's change policy authorization state*/
409 enum IFAPI_HIERACHY_POLICY_AUTHORIZATION_STATE {
410     HIERARCHY_CHANGE_POLICY_INIT = 0,
411     HIERARCHY_CHANGE_POLICY_NULL_AUTH_SENT,
412     HIERARCHY_CHANGE_POLICY_AUTH_SENT
413 };
414 
415 /** The data structure holding internal state of Fapi_ChangeAuth.
416  */
417 typedef struct {
418     const char *entityPath;         /**< The implicit key path */
419     ESYS_TR handle;                 /**< The ESYS handle of the key */
420     IFAPI_OBJECT *key_object;       /**< The IPAPI object of the key */
421     const char  *authValue;         /**< The new auth value */
422     TPM2B_AUTH newAuthValue;        /**< The new auth value */
423     TPM2B_PRIVATE *newPrivate;      /**< New private data created by parend */
424     IFAPI_OBJECT object;            /**< Deserialized NV object or hierarchy */
425     ESYS_TR nv_index;               /**< NV handle of the object to be changed */
426     ESYS_TR hierarchy_handle;       /**< NV handle of the hierarchy to be changed */
427 } IFAPI_Entity_ChangeAuth;
428 
429 /** The data structure holding internal state of Fapi_AuthorizePolicy.
430  */
431 typedef struct {
432     const char *policyPath;           /**< Policy with Policy to be authorized */
433     const char *signingKeyPath;       /**< Key for policy signing */
434     TPM2B_DIGEST policyRef;
435     TPMS_POLICYAUTHORIZATION  authorization;
436 } IFAPI_Fapi_AuthorizePolicy;
437 
438 /** The data structure holding internal state of Fapi_WriteAuthorizeNv.
439  */
440 typedef struct {
441     const char *policyPath;            /**< Policy with Policy to be authorized */
442     TPMI_ALG_HASH *hash_alg;           /**< The hash alg used for digest computation */
443     size_t hash_size;                  /**< The digest size */
444     size_t digest_idx;                 /**< The index of the digest in the policy */
445 } IFAPI_api_WriteAuthorizeNv;
446 
447 /** The data structure holding internal state of Provisioning.
448  */
449 typedef struct {
450     IFAPI_OBJECT hierarchy;     /**< The current used hierarchy for CreatePrimary */
451     IFAPI_KEY_TEMPLATE public_templ;  /**< The basic template for the keys public data */
452     TPM2B_PUBLIC public;       /**< The public info of the created primary */
453     TPM2B_SENSITIVE_CREATE inSensitive;
454     TPM2B_DATA outsideInfo;
455     TPML_PCR_SELECTION creationPCR;
456     ESYS_TR handle;
457     const char *authValueLockout;
458     const char *authValueEh;
459     const char *policyPathEh;
460     const char *authValueSh;
461     const char *policyPathSh;
462     size_t digest_idx;
463     size_t hash_size;
464     TPM2_HANDLE cert_nv_idx;
465     ESYS_TR esys_nv_cert_handle;
466     char *pem_cert;
467     TPM2_ALG_ID cert_key_type;
468     size_t cert_count;
469     size_t cert_idx;
470     TPMS_CAPABILITY_DATA *capabilityData;
471     IFAPI_OBJECT hierarchy_object;
472     TPM2B_AUTH hierarchy_auth;
473     TPM2B_DIGEST policy_digest;
474     char *intermed_crt;
475     char *root_crt;
476 } IFAPI_Provision;
477 
478 /** The data structure holding internal state of regenerate primary key.
479  */
480 typedef struct {
481     char *path;                   /**< Path of the primary (starting with hierarchy)  */
482     IFAPI_OBJECT hierarchy;     /**< The current used hierarchy for CreatePrimary */
483     IFAPI_OBJECT pkey_object;
484     TPM2B_SENSITIVE_CREATE inSensitive;
485     TPM2B_DATA outsideInfo;
486     TPML_PCR_SELECTION creationPCR;
487     ESYS_TR handle;
488     TPMI_DH_PERSISTENT persistent_handle;
489 } IFAPI_CreatePrimary;
490 
491 /** The data structure holding internal state of key verify signature.
492  */
493 typedef struct {
494     const char    *keyPath;
495     uint8_t const *signature;
496     size_t         signatureSize;
497     uint8_t const *digest;
498     size_t         digestSize;
499     IFAPI_OBJECT   key_object;
500 } IFAPI_Key_VerifySignature;
501 
502 /** The states for the FAPI's policy loading */
503 enum IFAPI_STATE_POLICY {
504     POLICY_INIT = 0,
505     POLICY_READ,
506     POLICY_READ_FINISH,
507     POLICY_INSTANTIATE_PREPARE,
508     POLICY_INSTANTIATE,
509     POLICY_EXECUTE,
510     POLICY_FLUSH
511 };
512 
513 typedef struct IFAPI_POLICY_EXEC_CTX IFAPI_POLICY_EXEC_CTX;
514 typedef struct IFAPI_POLICYUTIL_STACK IFAPI_POLICYUTIL_STACK;
515 
516 /** The states for session creation */
517 enum FAPI_CREATE_SESSION_STATE {
518     CREATE_SESSION_INIT = 0,
519     CREATE_SESSION,
520     WAIT_FOR_CREATE_SESSION
521 };
522 
523 /** The data structure holding internal policy state.
524  */
525 typedef struct {
526     enum IFAPI_STATE_POLICY state;
527     struct TPMS_POLICY policy;
528     size_t digest_idx;
529     size_t hash_size;
530     char **pathlist;                  /**< The array of all objects  in the search path */
531     TPMI_ALG_HASH hash_alg;
532     IFAPI_POLICY_EXEC_CTX *policy_stack; /**< The stack used for storing current policy information.
533                                            e.g. for retry the current index of policy elements hash
534                                            to be stored. */
535     IFAPI_POLICYUTIL_STACK *util_current_policy;
536     IFAPI_POLICYUTIL_STACK *policyutil_stack;
537                                       /**< The stack used for storing current policy information.
538                                             e.g. for retry the current index of policy elements hash
539                                            to be stored. */
540     ESYS_TR session;                  /**< Auxiliary variable to store created policy session.
541                                            The value will also be stored in the policy stack */
542     enum FAPI_CREATE_SESSION_STATE create_session_state;
543     char *path;
544     IFAPI_POLICY_EVAL_INST_CTX eval_ctx;
545 } IFAPI_POLICY_CTX;
546 
547 /** The states for the IFAPI's policy loading */
548 enum IFAPI_STATE_FILE_SEARCH {
549     FSEARCH_INIT = 0,
550     FSEARCH_READ,
551     FSEARCH_OBJECT
552 };
553 
554 /** The data structure holding internal policy state.
555  */
556 typedef struct {
557     enum IFAPI_STATE_FILE_SEARCH state;
558     char **pathlist;                /**< The array of all objects  in the search path */
559     size_t path_idx;                /**< Index of array of objects to be searched */
560     size_t numPaths;                /**< Number of all objects in data store */
561     char *current_path;
562 } IFAPI_FILE_SEARCH_CTX;
563 
564 /** The states for the FAPI's key loading */
565 enum _FAPI_STATE_LOAD_KEY {
566     LOAD_KEY_GET_PATH = 0,
567     LOAD_KEY_READ_KEY,
568     LOAD_KEY_WAIT_FOR_PRIMARY,
569     LOAD_KEY_LOAD_KEY,
570     LOAD_KEY_AUTH,
571     LOAD_KEY_AUTHORIZE
572 };
573 
574 /** The data structure holding internal state of export key.
575  */
576 typedef struct {
577     char   const *pathOfKeyToDuplicate;          /**< The relative path of the key to be exported */
578     char   const *pathToPublicKeyOfNewParent;    /**<  The relative path of the new parent */
579     TPM2B_PUBLIC public_parent;                  /**< The public key of the new parent */
580     IFAPI_OBJECT *key_object;                    /**< The IPAPI object of the key to be duplicated */
581     IFAPI_OBJECT export_tree;                    /**< The complete tree to be exported */
582     IFAPI_OBJECT pub_key;                        /**< The public part of the new parent */
583     IFAPI_OBJECT dup_key;                        /**< The key to be duplicated or exported  */
584     struct TPMS_POLICY policy;
585     ESYS_TR handle_ext_key;
586 } IFAPI_ExportKey;
587 
588 /** The data structure holding internal state of export policy.
589  */
590 typedef struct {
591     char   const *path;                          /**<  Path of the object with the policy to be
592                                                        exported */
593     IFAPI_OBJECT object;                         /**<  Object corresponding to path */
594 } IFAPI_ExportPolicy;
595 
596 /** The data structure holding internal state of import key.
597  */
598 typedef struct {
599     IFAPI_OBJECT object;
600     TPM2B_NAME parent_name;
601     IFAPI_OBJECT *parent_object;
602     IFAPI_OBJECT new_object;
603     char *parent_path;
604     char *out_path;
605     TPM2B_PRIVATE *private;
606     char *jso_string;
607 } IFAPI_ImportKey;
608 
609 
610 /** The data structure holding internal state of loading keys.
611  */
612 typedef struct {
613     enum _FAPI_STATE_LOAD_KEY state;   /**< The current state of key  loading */
614     NODE_STR_T *path_list;        /**< The current used hierarchy for CreatePrimary */
615     NODE_OBJECT_T *key_list;
616     IFAPI_OBJECT auth_object;
617     size_t position;
618     ESYS_TR handle;
619     ESYS_TR parent_handle;
620     bool parent_handle_persistent;
621     IFAPI_OBJECT *key_object;
622     char *key_path;
623 } IFAPI_LoadKey;
624 
625 /** The data structure holding internal state of entity delete.
626  */
627 typedef struct {
628     bool is_key;                    /**< Entity to be deleted is a key */
629     bool is_persistent_key;         /**< Entity to be deleted is a key */
630     ESYS_TR new_object_handle;
631     TPM2_HANDLE permanentHandle;    /**< The TPM permanent handle */
632     IFAPI_OBJECT auth_object;       /**< Object used for authentication */
633     ESYS_TR auth_index;             /**< The ESAPI handle of the nv authorization object */
634     char *path;                     /**< The name of the file to be deleted */
635     IFAPI_OBJECT object;            /**< Deserialized object */
636     char **pathlist;                /**< The array with the object files to be deleted */
637     size_t numPaths;                /**< Size of array with the object files to be deleted */
638     size_t path_idx;                /**< Index of array with the object files to be deleted */
639 } IFAPI_Entity_Delete;
640 
641 /** The data structure holding internal state of list entities.
642  */
643 typedef struct {
644     const char *searchPath;               /**< The path to searched for objectws */
645 } IFAPI_Entities_List;
646 
647 /** Union for all input parameters.
648  *
649  * The input parameters of a command need to be stored in order to enable
650  * resubmission. This type provides the corresponding facilities.
651  */
652 typedef union {
653     IFAPI_Provision Provision;
654     IFAPI_Key_Create Key_Create;
655     IFAPI_Key_SetCertificate Key_SetCertificate;
656     IFAPI_Entity_ChangeAuth Entity_ChangeAuth;
657     IFAPI_Entity_Delete Entity_Delete;
658     IFAPI_Entities_List Entities_List;
659     IFAPI_Key_VerifySignature Key_VerifySignature;
660     IFAPI_Data_EncryptDecrypt Data_EncryptDecrypt;
661     IFAPI_PCR pcr;
662     IFAPI_INITIALIZE Initialize;
663     IFAPI_Path_SetDescription path_set_info;
664     IFAPI_Fapi_AuthorizePolicy Policy_AuthorizeNewPolicy;
665     IFAPI_api_WriteAuthorizeNv WriteAuthorizeNV;
666     IFAPI_ExportKey ExportKey;
667     IFAPI_ImportKey ImportKey;
668     IFAPI_Unseal Unseal;
669     IFAPI_GetInfo GetInfo;
670     IFAPI_ExportPolicy ExportPolicy;
671 } IFAPI_CMD_STATE;
672 
673 /** The states for the FAPI's primary key regeneration */
674 enum _FAPI_STATE_PRIMARY {
675     PRIMARY_INIT = 0,
676     PRIMARY_READ_KEY,
677     PRIMARY_READ_HIERARCHY,
678     PRIMARY_READ_HIERARCHY_FINISH,
679     PRIMARY_AUTHORIZE_HIERARCHY,
680     PRIMARY_HAUTH_SENT,
681     PRIMARY_CREATED
682 };
683 
684 /** The states for the FAPI's primary key regeneration */
685 enum _FAPI_STATE_SESSION {
686     SESSION_INIT = 0,
687     SESSION_WAIT_FOR_PRIMARY,
688     SESSION_CREATE_SESSION,
689     SESSION_WAIT_FOR_SESSION1,
690     SESSION_WAIT_FOR_SESSION2
691 };
692 
693 /** The states for the FAPI's get random  state */
694 enum _FAPI_STATE_GET_RANDOM {
695     GET_RANDOM_INIT = 0,
696     GET_RANDOM_SENT
697 };
698 
699 /** The states for flushing objects */
700 enum _FAPI_FLUSH_STATE {
701     FLUSH_INIT = 0,
702     WAIT_FOR_FLUSH
703 };
704 
705 /** The states for the FAPI's internal state machine */
706 enum _FAPI_STATE {
707     _FAPI_STATE_INIT = 0,         /**< The initial state after creation or after
708                                      finishing a command. A new command can only
709                                      be issued in this state. */
710     _FAPI_STATE_INTERNALERROR,     /**< A non-recoverable error occurred within the
711                                       ESAPI code. */
712     INITIALIZE_READ,
713     INITIALIZE_INIT_TCTI,
714     INITIALIZE_GET_CAP,
715     INITIALIZE_WAIT_FOR_CAP,
716     INITIALIZE_READ_PROFILE,
717     INITIALIZE_READ_PROFILE_INIT,
718 
719     PROVISION_WAIT_FOR_GET_CAP1,
720     PROVISION_INIT_GET_CAP2,
721     PROVISION_WAIT_FOR_GET_CAP2,
722     PROVISION_GET_CERT_NV,
723     PROVISION_GET_CERT_NV_FINISH,
724     PROVISION_GET_CERT_READ_PUBLIC,
725     PROVISION_READ_CERT,
726     PROVISION_PREPARE_READ_ROOT_CERT,
727     PROVISION_READ_ROOT_CERT,
728     PROVISION_READ_PROFILE,
729     PROVISION_INIT_SRK,
730     PROVISION_AUTH_EK_NO_AUTH_SENT,
731     PROVISION_AUTH_EK_AUTH_SENT,
732     PROVISION_AUTH_SRK_NO_AUTH_SENT,
733     PROVISION_AUTH_SRK_AUTH_SENT,
734     PROVISION_EK_WRITE_PREPARE,
735     PROVISION_EK_WRITE,
736     PROVISION_EK_CHECK_CERT,
737     PROVISION_SRK_WRITE_PREPARE,
738     PROVISION_SRK_WRITE,
739     PROVISION_WAIT_FOR_EK_PERSISTENT,
740     PROVISION_WAIT_FOR_SRK_PERSISTENT,
741     PROVISION_CHANGE_LOCKOUT_AUTH,
742     PROVISION_CHANGE_EH_CHECK,
743     PROVISION_CHANGE_EH_AUTH,
744     PROVISION_CHANGE_SH_CHECK,
745     PROVISION_CHANGE_SH_AUTH,
746     PROVISION_EH_CHANGE_POLICY,
747     PROVISION_SH_CHANGE_POLICY,
748     PROVISION_LOCKOUT_CHANGE_POLICY,
749     PROVISION_FINISHED,
750     PROVISION_WRITE_SH,
751     PROVISION_WRITE_EH,
752     PROVISION_WRITE_LOCKOUT,
753     PROVISION_WRITE_LOCKOUT_PARAM,
754     PROVISION_FLUSH_SRK,
755     PROVISION_FLUSH_EK,
756     PROVISION_CHECK_FOR_VENDOR_CERT,
757     PROVISION_GET_VENDOR,
758 
759     KEY_CREATE,
760 
761     CREATE_SEAL,
762 
763     KEY_SET_CERTIFICATE_READ,
764     KEY_SET_CERTIFICATE_WRITE,
765 
766     KEY_GET_CERTIFICATE_READ,
767 
768     GET_RANDOM_WAIT_FOR_SESSION,
769     GET_RANDOM_WAIT_FOR_RANDOM,
770     GET_RANDOM_CLEANUP,
771 
772     NV_CREATE_READ_PROFILE,
773     NV_CREATE_READ_HIERARCHY,
774     NV_CREATE_AUTHORIZE_HIERARCHY,
775     NV_CREATE_GET_INDEX,
776     NV_CREATE_FIND_INDEX,
777     NV_CREATE_WAIT_FOR_SESSION,
778 
779     NV_CREATE_AUTH_SENT,
780     NV_CREATE_WRITE,
781     NV_CREATE_CALCULATE_POLICY,
782 
783     NV_WRITE_READ,
784     NV_WRITE_WRITE,
785     NV_WRITE_CLEANUP,
786 
787     NV_EXTEND_READ,
788     NV_EXTEND_WAIT_FOR_SESSION,
789     NV_EXTEND_AUTHORIZE,
790     NV_EXTEND_AUTH_SENT,
791     NV_EXTEND_WRITE,
792     NV_EXTEND_CLEANUP,
793 
794     NV_INCREMENT_READ,
795     NV_INCREMENT_WAIT_FOR_SESSION,
796     NV_INCREMENT_AUTHORIZE,
797     NV_INCREMENT_AUTH_SENT,
798     NV_INCREMENT_WRITE,
799     NV_INCREMENT_CLEANUP,
800 
801     NV_SET_BITS_READ,
802     NV_SET_BITS_WAIT_FOR_SESSION,
803     NV_SET_BITS_AUTHORIZE,
804     NV_SET_BITS_AUTH_SENT,
805     NV_SET_BITS_WRITE,
806     NV_SET_BITS_CLEANUP,
807 
808     NV_READ_READ,
809     NV_READ_WAIT,
810     NV_READ_WAIT_FOR_SESSION,
811     NV_READ_CLEANUP,
812 
813     ENTITY_DELETE_GET_FILE,
814     ENTITY_DELETE_READ,
815     ENTITY_DELETE_WAIT_FOR_SESSION,
816     ENTITY_DELETE_NULL_AUTH_SENT_FOR_KEY,
817     ENTITY_DELETE_AUTH_SENT_FOR_KEY,
818     ENTITY_DELETE_NULL_AUTH_SENT_FOR_NV,
819     ENTITY_DELETE_AUTH_SENT_FOR_NV,
820     ENTITY_DELETE_KEY,
821     ENTITY_DELETE_AUTHORIZE_NV,
822     ENTITY_DELETE_FILE,
823     ENTITY_DELETE_POLICY,
824     ENTITY_DELETE_REMOVE_DIRS,
825 
826     ENTITY_GET_TPM_BLOBS_READ,
827 
828     KEY_SIGN_WAIT_FOR_KEY,
829     KEY_SIGN_WAIT_FOR_SIGN,
830     KEY_SIGN_CLEANUP,
831 
832     ENTITY_CHANGE_AUTH_WAIT_FOR_SESSION,
833     ENTITY_CHANGE_AUTH_WAIT_FOR_KEY,
834     ENTITY_CHANGE_AUTH_AUTH_SENT,
835     ENTITY_CHANGE_AUTH_WAIT_FOR_FLUSH,
836     ENTITY_CHANGE_AUTH_WRITE_PREPARE,
837     ENTITY_CHANGE_AUTH_WRITE,
838     ENTITY_CHANGE_AUTH_WAIT_FOR_KEY_AUTH,
839     ENTITY_CHANGE_AUTH_WAIT_FOR_NV_READ,
840     ENTITY_CHANGE_AUTH_WAIT_FOR_NV_AUTH,
841     ENTITY_CHANGE_AUTH_WAIT_FOR_NV_CHANGE_AUTH,
842     ENTITY_CHANGE_AUTH_HIERARCHY_CHANGE_AUTH,
843     ENTITY_CHANGE_AUTH_HIERARCHY_READ,
844     ENTITY_CHANGE_AUTH_HIERARCHY_AUTHORIZE,
845     ENTITY_CHANGE_AUTH_CLEANUP,
846 
847     DATA_ENCRYPT_WAIT_FOR_PROFILE,
848     DATA_ENCRYPT_WAIT_FOR_SESSION,
849     DATA_ENCRYPT_WAIT_FOR_KEY,
850     DATA_ENCRYPT_WAIT_FOR_FLUSH,
851     DATA_ENCRYPT_WAIT_FOR_RSA_ENCRYPTION,
852     DATA_ENCRYPT_CLEAN,
853 
854     DATA_DECRYPT_WAIT_FOR_PROFILE,
855     DATA_DECRYPT_WAIT_FOR_SESSION,
856     DATA_DECRYPT_WAIT_FOR_KEY,
857     DATA_DECRYPT_WAIT_FOR_FLUSH,
858     DATA_DECRYPT_WAIT_FOR_RSA_DECRYPTION,
859     DATA_DECRYPT_AUTHORIZE_KEY,
860     DATA_DECRYPT_CLEANUP,
861 
862     PCR_EXTEND_WAIT_FOR_SESSION,
863     PCR_EXTEND_WAIT_FOR_GET_CAP,
864     PCR_EXTEND_APPEND_EVENT_LOG,
865     PCR_EXTEND_FINISH,
866     PCR_EXTEND_CLEANUP,
867 
868     PCR_READ_READ_PCR,
869     PCR_READ_READ_EVENT_LIST,
870 
871     PCR_QUOTE_WAIT_FOR_GET_CAP,
872     PCR_QUOTE_WAIT_FOR_SESSION,
873     PCR_QUOTE_WAIT_FOR_KEY,
874     PCR_QUOTE_AUTH_SENT,
875     PCR_QUOTE_AUTHORIZE,
876     PCR_QUOTE_WAIT_FOR_FLUSH,
877     PCR_QUOTE_READ_EVENT_LIST,
878     PCR_QUOTE_CLEANUP,
879 
880     PATH_SET_DESCRIPTION_READ,
881     PATH_SET_DESCRIPTION_WRITE,
882 
883     PATH_GET_DESCRIPTION_READ,
884 
885     APP_DATA_SET_READ,
886     APP_DATA_SET_WRITE,
887 
888     AUTHORIZE_NEW_CALCULATE_POLICY,
889     AUTHORIZE_NEW_LOAD_KEY,
890     AUTHORIZE_NEW_KEY_SIGN_POLICY,
891     AUTHORIZE_NEW_WRITE_POLICY_PREPARE,
892     AUTHORIZE_NEW_WRITE_POLICY,
893     AUTHORIZE_NEW_CLEANUP,
894 
895     WRITE_AUTHORIZE_NV_READ_NV,
896     WRITE_AUTHORIZE_NV_CALCULATE_POLICY,
897     WRITE_AUTHORIZE_NV_WRITE_NV_RAM_PREPARE,
898     WRITE_AUTHORIZE_NV_WRITE_NV_RAM,
899     WRITE_AUTHORIZE_NV_WRITE_OBJCECT,
900     WRITE_AUTHORIZE_NV_WRITE_POLICY_PREPARE,
901     WRITE_AUTHORIZE_NV_WRITE_POLICY,
902     WRITE_AUTHORIZE_NV_CLEANUP,
903 
904     EXPORT_KEY_READ_PUB_KEY,
905     EXPORT_KEY_READ_PUB_KEY_PARENT,
906     EXPORT_KEY_WAIT_FOR_KEY,
907     EXPORT_KEY_WAIT_FOR_DUPLICATE,
908     EXPORT_KEY_WAIT_FOR_EXT_KEY,
909     EXPORT_KEY_WAIT_FOR_AUTHORIZATON,
910     EXPORT_KEY_WAIT_FOR_FLUSH1,
911     EXPORT_KEY_WAIT_FOR_FLUSH2,
912     EXPORT_KEY_CLEANUP,
913 
914     IMPORT_KEY_WRITE_POLICY,
915     IMPORT_KEY_WRITE,
916     IMPORT_KEY_SEARCH,
917     IMPORT_KEY_LOAD_PARENT,
918     IMPORT_KEY_AUTHORIZE_PARENT,
919     IMPORT_KEY_IMPORT,
920     IMPORT_KEY_WAIT_FOR_FLUSH,
921     IMPORT_KEY_WRITE_OBJECT_PREPARE,
922     IMPORT_KEY_WRITE_OBJECT,
923     IMPORT_KEY_CLEANUP,
924 
925     UNSEAL_WAIT_FOR_KEY,
926     UNSEAL_AUTHORIZE_OBJECT,
927     UNSEAL_WAIT_FOR_UNSEAL,
928     UNSEAL_WAIT_FOR_FLUSH,
929     UNSEAL_CLEANUP,
930 
931     GET_PLATFORM_CERTIFICATE,
932 
933     POLICY_EXPORT_READ_OBJECT,
934     POLICY_EXPORT_READ_OBJECT_FINISH,
935     POLICY_EXPORT_READ_POLICY,
936     POLICY_EXPORT_READ_POLICY_FINISH,
937 
938     VERIFY_QUOTE_READ,
939 
940     GET_INFO_GET_CAP,
941     GET_INFO_GET_CAP_MORE,
942     GET_INFO_WAIT_FOR_CAP
943 };
944 
945 /** Structure holding FAPI callbacks and userData
946  *
947  * This structure holds the callback pointers and corresponding userData pointers for each of the
948  * three callback types of FAPI. They are set using Fapi_SetAuthCB, Fapi_SetBranchCB and
949  * Fapi_SetSignCB.
950  */
951 struct IFAPI_CALLBACKS {
952     Fapi_CB_Auth auth;
953     void *authData;
954     Fapi_CB_Branch branch;
955     void *branchData;
956     Fapi_CB_Sign sign;
957     void *signData;
958     Fapi_CB_PolicyAction action;
959     void *actionData;
960 };
961 
962 /** The data structure holding internal state information.
963  *
964  * Each FAPI_CONTEXT respresents a logically independent connection to the TPM.
965  * It stores meta data information about object in order to calculate session
966  * auths and similar things.
967  */
968 struct FAPI_CONTEXT {
969     ESYS_CONTEXT *esys;              /**< The ESYS context used internally to talk to
970                                           the TPM. */
971     struct IFAPI_CALLBACKS callbacks;       /**< Callbacks for user interaction from FAPI */
972     struct IFAPI_IO io;
973     struct IFAPI_EVENTLOG eventlog;
974     struct IFAPI_KEYSTORE keystore;
975     struct IFAPI_POLICY_STORE pstore;
976     struct IFAPI_PROFILES profiles;
977 
978     enum _FAPI_STATE state;          /**< The current state of the command execution */
979     enum _FAPI_STATE_PRIMARY primary_state; /**< The current state of the primary regeneration */
980     enum _FAPI_STATE_SESSION session_state; /**< The current state of the session creation */
981     enum _FAPI_STATE_GET_RANDOM get_random_state; /**< The current state of get random */
982     enum IFAPI_HIERACHY_AUTHORIZATION_STATE hierarchy_state;
983     enum IFAPI_HIERACHY_POLICY_AUTHORIZATION_STATE hierarchy_policy_state;
984     enum IFAPI_GET_CERT_STATE get_cert_state;
985     enum _FAPI_FLUSH_STATE flush_object_state;  /**< The current state of a flush operation */
986     enum IFAPI_CLEANUP_STATE cleanup_state;     /**< The state of cleanup after command execution */
987     IFAPI_CONFIG config;             /**< The profile independet configuration data */
988     UINT32 nv_buffer_max;            /**< The maximal size for transfer of nv buffer content */
989     IFAPI_CMD_STATE cmd;             /**< The state information of the currently executed
990                                           command */
991     IFAPI_NV_Cmds nv_cmd;
992     IFAPI_GetRandom get_random;
993     IFAPI_CreatePrimary createPrimary;
994     IFAPI_LoadKey loadKey;
995     ESYS_TR session1;                /**< The first session used by FAPI  */
996     ESYS_TR session2;                /**< The second session used by FAPI  */
997     ESYS_TR policy_session;          /**< The policy session used by FAPI  */
998     ESYS_TR ek_handle;
999     ESYS_TR srk_handle;
1000     bool ek_persistent;
1001     bool srk_persistent;
1002     IFAPI_SESSION_TYPE session_flags;
1003     TPMA_SESSION session1_attribute_flags;
1004     TPMA_SESSION session2_attribute_flags;
1005     IFAPI_MAX_BUFFER aux_data; /**< tpm2b data to be transferred */
1006     IFAPI_POLICY_CTX policy;  /**< The context of current policy. */
1007     IFAPI_FILE_SEARCH_CTX fsearch;  /**< The context for object search in key/policy store */
1008     IFAPI_Key_Sign Key_Sign; /**< State information for key signing */
1009     enum IFAPI_IO_STATE io_state;
1010     NODE_OBJECT_T *object_list;
1011     IFAPI_OBJECT *duplicate_key; /**< Will be needed for policy execution */
1012 };
1013 
1014 #define VENDOR_IFX  0x49465800
1015 #define VENDOR_INTC 0x494E5443
1016 #define VEDNOR_IBM  0x49424D20
1017 
1018 #endif /* FAPI_INT_H */
1019