1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3 * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
4 * All rights reserved.
5 ******************************************************************************/
6
7 #ifdef HAVE_CONFIG_H
8 #include <config.h>
9 #endif
10
11 #include "tss2_mu.h"
12 #include "tss2_sys.h"
13 #include "tss2_esys.h"
14
15 #include "esys_types.h"
16 #include "esys_iutil.h"
17 #include "esys_mu.h"
18 #define LOGMODULE esys
19 #include "util/log.h"
20 #include "util/aux_util.h"
21
22 /** One-Call function for TPM2_NV_Certify
23 *
24 * This function invokes the TPM2_NV_Certify command in a one-call
25 * variant. This means the function will block until the TPM response is
26 * available. All input parameters are const. The memory for non-simple output
27 * parameters is allocated by the function implementation.
28 *
29 * @param[in,out] esysContext The ESYS_CONTEXT.
30 * @param[in] signHandle Handle of the key used to sign the attestation
31 * structure.
32 * @param[in] authHandle Handle indicating the source of the authorization
33 * value for the NV Index.
34 * @param[in] nvIndex Index for the area to be certified.
35 * @param[in] shandle1 Session handle for authorization of signHandle
36 * @param[in] shandle2 Session handle for authorization of authHandle
37 * @param[in] shandle3 Third session handle.
38 * @param[in] qualifyingData User-provided qualifying data.
39 * @param[in] inScheme TPM2_Signing scheme to use if the scheme for signHandle is
40 * TPM2_ALG_NULL.
41 * @param[in] size Number of octets to certify.
42 * @param[in] offset Octet offset into the area.
43 * @param[out] certifyInfo The structure that was signed.
44 * (callee-allocated)
45 * @param[out] signature The asymmetric signature over certifyInfo using the
46 * key referenced by signHandle.
47 * (callee-allocated)
48 * @retval TSS2_RC_SUCCESS if the function call was a success.
49 * @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext or required input
50 * pointers or required output handle references are NULL.
51 * @retval TSS2_ESYS_RC_BAD_CONTEXT: if esysContext corruption is detected.
52 * @retval TSS2_ESYS_RC_MEMORY: if the ESAPI cannot allocate enough memory for
53 * internal operations or return parameters.
54 * @retval TSS2_ESYS_RC_BAD_SEQUENCE: if the context has an asynchronous
55 * operation already pending.
56 * @retval TSS2_ESYS_RC_INSUFFICIENT_RESPONSE: if the TPM's response does not
57 * at least contain the tag, response length, and response code.
58 * @retval TSS2_ESYS_RC_MALFORMED_RESPONSE: if the TPM's response is corrupted.
59 * @retval TSS2_ESYS_RC_RSP_AUTH_FAILED: if the response HMAC from the TPM
60 did not verify.
61 * @retval TSS2_ESYS_RC_MULTIPLE_DECRYPT_SESSIONS: if more than one session has
62 * the 'decrypt' attribute bit set.
63 * @retval TSS2_ESYS_RC_MULTIPLE_ENCRYPT_SESSIONS: if more than one session has
64 * the 'encrypt' attribute bit set.
65 * @retval TSS2_ESYS_RC_BAD_TR: if any of the ESYS_TR objects are unknown
66 * to the ESYS_CONTEXT or are of the wrong type or if required
67 * ESYS_TR objects are ESYS_TR_NONE.
68 * @retval TSS2_RCs produced by lower layers of the software stack may be
69 * returned to the caller unaltered unless handled internally.
70 */
71 TSS2_RC
Esys_NV_Certify(ESYS_CONTEXT * esysContext,ESYS_TR signHandle,ESYS_TR authHandle,ESYS_TR nvIndex,ESYS_TR shandle1,ESYS_TR shandle2,ESYS_TR shandle3,const TPM2B_DATA * qualifyingData,const TPMT_SIG_SCHEME * inScheme,UINT16 size,UINT16 offset,TPM2B_ATTEST ** certifyInfo,TPMT_SIGNATURE ** signature)72 Esys_NV_Certify(
73 ESYS_CONTEXT *esysContext,
74 ESYS_TR signHandle,
75 ESYS_TR authHandle,
76 ESYS_TR nvIndex,
77 ESYS_TR shandle1,
78 ESYS_TR shandle2,
79 ESYS_TR shandle3,
80 const TPM2B_DATA *qualifyingData,
81 const TPMT_SIG_SCHEME *inScheme,
82 UINT16 size,
83 UINT16 offset,
84 TPM2B_ATTEST **certifyInfo,
85 TPMT_SIGNATURE **signature)
86 {
87 TSS2_RC r;
88
89 r = Esys_NV_Certify_Async(esysContext, signHandle, authHandle, nvIndex,
90 shandle1, shandle2, shandle3, qualifyingData,
91 inScheme, size, offset);
92 return_if_error(r, "Error in async function");
93
94 /* Set the timeout to indefinite for now, since we want _Finish to block */
95 int32_t timeouttmp = esysContext->timeout;
96 esysContext->timeout = -1;
97 /*
98 * Now we call the finish function, until return code is not equal to
99 * from TSS2_BASE_RC_TRY_AGAIN.
100 * Note that the finish function may return TSS2_RC_TRY_AGAIN, even if we
101 * have set the timeout to -1. This occurs for example if the TPM requests
102 * a retransmission of the command via TPM2_RC_YIELDED.
103 */
104 do {
105 r = Esys_NV_Certify_Finish(esysContext, certifyInfo, signature);
106 /* This is just debug information about the reattempt to finish the
107 command */
108 if ((r & ~TSS2_RC_LAYER_MASK) == TSS2_BASE_RC_TRY_AGAIN)
109 LOG_DEBUG("A layer below returned TRY_AGAIN: %" PRIx32
110 " => resubmitting command", r);
111 } while ((r & ~TSS2_RC_LAYER_MASK) == TSS2_BASE_RC_TRY_AGAIN);
112
113 /* Restore the timeout value to the original value */
114 esysContext->timeout = timeouttmp;
115 return_if_error(r, "Esys Finish");
116
117 return TSS2_RC_SUCCESS;
118 }
119
120 /** Asynchronous function for TPM2_NV_Certify
121 *
122 * This function invokes the TPM2_NV_Certify command in a asynchronous
123 * variant. This means the function will return as soon as the command has been
124 * sent downwards the stack to the TPM. All input parameters are const.
125 * In order to retrieve the TPM's response call Esys_NV_Certify_Finish.
126 *
127 * @param[in,out] esysContext The ESYS_CONTEXT.
128 * @param[in] signHandle Handle of the key used to sign the attestation
129 * structure.
130 * @param[in] authHandle Handle indicating the source of the authorization
131 * value for the NV Index.
132 * @param[in] nvIndex Index for the area to be certified.
133 * @param[in] shandle1 Session handle for authorization of signHandle
134 * @param[in] shandle2 Session handle for authorization of authHandle
135 * @param[in] shandle3 Third session handle.
136 * @param[in] qualifyingData User-provided qualifying data.
137 * @param[in] inScheme TPM2_Signing scheme to use if the scheme for signHandle is
138 * TPM2_ALG_NULL.
139 * @param[in] size Number of octets to certify.
140 * @param[in] offset Octet offset into the area.
141 * @retval ESYS_RC_SUCCESS if the function call was a success.
142 * @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext or required input
143 * pointers or required output handle references are NULL.
144 * @retval TSS2_ESYS_RC_BAD_CONTEXT: if esysContext corruption is detected.
145 * @retval TSS2_ESYS_RC_MEMORY: if the ESAPI cannot allocate enough memory for
146 * internal operations or return parameters.
147 * @retval TSS2_RCs produced by lower layers of the software stack may be
148 returned to the caller unaltered unless handled internally.
149 * @retval TSS2_ESYS_RC_MULTIPLE_DECRYPT_SESSIONS: if more than one session has
150 * the 'decrypt' attribute bit set.
151 * @retval TSS2_ESYS_RC_MULTIPLE_ENCRYPT_SESSIONS: if more than one session has
152 * the 'encrypt' attribute bit set.
153 * @retval TSS2_ESYS_RC_BAD_TR: if any of the ESYS_TR objects are unknown
154 * to the ESYS_CONTEXT or are of the wrong type or if required
155 * ESYS_TR objects are ESYS_TR_NONE.
156 */
157 TSS2_RC
Esys_NV_Certify_Async(ESYS_CONTEXT * esysContext,ESYS_TR signHandle,ESYS_TR authHandle,ESYS_TR nvIndex,ESYS_TR shandle1,ESYS_TR shandle2,ESYS_TR shandle3,const TPM2B_DATA * qualifyingData,const TPMT_SIG_SCHEME * inScheme,UINT16 size,UINT16 offset)158 Esys_NV_Certify_Async(
159 ESYS_CONTEXT *esysContext,
160 ESYS_TR signHandle,
161 ESYS_TR authHandle,
162 ESYS_TR nvIndex,
163 ESYS_TR shandle1,
164 ESYS_TR shandle2,
165 ESYS_TR shandle3,
166 const TPM2B_DATA *qualifyingData,
167 const TPMT_SIG_SCHEME *inScheme,
168 UINT16 size,
169 UINT16 offset)
170 {
171 TSS2_RC r;
172 LOG_TRACE("context=%p, signHandle=%"PRIx32 ", authHandle=%"PRIx32 ","
173 "nvIndex=%"PRIx32 ", qualifyingData=%p, inScheme=%p,"
174 "size=%04"PRIx16", offset=%04"PRIx16"",
175 esysContext, signHandle, authHandle, nvIndex, qualifyingData,
176 inScheme, size, offset);
177 TSS2L_SYS_AUTH_COMMAND auths;
178 RSRC_NODE_T *signHandleNode;
179 RSRC_NODE_T *authHandleNode;
180 RSRC_NODE_T *nvIndexNode;
181
182 /* Check context, sequence correctness and set state to error for now */
183 if (esysContext == NULL) {
184 LOG_ERROR("esyscontext is NULL.");
185 return TSS2_ESYS_RC_BAD_REFERENCE;
186 }
187 r = iesys_check_sequence_async(esysContext);
188 if (r != TSS2_RC_SUCCESS)
189 return r;
190 esysContext->state = _ESYS_STATE_INTERNALERROR;
191
192 /* Check input parameters */
193 r = check_session_feasibility(shandle1, shandle2, shandle3, 1);
194 return_state_if_error(r, _ESYS_STATE_INIT, "Check session usage");
195
196 /* Retrieve the metadata objects for provided handles */
197 r = esys_GetResourceObject(esysContext, signHandle, &signHandleNode);
198 return_state_if_error(r, _ESYS_STATE_INIT, "signHandle unknown.");
199 r = esys_GetResourceObject(esysContext, authHandle, &authHandleNode);
200 return_state_if_error(r, _ESYS_STATE_INIT, "authHandle unknown.");
201 r = esys_GetResourceObject(esysContext, nvIndex, &nvIndexNode);
202 return_state_if_error(r, _ESYS_STATE_INIT, "nvIndex unknown.");
203
204 /* Initial invocation of SAPI to prepare the command buffer with parameters */
205 r = Tss2_Sys_NV_Certify_Prepare(esysContext->sys,
206 (signHandleNode == NULL) ? TPM2_RH_NULL
207 : signHandleNode->rsrc.handle,
208 (authHandleNode == NULL) ? TPM2_RH_NULL
209 : authHandleNode->rsrc.handle,
210 (nvIndexNode == NULL) ? TPM2_RH_NULL
211 : nvIndexNode->rsrc.handle, qualifyingData,
212 inScheme, size, offset);
213 return_state_if_error(r, _ESYS_STATE_INIT, "SAPI Prepare returned error.");
214
215 /* Calculate the cpHash Values */
216 r = init_session_tab(esysContext, shandle1, shandle2, shandle3);
217 return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources");
218 if (signHandleNode != NULL)
219 iesys_compute_session_value(esysContext->session_tab[0],
220 &signHandleNode->rsrc.name, &signHandleNode->auth);
221 else
222 iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL);
223
224 if (authHandleNode != NULL)
225 iesys_compute_session_value(esysContext->session_tab[1],
226 &authHandleNode->rsrc.name, &authHandleNode->auth);
227 else
228 iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL);
229
230 iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL);
231
232 /* Generate the auth values and set them in the SAPI command buffer */
233 r = iesys_gen_auths(esysContext, signHandleNode, authHandleNode, nvIndexNode, &auths);
234 return_state_if_error(r, _ESYS_STATE_INIT,
235 "Error in computation of auth values");
236
237 esysContext->authsCount = auths.count;
238 if (auths.count > 0) {
239 r = Tss2_Sys_SetCmdAuths(esysContext->sys, &auths);
240 return_state_if_error(r, _ESYS_STATE_INIT, "SAPI error on SetCmdAuths");
241 }
242
243 /* Trigger execution and finish the async invocation */
244 r = Tss2_Sys_ExecuteAsync(esysContext->sys);
245 return_state_if_error(r, _ESYS_STATE_INTERNALERROR,
246 "Finish (Execute Async)");
247
248 esysContext->state = _ESYS_STATE_SENT;
249
250 return r;
251 }
252
253 /** Asynchronous finish function for TPM2_NV_Certify
254 *
255 * This function returns the results of a TPM2_NV_Certify command
256 * invoked via Esys_NV_Certify_Finish. All non-simple output parameters
257 * are allocated by the function's implementation. NULL can be passed for every
258 * output parameter if the value is not required.
259 *
260 * @param[in,out] esysContext The ESYS_CONTEXT.
261 * @param[out] certifyInfo The structure that was signed.
262 * (callee-allocated)
263 * @param[out] signature The asymmetric signature over certifyInfo using the
264 * key referenced by signHandle.
265 * (callee-allocated)
266 * @retval TSS2_RC_SUCCESS on success
267 * @retval ESYS_RC_SUCCESS if the function call was a success.
268 * @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext or required input
269 * pointers or required output handle references are NULL.
270 * @retval TSS2_ESYS_RC_BAD_CONTEXT: if esysContext corruption is detected.
271 * @retval TSS2_ESYS_RC_MEMORY: if the ESAPI cannot allocate enough memory for
272 * internal operations or return parameters.
273 * @retval TSS2_ESYS_RC_BAD_SEQUENCE: if the context has an asynchronous
274 * operation already pending.
275 * @retval TSS2_ESYS_RC_TRY_AGAIN: if the timeout counter expires before the
276 * TPM response is received.
277 * @retval TSS2_ESYS_RC_INSUFFICIENT_RESPONSE: if the TPM's response does not
278 * at least contain the tag, response length, and response code.
279 * @retval TSS2_ESYS_RC_RSP_AUTH_FAILED: if the response HMAC from the TPM did
280 * not verify.
281 * @retval TSS2_ESYS_RC_MALFORMED_RESPONSE: if the TPM's response is corrupted.
282 * @retval TSS2_RCs produced by lower layers of the software stack may be
283 * returned to the caller unaltered unless handled internally.
284 */
285 TSS2_RC
Esys_NV_Certify_Finish(ESYS_CONTEXT * esysContext,TPM2B_ATTEST ** certifyInfo,TPMT_SIGNATURE ** signature)286 Esys_NV_Certify_Finish(
287 ESYS_CONTEXT *esysContext,
288 TPM2B_ATTEST **certifyInfo,
289 TPMT_SIGNATURE **signature)
290 {
291 TSS2_RC r;
292 LOG_TRACE("context=%p, certifyInfo=%p, signature=%p",
293 esysContext, certifyInfo, signature);
294
295 if (esysContext == NULL) {
296 LOG_ERROR("esyscontext is NULL.");
297 return TSS2_ESYS_RC_BAD_REFERENCE;
298 }
299
300 /* Check for correct sequence and set sequence to irregular for now */
301 if (esysContext->state != _ESYS_STATE_SENT &&
302 esysContext->state != _ESYS_STATE_RESUBMISSION) {
303 LOG_ERROR("Esys called in bad sequence.");
304 return TSS2_ESYS_RC_BAD_SEQUENCE;
305 }
306 esysContext->state = _ESYS_STATE_INTERNALERROR;
307
308 /* Allocate memory for response parameters */
309 if (certifyInfo != NULL) {
310 *certifyInfo = calloc(sizeof(TPM2B_ATTEST), 1);
311 if (*certifyInfo == NULL) {
312 return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
313 }
314 }
315 if (signature != NULL) {
316 *signature = calloc(sizeof(TPMT_SIGNATURE), 1);
317 if (*signature == NULL) {
318 goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
319 }
320 }
321
322 /*Receive the TPM response and handle resubmissions if necessary. */
323 r = Tss2_Sys_ExecuteFinish(esysContext->sys, esysContext->timeout);
324 if ((r & ~TSS2_RC_LAYER_MASK) == TSS2_BASE_RC_TRY_AGAIN) {
325 LOG_DEBUG("A layer below returned TRY_AGAIN: %" PRIx32, r);
326 esysContext->state = _ESYS_STATE_SENT;
327 goto error_cleanup;
328 }
329 /* This block handle the resubmission of TPM commands given a certain set of
330 * TPM response codes. */
331 if (r == TPM2_RC_RETRY || r == TPM2_RC_TESTING || r == TPM2_RC_YIELDED) {
332 LOG_DEBUG("TPM returned RETRY, TESTING or YIELDED, which triggers a "
333 "resubmission: %" PRIx32, r);
334 if (esysContext->submissionCount++ >= _ESYS_MAX_SUBMISSIONS) {
335 LOG_WARNING("Maximum number of (re)submissions has been reached.");
336 esysContext->state = _ESYS_STATE_INIT;
337 goto error_cleanup;
338 }
339 esysContext->state = _ESYS_STATE_RESUBMISSION;
340 r = Tss2_Sys_ExecuteAsync(esysContext->sys);
341 if (r != TSS2_RC_SUCCESS) {
342 LOG_WARNING("Error attempting to resubmit");
343 /* We do not set esysContext->state here but inherit the most recent
344 * state of the _async function. */
345 goto error_cleanup;
346 }
347 r = TSS2_ESYS_RC_TRY_AGAIN;
348 LOG_DEBUG("Resubmission initiated and returning RC_TRY_AGAIN.");
349 goto error_cleanup;
350 }
351 /* The following is the "regular error" handling. */
352 if (iesys_tpm_error(r)) {
353 LOG_WARNING("Received TPM Error");
354 esysContext->state = _ESYS_STATE_INIT;
355 goto error_cleanup;
356 } else if (r != TSS2_RC_SUCCESS) {
357 LOG_ERROR("Received a non-TPM Error");
358 esysContext->state = _ESYS_STATE_INTERNALERROR;
359 goto error_cleanup;
360 }
361
362 /*
363 * Now the verification of the response (hmac check) and if necessary the
364 * parameter decryption have to be done.
365 */
366 r = iesys_check_response(esysContext);
367 goto_state_if_error(r, _ESYS_STATE_INTERNALERROR, "Error: check response",
368 error_cleanup);
369
370 /*
371 * After the verification of the response we call the complete function
372 * to deliver the result.
373 */
374 r = Tss2_Sys_NV_Certify_Complete(esysContext->sys,
375 (certifyInfo != NULL) ? *certifyInfo : NULL,
376 (signature != NULL) ? *signature : NULL);
377 goto_state_if_error(r, _ESYS_STATE_INTERNALERROR,
378 "Received error from SAPI unmarshaling" ,
379 error_cleanup);
380
381 esysContext->state = _ESYS_STATE_INIT;
382
383 return TSS2_RC_SUCCESS;
384
385 error_cleanup:
386 if (certifyInfo != NULL)
387 SAFE_FREE(*certifyInfo);
388 if (signature != NULL)
389 SAFE_FREE(*signature);
390
391 return r;
392 }
393