1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3 * Copyright (c) 2020, Intel Corporation
4 * All rights reserved.
5 *******************************************************************************/
6
7 #ifdef HAVE_CONFIG_H
8 #include <config.h>
9 #endif
10
11 #include <stdlib.h>
12
13 #include "tss2_esys.h"
14
15 #include "esys_iutil.h"
16 #include "test-esapi.h"
17 #define LOGDEFAULT LOGLEVEL_INFO
18 #define LOGMODULE test
19 #include "util/log.h"
20 #include "util/aux_util.h"
21
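/** Test auth verification in the TPM2_Clear command
 *
 * After TPM2_Clear is executed the auth values of the owner, endorsement
 * and lockout hierarchies are reset to empty buffers, so the empty auth
 * values must be used for the HMAC verification of the response. The test
 * sets a non-empty auth on the authorizing hierarchy, runs Esys_Clear through
 * an HMAC session on that hierarchy and checks that the response is verified
 * correctly.
 *
 * The check is done for the lockout hierarchy and, where the platform
 * hierarchy is usable, for the platform hierarchy as well. platformAuth is
 * not reset by TPM2_Clear, so it is explicitly restored to empty at the end.
 *
 * @param[in,out] esys_context The ESYS_CONTEXT.
 * @retval EXIT_SUCCESS
 * @retval EXIT_SKIP   platform authorization is not possible on this TPM
 * @retval EXIT_FAILURE
 */
int
test_esys_clear_auth(ESYS_CONTEXT * esys_context)
{
    TSS2_RC r;
    ESYS_TR session = ESYS_TR_NONE;
    int failure_return = EXIT_FAILURE;

    /* Unbound, unsalted HMAC session with XOR parameter encryption.
     * .mode is not used for XOR; it is initialised to keep the union defined. */
    TPMT_SYM_DEF symmetric = {.algorithm = TPM2_ALG_XOR,
                              .keyBits = { .exclusiveOr = TPM2_ALG_SHA1 },
                              .mode = {.aes = TPM2_ALG_CFB}};

    /* Non-empty auth installed on the hierarchy under test. */
    TPM2B_AUTH auth = {
        .size = 16,
        .buffer = "deadbeefdeadbeef",
    };

    /* ---- Lockout authorization ---- */
    LOG_DEBUG("Test LOCKOUT authorization");
    LOG_DEBUG("Start Auth Session");
    r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
                              ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                              NULL,
                              TPM2_SE_HMAC, &symmetric, TPM2_ALG_SHA1,
                              &session);
    goto_if_error(r, "Error: During initialization of session", error);

    LOG_DEBUG("Set Auth");
    r = Esys_HierarchyChangeAuth(esys_context, ESYS_TR_RH_LOCKOUT,
                                 ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                                 &auth);
    goto_if_error(r, "Error: During Esys_HierarchyChangeAuth", error);

    /* Make the ESYS context use the new lockoutAuth for the HMAC session. */
    r = Esys_TR_SetAuth(esys_context, ESYS_TR_RH_LOCKOUT, &auth);
    goto_if_error(r, "Error: During Esys_TR_SetAuth", error);

    /* Clear resets lockoutAuth; the response HMAC must verify against the
     * now-empty auth value. */
    LOG_DEBUG("Clear");
    r = Esys_Clear(esys_context, ESYS_TR_RH_LOCKOUT, session,
                   ESYS_TR_NONE, ESYS_TR_NONE);
    goto_if_error(r, "Error: During Esys_Clear", error);

    r = Esys_FlushContext(esys_context, session);
    goto_if_error(r, "Error: During Esys_FlushContext", error);
    /* The handle is gone; forget it so the error path does not flush twice. */
    session = ESYS_TR_NONE;

    /* ---- Platform authorization ---- */
    LOG_DEBUG("Test PLATFORM authorization");
    LOG_DEBUG("Start Auth Session");
    r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
                              ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                              NULL,
                              TPM2_SE_HMAC, &symmetric, TPM2_ALG_SHA1,
                              &session);
    goto_if_error(r, "Error: During initialization of session", error);

    LOG_DEBUG("Set Auth");
    r = Esys_HierarchyChangeAuth(esys_context, ESYS_TR_RH_PLATFORM,
                                 ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                                 &auth);

    /*
     * A non-empty platformAuth or a disabled platform hierarchy means the
     * platform part of the test cannot run; skip rather than fail.
     * TPM2_RC_BAD_AUTH is a format-1 code that carries the session number in
     * the N field, so that field is masked out. TPM2_RC_HIERARCHY is a
     * format-0 code with no N field; masking it would strip its version bit
     * and the comparison could never match, so it is compared unmasked.
     */
    if ((r & ~TPM2_RC_N_MASK) == TPM2_RC_BAD_AUTH || r == TPM2_RC_HIERARCHY) {
        LOG_WARNING("Platform authorization not possible.");
        failure_return = EXIT_SKIP;
        goto error;
    }
    goto_if_error(r, "Error: During Esys_HierarchyChangeAuth", error);

    r = Esys_TR_SetAuth(esys_context, ESYS_TR_RH_PLATFORM, &auth);
    goto_if_error(r, "Error: During Esys_TR_SetAuth", error);

    LOG_DEBUG("Clear");
    r = Esys_Clear(esys_context, ESYS_TR_RH_PLATFORM, session,
                   ESYS_TR_NONE, ESYS_TR_NONE);
    goto_if_error(r, "Error: During Esys_Clear", error);

    r = Esys_FlushContext(esys_context, session);
    goto_if_error(r, "Error: During Esys_FlushContext", error);
    session = ESYS_TR_NONE;

    /* TPM2_Clear leaves platformAuth unchanged on the TPM, so re-state it in
     * the ESYS context (defensive, in case the ESYS layer dropped it while
     * resetting the hierarchies Clear does reset) and then set it back to
     * empty so the TPM is left as it was found. */
    r = Esys_TR_SetAuth(esys_context, ESYS_TR_RH_PLATFORM, &auth);
    goto_if_error(r, "Error: During Esys_TR_SetAuth", error);

    LOG_DEBUG("Set Auth");
    r = Esys_HierarchyChangeAuth(esys_context, ESYS_TR_RH_PLATFORM,
                                 ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                                 NULL);
    goto_if_error(r, "Error: During Esys_HierarchyChangeAuth", error);

    return EXIT_SUCCESS;

error:
    LOG_ERROR("\nError Code: %x\n", r);

    /* NOTE(review): a failure after HierarchyChangeAuth leaves the non-empty
     * lockout/platform auth in place on the TPM; rerunning needs a TPM reset.
     * Confirm the harness does that between tests. */
    if (session != ESYS_TR_NONE) {
        if (Esys_FlushContext(esys_context, session) != TSS2_RC_SUCCESS) {
            LOG_ERROR("Cleanup session failed.");
        }
    }
    return failure_return;
}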
131
/** Entry point used by the ESAPI test harness.
 *
 * Runs the TPM2_Clear auth-verification test on the supplied context and
 * hands its exit status straight back to the harness.
 *
 * @param[in,out] esys_context The ESYS_CONTEXT.
 * @retval EXIT_SUCCESS, EXIT_SKIP or EXIT_FAILURE as returned by
 *         test_esys_clear_auth.
 */
int
test_invoke_esapi(ESYS_CONTEXT * esys_context)
{
    int rc = test_esys_clear_auth(esys_context);
    return rc;
}
136