// Copyright 2024 The ChromiumOS Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef TPM_GENERATED_FFI_H_
#define TPM_GENERATED_FFI_H_

// The cxx Rust library cannot invoke all C++ methods -- for example, it cannot
// invoke static methods, and there are many types it cannot pass by value.
// These functions provide cxx-compatible access to the functionality of other
// code in this directory.
//
// Because this entire library (libtpmgenerated) is a temporary measure
// (long-term, we want to replace it with tpm-rs), these bindings are added
// as-needed and do not always expose all the functionality that they could.
//
// Conventions shared by the wrappers below:
// - Functions that return TPM_RC report failure only through the return code.
//   Callers must check the code before using any output parameter; on a
//   non-success code the outputs should be treated as unspecified.
// - Every "SerializeCommand_*" function writes the command bytes to be sent to
//   the TPM into serialized_command. Every "ParseResponse_*" function takes the
//   raw bytes that came back from the TPM in `response`; those bytes cross a
//   trust boundary (they are produced outside this library), so the parser's
//   return code is the only signal that the response was well-formed.
// - authorization_delegate parameters take a const std::unique_ptr& so that
//   cxx can pass the delegate through. Where the comment says "nullable",
//   nullptr is accepted; presumably no authorization area is then emitted or
//   checked -- confirm against the underlying Tpm:: method before relying on
//   it for a command that requires authorization.
// - Only a PasswordAuthorizationDelegate can be constructed from Rust (see
//   PasswordAuthorizationDelegate_New). A password session carries no HMAC
//   and no parameter encryption, so neither the command nor the response is
//   cryptographically bound to the session when that delegate is used.

#include <memory>
#include <string>

#include "authorization_delegate.h"
#include "tpm_generated.h"

namespace trunks {

// Organization: each subsection is a type, ordered alphabetically.

// -----------------------------------------------------------------------------
// EncryptedData (referring to the CA protobuf's EncryptedData message type)
// -----------------------------------------------------------------------------

// Encrypts data for an attestation CA. The CA's public key is passed in as an
// input. The output values correspond to the EncryptedData protobuf in
// attestation_ca.proto. Returns true on success and false on failure.
//
// Inputs:
//   data            - plaintext to encrypt for the CA.
//   public_key_hex  - the CA's public key, hex-encoded (the decoding and
//                     parsing of the key happen in the implementation).
//   key_id          - identifier of the CA key; presumably echoed back as
//                     wrapping_key_id -- confirm in the implementation.
// Outputs (each maps to the protobuf field of the same name):
//   wrapped_key, iv, mac, encrypted_data, wrapping_key_id.
// NOTE(review): on a false return the outputs may be partially written; do not
// transmit any of them unless the function returned true.
bool EncryptDataForCa(const std::string& data,
                      const std::string& public_key_hex,
                      const std::string& key_id, std::string& wrapped_key,
                      std::string& iv, std::string& mac,
                      std::string& encrypted_data,
                      std::string& wrapping_key_id);

// -----------------------------------------------------------------------------
// PasswordAuthorizationDelegate
// -----------------------------------------------------------------------------

// Wraps the PasswordAuthorizationDelegate constructor. Returns an
// AuthorizationDelegate pointer rather than a PasswordAuthorizationDelegate
// pointer because Rust code doesn't know how to convert a
// PasswordAuthorizationDelegate pointer into an AuthorizationDelegate pointer.
//
// `password` is the plaintext authValue that will be placed in the command's
// authorization area. It is secret material: callers should avoid logging it
// and should keep the delegate's lifetime as short as practical. The returned
// owner is the only delegate type the cxx bridge can currently construct.
std::unique_ptr<AuthorizationDelegate> PasswordAuthorizationDelegate_New(
    const std::string& password);

// -----------------------------------------------------------------------------
// Tpm
// -----------------------------------------------------------------------------

// Wraps Tpm::SerializeCommand_Create. Serializes the TPM2_Create command.
// authorization_delegate is nullable.
//
// parent_handle / parent_handle_name identify the loaded parent object under
// which the new object is created; the name is needed to compute the
// command's authorization HMAC (a no-op for a password delegate).
// in_sensitive carries the new object's authValue and sensitive data (see
// TPM2B_SENSITIVE_CREATE_New), in_public its template. creation_pcr selects
// which PCRs are recorded in the creation data (see EmptyPcrSelection and
// SinglePcrSelection).
TPM_RC SerializeCommand_Create(
    const TPMI_DH_OBJECT& parent_handle, const std::string& parent_handle_name,
    const TPM2B_SENSITIVE_CREATE& in_sensitive, const TPM2B_PUBLIC& in_public,
    const TPM2B_DATA& outside_info, const TPML_PCR_SELECTION& creation_pcr,
    std::string& serialized_command,
    const std::unique_ptr<AuthorizationDelegate>& authorization_delegate);

// Wraps Tpm::ParseResponse_Create. Parses the response from a TPM2_Create
// command.
// out_public is in serialized form (because there is no
// StringFrom_TPM2B_PUBLIC in tpm_generated).
// authorization_delegate is nullable.
//
// out_private is the parent-wrapped private blob; it is opaque to callers and
// is what SerializeCommand_Load later takes as in_private. out_public is the
// serialized TPM2B_PUBLIC and can be converted with Tpm2bPublicToTpmtPublic.
TPM_RC ParseResponse_Create(
    const std::string& response, std::string& out_private,
    std::string& out_public, TPM2B_CREATION_DATA& creation_data,
    TPM2B_DIGEST& creation_hash, TPMT_TK_CREATION& creation_ticket,
    const std::unique_ptr<AuthorizationDelegate>& authorization_delegate);

// Wraps Tpm::SerializeCommand_CreatePrimary. Serializes the TPM2_CreatePrimary
// command.
// authorization_delegate is nullable.
//
// primary_handle selects the hierarchy (e.g. a predefined TPM_RH_* value); its
// name is obtained with NameFromHandle. The remaining parameters mirror
// SerializeCommand_Create.
TPM_RC SerializeCommand_CreatePrimary(
    const TPMI_RH_HIERARCHY& primary_handle,
    const std::string& primary_handle_name,
    const TPM2B_SENSITIVE_CREATE& in_sensitive, const TPM2B_PUBLIC& in_public,
    const TPM2B_DATA& outside_info, const TPML_PCR_SELECTION& creation_pcr,
    std::string& serialized_command,
    const std::unique_ptr<AuthorizationDelegate>& authorization_delegate);

// Wraps Tpm::ParseResponse_CreatePrimary. Parses the response from a
// TPM2_CreatePrimary command.
// authorization_delegate is nullable.
//
// Unlike TPM2_Create, CreatePrimary leaves the object loaded: object_handle is
// the transient handle and `name` its Name, both of which are needed for
// subsequent commands that use the key (e.g. as sign_handle / parent_handle).
// Here out_public is returned as a parsed TPM2B_PUBLIC, not serialized.
TPM_RC ParseResponse_CreatePrimary(
    const std::string& response, TPM_HANDLE& object_handle,
    TPM2B_PUBLIC& out_public, TPM2B_CREATION_DATA& creation_data,
    TPM2B_DIGEST& creation_hash, TPMT_TK_CREATION& creation_ticket,
    std::string& name,
    const std::unique_ptr<AuthorizationDelegate>& authorization_delegate);

// Wraps Tpm::SerializeCommand_Load. Serializes the TPM2_Load command.
// in_public should be in serialized form (as there is no direct string ->
// TPM2B_PUBLIC conversion in tpm_generated other than parsing).
// authorization_delegate is nullable.
//
// in_private / in_public are the blobs produced by ParseResponse_Create; they
// must be loaded under the same parent that created them.
TPM_RC SerializeCommand_Load(
    const TPMI_DH_OBJECT& parent_handle, const std::string& parent_handle_name,
    const std::string& in_private, const std::string& in_public,
    std::string& serialized_command,
    const std::unique_ptr<AuthorizationDelegate>& authorization_delegate);

// Wraps Tpm::ParseResponse_Load. Parses the response from a TPM2_Load command.
// authorization_delegate is nullable.
//
// object_handle is the transient handle of the now-loaded object and `name`
// its Name (used as *_handle_name in later commands).
TPM_RC ParseResponse_Load(
    const std::string& response, TPM_HANDLE& object_handle, std::string& name,
    const std::unique_ptr<AuthorizationDelegate>& authorization_delegate);

// Wraps Tpm::SerializeCommand_NV_Certify. Serializes the TPM2_NV_Certify
// command.
// The authorization_delegate argument was removed because NV_Certify requires
// two authorizations, and adding MultipleAuthorizations to the CXX bridge would
// require putting a lifetime argument on AuthorizationDelegate, which would
// propagate everywhere. Instead, this is hardcoded to use empty password
// authorization.
//
// SECURITY NOTE: because both authorizations are fixed to an empty password,
// this wrapper is expected to succeed only when the signing key and the NV
// index both have an empty authValue, and the command is sent without any
// HMAC or encrypted session. Callers that need a real authValue or session
// protection must call Tpm::SerializeCommand_NV_Certify from C++ instead.
// `size`/`offset` select the byte range of the NV index that is certified;
// qualifying_data is the caller-supplied nonce bound into the attestation.
TPM_RC SerializeCommand_NV_Certify(
    const TPMI_DH_OBJECT& sign_handle, const std::string& sign_handle_name,
    const TPMI_RH_NV_AUTH& auth_handle, const std::string& auth_handle_name,
    const TPMI_RH_NV_INDEX& nv_index, const std::string& nv_index_name,
    const TPM2B_DATA& qualifying_data, const TPMT_SIG_SCHEME& in_scheme,
    const UINT16& size, const UINT16& offset, std::string& serialized_command);

// Wraps Tpm::ParseResponse_NV_Certify. Parses the response from a
// TPM2_NV_Certify command.
// authorization_delegate was omitted for the same reason as
// SerializeCommand_NV_Certify.
//
// certify_info and signature are returned serialized. With no delegate there
// is no session-based check of the response; the signature over certify_info
// is the only integrity evidence, and verifying it is the consumer's job.
TPM_RC ParseResponse_NV_Certify(const std::string& response,
                                std::string& certify_info,
                                std::string& signature);

// Wraps Tpm::SerializeCommand_NV_Read. Serializes the TPM2_NV_Read command.
// authorization_delegate is nullable.
//
// `size`/`offset` select the byte range of the index to read; the TPM enforces
// the index's bounds and read policy, so out-of-range requests surface as a
// TPM error code rather than being clamped here (presumably -- confirm).
TPM_RC SerializeCommand_NV_Read(
    const TPMI_RH_NV_AUTH& auth_handle, const std::string& auth_handle_name,
    const TPMI_RH_NV_INDEX& nv_index, const std::string& nv_index_name,
    const UINT16& size, const UINT16& offset, std::string& serialized_command,
    const std::unique_ptr<AuthorizationDelegate>& authorization_delegate);

// Wraps Tpm::ParseResponse_NV_Read. Parses the response of a TPM2_NV_Read
// command.
// authorization_delegate is nullable.
//
// `data` receives the raw bytes read from the index.
TPM_RC ParseResponse_NV_Read(
    const std::string& response, std::string& data,
    const std::unique_ptr<AuthorizationDelegate>& authorization_delegate);

// Wraps Tpm::SerializeCommand_NV_ReadPublic. Serializes the TPM2_NV_ReadPublic
// command.
// authorization_delegate is nullable.
TPM_RC SerializeCommand_NV_ReadPublic(
    const TPMI_RH_NV_INDEX& nv_index, const std::string& nv_index_name,
    std::string& serialized_command,
    const std::unique_ptr<AuthorizationDelegate>& authorization_delegate);

// Wraps Tpm::ParseResponse_NV_ReadPublic. Parses the response from a
// TPM2_NV_ReadPublic command.
// authorization_delegate is nullable.
//
// Only the index's data size and Name are exposed; the rest of the NV public
// area is not surfaced through this binding. nv_name is what later commands
// take as nv_index_name.
TPM_RC ParseResponse_NV_ReadPublic(
    const std::string& response, uint16_t& nv_public_data_size,
    std::string& nv_name,
    const std::unique_ptr<AuthorizationDelegate>& authorization_delegate);

// Wraps Tpm::SerializeCommand_Quote. Serializes the TPM2_Quote command.
// authorization_delegate is nullable.
//
// qualifying_data is the verifier-supplied nonce that is bound into the
// quote (freshness); pcrselect chooses the PCRs to be quoted and in_scheme the
// signature scheme (see Sha256EcdsaSigScheme).
TPM_RC SerializeCommand_Quote(
    const TPMI_DH_OBJECT& sign_handle, const std::string& sign_handle_name,
    const TPM2B_DATA& qualifying_data, const TPMT_SIG_SCHEME& in_scheme,
    const TPML_PCR_SELECTION& pcrselect, std::string& serialized_command,
    const std::unique_ptr<AuthorizationDelegate>& authorization_delegate);

// Wraps Tpm::ParseResponse_Quote. Parses the response from a TPM2_Quote
// command.
// authorization_delegate is nullable.
//
// `quoted` is the serialized attestation structure and `signature` the
// serialized signature over it; both are opaque here and are meant to be
// verified by the relying party.
TPM_RC ParseResponse_Quote(
    const std::string& response, std::string& quoted, std::string& signature,
    const std::unique_ptr<AuthorizationDelegate>& authorization_delegate);

// Wraps Tpm::SerializeCommand_PCR_Read. Serializes the TPM2_PCR_Read command.
// authorization_delegate is nullable.
TPM_RC SerializeCommand_PCR_Read(
    const TPML_PCR_SELECTION& pcr_selection_in, std::string& serialized_command,
    const std::unique_ptr<AuthorizationDelegate>& authorization_delegate);

// Wraps Tpm::ParseResponse_PCR_Read. Parses the response from a TPM2_PCR_Read
// command.
// authorization_delegate is nullable.
//
// pcr_selection_out is the selection the TPM actually returned (it may differ
// from what was requested); pcr_values is the serialized digest list and
// pcr_update_counter the TPM's PCR update counter at read time.
TPM_RC ParseResponse_PCR_Read(
    const std::string& response, UINT32& pcr_update_counter,
    TPML_PCR_SELECTION& pcr_selection_out, std::string& pcr_values,
    const std::unique_ptr<AuthorizationDelegate>& authorization_delegate);

// -----------------------------------------------------------------------------
// TPM_HANDLE
// -----------------------------------------------------------------------------

// Returns a serialized representation of the unmodified handle. This is useful
// for predefined handle values, like TPM_RH_OWNER. For details on what types of
// handles use this name formula see Table 3 in the TPM 2.0 Library Spec Part 1
// (Section 16 - Names).
//
// Do not use this for loaded objects or NV indexes: their Names are digests of
// their public areas and come from ParseResponse_Load / ParseResponse_Create
// Primary / ParseResponse_NV_ReadPublic. Supplying the wrong Name makes a
// session-based authorization HMAC fail to verify.
std::unique_ptr<std::string> NameFromHandle(const TPM_HANDLE& handle);

// -----------------------------------------------------------------------------
// TPM2B_CREATION_DATA
// -----------------------------------------------------------------------------

// Creates a new empty TPM2B_CREATION_DATA. Intended as an output slot for
// ParseResponse_Create / ParseResponse_CreatePrimary.
std::unique_ptr<TPM2B_CREATION_DATA> TPM2B_CREATION_DATA_New();

// -----------------------------------------------------------------------------
// TPM2B_DATA
// -----------------------------------------------------------------------------

// Creates a TPM2B_DATA with the given data. Used for outside_info and
// qualifying_data arguments. The TPM2B size field is a 16-bit value and the
// underlying buffer is fixed-size; inputs longer than the buffer are
// presumably rejected or truncated by the implementation -- confirm before
// passing caller-controlled lengths.
std::unique_ptr<TPM2B_DATA> TPM2B_DATA_New(const std::string& bytes);

// -----------------------------------------------------------------------------
// TPM2B_DIGEST
// -----------------------------------------------------------------------------

// Creates a new empty TPM2B_DIGEST. Intended as an output slot (creation_hash).
std::unique_ptr<TPM2B_DIGEST> TPM2B_DIGEST_New();

// -----------------------------------------------------------------------------
// TPM2B_PUBLIC
// -----------------------------------------------------------------------------

// Returns the public area template for the Attestation Identity Key.
// The template fixes the key's type, attributes and scheme; callers should
// pass it through to SerializeCommand_Create unmodified so that the CA's
// expectations about the AIK are met.
std::unique_ptr<TPM2B_PUBLIC> AttestationIdentityKeyTemplate();

// Returns the public area template for the Storage Root Key.
// Intended as in_public for SerializeCommand_CreatePrimary.
std::unique_ptr<TPM2B_PUBLIC> StorageRootKeyTemplate();

// Converts a serialized TPM2B_PUBLIC (as returned by ParseResponse_Create) into
// a serialized TPMT_PUBLIC (as required by the attestation CA).
// The input is parsed, so a malformed or truncated tpm2b_public is reported
// through the TPM_RC rather than producing a partial tpmt_public.
TPM_RC Tpm2bPublicToTpmtPublic(const std::string& tpm2b_public,
                               std::string& tpmt_public);

// -----------------------------------------------------------------------------
// TPM2B_SENSITIVE_CREATE
// -----------------------------------------------------------------------------

// Creates a TPM2B_SENSITIVE_CREATE with the given auth and data values.
// user_auth is presumably the new object's authValue (userAuth) and `data` its
// caller-supplied sensitive data -- both are secrets and are sent to the TPM in
// the clear unless an encrypting session is used, which the cxx bridge cannot
// currently construct. An empty user_auth creates an object that any caller
// with the parent loaded can use with an empty password.
std::unique_ptr<TPM2B_SENSITIVE_CREATE> TPM2B_SENSITIVE_CREATE_New(
    const std::string& user_auth, const std::string& data);

// -----------------------------------------------------------------------------
// TPML_PCR_SELECTION
// -----------------------------------------------------------------------------

// Returns an empty PCR selection list (no PCRs selected).
std::unique_ptr<TPML_PCR_SELECTION> EmptyPcrSelection();

// Returns a PCR selection list that selects a single PCR, or nullptr if the pcr
// number is too large. Callers must null-check the result before passing it to
// a SerializeCommand_* function. The hash bank used for the selection is
// chosen by the implementation and is not exposed here.
std::unique_ptr<TPML_PCR_SELECTION> SinglePcrSelection(uint8_t pcr);

// -----------------------------------------------------------------------------
// TPMT_SIG_SCHEME
// -----------------------------------------------------------------------------

// Creates a TPMT_SIG_SCHEME with hash algorithm SHA-256 and signature
// algorithm ECDSA. This is the only scheme the bridge currently offers, so the
// signing key's template must be compatible with ECDSA/SHA-256.
std::unique_ptr<TPMT_SIG_SCHEME> Sha256EcdsaSigScheme();

// -----------------------------------------------------------------------------
// TPMT_TK_CREATION
// -----------------------------------------------------------------------------

// Creates a new, empty TPMT_TK_CREATION. Intended as an output slot
// (creation_ticket) for ParseResponse_Create / ParseResponse_CreatePrimary.
std::unique_ptr<TPMT_TK_CREATION> TPMT_TK_CREATION_New();

}  // namespace trunks

#endif  // TPM_GENERATED_FFI_H_