Skip to content

Commit

Permalink
Merge pull request wolfSSL#306 from dgarske/rel_v3.0_prep
Browse files Browse the repository at this point in the history
Prep for release v3.0
  • Loading branch information
JacobBarthelmeh authored Oct 30, 2023
2 parents 45847e3 + a10a10d commit 5b288d4
Show file tree
Hide file tree
Showing 16 changed files with 169 additions and 75 deletions.
2 changes: 1 addition & 1 deletion CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@

cmake_minimum_required(VERSION 3.16)

project(wolfTPM VERSION 2.7.0 LANGUAGES C)
project(wolfTPM VERSION 3.0.0 LANGUAGES C)

set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin)
set(WOLFTPM_DEFINITIONS)
Expand Down
46 changes: 46 additions & 0 deletions ChangeLog.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,51 @@
# Release Notes

## wolfTPM Release 3.0.0 (Oct 31, 2023)

**Summary**

Refactor of command authentication. Support for ECC sessions and secrets. Support for policy sealing/unsealing. Examples for secure boot.

**Detail**
* Refactor of the command authentication. If command does not require auth do not supply it (PR #305)
* Refactor HAL and added Microchip Harmony SPI HAL support (PR #251)
* Relocate crypto callback code to its own code file (PR #304)
* Fixed using a custom wolfTPM CSR sigType (PR #307)
* Fixed support for ECC 384-bit only support (PR #307)
* Fixed issue with using struct assignment (switched to memcpy) (PR #303)
* Fixed various issues building with C++ compiler (PR #303)
* Fixed issues with STM32 I2C build and improved performance (PR #302)
* Fixed seal with RSA and PCR extend auth. (PR #296)
* Fixed issue including user_settings.h when `--disable-wolfcrypt` set (PR #285)
* Fixed TPM private key import with custom seed (PR #281)
* Fixed autogen.sh (autoconf) to generate without warnings (PR #279)
* Fixed TPM2 create with decrypt or restricted flag set (PR #275)
* Fixed and improved low resource build options (PR #269)
* Fixed the TPM_E_COMMAND_BLOCKED macro to have the correct value (PR #257)
* Fixed casting and unused variable problems on windows (PR #255)
* Fixed Linux usage of `cs_change` and added config overrides (PR #268)
* Fixed and improved the NV auth and session auth set/unset (PR #299)
* Fixed capability to handle unknown `TPM2_GetCapability` type and fix bad printf (PR #293)
* Fixed macros for file IO XFEOF and XREWIND to make sure they are available (PR #277)
* Fixed seal/unseal example (PR #306)
* Fixed TLS examples with param enc enabled (PR #306)
* Fixed signed_timestamp with ECC (PR #306)
* Added CI tests for CSharp wrappers (PR #307)
* Added support for sealing/unsealing based on a PCR that is signed externally (PR #294)
* Added examples for Secure Boot solution to store root of trust in NV (PR's #276, #289, #291 and #292)
* Added support for importing and loading public ECC/RSA keys formatted as PEM or DER (PR #290)
* Added new policy_nv example (PR #298)
* Added `-nvhandle` argument to nvram examples (PR #296)
* Added code to test external import between two TPM's (PR #288)
* Added support for STM32 Cube Expansion Pack (PR #287)
* Added support memory mapped (MMIO) TPM's (PR #271)
* Added `wc_SetSeed_Cb` call for FIPS ecc (PR #270)
* Added wrapper support for setting key usage (not just extended key usage) (PR #307)
* Added RSA key import methods to handle PEM and DER encoding directly (PR #252)
* Added thread local storage macro and make gActiveTPM local to the thread (PR #253)
* Added Microchip macro names and Support for bench with MPLABX Harmony (PR #256)
* Improvements to cmake build (PR's #280, #283 and #284)

## wolfTPM Release 2.7.0 (Dec 27, 2022)

**Summary**
Expand Down
8 changes: 3 additions & 5 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -791,11 +791,9 @@ Connection: close

## Todo

* Update to v1.59 of specification.
* Add HMAC support for "authValue".
* Add ECC encrypted salt.
* Add bound auth session support.
* Add multiple auth session (nonceTPMDecrypt and nonceTPMEncrypt) support.
* Key Generation and Attestation examples using endorsement hierarchy "-eh" are broken.
* Update to v1.59 of specification (adding CertifyX509)
* Inner wrap support for SensitiveToPrivate.

## Support

Expand Down
10 changes: 7 additions & 3 deletions configure.ac
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
# All right reserved.

AC_COPYRIGHT([Copyright (C) 2014-2021 wolfSSL Inc.])
AC_INIT([wolftpm],[2.7.0],[https://github.com/wolfssl/wolfTPM/issues],[wolftpm],[http://www.wolfssl.com])
AC_INIT([wolftpm],[3.0.0],[https://github.com/wolfssl/wolfTPM/issues],[wolftpm],[http://www.wolfssl.com])

AC_PREREQ([2.63])
AC_CONFIG_AUX_DIR([build-aux])
Expand All @@ -28,7 +28,7 @@ AC_ARG_PROGRAM

AC_CONFIG_HEADERS([src/config.h])

WOLFTPM_LIBRARY_VERSION=15:0:0
WOLFTPM_LIBRARY_VERSION=16:0:0
# | | |
# +------+ | +---+
# | | |
Expand Down Expand Up @@ -241,13 +241,17 @@ then
fi

# Windows TBS device Support
AC_ARG_ENABLE([wintbs],,
[ ENABLED_WINTBS=$enableval ],
[ ENABLED_WINTBS=no ]
)
AC_ARG_ENABLE([winapi],
[AS_HELP_STRING([--enable-winapi],[Enable use of TPM through Windows driver (default: disabled)])],
[ ENABLED_WINAPI=$enableval ],
[ ENABLED_WINAPI=no ]
)

if test "x$ENABLED_WINAPI" = "xyes"
if test "x$ENABLED_WINAPI" = "xyes" || test "x$ENABLED_WINTBS" = "xyes"
then
if test "x$ENABLED_DEVTPM" = "xyes" -o "x$ENABLED_SWTPM" = "xyes"
then
Expand Down
2 changes: 0 additions & 2 deletions examples/keygen/external_import.c
Original file line number Diff line number Diff line change
Expand Up @@ -89,9 +89,7 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
TPMT_PUBLIC publicTemplate3;
TPMA_OBJECT attributes;
TPMI_ALG_PUBLIC alg = TPM_ALG_RSA;
#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
const char* keyblobFile = "keyblob.bin";
#endif
int loadKeyBlob = 0;

if (argc >= 2) {
Expand Down
1 change: 1 addition & 0 deletions examples/pcr/policy_sign.c
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,7 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
wc_FreeRsaKey(&key.rsa);
}
#else
(void)hashAlg;
rc = NOT_COMPILED_IN;
#endif
}
Expand Down
50 changes: 28 additions & 22 deletions examples/run_examples.sh
Original file line number Diff line number Diff line change
Expand Up @@ -77,12 +77,9 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/keygen/keyload ecckeyblob.bin -aes >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload ecc param enc failed! $RESULT" && exit 1

./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload ecc import failed! $RESULT" && exit 1
# TODO: TPM2_Load (TPM_RC_INTEGRITY)
#./examples/keygen/keyload ecckeyblob.bin >> run.out
fi
rm -f ecckeyblob.bin

Expand Down Expand Up @@ -201,7 +198,7 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1
popd >> run.out
sleep 0.2
sleep 0.4
./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1
Expand All @@ -214,7 +211,7 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tpm tls server $1 $2 failed! $RESULT" && exit 1
pushd $WOLFSSL_PATH >> run.out
sleep 0.2
sleep 0.4
./examples/client/client -p $port -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tls client $1 $2 failed! $RESULT" && exit 1
Expand All @@ -223,24 +220,20 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]

if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
run_tpm_tls_client "rsa" ""
# TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE)
#run_tpm_tls_client "rsa" "-aes"
run_tpm_tls_client "rsa" "-aes"
run_tpm_tls_client "ecc" ""
# TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE)
#run_tpm_tls_client "ecc" "-aes"
run_tpm_tls_client "ecc" "-aes"

run_tpm_tls_server "rsa" ""
# TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE)
#run_tpm_tls_server "rsa" "-aes"
run_tpm_tls_server "rsa" "-aes"
run_tpm_tls_server "ecc" ""
# TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE)
#run_tpm_tls_server "ecc" "-aes"
run_tpm_tls_server "ecc" "-aes"
fi


# Clock Tests
echo -e "Clock tests"
./examples/timestamp/clock_set
./examples/timestamp/clock_set >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "clock set failed! $RESULT" && exit 1

Expand All @@ -255,11 +248,14 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "signed_timestamp param enc failed! $RESULT" && exit 1
fi
# TODO: Test broken (wolfTPM2_GetTime TPM_RC_SCHEME)
#./examples/timestamp/signed_timestamp -ecc >> run.out
#if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
#./examples/timestamp/signed_timestamp -ecc -aes >> run.out
#fi
./examples/timestamp/signed_timestamp -ecc >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "signed_timestamp ecc failed! $RESULT" && exit 1
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/timestamp/signed_timestamp -ecc -aes >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "signed_timestamp ecc param enc failed! $RESULT" && exit 1
fi

./examples/attestation/make_credential >> run.out
RESULT=$?
Expand Down Expand Up @@ -350,11 +346,21 @@ fi
echo -e "Seal/Unseal (PCR policy)"
./examples/seal/seal sealedkeyblob.bin mySecretMessage >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "seal pcr failed! $RESULT" && exit 1
# TODO (TPM2_Load TPM_RC_BAD_AUTH)
#./examples/seal/unseal message.raw sealedkeyblob.bin >> run.out
[ $RESULT -ne 0 ] && echo -e "seal failed! $RESULT" && exit 1
./examples/seal/unseal message.raw sealedkeyblob.bin >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "unseal failed! $RESULT" && exit 1
rm -f sealedkeyblob.bin

if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1
./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1
rm -f sealedkeyblob.bin
fi

# Seal/Unseal (Policy auth)
echo -e "Seal/Unseal (Policy auth)"
Expand Down
10 changes: 7 additions & 3 deletions examples/seal/seal.c
Original file line number Diff line number Diff line change
Expand Up @@ -40,9 +40,9 @@ static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/seal/seal [filename] [userdata]\n");
printf("* filename: Name of the file where the TPM key will be stored\n");
printf("* userdata: Arbitrary data to seal inside the TPM key (no whitespaces)\n");
printf("Demo usage, without parameters, uses keyblob.bin as a filename\n");
printf("* -aes/xor: Use Parameter Encryption\n");
printf("* filename: Name of the file where the TPM key will be stored (default: keyblob.bin)\n");
printf("* userdata: Arbitrary data to seal inside the TPM key (no whitespaces) (default: My1Pass2Phrase3)\n");
}

int TPM2_Seal_Example(void* userCtx, int argc, char *argv[])
Expand Down Expand Up @@ -95,6 +95,7 @@ int TPM2_Seal_Example(void* userCtx, int argc, char *argv[])

printf("TPM2.0 Simple Seal example\n");
printf("\tKey Blob: %s\n", outputFile);
printf("\tUser Data: %s\n", userData);
printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));

rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
Expand Down Expand Up @@ -159,6 +160,9 @@ int TPM2_Seal_Example(void* userCtx, int argc, char *argv[])
printf("\nFailure 0x%x: %s\n\n", rc, wolfTPM2_GetRCString(rc));
}

/* Remove the auth for loaded TPM seal object */
wolfTPM2_UnsetAuth(&dev, 0);

/* Close handles */
wolfTPM2_UnloadHandle(&dev, &storage.handle);
wolfTPM2_UnloadHandle(&dev, &newKey.handle);
Expand Down
62 changes: 48 additions & 14 deletions examples/seal/unseal.c
Original file line number Diff line number Diff line change
Expand Up @@ -41,16 +41,20 @@ static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/seal/unseal [filename] [inkey_filename]\n");
printf("* filename - File contaning a TPM seal key\n");
printf("* -aes/xor: Use Parameter Encryption\n");
printf("* filename: Output for unsealed data (default: unseal.bin)\n");
printf("* inkey_filename: File with sealed keyed hashed object (keyblob.bin)\n");
printf("Demo usage, without arguments, uses keyblob.bin file input.\n");
}

int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
{
int rc;
WOLFTPM2_DEV dev;
WOLFTPM2_KEY key;
TPM2B_AUTH auth;
WOLFTPM2_KEYBLOB newKey;
WOLFTPM2_KEY storage; /* SRK */
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
const char *filename = "unseal.bin";
const char *inkeyfilename = "keyblob.bin";
#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
Expand All @@ -60,14 +64,11 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
Unseal_In cmdIn_unseal;
Unseal_Out cmdOut_unseal;

WOLFTPM2_KEYBLOB newKey;
WOLFTPM2_KEY storage; /* SRK */


XMEMSET(&storage, 0, sizeof(storage));
XMEMSET(&tpmSession, 0, sizeof(tpmSession));
XMEMSET(&cmdIn_unseal, 0, sizeof(cmdIn_unseal));
XMEMSET(&cmdOut_unseal, 0, sizeof(cmdOut_unseal));
XMEMSET(&key, 0, sizeof(key));
XMEMSET(&auth, 0, sizeof(auth));
XMEMSET(&newKey, 0, sizeof(newKey));

if (argc >= 2) {
if (XSTRCMP(argv[1], "-?") == 0 ||
Expand All @@ -85,6 +86,23 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
inkeyfilename = argv[2];
}
}
while (argc > 1) {
if (XSTRCMP(argv[argc-1], "-aes") == 0) {
paramEncAlg = TPM_ALG_CFB;
}
else if (XSTRCMP(argv[argc-1], "-xor") == 0) {
paramEncAlg = TPM_ALG_XOR;
}
else if (argv[argc-1][0] == '-') {
printf("Warning: Unrecognized option: %s\n", argv[argc-1]);
}
argc--;
}

printf("TPM2.0 Simple Unseal example\n");
printf("\tKey Blob: %s\n", inkeyfilename);
printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));


printf("Example how to unseal data using TPM2.0\n");
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
Expand All @@ -97,6 +115,21 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA);
if (rc != 0) goto exit;

if (paramEncAlg != TPM_ALG_NULL) {
/* Start an authenticated session (salted / unbound) with parameter encryption */
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
(word32)tpmSession.handle.hndl);

/* set session for authorization of the storage key */
rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
if (rc != 0) goto exit;

}

rc = readKeyBlob(inkeyfilename, &newKey);
if (rc != 0) goto exit;

Expand All @@ -109,9 +142,9 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
(word32)newKey.handle.hndl);

/* Set authorization for using the seal key */
auth.size = (int)sizeof(gKeyAuth) - 1;
XMEMCPY(auth.buffer, gKeyAuth, auth.size);
wolfTPM2_SetAuthPassword(&dev, 0, &auth);
newKey.handle.auth.size = (int)sizeof(gKeyAuth) - 1;
XMEMCPY(newKey.handle.auth.buffer, gKeyAuth, newKey.handle.auth.size);
wolfTPM2_SetAuthHandle(&dev, 0, &newKey.handle);

cmdIn_unseal.itemHandle = newKey.handle.hndl;

Expand Down Expand Up @@ -146,12 +179,13 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
(void)filename;
#endif

/* Remove the loaded TPM seal object */
wolfTPM2_SetAuthPassword(&dev, 0, NULL);
/* Remove the auth for loaded TPM seal object */
wolfTPM2_UnsetAuth(&dev, 0);

exit:
wolfTPM2_UnloadHandle(&dev, &storage.handle);
wolfTPM2_UnloadHandle(&dev, &newKey.handle);
wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);

wolfTPM2_Cleanup(&dev);
return rc;
Expand Down
5 changes: 0 additions & 5 deletions examples/timestamp/signed_timestamp.c
Original file line number Diff line number Diff line change
Expand Up @@ -180,13 +180,8 @@ int TPM2_Timestamp_TestArgs(void* userCtx, int argc, char *argv[])
if (paramEncAlg != TPM_ALG_NULL) {
sessionAttributes |= (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt);
}
#if 0
/* TODO: Investigate param enc with signed timestamp */
rc = wolfTPM2_SetAuthSession(&dev, 2, &tpmSession, sessionAttributes);
if (rc != 0) goto exit;
#else
(void)sessionAttributes;
#endif

/* At this stage: The SRK is created, AIK is created and loaded,
* Endorsement Hierarchy is enabled through policySecret,
Expand Down
Loading

0 comments on commit 5b288d4

Please sign in to comment.