From 862617c07b9b56fa08013ae81dde9745627a27c3 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 12 Oct 2023 14:33:36 -0700 Subject: [PATCH 1/6] Update the TODO list in the README. --- README.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 72d55f73..b9f9fdf3 100644 --- a/README.md +++ b/README.md @@ -791,11 +791,8 @@ Connection: close ## Todo -* Update to v1.59 of specification. -* Add HMAC support for "authValue". -* Add ECC encrypted salt. -* Add bound auth session support. -* Add multiple auth session (nonceTPMDecrypt and nonceTPMEncrypt) support. +* Update to v1.59 of specification (adding CertifyX509) +* Inner wrap support for SensitiveToPrivate. ## Support From 1041898120f3fe4bbade9c7567ffc9de0f799685 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 13 Oct 2023 15:19:23 -0700 Subject: [PATCH 2/6] Compiler warning files with `NO_FILESYSTEM`. --- examples/keygen/external_import.c | 2 -- examples/tpm_test_keys.c | 7 +++++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/examples/keygen/external_import.c b/examples/keygen/external_import.c index faeefd08..48344c10 100644 --- a/examples/keygen/external_import.c +++ b/examples/keygen/external_import.c @@ -89,9 +89,7 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[]) TPMT_PUBLIC publicTemplate3; TPMA_OBJECT attributes; TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; -#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) const char* keyblobFile = "keyblob.bin"; -#endif int loadKeyBlob = 0; if (argc >= 2) { diff --git a/examples/tpm_test_keys.c b/examples/tpm_test_keys.c index 134806c4..fe8afa7e 100644 --- a/examples/tpm_test_keys.c +++ b/examples/tpm_test_keys.c @@ -69,6 +69,10 @@ int writeBin(const char* filename, const byte *buf, word32 bufSz) int readBin(const char* filename, byte *buf, word32* bufSz) { int rc = TPM_RC_FAILURE; + + if (filename == NULL || buf == NULL) + return BAD_FUNC_ARG; + #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) XFILE fp = NULL; size_t fileSz = 0; @@ -100,8 +104,7 @@ int readBin(const char* filename, byte *buf, word32* bufSz) printf("File %s not found!\n", filename); } #else - (void)filename; - (void)key; + (void)bufSz; #endif /* !NO_FILESYSTEM && !NO_WRITE_TEMP_FILES */ return rc; } From 2d14cd2297e2719069a84f6cc32d0ecda3fac56b Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 20 Oct 2023 16:01:37 -0700 Subject: [PATCH 3/6] Fixes for building wolfCrypt with no RSA (--disable-rsa / NO_RSA). --- examples/pcr/policy_sign.c | 1 + wolftpm/tpm2_wrap.h | 13 ++++++------- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/examples/pcr/policy_sign.c b/examples/pcr/policy_sign.c index d00d96d8..41a1515f 100644 --- a/examples/pcr/policy_sign.c +++ b/examples/pcr/policy_sign.c @@ -165,6 +165,7 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password, wc_FreeRsaKey(&key.rsa); } #else + (void)hashAlg; rc = NOT_COMPILED_IN; #endif } diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h index 049fcd8d..a43274f6 100644 --- a/wolftpm/tpm2_wrap.h +++ b/wolftpm/tpm2_wrap.h @@ -1326,10 +1326,9 @@ WOLFTPM_API int wolfTPM2_RsaKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, WOLFTPM_API int wolfTPM2_RsaKey_PubPemToTpm(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, const byte* pem, word32 pemSz); - /*! \ingroup wolfTPM2_Wrappers - \brief Import DER ECC private or public key into TPM public and sensitive structures. This does not make any calls to TPM hardware. + \brief Import DER RSA private or public key into TPM public and sensitive structures. This does not make any calls to TPM hardware. \return TPM_RC_SUCCESS: successful \return TPM_RC_FAILURE: generic failure (check TPM IO and TPM return code) @@ -1343,9 +1342,9 @@ WOLFTPM_API int wolfTPM2_RsaKey_PubPemToTpm(WOLFTPM2_DEV* dev, \sa wolfTPM2_ImportPublicKeyBuffer \sa wolfTPM2_ImportPrivateKeyBuffer - \sa wolfTPM2_DecodeRsaDer + \sa wolfTPM2_DecodeEccDer */ -WOLFTPM_API int wolfTPM2_DecodeEccDer(const byte* der, word32 derSz, +WOLFTPM_API int wolfTPM2_DecodeRsaDer(const byte* der, word32 derSz, TPM2B_PUBLIC* pub, TPM2B_SENSITIVE* sens, TPMA_OBJECT attributes); #endif /* !NO_RSA */ @@ -1426,7 +1425,7 @@ WOLFTPM_API int wolfTPM2_EccKey_WolfToPubPoint(WOLFTPM2_DEV* dev, ecc_key* wolfK /*! \ingroup wolfTPM2_Wrappers - \brief Import DER RSA private or public key into TPM public and sensitive structures. This does not make any calls to TPM hardware. + \brief Import DER ECC private or public key into TPM public and sensitive structures. This does not make any calls to TPM hardware. \return TPM_RC_SUCCESS: successful \return TPM_RC_FAILURE: generic failure (check TPM IO and TPM return code) @@ -1440,9 +1439,9 @@ WOLFTPM_API int wolfTPM2_EccKey_WolfToPubPoint(WOLFTPM2_DEV* dev, ecc_key* wolfK \sa wolfTPM2_ImportPublicKeyBuffer \sa wolfTPM2_ImportPrivateKeyBuffer - \sa wolfTPM2_DecodeEccDer + \sa wolfTPM2_DecodeRsaDer */ -WOLFTPM_API int wolfTPM2_DecodeRsaDer(const byte* der, word32 derSz, +WOLFTPM_API int wolfTPM2_DecodeEccDer(const byte* der, word32 derSz, TPM2B_PUBLIC* pub, TPM2B_SENSITIVE* sens, TPMA_OBJECT attributes); #endif /* HAVE_ECC */ #endif /* !WOLFTPM2_NO_WOLFCRYPT */ From f35dbbbb3057a4fe9fa6cda499f7317a4ab9c333 Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 30 Oct 2023 10:05:47 -0700 Subject: [PATCH 4/6] Fixes for using Windows TBS API. The `wolfTPM2_NVStoreKey` should return `TPM_RC_COMMAND_CODE` or `TPM_E_COMMAND_BLOCKED` for the `WOLFTPM_IS_COMMAND_UNAVAILABLE` macro. Add better enable option name `--enable-wintbs` (currently is `--enable-winapi`. --- configure.ac | 6 +++++- src/tpm2_wrap.c | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 659ae81c..d4ffa9e3 100644 --- a/configure.ac +++ b/configure.ac @@ -241,13 +241,17 @@ then fi # Windows TBS device Support +AC_ARG_ENABLE([wintbs],, + [ ENABLED_WINTBS=$enableval ], + [ ENABLED_WINTBS=no ] + ) AC_ARG_ENABLE([winapi], [AS_HELP_STRING([--enable-winapi],[Enable use of TPM through Windows driver (default: disabled)])], [ ENABLED_WINAPI=$enableval ], [ ENABLED_WINAPI=no ] ) -if test "x$ENABLED_WINAPI" = "xyes" +if test "x$ENABLED_WINAPI" = "xyes" || test "x$ENABLED_WINTBS" = "xyes" then if test "x$ENABLED_DEVTPM" = "xyes" -o "x$ENABLED_SWTPM" = "xyes" then diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c index 6efff100..de73f331 100644 --- a/src/tpm2_wrap.c +++ b/src/tpm2_wrap.c @@ -3306,7 +3306,7 @@ int wolfTPM2_NVStoreKey(WOLFTPM2_DEV* dev, TPM_HANDLE primaryHandle, printf("TPM2_EvictControl (storing key to NV) not allowed on " "Windows TBS (err 0x%x)\n", rc); #endif - rc = TPM_RC_NV_UNAVAILABLE; + rc = TPM_RC_COMMAND_CODE; } #endif From 9cad7f4e240fe1a55d64ec5baeefd5442c6d54db Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 30 Oct 2023 11:34:16 -0700 Subject: [PATCH 5/6] Fix some of the example TODO's. Fixes for seal/unseal example. Fixes for TLS with param enc. Fix signed_timestamp with ECC. --- examples/run_examples.sh | 50 +++++++++++---------- examples/seal/seal.c | 10 +++-- examples/seal/unseal.c | 62 +++++++++++++++++++++------ examples/timestamp/signed_timestamp.c | 5 --- examples/tls/tls_client.c | 2 +- examples/tls/tls_server.c | 2 +- src/tpm2_wrap.c | 18 +++++--- 7 files changed, 97 insertions(+), 52 deletions(-) diff --git a/examples/run_examples.sh b/examples/run_examples.sh index a294670a..4713b955 100755 --- a/examples/run_examples.sh +++ b/examples/run_examples.sh @@ -77,12 +77,9 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then ./examples/keygen/keyload ecckeyblob.bin -aes >> run.out RESULT=$? [ $RESULT -ne 0 ] && echo -e "keyload ecc param enc failed! $RESULT" && exit 1 - ./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out RESULT=$? [ $RESULT -ne 0 ] && echo -e "keyload ecc import failed! $RESULT" && exit 1 - # TODO: TPM2_Load (TPM_RC_INTEGRITY) - #./examples/keygen/keyload ecckeyblob.bin >> run.out fi rm -f ecckeyblob.bin @@ -201,7 +198,7 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]] RESULT=$? [ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1 popd >> run.out - sleep 0.2 + sleep 0.4 ./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out RESULT=$? [ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1 @@ -214,7 +211,7 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]] RESULT=$? [ $RESULT -ne 0 ] && echo -e "tpm tls server $1 $2 failed! $RESULT" && exit 1 pushd $WOLFSSL_PATH >> run.out - sleep 0.2 + sleep 0.4 ./examples/client/client -p $port -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out RESULT=$? [ $RESULT -ne 0 ] && echo -e "tls client $1 $2 failed! $RESULT" && exit 1 @@ -223,24 +220,20 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]] if [ $WOLFCRYPT_ENABLE -eq 1 ]; then run_tpm_tls_client "rsa" "" - # TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE) - #run_tpm_tls_client "rsa" "-aes" + run_tpm_tls_client "rsa" "-aes" run_tpm_tls_client "ecc" "" - # TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE) - #run_tpm_tls_client "ecc" "-aes" + run_tpm_tls_client "ecc" "-aes" run_tpm_tls_server "rsa" "" - # TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE) - #run_tpm_tls_server "rsa" "-aes" + run_tpm_tls_server "rsa" "-aes" run_tpm_tls_server "ecc" "" - # TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE) - #run_tpm_tls_server "ecc" "-aes" + run_tpm_tls_server "ecc" "-aes" fi # Clock Tests echo -e "Clock tests" -./examples/timestamp/clock_set +./examples/timestamp/clock_set >> run.out RESULT=$? [ $RESULT -ne 0 ] && echo -e "clock set failed! $RESULT" && exit 1 @@ -255,11 +248,14 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then RESULT=$? [ $RESULT -ne 0 ] && echo -e "signed_timestamp param enc failed! $RESULT" && exit 1 fi -# TODO: Test broken (wolfTPM2_GetTime TPM_RC_SCHEME) -#./examples/timestamp/signed_timestamp -ecc >> run.out -#if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - #./examples/timestamp/signed_timestamp -ecc -aes >> run.out -#fi +./examples/timestamp/signed_timestamp -ecc >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "signed_timestamp ecc failed! $RESULT" && exit 1 +if [ $WOLFCRYPT_ENABLE -eq 1 ]; then + ./examples/timestamp/signed_timestamp -ecc -aes >> run.out + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "signed_timestamp ecc param enc failed! $RESULT" && exit 1 +fi ./examples/attestation/make_credential >> run.out RESULT=$? @@ -350,11 +346,21 @@ fi echo -e "Seal/Unseal (PCR policy)" ./examples/seal/seal sealedkeyblob.bin mySecretMessage >> run.out RESULT=$? -[ $RESULT -ne 0 ] && echo -e "seal pcr failed! $RESULT" && exit 1 -# TODO (TPM2_Load TPM_RC_BAD_AUTH) -#./examples/seal/unseal message.raw sealedkeyblob.bin >> run.out +[ $RESULT -ne 0 ] && echo -e "seal failed! $RESULT" && exit 1 +./examples/seal/unseal message.raw sealedkeyblob.bin >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "unseal failed! $RESULT" && exit 1 rm -f sealedkeyblob.bin +if [ $WOLFCRYPT_ENABLE -eq 1 ]; then + ./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1 + ./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1 + rm -f sealedkeyblob.bin +fi # Seal/Unseal (Policy auth) echo -e "Seal/Unseal (Policy auth)" diff --git a/examples/seal/seal.c b/examples/seal/seal.c index 8b88e215..5c31ff83 100644 --- a/examples/seal/seal.c +++ b/examples/seal/seal.c @@ -40,9 +40,9 @@ static void usage(void) { printf("Expected usage:\n"); printf("./examples/seal/seal [filename] [userdata]\n"); - printf("* filename: Name of the file where the TPM key will be stored\n"); - printf("* userdata: Arbitrary data to seal inside the TPM key (no whitespaces)\n"); - printf("Demo usage, without parameters, uses keyblob.bin as a filename\n"); + printf("* -aes/xor: Use Parameter Encryption\n"); + printf("* filename: Name of the file where the TPM key will be stored (default: keyblob.bin)\n"); + printf("* userdata: Arbitrary data to seal inside the TPM key (no whitespaces) (default: My1Pass2Phrase3)\n"); } int TPM2_Seal_Example(void* userCtx, int argc, char *argv[]) @@ -95,6 +95,7 @@ int TPM2_Seal_Example(void* userCtx, int argc, char *argv[]) printf("TPM2.0 Simple Seal example\n"); printf("\tKey Blob: %s\n", outputFile); + printf("\tUser Data: %s\n", userData); printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg)); rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); @@ -159,6 +160,9 @@ int TPM2_Seal_Example(void* userCtx, int argc, char *argv[]) printf("\nFailure 0x%x: %s\n\n", rc, wolfTPM2_GetRCString(rc)); } + /* Remove the auth for loaded TPM seal object */ + wolfTPM2_UnsetAuth(&dev, 0); + /* Close handles */ wolfTPM2_UnloadHandle(&dev, &storage.handle); wolfTPM2_UnloadHandle(&dev, &newKey.handle); diff --git a/examples/seal/unseal.c b/examples/seal/unseal.c index 2aa34f25..402fff15 100644 --- a/examples/seal/unseal.c +++ b/examples/seal/unseal.c @@ -41,7 +41,9 @@ static void usage(void) { printf("Expected usage:\n"); printf("./examples/seal/unseal [filename] [inkey_filename]\n"); - printf("* filename - File contaning a TPM seal key\n"); + printf("* -aes/xor: Use Parameter Encryption\n"); + printf("* filename: Output for unsealed data (default: unseal.bin)\n"); + printf("* inkey_filename: File with sealed keyed hashed object (keyblob.bin)\n"); printf("Demo usage, without arguments, uses keyblob.bin file input.\n"); } @@ -49,8 +51,10 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[]) { int rc; WOLFTPM2_DEV dev; - WOLFTPM2_KEY key; - TPM2B_AUTH auth; + WOLFTPM2_KEYBLOB newKey; + WOLFTPM2_KEY storage; /* SRK */ + TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; + WOLFTPM2_SESSION tpmSession; const char *filename = "unseal.bin"; const char *inkeyfilename = "keyblob.bin"; #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) @@ -60,14 +64,11 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[]) Unseal_In cmdIn_unseal; Unseal_Out cmdOut_unseal; - WOLFTPM2_KEYBLOB newKey; - WOLFTPM2_KEY storage; /* SRK */ - - + XMEMSET(&storage, 0, sizeof(storage)); + XMEMSET(&tpmSession, 0, sizeof(tpmSession)); XMEMSET(&cmdIn_unseal, 0, sizeof(cmdIn_unseal)); XMEMSET(&cmdOut_unseal, 0, sizeof(cmdOut_unseal)); - XMEMSET(&key, 0, sizeof(key)); - XMEMSET(&auth, 0, sizeof(auth)); + XMEMSET(&newKey, 0, sizeof(newKey)); if (argc >= 2) { if (XSTRCMP(argv[1], "-?") == 0 || @@ -85,6 +86,23 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[]) inkeyfilename = argv[2]; } } + while (argc > 1) { + if (XSTRCMP(argv[argc-1], "-aes") == 0) { + paramEncAlg = TPM_ALG_CFB; + } + else if (XSTRCMP(argv[argc-1], "-xor") == 0) { + paramEncAlg = TPM_ALG_XOR; + } + else if (argv[argc-1][0] == '-') { + printf("Warning: Unrecognized option: %s\n", argv[argc-1]); + } + argc--; + } + + printf("TPM2.0 Simple Unseal example\n"); + printf("\tKey Blob: %s\n", inkeyfilename); + printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg)); + printf("Example how to unseal data using TPM2.0\n"); rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); @@ -97,6 +115,21 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[]) rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA); if (rc != 0) goto exit; + if (paramEncAlg != TPM_ALG_NULL) { + /* Start an authenticated session (salted / unbound) with parameter encryption */ + rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL, + TPM_SE_HMAC, paramEncAlg); + if (rc != 0) goto exit; + printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", + (word32)tpmSession.handle.hndl); + + /* set session for authorization of the storage key */ + rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, + (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession)); + if (rc != 0) goto exit; + + } + rc = readKeyBlob(inkeyfilename, &newKey); if (rc != 0) goto exit; @@ -109,9 +142,9 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[]) (word32)newKey.handle.hndl); /* Set authorization for using the seal key */ - auth.size = (int)sizeof(gKeyAuth) - 1; - XMEMCPY(auth.buffer, gKeyAuth, auth.size); - wolfTPM2_SetAuthPassword(&dev, 0, &auth); + newKey.handle.auth.size = (int)sizeof(gKeyAuth) - 1; + XMEMCPY(newKey.handle.auth.buffer, gKeyAuth, newKey.handle.auth.size); + wolfTPM2_SetAuthHandle(&dev, 0, &newKey.handle); cmdIn_unseal.itemHandle = newKey.handle.hndl; @@ -146,12 +179,13 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[]) (void)filename; #endif - /* Remove the loaded TPM seal object */ - wolfTPM2_SetAuthPassword(&dev, 0, NULL); + /* Remove the auth for loaded TPM seal object */ + wolfTPM2_UnsetAuth(&dev, 0); exit: wolfTPM2_UnloadHandle(&dev, &storage.handle); wolfTPM2_UnloadHandle(&dev, &newKey.handle); + wolfTPM2_UnloadHandle(&dev, &tpmSession.handle); wolfTPM2_Cleanup(&dev); return rc; diff --git a/examples/timestamp/signed_timestamp.c b/examples/timestamp/signed_timestamp.c index afb943d8..67deb1df 100644 --- a/examples/timestamp/signed_timestamp.c +++ b/examples/timestamp/signed_timestamp.c @@ -180,13 +180,8 @@ int TPM2_Timestamp_TestArgs(void* userCtx, int argc, char *argv[]) if (paramEncAlg != TPM_ALG_NULL) { sessionAttributes |= (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt); } -#if 0 - /* TODO: Investigate param enc with signed timestamp */ rc = wolfTPM2_SetAuthSession(&dev, 2, &tpmSession, sessionAttributes); if (rc != 0) goto exit; -#else - (void)sessionAttributes; -#endif /* At this stage: The SRK is created, AIK is created and loaded, * Endorsement Hierarchy is enabled through policySecret, diff --git a/examples/tls/tls_client.c b/examples/tls/tls_client.c index 89fab461..b9107a5d 100644 --- a/examples/tls/tls_client.c +++ b/examples/tls/tls_client.c @@ -207,7 +207,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) (word32)tpmSession.handle.hndl); /* set session for authorization of the storage key */ - rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, + rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession)); if (rc != 0) goto exit; } diff --git a/examples/tls/tls_server.c b/examples/tls/tls_server.c index c7f3ae51..2ca18de8 100644 --- a/examples/tls/tls_server.c +++ b/examples/tls/tls_server.c @@ -222,7 +222,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) (word32)tpmSession.handle.hndl); /* set session for authorization of the storage key */ - rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, + rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession)); if (rc != 0) goto exit; diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c index de73f331..5124efda 100644 --- a/src/tpm2_wrap.c +++ b/src/tpm2_wrap.c @@ -5823,17 +5823,23 @@ int wolfTPM2_GetTime(WOLFTPM2_KEY* aikKey, GetTime_Out* getTimeOut) int rc; GetTime_In getTimeCmd; - if (getTimeOut == NULL) return BAD_FUNC_ARG; + if (getTimeOut == NULL) + return BAD_FUNC_ARG; /* GetTime */ XMEMSET(&getTimeCmd, 0, sizeof(getTimeCmd)); XMEMSET(getTimeOut, 0, sizeof(*getTimeOut)); getTimeCmd.privacyAdminHandle = TPM_RH_ENDORSEMENT; - /* TPM_RH_NULL is a valid handle for NULL signature */ - getTimeCmd.signHandle = aikKey->handle.hndl; - /* TPM_ALG_NULL is a valid handle for NULL signature */ - getTimeCmd.inScheme.scheme = TPM_ALG_RSASSA; - getTimeCmd.inScheme.details.rsassa.hashAlg = TPM_ALG_SHA256; + if (aikKey != NULL) { + TPMT_ASYM_SCHEME* scheme = + &aikKey->pub.publicArea.parameters.asymDetail.scheme; + getTimeCmd.signHandle = aikKey->handle.hndl; + getTimeCmd.inScheme.scheme = scheme->scheme; + getTimeCmd.inScheme.details.any.hashAlg = scheme->details.anySig.hashAlg; + } + else { + getTimeCmd.signHandle = TPM_RH_NULL; + } getTimeCmd.qualifyingData.size = 0; /* optional */ rc = TPM2_GetTime(&getTimeCmd, getTimeOut); if (rc != TPM_RC_SUCCESS) { From a10a10db5dbf3d9bc2d4211e430d7fbe71b5b9fb Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 30 Oct 2023 12:01:04 -0700 Subject: [PATCH 6/6] Added v3.0 release notes and updated version. --- CMakeLists.txt | 2 +- ChangeLog.md | 46 ++++++++++++++++++++++++++++++++++++++++++++++ README.md | 1 + configure.ac | 4 ++-- wolftpm/version.h | 4 ++-- 5 files changed, 52 insertions(+), 5 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 903c41a9..fdc39267 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -21,7 +21,7 @@ cmake_minimum_required(VERSION 3.16) -project(wolfTPM VERSION 2.7.0 LANGUAGES C) +project(wolfTPM VERSION 3.0.0 LANGUAGES C) set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin) set(WOLFTPM_DEFINITIONS) diff --git a/ChangeLog.md b/ChangeLog.md index f7155333..435ece49 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,5 +1,51 @@ # Release Notes +## wolfTPM Release 3.0.0 (Oct 31, 2023) + +**Summary** + +Refactor of command authentication. Support for ECC sessions and secrets. Support for policy sealing/unsealing. Examples for secure boot. + +**Detail** +* Refactor of the command authentication. If command does not require auth do not supply it (PR #305) +* Refactor HAL and added Microchip Harmony SPI HAL support (PR #251) +* Relocate crypto callback code to its own code file (PR #304) +* Fixed using a custom wolfTPM CSR sigType (PR #307) +* Fixed support for ECC 384-bit only support (PR #307) +* Fixed issue with using struct assignment (switched to memcpy) (PR #303) +* Fixed various issues building with C++ compiler (PR #303) +* Fixed issues with STM32 I2C build and improved performance (PR #302) +* Fixed seal with RSA and PCR extend auth. (PR #296) +* Fixed issue including user_settings.h when `--disable-wolfcrypt` set (PR #285) +* Fixed TPM private key import with custom seed (PR #281) +* Fixed autogen.sh (autoconf) to generate without warnings (PR #279) +* Fixed TPM2 create with decrypt or restricted flag set (PR #275) +* Fixed and improved low resource build options (PR #269) +* Fixed the TPM_E_COMMAND_BLOCKED macro to have the correct value (PR #257) +* Fixed casting and unused variable problems on windows (PR #255) +* Fixed Linux usage of `cs_change` and added config overrides (PR #268) +* Fixed and improved the NV auth and session auth set/unset (PR #299) +* Fixed capability to handle unknown `TPM2_GetCapability` type and fix bad printf (PR #293) +* Fixed macros for file IO XFEOF and XREWIND to make sure they are available (PR #277) +* Fixed seal/unseal example (PR #306) +* Fixed TLS examples with param enc enabled (PR #306) +* Fixed signed_timestamp with ECC (PR #306) +* Added CI tests for CSharp wrappers (PR #307) +* Added support for sealing/unsealing based on a PCR that is signed externally (PR #294) +* Added examples for Secure Boot solution to store root of trust in NV (PR's #276, #289, #291 and #292) +* Added support for importing and loading public ECC/RSA keys formatted as PEM or DER (PR #290) +* Added new policy_nv example (PR #298) +* Added `-nvhandle` argument to nvram examples (PR #296) +* Added code to test external import between two TPM's (PR #288) +* Added support for STM32 Cube Expansion Pack (PR #287) +* Added support memory mapped (MMIO) TPM's (PR #271) +* Added `wc_SetSeed_Cb` call for FIPS ecc (PR #270) +* Added wrapper support for setting key usage (not just extended key usage) (PR #307) +* Added RSA key import methods to handle PEM and DER encoding directly (PR #252) +* Added thread local storage macro and make gActiveTPM local to the thread (PR #253) +* Added Microchip macro names and Support for bench with MPLABX Harmony (PR #256) +* Improvements to cmake build (PR's #280, #283 and #284) + ## wolfTPM Release 2.7.0 (Dec 27, 2022) **Summary** diff --git a/README.md b/README.md index b9f9fdf3..dc9e93d7 100644 --- a/README.md +++ b/README.md @@ -791,6 +791,7 @@ Connection: close ## Todo +* Key Generation and Attestation examples using endorsement hierarchy "-eh" are broken. * Update to v1.59 of specification (adding CertifyX509) * Inner wrap support for SensitiveToPrivate. diff --git a/configure.ac b/configure.ac index d4ffa9e3..06c26e25 100644 --- a/configure.ac +++ b/configure.ac @@ -3,7 +3,7 @@ # All right reserved. AC_COPYRIGHT([Copyright (C) 2014-2021 wolfSSL Inc.]) -AC_INIT([wolftpm],[2.7.0],[https://github.com/wolfssl/wolfTPM/issues],[wolftpm],[http://www.wolfssl.com]) +AC_INIT([wolftpm],[3.0.0],[https://github.com/wolfssl/wolfTPM/issues],[wolftpm],[http://www.wolfssl.com]) AC_PREREQ([2.63]) AC_CONFIG_AUX_DIR([build-aux]) @@ -28,7 +28,7 @@ AC_ARG_PROGRAM AC_CONFIG_HEADERS([src/config.h]) -WOLFTPM_LIBRARY_VERSION=15:0:0 +WOLFTPM_LIBRARY_VERSION=16:0:0 # | | | # +------+ | +---+ # | | | diff --git a/wolftpm/version.h b/wolftpm/version.h index 9daf62d3..11b60421 100644 --- a/wolftpm/version.h +++ b/wolftpm/version.h @@ -34,8 +34,8 @@ extern "C" { #endif -#define LIBWOLFTPM_VERSION_STRING "2.7.0" -#define LIBWOLFTPM_VERSION_HEX 0x02007000 +#define LIBWOLFTPM_VERSION_STRING "3.0.0" +#define LIBWOLFTPM_VERSION_HEX 0x03000000 #ifdef __cplusplus }