You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
103 lines
3.7 KiB
103 lines
3.7 KiB
9 months ago
|
From 7ef2fc501dfd3a989c986839b928ba967c57dca3 Mon Sep 17 00:00:00 2001
|
||
|
From: Dan Streetman <ddstreet@ieee.org>
|
||
|
Date: Mon, 19 Dec 2022 08:26:32 -0500
|
||
|
Subject: [PATCH] tpm2: add tpm2_load_external()
|
||
|
|
||
|
This allows loading an external object/key (e.g. an openssl public key) into
|
||
|
the TPM.
|
||
|
|
||
|
(cherry picked from commit efe153bdc2e57c0d0f9bc47a4010fc82743764e7)
|
||
|
|
||
|
Related: RHEL-16182
|
||
|
---
|
||
|
src/shared/tpm2-util.c | 66 ++++++++++++++++++++++++++++--------------
|
||
|
1 file changed, 45 insertions(+), 21 deletions(-)
|
||
|
|
||
|
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
|
||
|
index 6eb37a87aa..277cfa1e8e 100644
|
||
|
--- a/src/shared/tpm2-util.c
|
||
|
+++ b/src/shared/tpm2-util.c
|
||
|
@@ -1528,6 +1528,50 @@ static int tpm2_load(
|
||
|
return 0;
|
||
|
}
|
||
|
|
||
|
+static int tpm2_load_external(
|
||
|
+ Tpm2Context *c,
|
||
|
+ const Tpm2Handle *session,
|
||
|
+ const TPM2B_PUBLIC *public,
|
||
|
+ const TPM2B_SENSITIVE *private,
|
||
|
+ Tpm2Handle **ret_handle) {
|
||
|
+
|
||
|
+ TSS2_RC rc;
|
||
|
+ int r;
|
||
|
+
|
||
|
+ assert(c);
|
||
|
+ assert(ret_handle);
|
||
|
+
|
||
|
+ log_debug("Loading external key into TPM.");
|
||
|
+
|
||
|
+ _cleanup_(tpm2_handle_freep) Tpm2Handle *handle = NULL;
|
||
|
+ r = tpm2_handle_new(c, &handle);
|
||
|
+ if (r < 0)
|
||
|
+ return r;
|
||
|
+
|
||
|
+ rc = sym_Esys_LoadExternal(
|
||
|
+ c->esys_context,
|
||
|
+ session ? session->esys_handle : ESYS_TR_NONE,
|
||
|
+ ESYS_TR_NONE,
|
||
|
+ ESYS_TR_NONE,
|
||
|
+ private,
|
||
|
+ public,
|
||
|
+#if HAVE_TSS2_ESYS3
|
||
|
+ /* tpm2-tss >= 3.0.0 requires a ESYS_TR_RH_* constant specifying the requested
|
||
|
+ * hierarchy, older versions need TPM2_RH_* instead. */
|
||
|
+ ESYS_TR_RH_OWNER,
|
||
|
+#else
|
||
|
+ TPM2_RH_OWNER,
|
||
|
+#endif
|
||
|
+ &handle->esys_handle);
|
||
|
+ if (rc != TSS2_RC_SUCCESS)
|
||
|
+ return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
||
|
+ "Failed to load public key into TPM: %s", sym_Tss2_RC_Decode(rc));
|
||
|
+
|
||
|
+ *ret_handle = TAKE_PTR(handle);
|
||
|
+
|
||
|
+ return 0;
|
||
|
+}
|
||
|
+
|
||
|
static int tpm2_pcr_read(
|
||
|
Tpm2Context *c,
|
||
|
const TPML_PCR_SELECTION *pcr_selection,
|
||
|
@@ -2616,30 +2660,10 @@ static int tpm2_policy_authorize(
|
||
|
log_debug("Adding PCR signature policy.");
|
||
|
|
||
|
_cleanup_(tpm2_handle_freep) Tpm2Handle *pubkey_handle = NULL;
|
||
|
- r = tpm2_handle_new(c, &pubkey_handle);
|
||
|
+ r = tpm2_load_external(c, NULL, public, NULL, &pubkey_handle);
|
||
|
if (r < 0)
|
||
|
return r;
|
||
|
|
||
|
- /* Load the key into the TPM */
|
||
|
- rc = sym_Esys_LoadExternal(
|
||
|
- c->esys_context,
|
||
|
- ESYS_TR_NONE,
|
||
|
- ESYS_TR_NONE,
|
||
|
- ESYS_TR_NONE,
|
||
|
- NULL,
|
||
|
- public,
|
||
|
-#if HAVE_TSS2_ESYS3
|
||
|
- /* tpm2-tss >= 3.0.0 requires a ESYS_TR_RH_* constant specifying the requested
|
||
|
- * hierarchy, older versions need TPM2_RH_* instead. */
|
||
|
- ESYS_TR_RH_OWNER,
|
||
|
-#else
|
||
|
- TPM2_RH_OWNER,
|
||
|
-#endif
|
||
|
- &pubkey_handle->esys_handle);
|
||
|
- if (rc != TSS2_RC_SUCCESS)
|
||
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
||
|
- "Failed to load public key into TPM: %s", sym_Tss2_RC_Decode(rc));
|
||
|
-
|
||
|
/* Acquire the "name" of what we just loaded */
|
||
|
_cleanup_(Esys_Freep) TPM2B_NAME *pubkey_name = NULL;
|
||
|
r = tpm2_get_name(c, pubkey_handle, &pubkey_name);
|