From a721d6941e65589fc0a88091b64c9b6a10792ff4 Mon Sep 17 00:00:00 2001 From: Dan Streetman Date: Fri, 30 Jun 2023 12:52:10 -0400 Subject: [PATCH] tpm2: add tpm2_index_to_handle() and tpm2_index_from_handle() Adjust the tpm2_esys_handle_from_tpm_handle() function into better-named tpm2_index_to_handle(), which operates like tpm2_get_srk() but allows using any handle index. Also add matching tpm2_index_from_handle(). Also change the references to 'location' in tpm2_persist_handle() to more appropriate 'handle index'. (cherry picked from commit 13cf98f3623866c18e77488e405862aedb1ec5f5) Related: RHEL-16182 --- src/shared/tpm2-util.c | 146 +++++++++++++++++++++++------------------ src/shared/tpm2-util.h | 5 ++ 2 files changed, 88 insertions(+), 63 deletions(-) diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index 131356538e..85ef4157ac 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -56,6 +56,7 @@ static TSS2_RC (*sym_Esys_TR_Close)(ESYS_CONTEXT *esys_context, ESYS_TR *rsrc_ha static TSS2_RC (*sym_Esys_TR_Deserialize)(ESYS_CONTEXT *esys_context, uint8_t const *buffer, size_t buffer_size, ESYS_TR *esys_handle) = NULL; static TSS2_RC (*sym_Esys_TR_FromTPMPublic)(ESYS_CONTEXT *esysContext, TPM2_HANDLE tpm_handle, ESYS_TR optionalSession1, ESYS_TR optionalSession2, ESYS_TR optionalSession3, ESYS_TR *object) = NULL; static TSS2_RC (*sym_Esys_TR_GetName)(ESYS_CONTEXT *esysContext, ESYS_TR handle, TPM2B_NAME **name) = NULL; +static TSS2_RC (*sym_Esys_TR_GetTpmHandle)(ESYS_CONTEXT *esys_context, ESYS_TR esys_handle, TPM2_HANDLE *tpm_handle) = NULL; static TSS2_RC (*sym_Esys_TR_Serialize)(ESYS_CONTEXT *esys_context, ESYS_TR object, uint8_t **buffer, size_t *buffer_size) = NULL; static TSS2_RC (*sym_Esys_TR_SetAuth)(ESYS_CONTEXT *esysContext, ESYS_TR handle, TPM2B_AUTH const *authValue) = NULL; static TSS2_RC (*sym_Esys_TRSess_GetAttributes)(ESYS_CONTEXT *esysContext, ESYS_TR session, TPMA_SESSION *flags) = NULL; @@ -114,6 +115,12 @@ int dlopen_tpm2(void) { if (r < 0) return r; + /* Esys_TR_GetTpmHandle was added to tpm2-tss in version 2.4.0. Once we can set a minimum tpm2-tss + * version of 2.4.0 this sym can be moved up to the normal list above. */ + r = dlsym_many_or_warn(libtss2_esys_dl, LOG_DEBUG, DLSYM_ARG_FORCE(Esys_TR_GetTpmHandle)); + if (r < 0) + log_debug("libtss2-esys too old, does not include Esys_TR_GetTpmHandle."); + r = dlopen_many_sym_or_warn( &libtss2_rc_dl, "libtss2-rc.so.0", LOG_DEBUG, DLSYM_ARG(Tss2_RC_Decode)); @@ -697,53 +704,59 @@ int tpm2_handle_new(Tpm2Context *context, Tpm2Handle **ret_handle) { return 0; } -/* Create a Tpm2Handle object that references a pre-existing handle in the TPM, at the TPM2_HANDLE address - * provided. This should be used only for persistent, transient, or NV handles. Returns 1 on success, 0 if - * the requested handle is not present in the TPM, or < 0 on error. */ -static int tpm2_esys_handle_from_tpm_handle( +/* Create a Tpm2Handle object that references a pre-existing handle in the TPM, at the handle index provided. + * This should be used only for persistent, transient, or NV handles; and the handle must already exist in + * the TPM at the specified handle index. The handle index should not be 0. Returns 1 if found, 0 if the + * index is empty, or < 0 on error. Also see tpm2_get_srk() below; the SRK is a commonly used persistent + * Tpm2Handle. */ +int tpm2_index_to_handle( Tpm2Context *c, + TPM2_HANDLE index, const Tpm2Handle *session, - TPM2_HANDLE tpm_handle, + TPM2B_PUBLIC **ret_public, + TPM2B_NAME **ret_name, + TPM2B_NAME **ret_qname, Tpm2Handle **ret_handle) { TSS2_RC rc; int r; assert(c); - assert(tpm_handle > 0); - assert(ret_handle); /* Let's restrict this, at least for now, to allow only some handle types. */ - switch (TPM2_HANDLE_TYPE(tpm_handle)) { + switch (TPM2_HANDLE_TYPE(index)) { case TPM2_HT_PERSISTENT: case TPM2_HT_NV_INDEX: case TPM2_HT_TRANSIENT: break; case TPM2_HT_PCR: return log_error_errno(SYNTHETIC_ERRNO(EINVAL), - "Refusing to create ESYS handle for PCR handle 0x%08" PRIx32 ".", - tpm_handle); + "Invalid handle 0x%08" PRIx32 " (in PCR range).", index); case TPM2_HT_HMAC_SESSION: case TPM2_HT_POLICY_SESSION: return log_error_errno(SYNTHETIC_ERRNO(EINVAL), - "Refusing to create ESYS handle for session handle 0x%08" PRIx32 ".", - tpm_handle); + "Invalid handle 0x%08" PRIx32 " (in session range).", index); case TPM2_HT_PERMANENT: /* Permanent handles are defined, e.g. ESYS_TR_RH_OWNER. */ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), - "Refusing to create ESYS handle for permanent handle 0x%08" PRIx32 ".", - tpm_handle); + "Invalid handle 0x%08" PRIx32 " (in permanent range).", index); default: return log_error_errno(SYNTHETIC_ERRNO(EINVAL), - "Refusing to create ESYS handle for unknown handle 0x%08" PRIx32 ".", - tpm_handle); + "Invalid handle 0x%08" PRIx32 " (in unknown range).", index); } - r = tpm2_get_capability_handle(c, tpm_handle); + r = tpm2_get_capability_handle(c, index); if (r < 0) return r; if (r == 0) { - log_debug("TPM handle 0x%08" PRIx32 " not populated.", tpm_handle); - *ret_handle = NULL; + log_debug("TPM handle 0x%08" PRIx32 " not populated.", index); + if (ret_public) + *ret_public = NULL; + if (ret_name) + *ret_name = NULL; + if (ret_qname) + *ret_qname = NULL; + if (ret_handle) + *ret_handle = NULL; return 0; } @@ -758,7 +771,7 @@ static int tpm2_esys_handle_from_tpm_handle( rc = sym_Esys_TR_FromTPMPublic( c->esys_context, - tpm_handle, + index, session ? session->esys_handle : ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, @@ -767,25 +780,61 @@ static int tpm2_esys_handle_from_tpm_handle( return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to read public info: %s", sym_Tss2_RC_Decode(rc)); - *ret_handle = TAKE_PTR(handle); + if (ret_public || ret_name || ret_qname) { + r = tpm2_read_public(c, session, handle, ret_public, ret_name, ret_qname); + if (r < 0) + return r; + } + + if (ret_handle) + *ret_handle = TAKE_PTR(handle); return 1; } -/* Copy an object in the TPM at a transient location to a persistent location. +/* Get the handle index for the provided Tpm2Handle. */ +int tpm2_index_from_handle(Tpm2Context *c, const Tpm2Handle *handle, TPM2_HANDLE *ret_index) { + TSS2_RC rc; + + assert(c); + assert(handle); + assert(ret_index); + + /* Esys_TR_GetTpmHandle was added to tpm2-tss in version 2.4.0. Once we can set a minimum tpm2-tss + * version of 2.4.0 this check can be removed. */ + if (!sym_Esys_TR_GetTpmHandle) + return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), + "libtss2-esys too old, does not include Esys_TR_GetTpmHandle."); + + rc = sym_Esys_TR_GetTpmHandle(c->esys_context, handle->esys_handle, ret_index); + if (rc != TSS2_RC_SUCCESS) + return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), + "Failed to get handle index: %s", sym_Tss2_RC_Decode(rc)); + + return 0; +} + +/* Copy an object in the TPM at a transient handle to a persistent handle. * - * The provided transient handle must exist in the TPM in the transient range. The persistent location may be - * 0 or any location in the persistent range. If 0, this will try each handle in the persistent range, in - * ascending order, until an available one is found. If non-zero, only the requested persistent location will + * The provided transient handle must exist in the TPM in the transient range. The persistent handle may be 0 + * or any handle in the persistent range. If 0, this will try each handle in the persistent range, in + * ascending order, until an available one is found. If non-zero, only the requested persistent handle will * be used. * + * Note that the persistent handle parameter is an handle index (i.e. number), while the transient handle is + * a Tpm2Handle object. The returned persistent handle will be a Tpm2Handle object that is located in the TPM + * at the requested persistent handle index (or the first available if none was requested). + * * Returns 1 if the object was successfully persisted, or 0 if there is already a key at the requested - * location(s), or < 0 on error. The persistent handle is only provided when returning 1. */ + * handle, or < 0 on error. Theoretically, this would also return 0 if no specific persistent handle is + * requiested but all persistent handles are used, but it is extremely unlikely the TPM has enough internal + * memory to store the entire persistent range, in which case an error will be returned if the TPM is out of + * memory for persistent storage. The persistent handle is only provided when returning 1. */ static int tpm2_persist_handle( Tpm2Context *c, const Tpm2Handle *transient_handle, const Tpm2Handle *session, - TPMI_DH_PERSISTENT persistent_location, + TPMI_DH_PERSISTENT persistent_handle_index, Tpm2Handle **ret_persistent_handle) { /* We don't use TPM2_PERSISTENT_FIRST and TPM2_PERSISTENT_LAST here due to: @@ -797,13 +846,13 @@ static int tpm2_persist_handle( assert(c); assert(transient_handle); - /* If persistent location specified, only try that. */ - if (persistent_location != 0) { - if (TPM2_HANDLE_TYPE(persistent_location) != TPM2_HT_PERSISTENT) + /* If persistent handle index specified, only try that. */ + if (persistent_handle_index != 0) { + if (TPM2_HANDLE_TYPE(persistent_handle_index) != TPM2_HT_PERSISTENT) return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), - "Handle not in persistent range: 0x%x", persistent_location); + "Handle not in persistent range: 0x%x", persistent_handle_index); - first = last = persistent_location; + first = last = persistent_handle_index; } for (TPMI_DH_PERSISTENT requested = first; requested <= last; requested++) { @@ -901,7 +950,7 @@ static int tpm2_credit_random(Tpm2Context *c) { return 0; } -static int tpm2_read_public( +int tpm2_read_public( Tpm2Context *c, const Tpm2Handle *session, const Tpm2Handle *handle, @@ -1113,36 +1162,7 @@ static int tpm2_get_srk( TPM2B_NAME **ret_qname, Tpm2Handle **ret_handle) { - int r; - - assert(c); - - _cleanup_(tpm2_handle_freep) Tpm2Handle *handle = NULL; - r = tpm2_esys_handle_from_tpm_handle(c, session, TPM2_SRK_HANDLE, &handle); - if (r < 0) - return r; - if (r == 0) { /* SRK not found */ - if (ret_public) - *ret_public = NULL; - if (ret_name) - *ret_name = NULL; - if (ret_qname) - *ret_qname = NULL; - if (ret_handle) - *ret_handle = NULL; - return 0; - } - - if (ret_public || ret_name || ret_qname) { - r = tpm2_read_public(c, session, handle, ret_public, ret_name, ret_qname); - if (r < 0) - return r; - } - - if (ret_handle) - *ret_handle = TAKE_PTR(handle); - - return 1; + return tpm2_index_to_handle(c, TPM2_SRK_HANDLE, session, ret_public, ret_name, ret_qname, ret_handle); } /* Get the SRK, creating one if needed. Returns 0 on success, or < 0 on error. */ diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h index 7b0750b03a..c8da857eb4 100644 --- a/src/shared/tpm2-util.h +++ b/src/shared/tpm2-util.h @@ -155,6 +155,11 @@ void tpm2_log_debug_buffer(const void *buffer, size_t size, const char *msg); void tpm2_log_debug_digest(const TPM2B_DIGEST *digest, const char *msg); void tpm2_log_debug_name(const TPM2B_NAME *name, const char *msg); +int tpm2_index_to_handle(Tpm2Context *c, TPM2_HANDLE index, const Tpm2Handle *session, TPM2B_PUBLIC **ret_public, TPM2B_NAME **ret_name, TPM2B_NAME **ret_qname, Tpm2Handle **ret_handle); +int tpm2_index_from_handle(Tpm2Context *c, const Tpm2Handle *handle, TPM2_HANDLE *ret_index); + +int tpm2_read_public(Tpm2Context *c, const Tpm2Handle *session, const Tpm2Handle *handle, TPM2B_PUBLIC **ret_public, TPM2B_NAME **ret_name, TPM2B_NAME **ret_qname); + int tpm2_pcr_read(Tpm2Context *c, const TPML_PCR_SELECTION *pcr_selection, Tpm2PCRValue **ret_pcr_values, size_t *ret_n_pcr_values); int tpm2_pcr_read_missing_values(Tpm2Context *c, Tpm2PCRValue *pcr_values, size_t n_pcr_values);