You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
187 lines
6.3 KiB
187 lines
6.3 KiB
From 696a17861c38b38fb2acf888119d918eb9c12329 Mon Sep 17 00:00:00 2001
|
|
From: Imran Desai <imran.desai@intel.com>
|
|
Date: Thu, 21 May 2020 11:31:43 -0700
|
|
Subject: [PATCH] tpm2_create.c: Fix an issue where userwithauth attr cleared
|
|
if policy specified
|
|
|
|
Fixes #2037
|
|
|
|
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
|
---
|
|
man/tpm2_create.1.md | 9 +++-
|
|
test/integration/tests/import_tpm.sh | 78 +++++++++++++++++-----------
|
|
tools/tpm2_create.c | 10 ++--
|
|
3 files changed, 60 insertions(+), 37 deletions(-)
|
|
|
|
diff --git a/man/tpm2_create.1.md b/man/tpm2_create.1.md
|
|
index e8e5eaac49c3..9a7ba33e6017 100644
|
|
--- a/man/tpm2_create.1.md
|
|
+++ b/man/tpm2_create.1.md
|
|
@@ -13,7 +13,7 @@
|
|
**tpm2_create**(1) - Create a child object. The object can either be a key or
|
|
a sealing object. A sealing object allows to seal user data to the TPM, with a
|
|
maximum size of 256 bytes. Additionally it will load the created object if the
|
|
-**-o** is specified.
|
|
+**-c** is specified.
|
|
|
|
# OPTIONS
|
|
|
|
@@ -55,6 +55,13 @@ These options for creating the TPM entity:
|
|
and unsealing. I.e. one cannot use an object for sealing and cryptography
|
|
operations.
|
|
|
|
+ When **-L** is specified for adding policy based authorization information
|
|
+ AND no string password is specified, the attribute `TPMA_OBJECT_USERWITHAUTH`
|
|
+ is cleared unless an explicit choice is made by setting of the attribute
|
|
+ with **-a** option. This prevents creation of objects with inadvertant auth
|
|
+ model where in user intended to enforce a policy but inadvertantly created
|
|
+ an object with empty auth which can be used instead of policy authorization.
|
|
+
|
|
* **-i**, **\--sealing-input**=_FILE_ or _STDIN_:
|
|
|
|
The data file to be sealed, optional. If file is -, read from stdin.
|
|
diff --git a/test/integration/tests/import_tpm.sh b/test/integration/tests/import_tpm.sh
|
|
index ff48185aba70..3d1e10820844 100755
|
|
--- a/test/integration/tests/import_tpm.sh
|
|
+++ b/test/integration/tests/import_tpm.sh
|
|
@@ -54,8 +54,13 @@ load_new_parent() {
|
|
create_load_duplicatee() {
|
|
# Create the key we want to duplicate
|
|
create_policy dpolicy.dat TPM2_CC_Duplicate
|
|
- tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p foo -r key.prv -u key.pub \
|
|
- -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
|
|
+ if [ -z "$2" ];then
|
|
+ tpm2_create -Q -C primary.ctx -g sha256 -G $1 -r key.prv \
|
|
+ -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
|
|
+ else
|
|
+ tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p "$2" -r key.prv \
|
|
+ -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
|
|
+ fi
|
|
# Load the key
|
|
tpm2_load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx
|
|
# Extract the public part for import later
|
|
@@ -113,34 +118,45 @@ for dup_key_type in aes rsa ecc; do
|
|
done
|
|
done
|
|
|
|
-# Part 2 :
|
|
-# Create a rsa key (Kd)
|
|
-# Encrypt a message using Kd
|
|
-# Duplicate Kd
|
|
-# Import & Load Kd
|
|
-# Decrypt the message and verify
|
|
-tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx
|
|
-# New parent ...
|
|
-create_load_new_parent
|
|
-# Key to be duplicated
|
|
-create_load_duplicatee rsa
|
|
-# Encrypt a secret message
|
|
-echo "Mary had a little lamb ..." > plain.txt
|
|
-tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt
|
|
-# Duplicate the key
|
|
-do_duplication null
|
|
-# Remove, we're done with it
|
|
-rm new_parent.ctx
|
|
-# Load the full thing this time
|
|
-load_new_parent
|
|
-# Import & load the duplicate
|
|
-do_import_load null
|
|
-# Decrypt the secret message using duplicated key
|
|
-tpm2_rsadecrypt -Q -p foo -c dup.ctx -o recovered.txt cipher.txt
|
|
-# Check we got it right ...
|
|
-diff recovered.txt plain.txt
|
|
-# Cleanup
|
|
-rm plain.txt recovered.txt cipher.txt
|
|
-cleanup "no-shut-down"
|
|
+test_key_usage() {
|
|
+ # Part 2 :
|
|
+ # Create a rsa key (Kd)
|
|
+ # Encrypt a message using Kd
|
|
+ # Duplicate Kd
|
|
+ # Import & Load Kd
|
|
+ # Decrypt the message and verify
|
|
+ tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx
|
|
+ # New parent ...
|
|
+ create_load_new_parent
|
|
+ # Key to be duplicated
|
|
+ create_load_duplicatee rsa "$1"
|
|
+ # Encrypt a secret message
|
|
+ echo "Mary had a little lamb ..." > plain.txt
|
|
+ tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt
|
|
+ # Duplicate the key
|
|
+ do_duplication null
|
|
+ # Remove, we're done with it
|
|
+ rm new_parent.ctx
|
|
+ # Load the full thing this time
|
|
+ load_new_parent
|
|
+ # Import & load the duplicate
|
|
+ do_import_load null
|
|
+ # Decrypt the secret message using duplicated key
|
|
+ if [ -z "$1" ];then
|
|
+ tpm2_rsadecrypt -Q -c dup.ctx -o recovered.txt cipher.txt
|
|
+ else
|
|
+ tpm2_rsadecrypt -Q -p "$1" -c dup.ctx -o recovered.txt cipher.txt
|
|
+ fi
|
|
+ # Check we got it right ...
|
|
+ diff recovered.txt plain.txt
|
|
+ # Cleanup
|
|
+ rm plain.txt recovered.txt cipher.txt
|
|
+ cleanup "no-shut-down"
|
|
+}
|
|
+
|
|
+#Test key with password
|
|
+test_key_usage foo
|
|
+#Test key without password
|
|
+test_key_usage
|
|
|
|
exit 0
|
|
diff --git a/tools/tpm2_create.c b/tools/tpm2_create.c
|
|
index 941b77655f55..8e92cc747e17 100644
|
|
--- a/tools/tpm2_create.c
|
|
+++ b/tools/tpm2_create.c
|
|
@@ -47,7 +47,7 @@ struct tpm_create_ctx {
|
|
TPML_PCR_SELECTION creation_pcr;
|
|
|
|
struct {
|
|
- UINT8 b :1;
|
|
+ UINT8 a :1;
|
|
UINT8 i :1;
|
|
UINT8 L :1;
|
|
UINT8 u :1;
|
|
@@ -224,7 +224,7 @@ static bool on_option(char key, char *value) {
|
|
break;
|
|
case 'a':
|
|
ctx.object.attrs = value;
|
|
- ctx.flags.b = 1;
|
|
+ ctx.flags.a = 1;
|
|
break;
|
|
case 'i':
|
|
ctx.object.sealed_data = strcmp("-", value) ? value : NULL;
|
|
@@ -346,12 +346,12 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
|
|
|
|
ctx.object.alg = "keyedhash";
|
|
|
|
- if (!ctx.flags.b) {
|
|
+ if (!ctx.flags.a) {
|
|
attrs &= ~TPMA_OBJECT_SIGN_ENCRYPT;
|
|
attrs &= ~TPMA_OBJECT_DECRYPT;
|
|
attrs &= ~TPMA_OBJECT_SENSITIVEDATAORIGIN;
|
|
}
|
|
- } else if (!ctx.flags.b && !strncmp("hmac", ctx.object.alg, 4)) {
|
|
+ } else if (!ctx.flags.a && !strncmp("hmac", ctx.object.alg, 4)) {
|
|
attrs &= ~TPMA_OBJECT_DECRYPT;
|
|
}
|
|
|
|
@@ -362,7 +362,7 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
|
|
return tool_rc_general_error;
|
|
}
|
|
|
|
- if (ctx.flags.L && !ctx.object.auth_str) {
|
|
+ if (!ctx.flags.a && ctx.flags.L && !ctx.object.auth_str) {
|
|
ctx.object.public.publicArea.objectAttributes &=
|
|
~TPMA_OBJECT_USERWITHAUTH;
|
|
}
|
|
--
|
|
2.27.0
|
|
|