Oct 17th, 2018
# 10/2/2018:

tpm_sealsecret creates a persistent object.

The range for persistent objects is `0x81000000 - 0x817fffff`

The object created by the provisioning script for the LUKS volume is the following:

```
0. Persistent handle: 0x81010002
{
Type: 0x8
Hash algorithm(nameAlg): 0xb
Attributes: 0x52 <- 1 0 0 1 0 0 1 0
| | | | | | | |
| | | | | | | \_
| | | | | | \___ bit 1: SET (1): The hierarchy of the object, as indicated by its Qualified Name, may not change.
| | | | | \_____
| | | | \_______
| | | \_________ bit 4: SET (1): The parent of the object may not change.
| | \___________
| \_____________
\_______________ bit 7: SET (1): Approval of ADMIN role actions with this object may only be done with a policy session.
```

The command to unseal the object with handle `0x81010002` from Linux userspace (`tpm2_unseal` utility) is:

```sh
rm -f out && tpm_unsealsecret 0x81010002 out
```

The TPM command causes the following output on the simulator:

```sh
SWTPM_IO_Read: length 27
80 02 00 00 00 1B 00 00 01 5E 81 01 00 02 00 00
00 09 40 00 00 09 00 00 00 00 00
SWTPM_NVRAM_StoreData: To name permall
SWTPM_NVRAM_GetFilenameForName: For name permall
SWTPM_NVRAM_GetFilenameForName: File name /home/ccopos/PROJECTS/USA-STJ260017/tpmstate/tpm2-00.permall
SWTPM_NVRAM_StoreData: Opening file /home/ccopos/PROJECTS/USA-STJ260017/tpmstate/tpm2-00.permall
SWTPM_NVRAM_StoreData: Writing 4522 bytes of data
SWTPM_NVRAM_StoreData: Closing file /home/ccopos/PROJECTS/USA-STJ260017/tpmstate/tpm2-00.permall
SWTPM_NVRAM_StoreData: Closed file /home/ccopos/PROJECTS/USA-STJ260017/tpmstate/tpm2-00.permall
SWTPM_NVRAM_StoreData: rc=0
SWTPM_IO_Write: length 28
80 02 00 00 00 1C 00 00 00 00 00 00 00 09 00 07
61 62 63 31 32 33 0A 00 00 01 00 00
```

## Dissection of the command sent down to the TPM

The layout of the actual command as displayed by `swtpm`:

```
80 02 00 00 00 1B 00 00 01 5E 81 01 00 02 00 00 00 09 40 00 00 09 00 00 00 00 00

80 02         TPM_ST_SESSIONS
00 00 00 1B   commandSize
00 00 01 5E   TPM_CC_Unseal
81 01 00 02   handle (input value 0x81010002)
00 00 00 09   ???
40 00 00 09   TPM_RS_PW (Table 28 — Definition of (TPM_HANDLE) TPM_RH Constants, Part 2: Structures)
00 00 00 00   (unlabelled)
00            (unlabelled)
```

Highlights of the command code path:

1. The entry point is in `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tools/2.1.0+gitAUTOINC+97306d6dc1-r0/git/tools/tpm2_unseal.c`

2. The `main` function is implemented in `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tools/2.1.0+gitAUTOINC+97306d6dc1-r0/git/tools/main.c`, common to all utilities.

3. The `init` function processes the arguments. We use only `-H` (handle) and no password or context.

4. `init`, `execute_tool`, and `unseal_and_save` fill in just a few fields of the marshalled data.

5. Both the command part and the authorization part of the marshalled data are filled in by `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tss/1.1.0+gitAUTOINC+3fb91634e6-r0/git/sysapi/sysapi/Tss2_Sys_Unseal.c`

6. `execute_tool` sets `ctx.sessionData.sessionHandle = TPM_RS_PW;` (line 199, in `int execute_tool(int argc, char *argv[], char *envp[], common_opts_t *opts)` in `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tools/2.1.0+gitAUTOINC+97306d6dc1-r0/git/tools/tpm2_unseal.c`)

7. The authorization settings are applied by `SYS_CONTEXT->rval = Tss2_Sys_SetCmdAuths( sysContext, cmdAuthsArray );` (line 256, in `TSS2_RC CommonOneCall(` in `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tss/1.1.0+gitAUTOINC+3fb91634e6-r0/git/sysapi/sysapi_util/CommandUtil.c`)

8. `Tss2_Sys_SetCmdAuths` is implemented in `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tss/1.1.0+gitAUTOINC+3fb91634e6-r0/git/sysapi/sysapi/authorizations.c`

The marshalled data sent down to the TPM for `TPM_CC_Unseal` is defined in **Table 31 of Trusted Platform Module Library, Part 3: Commands**

```
TPMI_ST_COMMAND_TAG   tag           TPM_ST_SESSIONS
UINT32                commandSize
TPM_CC                commandCode   TPM_CC_Unseal
TPMI_DH_OBJECT        @itemHandle   handle of a loaded data object
                                    Auth Index: 1
                                    Auth Role: USER
```

The `@` prefix on the last item, `@itemHandle`, indicates that an authorization session is required to use the entity associated with the handle.

The values of the above structure are the following:

### TPMI_ST_COMMAND_TAG

Defined in **Table 19 — Definition of (UINT16) TPM_ST Constants <IN/OUT, S>, Part 2: Structures** as 0x8002

### commandSize

`commandSize` is the ... + size of the authorization session data. It gets filled in by `Tss2_Sys_SetCmdAuths`.

Computation:

```
authSize += sizeof( TPMI_SH_AUTH_SESSION ); // Handle
authSize += sizeof( UINT16 ) + cmdAuthsArray->cmdAuths[i]->nonce.t.size; // nonce
authSize += sizeof( UINT8 ); // sessionAttributes
authSize += sizeof( UINT16 ) + cmdAuthsArray->cmdAuths[i]->hmac.t.size; // hmac
```

Type inference:

```
TPMI_SH_AUTH_SESSION => TPM_HANDLE => UINT32
TPM2B_NONCE => TPM2B_DIGEST =>
TPMA_SESSION => UINT32 (UNION)
```

### `TPM_CC_Unseal`

Defined in **Table 12 — Definition of (UINT32) TPM_CC Constants (Numeric Order) <IN/OUT, S>, Part 2: Structures** as 0x15e

### `TPMI_DH_OBJECT` handle

### Authorization session data

The spec indicates that the `TPM_CC_Unseal` command requires an authorization session.

The structure is defined in **Table 124 — Definition of TPMS_AUTH_COMMAND Structure <IN>, Part 2: Structures**

```
Parameter           Type                    Description
------------------  ----------------------  ------------------------------------------------
sessionHandle       TPMI_SH_AUTH_SESSION+   the session handle
nonce               TPM2B_NONCE             the session nonce, may be the Empty Buffer
sessionAttributes   TPMA_SESSION            the session attributes
hmac                TPM2B_AUTH              either an HMAC, a password, or an EmptyAuth
```

`???` is also filled in by `Tss2_Sys_SetCmdAuths` (as is `commandSize`).

The exact location that adds `???` is `rval = CopySessionsDataIn( &otherData, cmdAuthsArray );` (line 119, in `TSS2_RC Tss2_Sys_SetCmdAuths(` in `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tss/1.1.0+gitAUTOINC+3fb91634e6-r0/git/sysapi/sysapi/authorizations.c`)

`CopySessionsDataIn` is `TSS2_RC CopySessionDataIn( void **otherData, TPMS_AUTH_COMMAND const *sessionData, UINT32 *sessionSizePtr )` (line 74, in `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tss/1.1.0+gitAUTOINC+3fb91634e6-r0/git/sysapi/sysapi_util/CopySessionData.c`)

```
/* Table 44 Definition of TPM_HANDLE TPMI_SH_AUTH_SESSION Type <INOUT> */
typedef TPM_HANDLE TPMI_SH_AUTH_SESSION;
```

```
//
// Input structure for authorization area(s).
//
typedef struct {
    uint8_t cmdAuthsCount;
    TPMS_AUTH_COMMAND **cmdAuths;
} TSS2_SYS_CMD_AUTHS;
```

```
80 02 00 00 00 1B 00 00 01 5E 81 01 00 02 00 00 00 09 40 00 00 09 00 00 00 00 00

bytes         type                    field               description                       base type
-----------   ----------------------  ------------------  --------------------------------  --------------------
80 02         TPMI_ST_COMMAND_TAG     tag                 TPM_ST_SESSIONS
00 00 00 1B   UINT32                  commandSize                                           UINT32
00 00 01 5e   TPM_CC                  commandCode         TPM_CC_Unseal                     UINT32
81 01 00 02   TPMI_DH_OBJECT          @itemHandle         handle of a loaded data object    TPM_HANDLE -> UINT32
                                                          Auth Index: 1
                                                          Auth Role: USER

00 00 00 09   TPMI_SH_AUTH_SESSION+   sessionHandle       the session handle                TPM_HANDLE -> UINT32
40 00 00 09   TPM2B_NONCE             nonce               the session nonce, may be the     TPM2B_DIGEST (below)
                                                          Empty Buffer
00            TPMA_SESSION            sessionAttributes   the session attributes            UINT8
00 00 00 00   TPM2B_AUTH              hmac                either an HMAC, a password, or    TPM2B_DIGEST (below)
                                                          an EmptyAuth

TPM2B_DIGEST:
  size                              UINT16   size in octets of the buffer field; may be 0
  buffer[size]{:sizeof(TPMU_HA)}    BYTE     the buffer area that can be no larger than a digest
```

### TPMI_SH_AUTH_SESSION

The TPMI_SH_AUTH_SESSION interface type is TPM-defined values that are used to indicate that the handle refers to an authorization session.

**Table 45 — Definition of (TPM_HANDLE) TPMI_SH_AUTH_SESSION Type <IN/OUT>**

```
Values                                        Comments
--------------------------------------------  ----------------------------------------------
{HMAC_SESSION_FIRST : HMAC_SESSION_LAST}      range of HMAC authorization session handles
{POLICY_SESSION_FIRST : POLICY_SESSION_LAST}  range of policy authorization session handles
+TPM_RS_PW                                    a password authorization

#TPM_RC_VALUE                                 error returned if the handle is out of range
```

## Dissection of the response from the TPM

The response from the TPM is defined in **Table 32 of Trusted Platform Module Library, Part 3: Commands**

```
TPM_ST                 tag            see clause 6
UINT32                 responseSize
TPM_RC                 responseCode
TPM2B_SENSITIVE_DATA   outData        unsealed data
                                      Size of outData is limited to be no more than 128 octets
```

The layout of the actual response as displayed by `swtpm`:

```
SWTPM_IO_Write: length 31
80 02 00 00 00 1F 00 00 00 00 00 00 00 0C 00 0A 31 64 65 61 64 62 65 65 66 0A 00 00 01 00 00

80 02                           TPM_ST tag see clause 6
00 00 00 1F                     UINT32 responseSize
00 00 00 00                     TPM_RC responseCode: typedef UINT32 TPM_RC; (line 339, Table 15 - TPM_RC Constants, in ../edk2/MdePkg/Include/IndustryStandard/Tpm20.h)
00 00 00 0C                     ??? (where is this field defined in the specs?)
00 0A                           TPM2B_SENSITIVE_DATA.size
31 64 65 61 64 62 65 65 66 0A   TPM2B_SENSITIVE_DATA.buffer
00 00 01 00 00                  (unlabelled)
```
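The command dump (27 bytes) and the response dump (31 bytes) shown above, parsed by a Python script added here; it is not part of the original notes. For the two fields the diagrams mark `???` it follows TPM 2.0 Library Part 3: in a command tagged TPM_ST_SESSIONS the UINT32 right after the handle area is authorizationSize (the byte count of the authorization area that follows it, so `00 00 00 09` precedes the `40 00 00 09` TPM_RS_PW session handle), and in the response the UINT32 after responseCode is parameterSize. The byte strings are the page's own swtpm dumps, embedded inline; the function and key names are this script's own.

```python
import struct

# TPM 2.0 Part 2 constants quoted on this page
TPM_ST_SESSIONS = 0x8002    # Table 19
TPM_CC_UNSEAL = 0x0000015E  # Table 12
TPM_RS_PW = 0x40000009      # Table 28, the password-authorization session handle

def _tpm2b(buf, off):
    """Parse a TPM2B (UINT16 size, then size bytes); return (data, next offset)."""
    (size,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + size], off + 2 + size

def _auth_area(buf, off, is_command):
    """TPMS_AUTH_COMMAND (Table 124); the response form has no sessionHandle."""
    s = {}
    if is_command:
        (s["sessionHandle"],) = struct.unpack_from(">I", buf, off)
        off += 4
    s["nonce"], off = _tpm2b(buf, off)
    s["sessionAttributes"] = buf[off]  # TPMA_SESSION, one octet; bit 0 = continueSession
    s["hmac"], off = _tpm2b(buf, off + 1)
    return s, off

def auth_area_size(nonce=b"", hmac=b""):
    """Mirror of the authSize computation from Tss2_Sys_SetCmdAuths quoted above."""
    return 4 + (2 + len(nonce)) + 1 + (2 + len(hmac))

def parse_unseal_command(buf):
    tag, size, cc, handle, auth_size = struct.unpack_from(">HIIII", buf, 0)
    if tag != TPM_ST_SESSIONS or cc != TPM_CC_UNSEAL or size != len(buf):
        raise ValueError("not a well-formed TPM2_Unseal command")
    session, end = _auth_area(buf, 18, True)
    if end - 18 != auth_size or end != len(buf):  # authorizationSize covers the session exactly
        raise ValueError("authorizationSize does not match the authorization area")
    return {"itemHandle": handle, "authorizationSize": auth_size, "session": session}

def parse_unseal_response(buf):
    tag, size, rc, param_size = struct.unpack_from(">HIII", buf, 0)
    if tag != TPM_ST_SESSIONS or size != len(buf):
        raise ValueError("not a TPM2_Unseal response with sessions")
    out_data, off = _tpm2b(buf, 14)  # TPM2B_SENSITIVE_DATA outData (parameter area)
    session, end = _auth_area(buf, off, False)
    if off - 14 != param_size or end != len(buf):
        raise ValueError("parameterSize does not match the parameter area")
    return {"responseCode": rc, "parameterSize": param_size, "outData": out_data, "session": session}

# The swtpm dumps from this page, embedded as byte strings (fromhex ignores the spaces).
CMD = bytes.fromhex("8002 0000001B 0000015E 81010002 00000009 40000009 0000 00 0000")
RSP = bytes.fromhex("8002 0000001F 00000000 0000000C 000A 3164656164626565660A 0000 01 0000")
```

`parse_unseal_command(CMD)` reports the password session (TPM_RS_PW, empty nonce and hmac, attributes 0) under an authorizationSize of 9, and `parse_unseal_response(RSP)` returns the 10-byte unsealed blob with the response session's continueSession bit set.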

Highlights of the response code path. Steps (1-5) are common with the command code path.

1. The entry point is in `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tools/2.1.0+gitAUTOINC+97306d6dc1-r0/git/tools/tpm2_unseal.c`
2. The `main` function is in `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tools/2.1.0+gitAUTOINC+97306d6dc1-r0/git/tools/main.c`, common to all utilities.
3. `init` processes the arguments. We use only `-H` (handle) and no password or context.
4. `init`, `execute_tool`, and `unseal_and_save` fill in just a few fields of the marshalled data.
5. Un-marshalling starts in `TSS2_RC CommonOneCall(` (line 243, in `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tss/1.1.0+gitAUTOINC+3fb91634e6-r0/git/sysapi/sysapi_util/CommandUtil.c`)
6. Then `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tss/1.1.0+gitAUTOINC+3fb91634e6-r0/git/sysapi/sysapi_util/unmarshal_simple_tpm2b.c`, line 81
7. Then it reaches `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tss/1.1.0+gitAUTOINC+3fb91634e6-r0/git/sysapi/sysapi/Tss2_Sys_Unseal.c`

** THE MODELINE SHOULD BE THE LAST LINE IN THE FILE **

[modeline]: # ( vim: set et ts=2 sw=2 fenc=utf-8 spell spl=en: )