- # 10/2/2018:
- `tpm_sealsecret` creates a persistent object.
- The owner-hierarchy range for persistent objects is `0x81000000 - 0x817fffff`. The full persistent handle range (handle type `0x81`) is `0x81000000 - 0x81ffffff`; the PC Client platform profile reserves the upper half, `0x81800000 - 0x81ffffff`, for the platform hierarchy.
- The object created by the provisioning script for the LUKS volume is the following:
- ```
- 0. Persistent handle: 0x81010002
- {
- Type: 0x8 (TPM_ALG_KEYEDHASH: a sealed data object)
- Hash algorithm(nameAlg): 0xb (TPM_ALG_SHA256)
- Attributes: 0x52 <- 0 1 0 1 0 0 1 0 (TPMA_OBJECT, bit 7 on the left down to bit 0 on the right)
-                     | | | | | | | |
-                     | | | | | | | \_ bit 0: reserved
-                     | | | | | | \___ bit 1: fixedTPM SET (1): The hierarchy of the object, as indicated by its Qualified Name, may not change.
-                     | | | | | \_____ bit 2: stClear CLEAR (0)
-                     | | | | \_______ bit 3: reserved
-                     | | | \_________ bit 4: fixedParent SET (1): The parent of the object may not change.
-                     | | \___________ bit 5: sensitiveDataOrigin CLEAR (0): the sensitive data (the sealed secret) was supplied by the caller, not generated by the TPM, as required for sealed data.
-                     | \_____________ bit 6: userWithAuth SET (1): Approval of USER role actions with this object may be with an HMAC session or with a password using the authValue of the object or a policy session.
-                     \_______________ bit 7: adminWithPolicy CLEAR (0): Approval of ADMIN role actions is not restricted to a policy session.
- 
- 0x52 is 0101 0010, so the SET bits are 1, 4 and 6, not 1, 4 and 7. userWithAuth being SET is what allows TPM2_Unseal (a USER role command) to be authorized with the plain password session (TPM_RS_PW) seen in the trace below; with userWithAuth CLEAR only a policy session would be accepted.
- ```
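- The following decoder is an added example, not the provisioning script's code and not part of the original notes. It decodes a TPMA_OBJECT word into the attribute names defined in Part 2: Structures, rejects reserved bits, and states what authorization TPM2_Unseal (USER role) and ADMIN-role commands will accept for an object with those attributes. The values 0x52 (the real attributes above) and 0x92 (what bits 1, 4 and 7 would give) are used as inputs to show the difference.

```python
# Bit positions of TPMA_OBJECT (TPM 2.0 Library Part 2: Structures); every other bit is reserved.
TPMA_OBJECT_BITS = {
    1: "fixedTPM",
    2: "stClear",
    4: "fixedParent",
    5: "sensitiveDataOrigin",
    6: "userWithAuth",
    7: "adminWithPolicy",
    10: "noDA",
    11: "encryptedDuplication",
    16: "restricted",
    17: "decrypt",
    18: "sign",
}
RESERVED_MASK = ~sum(1 << bit for bit in TPMA_OBJECT_BITS) & 0xFFFFFFFF

PASSWORD_OR_HMAC_OR_POLICY = "password or HMAC session with the object's authValue, or a policy session"
POLICY_ONLY = "policy session only"


def decode_tpma_object(attrs: int) -> list:
    """Names of the SET attributes, lowest bit first. Reserved bits must be zero."""
    if attrs & RESERVED_MASK:
        raise ValueError(f"reserved TPMA_OBJECT bits set in {attrs:#010x}")
    return [name for bit, name in sorted(TPMA_OBJECT_BITS.items()) if (attrs >> bit) & 1]


def unseal_auth_requirements(attrs: int) -> dict:
    """How the USER role (TPM2_Unseal) and the ADMIN role can be authorized for this object.

    userWithAuth SET  -> USER role accepts a password/HMAC session (or a policy session).
    userWithAuth CLEAR -> USER role needs a policy session; a TPM_RS_PW session is refused.
    adminWithPolicy SET -> ADMIN role needs a policy session.
    """
    names = set(decode_tpma_object(attrs))
    return {
        "user_role": PASSWORD_OR_HMAC_OR_POLICY if "userWithAuth" in names else POLICY_ONLY,
        "admin_role": POLICY_ONLY if "adminWithPolicy" in names else PASSWORD_OR_HMAC_OR_POLICY,
        "bound_to_tpm_and_parent": {"fixedTPM", "fixedParent"} <= names,
    }


if __name__ == "__main__":
    for attrs in (0x52, 0x92):   # 0x52: the sealed object above; 0x92: bits 1, 4, 7 for comparison
        print(f"{attrs:#04x}: {decode_tpma_object(attrs)} -> {unseal_auth_requirements(attrs)}")
```

- For 0x52 the USER role line is the important one: a password session with the (empty) authValue is enough, which is exactly the authorization the trace below carries.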
- The command to unseal the object at handle `0x81010002` from Linux userspace (`tpm_unsealsecret`, which drives the `tpm2_unseal` utility with `-H`) is:
- ```sh
- rm -f out && tpm_unsealsecret 0x81010002 out
- ```
- The TPM command causes the following output on the simulator:
- ```sh
- SWTPM_IO_Read: length 27
- 80 02 00 00 00 1B 00 00 01 5E 81 01 00 02 00 00
- 00 09 40 00 00 09 00 00 00 00 00
- SWTPM_NVRAM_StoreData: To name permall
- SWTPM_NVRAM_GetFilenameForName: For name permall
- SWTPM_NVRAM_GetFilenameForName: File name /home/ccopos/PROJECTS/USA-STJ260017/tpmstate/tpm2-00.permall
- SWTPM_NVRAM_StoreData: Opening file /home/ccopos/PROJECTS/USA-STJ260017/tpmstate/tpm2-00.permall
- SWTPM_NVRAM_StoreData: Writing 4522 bytes of data
- SWTPM_NVRAM_StoreData: Closing file /home/ccopos/PROJECTS/USA-STJ260017/tpmstate/tpm2-00.permall
- SWTPM_NVRAM_StoreData: Closed file /home/ccopos/PROJECTS/USA-STJ260017/tpmstate/tpm2-00.permall
- SWTPM_NVRAM_StoreData: rc=0
- SWTPM_IO_Write: length 28
- 80 02 00 00 00 1C 00 00 00 00 00 00 00 09 00 07
- 61 62 63 31 32 33 0A 00 00 01 00 00
- ```
- ## Dissection of the command sent down to the TPM
- The layout of the actual command as displayed by `swtpm`:
- ```
- 80 02 00 00 00 1B 00 00 01 5E 81 01 00 02 00 00 00 09 40 00 00 09 00 00 00 00 00
- ----- ----------- ----------- ----------- ----------- ----------- ----- -- -----
-   |        |           |           |           |           |        |   |    |
-   |        |           |           |           |           |        |   |    \__ hmac.size = 0 (TPM2B_AUTH; EmptyAuth, i.e. no password)
-   |        |           |           |           |           |        |   \_______ sessionAttributes = 0x00 (TPMA_SESSION, UINT8; continueSession CLEAR)
-   |        |           |           |           |           |        \___________ nonce.size = 0 (TPM2B_NONCE; the Empty Buffer)
-   |        |           |           |           |           \____________________ sessionHandle = TPM_RS_PW (0x40000009) **Table 28 — Definition of (TPM_HANDLE) TPM_RH Constants, Part 2: Structures**
-   |        |           |           |           \________________________________ authorizationSize = 9 (UINT32; present only because tag is TPM_ST_SESSIONS; 4 + 2 + 1 + 2 bytes of authorization area follow)
-   |        |           |           \____________________________________________ itemHandle (input value 0x81010002)
-   |        |           \________________________________________________________ commandCode = TPM_CC_Unseal (0x0000015E)
-   |        \____________________________________________________________________ commandSize = 0x1B = 27 bytes (matches SWTPM_IO_Read: length 27)
-   \_____________________________________________________________________________ tag = TPM_ST_SESSIONS (0x8002)
- ```
- Highlights of the command code path:
- 1. The entry point is in `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tools/2.1.0+gitAUTOINC+97306d6dc1-r0/git/tools/tpm2_unseal.c`
- 2. The `main` function is implemented in `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tools/2.1.0+gitAUTOINC+97306d6dc1-r0/git/tools/main.c`, common to all utilities.
- 3. `init` function processes the arguments. We use only `-H` (handle) and no password or context.
- 4. The `init`, `execute_tool`, and `unseal_and_save` fill just a few fields for the marshalled data.
- 5. Both the command part and the authorization part of the marshalled data are filled by `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tss/1.1.0+gitAUTOINC+3fb91634e6-r0/git/sysapi/sysapi/Tss2_Sys_Unseal.c`
- 6. `execute_tool` fills `ctx.sessionData.sessionHandle = TPM_RS_PW; [Line 199: int execute_tool(int argc, char *argv[], char *envp[], common_opts_t *opts, in ../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tools/2.1.0+gitAUTOINC+97306d6dc1-r0/git/tools/tpm2_unseal.c`
- 7. The authorization settings are set by `SYS_CONTEXT->rval = Tss2_Sys_SetCmdAuths( sysContext, cmdAuthsArray ); [256: TSS2_RC CommonOneCall(if - in ../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tss/1.1.0+gitAUTOINC+3fb91634e6-r0/git/sysapi/sysapi_util/CommandUtil.c]`
- 8. `Tss2_Sys_SetCmdAuths` is implemented in `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tss/1.1.0+gitAUTOINC+3fb91634e6-r0/git/sysapi/sysapi/authorizations.c`
- The marshalled data sent down to the TPM for `TPM_CC_Unseal` is defined in **Table 31 of Trusted Platform Module Library, Part 3: Commands**
- ```
- TPMI_ST_COMMAND_TAG tag TPM_ST_SESSIONS
- UINT32 commandSize
- TPM_CC commandCode TPM_CC_Unseal
- TPMI_DH_OBJECT @itemHandle handle of a loaded data object
- Auth Index: 1
- Auth Role: USER
- ```
- The `@` prefix on the last item, `@itemHandle`, indicates that an authorization session is required for use of the entity associated with the handle.
- The values of the above structure are the following:
- ### TPMI_ST_COMMAND_TAG
- Defined in **Table 19 — Definition of (UINT16) TPM_ST Constants <IN/OUT, S>, Part 2: Structures** as 0x8002
- ### commandSize
- `commandSize` is the total size of the command in bytes, header included: header (10) + handle area (4) + authorizationSize field (4) + authorization area (9 here) = 0x1B = 27, matching `SWTPM_IO_Read: length 27`. The authorization part of it gets filled in by `Tss2_Sys_SetCmdAuths`.
- Computation:
- ```
- authSize += sizeof( TPMI_SH_AUTH_SESSION ); // Handle
- authSize += sizeof( UINT16 ) + cmdAuthsArray->cmdAuths[i]->nonce.t.size; // nonce
- authSize += sizeof( UINT8 ); // sessionAttributes
- authSize += sizeof( UINT16 ) + cmdAuthsArray->cmdAuths[i]->hmac.t.size; // hmac
- ```
- Type inference:
- ```
- TPMI_SH_AUTH_SESSION => TPM_HANDLE => UINT32
- TPM2B_NONCE => TPM2B_DIGEST => UINT16 size + BYTE buffer[size]
- TPMA_SESSION => UINT8 (a bit field; the TSS headers wrap it in a union whose scalar member is a UINT8, hence sizeof( UINT8 ) above)
- TPM2B_AUTH => TPM2B_DIGEST => UINT16 size + BYTE buffer[size]
- ```
- ### `TPM_CC_Unseal`
- Defined in **Table 12 — Definition of (UINT32) TPM_CC Constants (Numeric Order) <IN/OUT, S>, Part 2: Structures** as 0x15e
- ### `TPMI_DH_OBJECT` handle
- The handle of the loaded data object to unseal. Here it is the persistent handle `0x81010002` passed with `-H`, marshalled big-endian as `81 01 00 02` (TPMI_DH_OBJECT is a TPM_HANDLE, i.e. a UINT32).
- ### Authorization session data
- The spec indicates that the `TPM_CC_Unseal` command requires an authorization session (the `@` on `itemHandle`, Auth Role: USER).
- The structure of one authorization is defined in **Table 124 — Definition of TPMS_AUTH_COMMAND Structure <IN>, Part 2: Structures**
- ```
- Parameter Type Description
- ------------------------------------------------------------------------------------------------
- sessionHandle TPMI_SH_AUTH_SESSION+ the session handle
- nonce TPM2B_NONCE the session nonce, may be the Empty Buffer
- sessionAttributes TPMA_SESSION the session attributes
- hmac TPM2B_AUTH either an HMAC, a password, or an EmptyAuth
- ```
- `???` (the UINT32 between the handle and the session data) is the authorizationSize field. It is present only when tag is `TPM_ST_SESSIONS` and gives the size in bytes of the authorization area that follows; here 9 = 4 (sessionHandle) + 2 (nonce size) + 1 (sessionAttributes) + 2 (hmac size). It is also filled by `Tss2_Sys_SetCmdAuths` (as is commandSize).
- The following is the exact location that adds it: `rval = CopySessionsDataIn( &otherData, cmdAuthsArray ); [119: TSS2_RC Tss2_Sys_SetCmdAuths(in ../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tss/1.1.0+gitAUTOINC+3fb91634e6-r0/git/sysapi/sysapi/authorizations.c]`
- `CopySessionsDataIn` calls `TSS2_RC CopySessionDataIn( void **otherData, TPMS_AUTH_COMMAND const *sessionData, UINT32 *sessionSizePtr ) [74: // in ../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tss/1.1.0+gitAUTOINC+3fb91634e6-r0/git/sysapi/sysapi_util/CopySessionData.c]`
- ```
- /* Table 44 Definition of TPM_HANDLE TPMI_SH_AUTH_SESSION Type <INOUT> */
- typedef TPM_HANDLE TPMI_SH_AUTH_SESSION;
- ```
- ```
- //
- // Input structure for authorization area(s).
- //
- typedef struct {
- uint8_t cmdAuthsCount;
- TPMS_AUTH_COMMAND **cmdAuths;
- } TSS2_SYS_CMD_AUTHS;
- ```
- ```
- 80 02 00 00 00 1B 00 00 01 5E 81 01 00 02 00 00 00 09 40 00 00 09 00 00 00 00 00
- 
- bytes         | type                  | field             | value / meaning                          | wire encoding
- --------------+-----------------------+-------------------+------------------------------------------+-----------------------------
- 80 02         | TPMI_ST_COMMAND_TAG   | tag               | TPM_ST_SESSIONS                          | UINT16
- 00 00 00 1B   | UINT32                | commandSize       | 27 bytes, the whole command              | UINT32
- 00 00 01 5E   | TPM_CC                | commandCode       | TPM_CC_Unseal                            | UINT32
- 81 01 00 02   | TPMI_DH_OBJECT        | @itemHandle       | handle of a loaded data object           | TPM_HANDLE -> UINT32
-               |                       |                   | Auth Index: 1, Auth Role: USER           |
- 00 00 00 09   | UINT32                | authorizationSize | size of the authorization area (9 bytes) | UINT32 (only with TPM_ST_SESSIONS)
- --- authorization area: one TPMS_AUTH_COMMAND (Table 124) ---
- 40 00 00 09   | TPMI_SH_AUTH_SESSION+ | sessionHandle     | TPM_RS_PW, a password authorization      | TPM_HANDLE -> UINT32
- 00 00         | TPM2B_NONCE           | nonce             | size = 0: the Empty Buffer               | TPM2B_DIGEST (see below)
- 00            | TPMA_SESSION          | sessionAttributes | 0x00: continueSession CLEAR              | UINT8
- 00 00         | TPM2B_AUTH            | hmac              | size = 0: EmptyAuth (no password)        | TPM2B_DIGEST (see below)
- 
- TPM2B_DIGEST:
- +--------------------------------+---------+-----------------------------------------------------+
- | size                           | UINT16  | size in octets of the buffer field; may be 0        |
- +--------------------------------+---------+-----------------------------------------------------+
- | buffer[size]{:sizeof(TPMU_HA)} | BYTE    | the buffer area that can be no larger than a digest |
- +--------------------------------+---------+-----------------------------------------------------+
- ```
- What the trace shows, security-wise: the session is `TPM_RS_PW` with `hmac.size = 0`, i.e. an empty password, and the TPM answered with `TPM_RC_SUCCESS`. The object's authValue is therefore empty, and because `userWithAuth` is SET on it, any process that can open the TPM device can unseal the LUKS secret with this same 27-byte command. Nothing in this exchange is a policy session, so nothing ties the unseal to PCR state.
- ```
- TPMI_SH_AUTH_SESSION
- The TPMI_SH_AUTH_SESSION interface type is TPM-defined values that are used to indicate that the handle refers to an authorization session.
- Table 45 — Definition of (TPM_HANDLE) TPMI_SH_AUTH_SESSION Type <IN/OUT>
- Values                                        Comments
- {HMAC_SESSION_FIRST : HMAC_SESSION_LAST}      range of HMAC authorization session handles
- {POLICY_SESSION_FIRST : POLICY_SESSION_LAST}  range of policy authorization session handles
- +TPM_RS_PW                                    a password authorization
- #TPM_RC_VALUE                                 error returned if the handle is out of range
- ```
- ## Dissection of the response from the TPM
- The response from the TPM is defined in **Table 32 of Trusted Platform Module Library, Part 3: Commands**
- ```
- TPM_ST tag see clause 6
- UINT32 responseSize
- TPM_RC responseCode
- TPM2B_SENSITIVE_DATA outData unsealed data
- Size of outData is limited to be no more than 128 octets
- ```
- The layout of the actual response as displayed by `swtpm` (this trace is from a different unseal run than the one above: the sealed payload differs, hence 31 bytes instead of 28):
- ```
- SWTPM_IO_Write: length 31
- 80 02 00 00 00 1F 00 00 00 00 00 00 00 0C 00 0A 31 64 65 61 64 62 65 65 66 0A 00 00 01 00 00
- ----- ----------- ----------- ----------- ----- ----------------------------- ----- -- -----
-   |        |           |           |        |                |                 |   |    |
-   |        |           |           |        |                |                 |   |    \__ hmac.size = 0 (TPM2B_AUTH; empty for a password session)
-   |        |           |           |        |                |                 |   \_______ sessionAttributes = 0x01 (TPMA_SESSION; continueSession SET)
-   |        |           |           |        |                |                 \___________ nonce.size = 0 (TPM2B_NONCE)  -- these three make up the TPMS_AUTH_RESPONSE for the one session
-   |        |           |           |        |                \_____________________________ TPM2B_SENSITIVE_DATA.buffer ("1deadbeef\n")
-   |        |           |           |        \______________________________________________ TPM2B_SENSITIVE_DATA.size = 0x0A = 10
-   |        |           |           \_______________________________________________________ parameterSize = 0x0C = 12 (UINT32; present only when tag is TPM_ST_SESSIONS; size of the parameter area, 2 + 10 bytes here; defined with the response structure in Part 3: Commands)
-   |        |           \___________________________________________________________________ TPM_RC responseCode = TPM_RC_SUCCESS: typedef UINT32 TPM_RC; [Line 339: // Table 15 - TPM_RC Constants in ../edk2/MdePkg/Include/IndustryStandard/Tpm20.h]
-   |        \_______________________________________________________________________________ UINT32 responseSize = 0x1F = 31 (matches SWTPM_IO_Write: length 31)
-   \________________________________________________________________________________________ TPM_ST tag = TPM_ST_SESSIONS, see clause 6
- ```
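- The dissector below is an added example and is not code from the tpm2-tools, the TSS or these notes. It parses a TPM2_Unseal command frame (header, @itemHandle, authorizationSize, one TPMS_AUTH_COMMAND per session) and the matching response frame (header, parameterSize, TPM2B_SENSITIVE_DATA outData, one TPMS_AUTH_RESPONSE per session) exactly as dissected in the two sections above, checks the size fields against each other, and flags the case where the USER-role authorization is a TPM_RS_PW session with an EmptyAuth. The three frames embedded at the bottom are the ones from the swtpm traces on this page; the constants are the spec values quoted in the notes.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

TPM_ST_SESSIONS = 0x8002              # Part 2, TPM_ST constants
TPM_CC_Unseal = 0x0000015E            # Part 2, TPM_CC constants
TPM_RS_PW = 0x40000009                # Part 2, TPM_RH constants: password session
TPM_RC_SUCCESS = 0x00000000
TPMA_SESSION_continueSession = 0x01   # bit 0 of TPMA_SESSION (a UINT8 on the wire)
UNSEAL_MAX_OUTDATA = 128              # Part 3, Table 32: outData is at most 128 octets

@dataclass
class AuthArea:                       # TPMS_AUTH_COMMAND (with handle) / TPMS_AUTH_RESPONSE (without)
    session_handle: int | None
    nonce: bytes
    session_attributes: int
    hmac: bytes

@dataclass
class UnsealCommand:
    tag: int
    item_handle: int
    authorization_size: int
    auths: list[AuthArea]

@dataclass
class UnsealResponse:
    tag: int
    response_code: int
    parameter_size: int | None
    out_data: bytes
    auths: list[AuthArea]

def _tpm2b(buf: bytes, off: int) -> tuple[bytes, int]:
    """Parse a TPM2B_*: UINT16 size, then size bytes. Truncated frames raise struct.error."""
    (size,) = struct.unpack_from(">H", buf, off)
    if off + 2 + size > len(buf):
        raise ValueError("TPM2B size runs past the end of the frame")
    return buf[off + 2:off + 2 + size], off + 2 + size

def _auth_area(buf: bytes, off: int, with_handle: bool) -> tuple[AuthArea, int]:
    handle = None
    if with_handle:                                   # TPMI_SH_AUTH_SESSION (request side only)
        (handle,) = struct.unpack_from(">I", buf, off)
        off += 4
    nonce, off = _tpm2b(buf, off)                     # TPM2B_NONCE
    (attrs,) = struct.unpack_from(">B", buf, off)     # TPMA_SESSION
    hmac, off = _tpm2b(buf, off + 1)                  # TPM2B_AUTH
    return AuthArea(handle, nonce, attrs, hmac), off

def parse_unseal_command(frame: bytes) -> UnsealCommand:
    # tag, commandSize, commandCode, @itemHandle, authorizationSize: 2 + 4 + 4 + 4 + 4 bytes.
    # @itemHandle makes a session mandatory, so the tag must be TPM_ST_SESSIONS.
    tag, size, cc, handle, auth_size = struct.unpack_from(">HIIII", frame, 0)
    if size != len(frame) or tag != TPM_ST_SESSIONS or cc != TPM_CC_Unseal:
        raise ValueError(f"not a TPM2_Unseal with sessions: tag {tag:#x} size {size} cc {cc:#x}")
    if 18 + auth_size != len(frame):                  # Unseal has no parameter area
        raise ValueError("authorizationSize does not cover the rest of the frame")
    off, auths = 18, []
    while off < len(frame):
        auth, off = _auth_area(frame, off, with_handle=True)
        auths.append(auth)
    return UnsealCommand(tag, handle, auth_size, auths)

def parse_unseal_response(frame: bytes) -> UnsealResponse:
    tag, size, rc = struct.unpack_from(">HII", frame, 0)   # tag, responseSize, responseCode
    if size != len(frame):
        raise ValueError(f"responseSize {size} != frame length {len(frame)}")
    if rc != TPM_RC_SUCCESS:          # a failing response is TPM_ST_NO_SESSIONS and header only
        return UnsealResponse(tag, rc, None, b"", [])
    if tag != TPM_ST_SESSIONS:
        raise ValueError(f"success response without a session area: tag {tag:#x}")
    (param_size,) = struct.unpack_from(">I", frame, 10)    # parameterSize, only with TPM_ST_SESSIONS
    out_data, off = _tpm2b(frame, 14)                      # TPM2B_SENSITIVE_DATA outData
    if off != 14 + param_size or len(out_data) > UNSEAL_MAX_OUTDATA:
        raise ValueError("parameter area inconsistent with parameterSize or over 128 octets")
    auths = []
    while off < len(frame):                                # one TPMS_AUTH_RESPONSE per session
        auth, off = _auth_area(frame, off, with_handle=False)
        auths.append(auth)
    return UnsealResponse(tag, rc, param_size, out_data, auths)

def uses_empty_password(cmd: UnsealCommand) -> bool:
    """True when the USER-role auth is a TPM_RS_PW session carrying an EmptyAuth:
    the unseal then needs no secret from the caller, only access to the TPM device."""
    return any(a.session_handle == TPM_RS_PW and not a.hmac for a in cmd.auths)

# Frames copied from the swtpm traces on this page (first response: the earlier run; second: this one).
CMD_FRAME = bytes.fromhex("80 02 00 00 00 1B 00 00 01 5E 81 01 00 02 00 00 00 09 40 00 00 09 00 00 00 00 00")
RSP_FRAME_1 = bytes.fromhex("80 02 00 00 00 1C 00 00 00 00 00 00 00 09 00 07 61 62 63 31 32 33 0A 00 00 01 00 00")
RSP_FRAME_2 = bytes.fromhex("80 02 00 00 00 1F 00 00 00 00 00 00 00 0C 00 0A 31 64 65 61 64 62 65 65 66 0A 00 00 01 00 00")

if __name__ == "__main__":
    cmd = parse_unseal_command(CMD_FRAME)
    print(cmd, "empty password:", uses_empty_password(cmd))
    print(parse_unseal_response(RSP_FRAME_1))
    print(parse_unseal_response(RSP_FRAME_2))
```

- The two size checks are the ones worth keeping in any real decoder: authorizationSize must end exactly at commandSize for a command with no parameters, and parameterSize must end exactly where outData ends; a frame that fails either is malformed even if every field on its own looks plausible.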
- Highlights of the response code path.
- (1-4) are common with the command code path.
- 1. The entry point in `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tools/2.1.0+gitAUTOINC+97306d6dc1-r0/git/tools/tpm2_unseal.c`
- 2. The `main` function is in `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tools/2.1.0+gitAUTOINC+97306d6dc1-r0/git/tools/main.c`, common to all utilities.
- 3. `init` processes the arguments. We use only `-H` (handle) and no password or context.
- 4. The `init`, `execute_tool`, and `unseal_and_save` fill just a few fields for the marshalled data.
- 5. Un-marshalling starts in `TSS2_RC CommonOneCall( [243: TSS2_RC CommonOneCall( in ../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tss/1.1.0+gitAUTOINC+3fb91634e6-r0/git/sysapi/sysapi_util/CommandUtil.c`
- 6. Then `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tss/1.1.0+gitAUTOINC+3fb91634e6-r0/git/sysapi/sysapi_util/unmarshal_simple_tpm2b.c` line 81
- 7. Then reaches `../DEVEL/build/tmp-glibc/work/core2-64-wrs-linux/tpm2.0-tss/1.1.0+gitAUTOINC+3fb91634e6-r0/git/sysapi/sysapi/Tss2_Sys_Unseal.c`
- ** THE MODELINE SHOULD BE THE LAST LINE IN THE FILE **
- [modeline]: # ( vim: set et ts=2 sw=2 fenc=utf-8 spell spl=en: )