system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-07-22 02:34:54 +00:00
Code Issues Actions 5 Packages Projects Releases Wiki Activity

Merge pull request #26357 from ddstreet/tpm2_policy_session

Browse source 
Tpm2 policy session
This commit is contained in:
Luca Boccassi 2023-05-06 17:02:26 +01:00 committed by GitHub
parent 9dfed0d4cc 2cd9d57548
commit 3be6943e07
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 130 additions and 88 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

217
src/shared/tpm2-util.c
View file

@ -52,6 +52,7 @@ TSS2_RC (*sym_Esys_PolicyPCR)(ESYS_CONTEXT *esysContext, ESYS_TR policySession,
TSS2_RC (*sym_Esys_ReadPublic)(ESYS_CONTEXT *esysContext, ESYS_TR objectHandle, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3, TPM2B_PUBLIC **outPublic, TPM2B_NAME **name, TPM2B_NAME **qualifiedName);
TSS2_RC (*sym_Esys_StartAuthSession)(ESYS_CONTEXT *esysContext, ESYS_TR tpmKey, ESYS_TR bind, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3, const TPM2B_NONCE *nonceCaller, TPM2_SE sessionType, const TPMT_SYM_DEF *symmetric, TPMI_ALG_HASH authHash, ESYS_TR *sessionHandle) = NULL;
TSS2_RC (*sym_Esys_Startup)(ESYS_CONTEXT *esysContext, TPM2_SU startupType) = NULL;
TSS2_RC (*sym_Esys_TRSess_GetAttributes)(ESYS_CONTEXT *esysContext, ESYS_TR session, TPMA_SESSION *flags);
TSS2_RC (*sym_Esys_TRSess_SetAttributes)(ESYS_CONTEXT *esysContext, ESYS_TR session, TPMA_SESSION flags, TPMA_SESSION mask);
TSS2_RC (*sym_Esys_TR_GetName)(ESYS_CONTEXT *esysContext, ESYS_TR handle, TPM2B_NAME **name);
TSS2_RC (*sym_Esys_TR_Deserialize)(ESYS_CONTEXT *esys_context, uint8_t const *buffer, size_t buffer_size, ESYS_TR *esys_handle);
@ -93,6 +94,7 @@ int dlopen_tpm2(void) {
DLSYM_ARG(Esys_ReadPublic),
DLSYM_ARG(Esys_StartAuthSession),
DLSYM_ARG(Esys_Startup),
DLSYM_ARG(Esys_TRSess_GetAttributes),
DLSYM_ARG(Esys_TRSess_SetAttributes),
DLSYM_ARG(Esys_TR_FromTPMPublic),
DLSYM_ARG(Esys_TR_GetName),
@ -1393,6 +1395,20 @@ static void hash_pin(const char *pin, size_t len, TPM2B_AUTH *auth) {
sha256_finish_ctx(&hash, auth->buffer);
}
static bool tpm2_is_encryption_session(Tpm2Context *c, const Tpm2Handle *session) {
TPMA_SESSION flags = 0;
TSS2_RC rc;
assert(c);
assert(session);
rc = sym_Esys_TRSess_GetAttributes(c->esys_context, session->esys_handle, &flags);
if (rc != TSS2_RC_SUCCESS)
return false;
return (flags & TPMA_SESSION_DECRYPT) && (flags & TPMA_SESSION_ENCRYPT);
}
static int tpm2_make_encryption_session(
Tpm2Context *c,
const Tpm2Handle *primary,
@ -1476,6 +1492,59 @@ static int tpm2_make_encryption_session(
return 0;
}
static int tpm2_make_policy_session(
Tpm2Context *c,
const Tpm2Handle *primary,
const Tpm2Handle *encryption_session,
bool trial,
Tpm2Handle **ret_session) {
static const TPMT_SYM_DEF symmetric = {
.algorithm = TPM2_ALG_AES,
.keyBits.aes = 128,
.mode.aes = TPM2_ALG_CFB,
};
TPM2_SE session_type = trial ? TPM2_SE_TRIAL : TPM2_SE_POLICY;
TSS2_RC rc;
int r;
assert(c);
assert(primary);
assert(encryption_session);
assert(ret_session);
if (!tpm2_is_encryption_session(c, encryption_session))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Missing encryption session");
log_debug("Starting policy session.");
_cleanup_tpm2_handle_ Tpm2Handle *session = NULL;
r = tpm2_handle_new(c, &session);
if (r < 0)
return r;
rc = sym_Esys_StartAuthSession(
c->esys_context,
primary->esys_handle,
ESYS_TR_NONE,
encryption_session->esys_handle,
ESYS_TR_NONE,
ESYS_TR_NONE,
NULL,
session_type,
&symmetric,
TPM2_ALG_SHA256,
&session->esys_handle);
if (rc != TSS2_RC_SUCCESS)
return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to open session in TPM: %s", sym_Tss2_RC_Decode(rc));
*ret_session = TAKE_PTR(session);
return 0;
}
static int openssl_pubkey_to_tpm2_pubkey(
const void *pubkey,
size_t pubkey_size,
@ -1693,87 +1762,36 @@ static int find_signature(
#endif
}
static int tpm2_make_policy_session(
static int tpm2_build_sealing_policy(
Tpm2Context *c,
const Tpm2Handle *primary,
const Tpm2Handle *parent_session,
TPM2_SE session_type,
const Tpm2Handle *session,
uint32_t hash_pcr_mask,
uint16_t pcr_bank, /* If UINT16_MAX, pick best bank automatically, otherwise specify bank explicitly. */
uint16_t pcr_bank,
const void *pubkey,
size_t pubkey_size,
uint32_t pubkey_pcr_mask,
JsonVariant *signature_json,
bool use_pin,
Tpm2Handle **ret_session,
TPM2B_DIGEST **ret_policy_digest,
TPMI_ALG_HASH *ret_pcr_bank) {
TPM2B_DIGEST **ret_policy_digest) {
static const TPMT_SYM_DEF symmetric = {
.algorithm = TPM2_ALG_AES,
.keyBits.aes = 128,
.mode.aes = TPM2_ALG_CFB,
};
TSS2_RC rc;
int r;
assert(c);
assert(session);
assert(pubkey || pubkey_size == 0);
assert(pubkey_pcr_mask == 0 || pubkey_size > 0);
log_debug("Starting authentication session.");
/* So apparently some TPM implementations don't implement trial mode correctly. To avoid issues let's
* avoid it when it is easy to. At the moment we only really need trial mode for the signed PCR
* policies (since only then we need to shove PCR values into the policy that don't match current
* state anyway), hence if we have none of those we don't need to bother. Hence, let's patch in
* TPM2_SE_POLICY even if trial mode is requested unless a pubkey PCR mask is specified that is
* non-zero, i.e. signed PCR policy is requested.
*
* One day we should switch to calculating policy hashes client side when trial mode is requested, to
* avoid this mess. */
if (session_type == TPM2_SE_TRIAL && pubkey_pcr_mask == 0)
session_type = TPM2_SE_POLICY;
log_debug("Building sealing policy.");
if ((hash_pcr_mask | pubkey_pcr_mask) != 0) {
/* We are told to configure a PCR policy of some form, let's determine/validate the PCR bank to use. */
if (pcr_bank != UINT16_MAX) {
r = tpm2_pcr_mask_good(c, pcr_bank, hash_pcr_mask|pubkey_pcr_mask);
if (r < 0)
return r;
if (r == 0)
log_warning("Selected TPM2 PCRs are not initialized on this system, most likely due to a firmware issue. PCR policy is effectively not enforced. Proceeding anyway.");
} else {
/* No bank configured, pick automatically. Some TPM2 devices only can do SHA1. If we
* detect that use that, but preferably use SHA256 */
r = tpm2_get_best_pcr_bank(c, hash_pcr_mask|pubkey_pcr_mask, &pcr_bank);
if (r < 0)
return r;
}
r = tpm2_pcr_mask_good(c, pcr_bank, hash_pcr_mask|pubkey_pcr_mask);
if (r < 0)
return r;
if (r == 0)
log_warning("Selected TPM2 PCRs are not initialized on this system.");
}
_cleanup_tpm2_handle_ Tpm2Handle *session = NULL;
r = tpm2_handle_new(c, &session);
if (r < 0)
return r;
rc = sym_Esys_StartAuthSession(
c->esys_context,
primary->esys_handle,
ESYS_TR_NONE,
parent_session->esys_handle,
ESYS_TR_NONE,
ESYS_TR_NONE,
NULL,
session_type,
&symmetric,
TPM2_ALG_SHA256,
&session->esys_handle);
if (rc != TSS2_RC_SUCCESS)
return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to open session in TPM: %s", sym_Tss2_RC_Decode(rc));
if (pubkey_pcr_mask != 0) {
_cleanup_free_ void *fp = NULL;
size_t fp_size = 0;
@ -1954,12 +1972,6 @@ static int tpm2_make_policy_session(
if (r < 0)
return r;
if (ret_session)
*ret_session = TAKE_PTR(session);
if (ret_pcr_bank)
*ret_pcr_bank = pcr_bank;
return 0;
}
@ -2032,33 +2044,57 @@ int tpm2_seal(const char *device,
if (r < 0)
return r;
TPMI_ALG_HASH pcr_bank = 0;
if (hash_pcr_mask | pubkey_pcr_mask) {
/* Some TPM2 devices only can do SHA1. Prefer SHA256 but allow SHA1. */
r = tpm2_get_best_pcr_bank(c, hash_pcr_mask|pubkey_pcr_mask, &pcr_bank);
if (r < 0)
return r;
}
_cleanup_tpm2_handle_ Tpm2Handle *primary = NULL;
r = tpm2_make_primary(c, /* alg = */0, !!ret_srk_buf, &primary_alg, &primary);
if (r < 0)
return r;
/* we cannot use the bind key before its created */
_cleanup_tpm2_handle_ Tpm2Handle *session = NULL;
r = tpm2_make_encryption_session(c, primary, &TPM2_HANDLE_NONE, NULL, &session);
_cleanup_tpm2_handle_ Tpm2Handle *encryption_session = NULL;
r = tpm2_make_encryption_session(c, primary, &TPM2_HANDLE_NONE, NULL, &encryption_session);
if (r < 0)
return r;
/* So apparently some TPM implementations don't implement trial mode correctly. To avoid issues let's
* avoid it when it is easy to. At the moment we only really need trial mode for the signed PCR
* policies (since only then we need to shove PCR values into the policy that don't match current
* state anyway), hence if we have none of those we don't need to bother. Hence, let's patch in
* TPM2_SE_POLICY even if trial mode is requested unless a pubkey PCR mask is specified that is
* non-zero, i.e. signed PCR policy is requested.
*
* One day we should switch to calculating policy hashes client side when trial mode is requested, to
* avoid this mess. */
bool trial = (pubkey_pcr_mask != 0);
_cleanup_tpm2_handle_ Tpm2Handle *policy_session = NULL;
r = tpm2_make_policy_session(
c,
primary,
encryption_session,
trial,
&policy_session);
if (r < 0)
return r;
_cleanup_(Esys_Freep) TPM2B_DIGEST *policy_digest = NULL;
TPMI_ALG_HASH pcr_bank;
r = tpm2_make_policy_session(
r = tpm2_build_sealing_policy(
c,
primary,
session,
TPM2_SE_TRIAL,
policy_session,
hash_pcr_mask,
/* pcr_bank= */ UINT16_MAX,
pcr_bank,
pubkey, pubkey_size,
pubkey_pcr_mask,
/* signature_json= */ NULL,
!!pin,
/* ret_session= */ NULL,
&policy_digest,
&pcr_bank);
&policy_digest);
if (r < 0)
return r;
@ -2099,7 +2135,7 @@ int tpm2_seal(const char *device,
rc = sym_Esys_Create(
c->esys_context,
primary->esys_handle,
session->esys_handle, /* use HMAC session to enable parameter encryption */
encryption_session->esys_handle, /* use HMAC session to enable parameter encryption */
ESYS_TR_NONE,
ESYS_TR_NONE,
&hmac_sensitive,
@ -2317,8 +2353,8 @@ int tpm2_unseal(const char *device,
sym_Tss2_RC_Decode(rc));
}
_cleanup_tpm2_handle_ Tpm2Handle *hmac_session = NULL;
r = tpm2_make_encryption_session(c, primary, hmac_key, pin, &hmac_session);
_cleanup_tpm2_handle_ Tpm2Handle *encryption_session = NULL;
r = tpm2_make_encryption_session(c, primary, hmac_key, pin, &encryption_session);
if (r < 0)
return r;
@ -2328,17 +2364,22 @@ int tpm2_unseal(const char *device,
r = tpm2_make_policy_session(
c,
primary,
hmac_session,
TPM2_SE_POLICY,
encryption_session,
/* trial= */ false,
&policy_session);
if (r < 0)
return r;
r = tpm2_build_sealing_policy(
c,
policy_session,
hash_pcr_mask,
pcr_bank,
pubkey, pubkey_size,
pubkey_pcr_mask,
signature,
!!pin,
&policy_session,
&policy_digest,
/* ret_pcr_bank= */ NULL);
&policy_digest);
if (r < 0)
return r;
@ -2356,7 +2397,7 @@ int tpm2_unseal(const char *device,
c->esys_context,
hmac_key->esys_handle,
policy_session->esys_handle,
hmac_session->esys_handle, /* use HMAC session to enable parameter encryption */
encryption_session->esys_handle, /* use HMAC session to enable parameter encryption */
ESYS_TR_NONE,
&unsealed);
if (rc == TSS2_RC_SUCCESS)

1
src/shared/tpm2-util.h
View file

@ -56,6 +56,7 @@ extern TSS2_RC (*sym_Esys_PolicyGetDigest)(ESYS_CONTEXT *esysContext, ESYS_TR po
extern TSS2_RC (*sym_Esys_PolicyPCR)(ESYS_CONTEXT *esysContext, ESYS_TR policySession, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3, const TPM2B_DIGEST *pcrDigest, const TPML_PCR_SELECTION *pcrs);
extern TSS2_RC (*sym_Esys_StartAuthSession)(ESYS_CONTEXT *esysContext, ESYS_TR tpmKey, ESYS_TR bind, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3, const TPM2B_NONCE *nonceCaller, TPM2_SE sessionType, const TPMT_SYM_DEF *symmetric, TPMI_ALG_HASH authHash, ESYS_TR *sessionHandle);
extern TSS2_RC (*sym_Esys_Startup)(ESYS_CONTEXT *esysContext, TPM2_SU startupType);
extern TSS2_RC (*sym_Esys_TRSess_GetAttributes)(ESYS_CONTEXT *esysContext, ESYS_TR session, TPMA_SESSION *flags);
extern TSS2_RC (*sym_Esys_TRSess_SetAttributes)(ESYS_CONTEXT *esysContext, ESYS_TR session, TPMA_SESSION flags, TPMA_SESSION mask);
extern TSS2_RC (*sym_Esys_TR_GetName)(ESYS_CONTEXT *esysContext, ESYS_TR handle, TPM2B_NAME **name);
extern TSS2_RC (*sym_Esys_TR_SetAuth)(ESYS_CONTEXT *esysContext, ESYS_TR handle, TPM2B_AUTH const *authValue);