
Commit 5bb979c

committed
tpm2: Make it possible to customize the name algorithm for TPM sealed keys
This is accomplished by adding the new field 'NameAlg' to the structure 'ProtectKeyParams'. This means callers of these external APIs will need to fill in the new field (affected tests): - NewExternalTPMProtectedKey (platform_test.go) - NewTPMProtectedKey (seal_test.go, update_test.go, platform_test.go) - NewTPMPassphraseProtectedKey (platform_test.go) Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
1 parent 191696d commit 5bb979c

4 files changed

Lines changed: 75 additions & 19 deletions


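--- a/tpm2/platform_test.go
+++ b/tpm2/platform_test.go
@@ -77,6 +77,7 @@ func (s *platformSuite) TestRecoverKeysIntegrated(c *C) {
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
 PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
 Role: "foo",
+NameAlg: tpm2.HashAlgorithmSHA256,
 }
 
 k, primaryKey, unlockKey, err := NewTPMProtectedKey(s.TPM(), params)
@@ -95,6 +96,7 @@ func (s *platformSuite) TestRecoverKeysWithPassphraseIntegrated(c *C) {
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
 PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
 Role: "bar",
+NameAlg: tpm2.HashAlgorithmSHA256,
 }
 
 passphraseParams := &PassphraseProtectKeyParams{
@@ -117,6 +119,7 @@ func (s *platformSuite) TestRecoverKeysWithPassphraseIntegratedPBKDF2(c *C) {
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
 PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
 Role: "foo",
+NameAlg: tpm2.HashAlgorithmSHA256,
 }
 
 passphraseParams := &PassphraseProtectKeyParams{
@@ -143,6 +146,7 @@ func (s *platformSuite) TestRecoverKeysWithBadPassphraseIntegrated(c *C) {
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
 PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
 Role: "foo",
+NameAlg: tpm2.HashAlgorithmSHA256,
 }
 
 passphraseParams := &PassphraseProtectKeyParams{
@@ -163,6 +167,7 @@ func (s *platformSuite) TestChangePassphraseIntegrated(c *C) {
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
 PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
 Role: "foo",
+NameAlg: tpm2.HashAlgorithmSHA256,
 }
 
 passphraseParams := &PassphraseProtectKeyParams{
@@ -187,6 +192,7 @@ func (s *platformSuite) TestChangePassphraseWithBadPassphraseIntegrated(c *C) {
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
 PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
 Role: "foo",
+NameAlg: tpm2.HashAlgorithmSHA256,
 }
 
 passphraseParams := &PassphraseProtectKeyParams{
@@ -255,13 +261,15 @@ func (s *platformSuite) TestRecoverKeysSimplePCRProfile(c *C) {
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
 PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
 Role: "foo",
+NameAlg: tpm2.HashAlgorithmSHA256,
 })
 }
 
 func (s *platformSuite) TestRecoverKeysNilPCRProfile(c *C) {
 s.testRecoverKeys(c, &ProtectKeyParams{
 PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
 Role: "foo",
+NameAlg: tpm2.HashAlgorithmSHA256,
 })
 }
 
@@ -270,6 +278,7 @@ func (s *platformSuite) TestRecoverKeysNoPCRPolicyCounter(c *C) {
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
 PCRPolicyCounterHandle: tpm2.HandleNull,
 Role: "foo",
+NameAlg: tpm2.HashAlgorithmSHA256,
 })
 }
 
@@ -278,6 +287,7 @@ func (s *platformSuite) TestRecoverKeysDifferentRole(c *C) {
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
 PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
 Role: "bar",
+NameAlg: tpm2.HashAlgorithmSHA256,
 })
 }
 
@@ -289,6 +299,7 @@ func (s *platformSuite) TestRecoverKeysTPMLockout(c *C) {
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
 PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
 Role: "",
+NameAlg: tpm2.HashAlgorithmSHA256,
 })
 }
 
@@ -297,6 +308,7 @@ func (s *platformSuite) testRecoverKeysNoValidSRK(c *C, prepareSrk func()) {
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
 PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
 Role: "foo",
+NameAlg: tpm2.HashAlgorithmSHA256,
 }
 
 k, primaryKey, unlockKey, err := NewTPMProtectedKey(s.TPM(), params)
@@ -387,13 +399,15 @@ func (s *platformSuite) testRecoverKeysImportable(c *C, params *ProtectKeyParams
 func (s *platformSuite) TestRecoverKeysImportableSimplePCRProfile(c *C) {
 s.testRecoverKeysImportable(c, &ProtectKeyParams{
 PCRProfile: tpm2test.NewResolvedPCRProfileFromCurrentValues(c, s.TPM().TPMContext, tpm2.HashAlgorithmSHA256, []int{7}),
-PCRPolicyCounterHandle: tpm2.HandleNull})
+PCRPolicyCounterHandle: tpm2.HandleNull,
+NameAlg: tpm2.HashAlgorithmSHA256})
 }
 
 func (s *platformSuite) TestRecoverKeysImportableNilPCRProfile(c *C) {
 s.testRecoverKeysImportable(c, &ProtectKeyParams{
 PCRPolicyCounterHandle: tpm2.HandleNull,
-Role: ""})
+Role: "",
+NameAlg: tpm2.HashAlgorithmSHA256})
 }
 
 func (s *platformSuite) TestRecoverKeysNoTPMConnection(c *C) {
@@ -404,6 +418,7 @@ func (s *platformSuite) TestRecoverKeysNoTPMConnection(c *C) {
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
 PCRPolicyCounterHandle: tpm2.HandleNull,
 Role: "",
+NameAlg: tpm2.HashAlgorithmSHA256,
 })
 c.Check(err, IsNil)
 
@@ -431,7 +446,8 @@ func (s *platformSuite) testRecoverKeysUnsealErrorHandling(c *C, prepare func(*s
 params := &ProtectKeyParams{
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7, 23}),
 PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
-Role: "foo"}
+Role: "foo",
+NameAlg: tpm2.HashAlgorithmSHA256}
 
 k, primaryKey, _, err := NewTPMProtectedKey(s.TPM(), params)
 c.Assert(err, IsNil)
@@ -581,6 +597,7 @@ func (s *platformSuite) TestRecoverKeysWithAuthKey(c *C) {
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
 PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
 Role: "foo",
+NameAlg: tpm2.HashAlgorithmSHA256,
 }
 
 k, primaryKey, unlockKey, err := NewTPMProtectedKey(s.TPM(), params)
@@ -671,6 +688,7 @@ func (s *platformSuite) TestRecoverKeysWithIncorrectAuthKey(c *C) {
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
 PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
 Role: "",
+NameAlg: tpm2.HashAlgorithmSHA256,
 }
 
 k, _, _, err := NewTPMProtectedKey(s.TPM(), params)
@@ -754,6 +772,7 @@ func (s *platformSuite) TestChangeAuthKeyWithIncorrectAuthKey(c *C) {
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
 PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
 Role: "",
+NameAlg: tpm2.HashAlgorithmSHA256,
 }
 
 k, _, _, err := NewTPMProtectedKey(s.TPM(), params)
@@ -839,6 +858,7 @@ func (s *platformSuite) TestRecoverKeysWithAuthKeyTPMLockout(c *C) {
 PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
 PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
 Role: "",
+NameAlg: tpm2.HashAlgorithmSHA256,
 }
 
 k, _, _, err := NewTPMProtectedKey(s.TPM(), params)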
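Review bot: Every `ProtectKeyParams` literal touched in this file sets `NameAlg: tpm2.HashAlgorithmSHA256`, the value that was previously hard-coded, so none of these tests exercises the new customization. A case that seals and recovers with another algorithm, for example `NameAlg: tpm2.HashAlgorithmSHA384`, and one that leaves the field unset and asserts the expected error, would cover the behaviour this commit introduces. Such tests may exist in the other changed files, which are not shown here.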

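--- a/tpm2/seal.go
+++ b/tpm2/seal.go
@@ -59,6 +59,8 @@ type ProtectKeyParams struct {
 PCRPolicyCounterHandle tpm2.Handle
 
 PrimaryKey secboot.PrimaryKey
+
+NameAlg tpm2.HashAlgorithmId
 }
 
 type PassphraseProtectKeyParams struct {
@@ -102,6 +104,7 @@ type makeSealedKeyDataParams struct {
 PcrPolicyCounterHandle tpm2.Handle
 PrimaryKey secboot.PrimaryKey
 AuthMode secboot.AuthMode
+NameAlg tpm2.HashAlgorithmId
 }
 
 // makeSealedKeyData makes a sealed key data using the supplied parameters, keySealer implementation,
@@ -146,10 +149,9 @@ var makeSealedKeyData = func(tpm *tpm2.TPMContext, params *makeSealedKeyDataPara
 }
 
 // Create the initial policy data.
-nameAlg := tpm2.HashAlgorithmSHA256
 requireAuthValue := params.AuthMode != secboot.AuthModeNone
 
-policyData, authPolicyDigest, err := newKeyDataPolicy(nameAlg, authPublicKey, params.Role, pcrPolicyCounterPub, requireAuthValue)
+policyData, authPolicyDigest, err := newKeyDataPolicy(params.NameAlg, authPublicKey, params.Role, pcrPolicyCounterPub, requireAuthValue)
 if err != nil {
 return nil, nil, nil, xerrors.Errorf("cannot create initial policy data: %w", err)
 }
@@ -163,7 +165,7 @@ var makeSealedKeyData = func(tpm *tpm2.TPMContext, params *makeSealedKeyDataPara
 // Seal the symmetric key and nonce. The final boolean argument is set to true in order
 // to disable dictionary attack protection (ie, adding the noDA attribute). We want this
 // when no user auth value is required.
-priv, pub, importSymSeed, err := sealer.CreateSealedObject(symKey[:], nameAlg, authPolicyDigest, !requireAuthValue)
+priv, pub, importSymSeed, err := sealer.CreateSealedObject(symKey[:], params.NameAlg, authPolicyDigest, !requireAuthValue)
 if err != nil {
 return nil, nil, nil, err
 }
@@ -253,6 +255,7 @@ func NewExternalTPMProtectedKey(tpmKey *tpm2.Public, params *ProtectKeyParams) (
 AuthMode: secboot.AuthModeNone,
 Role: params.Role,
 PcrProfile: params.PCRProfile,
+NameAlg: params.NameAlg,
 }, sealer, makeKeyDataNoAuth, nil)
 }
 
@@ -291,6 +294,7 @@ func NewTPMProtectedKey(tpm *Connection, params *ProtectKeyParams) (protectedKey
 PcrPolicyCounterHandle: params.PCRPolicyCounterHandle,
 PrimaryKey: params.PrimaryKey,
 AuthMode: secboot.AuthModeNone,
+NameAlg: params.NameAlg,
 }, sealer, makeKeyDataNoAuth, tpm.HmacSession())
 }
 
@@ -308,5 +312,6 @@ func NewTPMPassphraseProtectedKey(tpm *Connection, params *PassphraseProtectKeyP
 AuthMode: secboot.AuthModePassphrase,
 Role: params.Role,
 PcrProfile: params.PCRProfile,
+NameAlg: params.NameAlg,
 }, sealer, makeKeyDataWithPassphraseConstructor(tpm, params.KDFOptions, passphrase), tpm.HmacSession())
 }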
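Review bot: In makeSealedKeyData, `params.NameAlg` is passed to `newKeyDataPolicy` and `sealer.CreateSealedObject` with no validation, so a caller that leaves the new `ProtectKeyParams.NameAlg` field unset now supplies the zero value of `tpm2.HashAlgorithmId` where SHA-256 used to be hard-coded. Whether either callee rejects that value is not visible in these hunks (the function body starts and ends outside them), so I would add an explicit guard before the policy is created, `if !params.NameAlg.IsValid() { return nil, nil, nil, xerrors.New("invalid name algorithm") }`, or fall back to `tpm2.HashAlgorithmSHA256` when the field is unset to keep existing callers working. Because the chosen algorithm is used for both the policy data and the sealed object, it is also worth deciding whether digests weaker than SHA-256 should be refused here. The new field has no doc comment; something like `// NameAlg is the digest algorithm used for the sealed object and its authorization policy.` would tell callers that it is now required.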
