Add a menu item to create an SRK with the handle 0x81000001 per the Infrastructure Work Group specification
TCG TPM v2.0 Provisioning Guidance; Version 1.0, Rev 1.0, March 15, 2017
https://trustedcomputinggroup.org/tcg-tpm-v2-0-provisioning-guidance/
For the creation flags to set on the SRK we follow the above spec Section 7.5.1 "Storage Primary Key (SRK) Templates" and, for the EK created by the existing code, the following spec
TCG EK Credential Profile For TPM Family 2.0; Level 0; Rev 14, Nov. 4 2014
https://trustedcomputinggroup.org/tcg-ek-credential-profile-tpm-family-2-0/
Signed-off-by: Stefan Berger stefanb@linux.vnet.ibm.com --- src/std/tcg.h | 3 ++- src/tcgbios.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+), 1 deletion(-)
diff --git a/src/std/tcg.h b/src/std/tcg.h index beecd1f..19dab64 100644 --- a/src/std/tcg.h +++ b/src/std/tcg.h @@ -599,7 +599,7 @@ struct pcctes_romex #define TPM_STATE_OWNERINSTALL 8
#define TPM2_STATE_CREATE_EK 1 -#define TPM2_STATE_CREATE_PSK 2 +#define TPM2_STATE_CREATE_SPK 2
#define TPM_PPI_OP_NOOP 0 #define TPM_PPI_OP_ENABLE 1 @@ -612,5 +612,6 @@ struct pcctes_romex
/* additional operations */ #define TPM_PPI_EXT_OP_CREATE_EK (0xe0 + 0) +#define TPM_PPI_EXT_OP_CREATE_SPK (0xe0 + 1)
#endif // tcg.h diff --git a/src/tcgbios.c b/src/tcgbios.c index e5b5678..9348a23 100644 --- a/src/tcgbios.c +++ b/src/tcgbios.c @@ -1866,6 +1866,50 @@ tpm20_create_ek(int verbose, u32 *keyhandle) }
static int +tpm20_create_spk(int verbose, u32 *keyhandle) +{ + struct tpm2_tpmt_public { + u16 publen; + u16 alg_key; + u16 alg_hash; + u32 keyflags; + u16 authpolicylen; + u8 authpolicy[0]; + struct symkeydata { + u16 algorithm; + u16 keyBits; + u16 mode; + } symkeydata; + u16 scheme; + u16 keyBits; + u32 exponent; + } PACKED ttp = { + .publen = cpu_to_be16(sizeof(ttp)), + .alg_key = cpu_to_be16(TPM2_ALG_RSA), + .alg_hash = cpu_to_be16(TPM2_ALG_SHA256), + .keyflags = cpu_to_be32(TPM2_OBJECT_FIXEDTPM | + TPM2_OBJECT_FIXEDPARENT | + TPM2_OBJECT_SENSITIVEDATAORIGIN | + TPM2_OBJECT_USERWITHAUTH | + TPM2_OBJECT_NODA | + TPM2_OBJECT_RESTRICTED | + TPM2_OBJECT_DECRYPT), + .authpolicylen = cpu_to_be16(sizeof(ttp.authpolicy)), + .symkeydata = { + .algorithm = cpu_to_be16(TPM2_ALG_AES), + .keyBits = cpu_to_be16(128), + .mode = cpu_to_be16(TPM2_ALG_CFB), + }, + .scheme = cpu_to_be16(TPM2_ALG_NULL), + .keyBits = cpu_to_be16(2048), + .exponent = cpu_to_be32(0), + }; + + return tpm20_createprimary(TPM2_RH_OWNER, &ttp, sizeof(ttp), + keyhandle); +} + +static int tpm20_evictcontrol(u32 authhandle, u32 keyhandle, u32 persistentHandle) { @@ -1922,6 +1966,15 @@ tpm20_process_cfg(tpm_ppi_code msgCode, int verbose) keyhandle, 0x81010001); break; + + case TPM_PPI_EXT_OP_CREATE_SPK: + ret = tpm20_create_spk(verbose, &keyhandle); + if (ret) + break; + ret = tpm20_evictcontrol(TPM2_RH_OWNER, + keyhandle, + 0x81000001); + break; }
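Review bot: The template marshaled by tpm20_create_spk ends at `exponent`, yet a TPMT_PUBLIC of type TPM_ALG_RSA also carries the `unique` TPM2B_PUBLIC_KEY_RSA field, at minimum its two-byte zero size; unless tpm20_createprimary (outside this hunk) appends that field before sending, `publen` undercounts and CreatePrimary is likely rejected with a size error, so this is worth confirming against the EK template in tpm20_create_ek, whose tail is cut off above. The attribute set, AES-128-CFB symmetric parameters and empty authPolicy do match the SRK template the commit message cites, but nothing in the code records that; a header comment such as `/* RSA-2048 SRK template, TCG TPM 2.0 Provisioning Guidance v1.0 sec. 7.5.1: fixedTPM|fixedParent|sensitiveDataOrigin|userWithAuth|noDA|restricted|decrypt, empty authPolicy */` would let a later reader check the flags against the spec instead of the commit log. `sizeof(ttp.authpolicy)` on the zero-length array yields 0, which is the intent (the SRK is authorized by ownerAuth only); a one-line comment saying the policy is deliberately empty would keep someone from "fixing" it. The function is complete within this hunk.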
if (ret) @@ -2121,6 +2174,7 @@ tpm20_get_tpm_state(void)
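Review bot: When tpm20_evictcontrol fails in the new TPM_PPI_EXT_OP_CREATE_SPK case, the transient object that tpm20_create_spk just loaded stays resident in the TPM until the next reset, and because only a few transient slots exist, retrying the menu operation after a failure (for instance TPM_RC_NV_DEFINED when 0x81000001 is already occupied) can exhaust them; the pre-existing EK case directly above has the same gap, so a shared fix would flush `keyhandle` with TPM2_FlushContext on the error path, if the file offers such a helper — none is visible from here. A short comment on the magic handle would also help, e.g. `/* 0x81000001: SRK handle recommended by TCG Provisioning Guidance sec. 7.5.1 */`, so the rationale is not only in the commit message. tpm20_process_cfg begins and ends outside this hunk.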
struct tpml_handle *handles = (struct tpml_handle *)&trg->data; int has_ek = 0; + int has_spk = 0;
num_handles = be32_to_cpu(handles->count);
@@ -2128,10 +2182,14 @@ tpm20_get_tpm_state(void) u32 h = be32_to_cpu(handles->handle[i]); if (h >= 0x81010000 && h <= 0x8101ffff) has_ek = 1; + if (h >= 0x81000000 && h <= 0x8100ffff) + has_spk = 1; }
if (!has_ek) state |= TPM2_STATE_CREATE_EK; + if (!has_spk) + state |= TPM2_STATE_CREATE_SPK;
return state; } @@ -2148,6 +2206,12 @@ tpm20_show_tpm_menu(int state, int next_scancodes[4]) printf(" - has"); printf(" a persistent endorsement key.\n");
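Review bot: The new `if (h >= 0x81000000 && h <= 0x8100ffff) has_spk = 1;` treats any persistent object in the storage-hierarchy handle range as the SRK, so a different key parked there (for example by an OS-level tool) suppresses the menu entry while 0x81000001 itself is still free, and conversely the entry is offered only when the whole range is empty even though the creation path writes to 0x81000001 specifically. If the intent is "an SRK exists", `if (h == 0x81000001) has_spk = 1;` matches what tpm20_evictcontrol later targets; if the range is deliberate, mirroring the EK range check above it, a comment saying so would stop the next reader from tightening it. tpm20_get_tpm_state begins outside this hunk.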
+ if (state & TPM2_STATE_CREATE_SPK) + printf(" - does not have"); + else + printf(" - has"); + printf(" a persistent storage primary key.\n"); + printf("\n1. Clear TPM\n"); next_scancodes[i++] = 2;
@@ -2155,6 +2219,10 @@ tpm20_show_tpm_menu(int state, int next_scancodes[4]) printf("2. Create a persistent endorsement primary key\n"); next_scancodes[i++] = 3; } + if (state & TPM2_STATE_CREATE_SPK) { + printf("3. Create a primary storage key\n"); + next_scancodes[i++] = 4; + } next_scancodes[i++] = 0; }
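Review bot: The menu label `printf("3. Create a primary storage key\n");` disagrees with both the status line added a few lines earlier ("a persistent storage primary key") and the EK entry above it ("Create a persistent endorsement primary key"), and it drops the word "persistent" even though the operation ends in EvictControl; `printf("3. Create a persistent storage primary key\n");` would make the three strings consistent. The fixed "3." also remains when entry 2 is absent, so the menu can show items 1 and 3 with no 2 — workable since scancode 4 is bound to the '3' key in tpm20_menu, but a one-line comment noting that the numbering is intentionally stable would help. tpm20_show_tpm_menu begins outside this hunk.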
@@ -2197,6 +2265,9 @@ tpm20_menu(void) case 3: msgCode = TPM_PPI_EXT_OP_CREATE_EK; break; + case 4: + msgCode = TPM_PPI_EXT_OP_CREATE_SPK; + break; default: continue; }