[SeaBIOS] [PATCH 2/2] tcbios: Add menu item to create a primary storage key for TPM 2

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Dec 13 19:00:32 CET 2017


Add a menu item to create an SRK with the handle 0x81000001
per the Infrastructure Work Group specification

TCG TPM v2.0 Provisioning Guidance; Version 1.0, Rev 1.0, March 15, 2017

https://trustedcomputinggroup.org/tcg-tpm-v2-0-provisioning-guidance/

For the creation flags to set on the SRK (storage primary key) we follow the above spec
Section 7.5.1 "Storage Primary Key (SRK) Templates" and the following spec

TCG EK Credential Profile For TPM Family 2.0; Level 0; Rev 14, Nov. 4 2014

https://trustedcomputinggroup.org/tcg-ek-credential-profile-tpm-family-2-0/

Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
---
 src/std/tcg.h |  3 ++-
 src/tcgbios.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+), 1 deletion(-)

diff --git a/src/std/tcg.h b/src/std/tcg.h
index beecd1f..19dab64 100644
--- a/src/std/tcg.h
+++ b/src/std/tcg.h
@@ -599,7 +599,7 @@ struct pcctes_romex
 #define TPM_STATE_OWNERINSTALL 8
 
 #define TPM2_STATE_CREATE_EK 1
-#define TPM2_STATE_CREATE_PSK 2
+#define TPM2_STATE_CREATE_SPK 2
 
 #define TPM_PPI_OP_NOOP 0
 #define TPM_PPI_OP_ENABLE 1
@@ -612,5 +612,6 @@ struct pcctes_romex
 
 /* additional operations */
 #define TPM_PPI_EXT_OP_CREATE_EK  (0xe0 + 0)
+#define TPM_PPI_EXT_OP_CREATE_SPK (0xe0 + 1)
 
 #endif // tcg.h
diff --git a/src/tcgbios.c b/src/tcgbios.c
index e5b5678..9348a23 100644
--- a/src/tcgbios.c
+++ b/src/tcgbios.c
@@ -1866,6 +1866,50 @@ tpm20_create_ek(int verbose, u32 *keyhandle)
 }
 
 static int
+tpm20_create_spk(int verbose, u32 *keyhandle)
+{
+    struct tpm2_tpmt_public {
+        u16 publen;
+        u16 alg_key;
+        u16 alg_hash;
+        u32 keyflags;
+        u16 authpolicylen;
+        u8 authpolicy[0];
+        struct symkeydata {
+            u16 algorithm;
+            u16 keyBits;
+            u16 mode;
+        } symkeydata;
+        u16 scheme;
+        u16 keyBits;
+        u32 exponent;
+    } PACKED ttp = {
+        .publen = cpu_to_be16(sizeof(ttp)),
+        .alg_key = cpu_to_be16(TPM2_ALG_RSA),
+        .alg_hash = cpu_to_be16(TPM2_ALG_SHA256),
+        .keyflags = cpu_to_be32(TPM2_OBJECT_FIXEDTPM |
+                                TPM2_OBJECT_FIXEDPARENT |
+                                TPM2_OBJECT_SENSITIVEDATAORIGIN |
+                                TPM2_OBJECT_USERWITHAUTH |
+                                TPM2_OBJECT_NODA |
+                                TPM2_OBJECT_RESTRICTED |
+                                TPM2_OBJECT_DECRYPT),
+        .authpolicylen = cpu_to_be16(sizeof(ttp.authpolicy)),
+        .symkeydata = {
+            .algorithm = cpu_to_be16(TPM2_ALG_AES),
+            .keyBits = cpu_to_be16(128),
+            .mode = cpu_to_be16(TPM2_ALG_CFB),
+        },
+        .scheme = cpu_to_be16(TPM2_ALG_NULL),
+        .keyBits = cpu_to_be16(2048),
+        .exponent = cpu_to_be32(0),
+    };
+
+    return tpm20_createprimary(TPM2_RH_OWNER, &ttp, sizeof(ttp),
+                               keyhandle);
+}
+
+static int
 tpm20_evictcontrol(u32 authhandle, u32 keyhandle,
                    u32 persistentHandle)
 {
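Review bot: tpm20_create_spk has no comment tying the template it builds to the specification the commit message cites, so a later reader cannot tell whether the flag set and the empty authPolicy (authpolicylen is sizeof of a zero-length array, i.e. 0) are deliberate or copied from the EK path. I would add above the function: `/* Build the SRK template of TCG TPM 2.0 Provisioning Guidance 7.5.1 (RSA-2048, AES-128-CFB symmetric, NULL scheme, empty authPolicy) and create it under the owner hierarchy; the transient handle is returned in *keyhandle and must still be persisted by the caller. */`. The `verbose` parameter is not used anywhere in the body; either pass it on to tpm20_createprimary if that helper accepts it, or drop it from the signature to avoid implying diagnostic output that never happens.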
@@ -1922,6 +1966,15 @@ tpm20_process_cfg(tpm_ppi_code msgCode, int verbose)
                                      keyhandle,
                                      0x81010001);
             break;
+
+        case TPM_PPI_EXT_OP_CREATE_SPK:
+            ret = tpm20_create_spk(verbose, &keyhandle);
+            if (ret)
+                break;
+            ret = tpm20_evictcontrol(TPM2_RH_OWNER,
+                                     keyhandle,
+                                     0x81000001);
+            break;
     }
 
     if (ret)
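Review bot: After tpm20_evictcontrol makes the key persistent at 0x81000001, the transient object returned in keyhandle is never flushed in this case, and the same is true on the evictcontrol failure path; unless tpm20_createprimary or tpm20_evictcontrol flushes it internally (their bodies are outside this hunk), a TPM with only a few transient slots can be left with an occupied slot until the next reset. I would flush the transient handle after the evictcontrol call regardless of its result, using whatever TPM2_FlushContext helper this file has, e.g. `tpm20_flushcontext(keyhandle);` placed before `break;` (and the EK case above would benefit from the same treatment). The persistent handles 0x81010001 and 0x81000001 are also repeated as bare literals here and in tpm20_get_tpm_state; naming them (e.g. `#define TPM2_EK_HANDLE 0x81010001` / `#define TPM2_SRK_HANDLE 0x81000001` in tcg.h) would keep the creation path and the detection path from drifting apart. The enclosing tpm20_process_cfg switch starts and ends outside this hunk.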
@@ -2121,6 +2174,7 @@ tpm20_get_tpm_state(void)
 
     struct tpml_handle *handles = (struct tpml_handle *)&trg->data;
     int has_ek = 0;
+    int has_spk = 0;
 
     num_handles = be32_to_cpu(handles->count);
 
@@ -2128,10 +2182,14 @@ tpm20_get_tpm_state(void)
         u32 h = be32_to_cpu(handles->handle[i]);
         if (h >= 0x81010000 && h <= 0x8101ffff)
              has_ek = 1;
+        if (h >= 0x81000000 && h <= 0x8100ffff)
+             has_spk = 1;
     }
 
     if (!has_ek)
         state |= TPM2_STATE_CREATE_EK;
+    if (!has_spk)
+        state |= TPM2_STATE_CREATE_SPK;
 
     return state;
 }
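Review bot: The new has_spk test sets the flag for any persistent handle in 0x81000000-0x8100ffff, not specifically for the 0x81000001 handle the menu item creates, so an unrelated key persisted in that range by an OS or another tool will hide the "create" menu item even though 0x81000001 is free, and the state text later reports "has a persistent storage primary key". This mirrors the existing EK range check, so it may be intentional; if so, a comment should say what is actually being detected, e.g. `/* 0x81000000-0x8100ffff: persistent handle range reserved for storage hierarchy keys (TCG Provisioning Guidance); any object there counts as an SRK */`. If the intent is to match exactly what this firmware creates, compare against the single handle instead: `if (h == 0x81000001) has_spk = 1;`. Whether the loop sees every persistent handle also depends on tpm20_get_tpm_state honouring the GetCapability moreData flag, which is outside this hunk.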
@@ -2148,6 +2206,12 @@ tpm20_show_tpm_menu(int state, int next_scancodes[4])
         printf(" - has");
     printf(" a persistent endorsement key.\n");
 
+    if (state & TPM2_STATE_CREATE_SPK)
+        printf(" - does not have");
+    else
+        printf(" - has");
+    printf(" a persistent storage primary key.\n");
+
     printf("\n1. Clear TPM\n");
     next_scancodes[i++] = 2;
 
@@ -2155,6 +2219,10 @@ tpm20_show_tpm_menu(int state, int next_scancodes[4])
         printf("2. Create a persistent endorsement primary key\n");
         next_scancodes[i++] = 3;
     }
+    if (state & TPM2_STATE_CREATE_SPK) {
+        printf("3. Create a primary storage key\n");
+        next_scancodes[i++] = 4;
+    }
     next_scancodes[i++] = 0;
 }
 
@@ -2197,6 +2265,9 @@ tpm20_menu(void)
             case 3:
                 msgCode = TPM_PPI_EXT_OP_CREATE_EK;
                 break;
+            case 4:
+                msgCode = TPM_PPI_EXT_OP_CREATE_SPK;
+                break;
             default:
                 continue;
             }
-- 
2.5.5



