Add RuntimeAttribute 'fips-140-3' that restricts a TPM 2 following
requirements of the FIPS-140-3 standard:
- Prevents raw RSA encryption and decryption
- Prevents SHA1 signature generation + verification
- Prevents derivation of ECC keys from derivation parent and for creation
of ephemeral keys
- Performs a pairwise consistency test on RSA keys and ECC signing keys
- Enables continous DRBG test
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Per "TCG FIPS 140-3 guidance for TPM 2.0" document the following functions
must prevent an asymmetric ECC key derivation:
- Table 14: TPM2_CreateLoaded
- Table 18: TPM2_ZGen_2Phase
- Table 26: TPM2_Commit
- Table 26: TPM2_EC_Ephemeral
Return TPM_RC_TYPE as a return code to indicate failure of deriving a key.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
drbg-continous-test enables an existing code block that was previously
only enabled when FIPS_COMPLIANT #define was set. This code block
ensures that previous 4 consecutive random numbers do not appear again
at the beginning of a 16-byte block.
Extend an existing test case with this new attribute.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Prevent SHA1 signature verification like FIPS mode on the host does
by implementing attribute no-sha1-signing.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Prevent SHA1 signature generation like FIPS mode on the host does
for RSA and all ECC (ecdsa, ecdaa, ecschnorr, sm2) signing algorithms
by implementing attribute no-sha1-signing.
Since CryptRSASign and CryptEccSign are called from CryptSign the
check for SHA1 can be done there. The other call locations are
from the algorithm test functions where the default hash is SHA512.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement support for RuntimeAttributes which will be provided using
the Attribute key in the map.
Implement a fip-host attribute that at this point does not do much.
Add test case for fips-host attribute.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement TPMLIB_WasManufactured API call for a TPM 2 so that callers can
detect whether a TPM 2 instance was newly created and therefore the
profile that was set was also applied.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Bump up the StateFormatLevel to 6 and use it to introduce a new OBJECT
marshalling format version '4' that slighly changes how an OBJECT is
marshalled:
- only marshal the private exponent for an RSA key
- always marshal the new hierarchy field
The marshalling code can still write previous version '3' when an older
StateFormatLevel is used to support backwards compatibility.
Adjust the test cases marshalling an RSA key OBJECT to check against
expected sizes across a series of StateFormatLevels.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The new isNameHashDefined session attribute allows to better
differentiate between cpHash and nameHash being set. Both of these are part
of a union. However, using this new flag would potentially introduce
compatibility issues for older versions that did not have this flag and
if an older session was to be used with this newer version of TPM 2. To
avoid this use the current stateFormatLevel (4) to decide whether to set
and get the isNameHashDefined session attribute that did not exists before
stateFormatLevel 4. Instrument the code accordingly so that expected
behavior of old TPM 2 state (null profile) does not change while new TPM 2
state with the new default-v1 profile may use the new behavor.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable Camellia-192 and AES-192 and bump up the stateFormatLevel to '4'.
This now prevents using this state with previous stateFormatLevels (< 4)
because there Camellia-192 or AES-192 was not enabled and the user would
otherwise not be able to decrypt data with either one if it was usable.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable new commands ECC_Decrypt and ECC_Encrypt in the TPmProfile.h
and also in the 'default' profile. Since the additional commands extend
the ppList and auditCommands array, bump up the version of the stateLevel
to '2' and use the new marshalling functions by using the PERSISTENT_DATA
blob_version '5'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Also extend the man page to describe the new output.
swtpm_ioctl --info 0x40 --tcp :2322 | jq
{
"AvailableProfiles": [
{
"Name": "default-v1",
"StateFormatLevel": 4,
"Commands": "0x11f-0x122,0x124-0x12e,0x130-0x140,0x142-0x159,0x15b-0x15e,0x160-0x165,0x167-0x174,0x176-0x178,0x17a-0x193,0x197,0x199-0x19a",
"Algorithms": "rsa,rsa-min-size=1024,tdes,tdes-min-size=128,sha1,hmac,aes,aes-min-size=128,mgf1,keyedhash,xor,sha256,sha384,sha512,null,rsassa,rsaes,rsapss,oaep,ecdsa,ecdh,ecdaa,sm2,ecschnorr,ecmqv,kdf1-sp800-56a,kdf2,kdf1-sp800-108,ecc,ecc-min-size=192,ecc-nist,ecc-bn,symcipher,camellia,camellia-min-size=128,cmac,ctr,ofb,cbc,cfb,ecb",
"Description": "This profile enables all currenly supported commands and algorithms. It is applied when the user chooses no profile."
},
{
"Name": "null",
"StateFormatLevel": 1,
"Commands": "0x11f-0x122,0x124-0x12e,0x130-0x140,0x142-0x159,0x15b-0x15e,0x160-0x165,0x167-0x174,0x176-0x178,0x17a-0x193,0x197",
"Algorithms": "rsa,rsa-min-size=1024,tdes,tdes-min-size=128,sha1,hmac,aes,aes-min-size=128,mgf1,keyedhash,xor,sha256,sha384,sha512,null,rsassa,rsaes,rsapss,oaep,ecdsa,ecdh,ecdaa,sm2,ecschnorr,ecmqv,kdf1-sp800-56a,kdf2,kdf1-sp800-108,ecc,ecc-min-size=192,ecc-nist,ecc-bn,symcipher,camellia,camellia-min-size=128,cmac,ctr,ofb,cbc,cfb,ecb",
"Description": "The profile enables the commands and algorithms that were enabled in libtpms v0.9. This profile is automatically used when the state does not have a profile, for example when it was created by libtpms v0.9 or before."
},
...
}
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Also extend the man page to describe the new output.
swtpm_ioctl --info 0x20 --tcp :2322 | jq
{
"ActiveProfile": {
"Name": "null",
"StateFormatLevel": 1,
"Commands": "0x11f-0x122,0x124-0x12e,0x130-0x140,0x142-0x159,0x15b-0x15e,0x160-0x165,0x167-0x174,0x176-0x178,0x17a-0x193,0x197",
"Algorithms": "rsa,rsa-min-size=1024,tdes,tdes-min-size=128,sha1,hmac,aes,aes-min-size=128,mgf1,keyedhash,xor,sha256,sha384,sha512,null,rsassa,rsaes,rsapss,oaep,ecdsa,ecdh,ecdaa,sm2,ecschnorr,ecmqv,kdf1-sp800-56a,kdf2,kdf1-sp800-108,ecc,ecc-min-size=192,ecc-nist,ecc-bn,symcipher,camellia,camellia-min-size=128,cmac,ctr,ofb,cbc,cfb,ecb",
"Description": "The profile enables the commands and algorithms that were enabled in libtpms v0.9. This profile is automatically used when the state does not have a profile, for example when it was created by libtpms v0.9 or before."
}
}
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Also extend the man page to describe the new output.
swtpm_ioctl --info 0x10 --tcp :2322 | jq
{
"RuntimeCommands": {
"Implemented": "0x11f-0x122,0x124-0x12e,0x130-0x140,0x142-0x159,0x15b-0x15e,0x160-0x165,0x167-0x174,0x176-0x178,0x17a-0x193,0x197,0x199-0x19a",
"CanBeDisabled": "0x11f,0x121-0x122,0x124-0x128,0x12a-0x12e,0x130,0x132-0x13b,0x13d-0x140,0x142,0x146-0x147,0x149-0x14d,0x14f-0x152,0x154-0x155,0x159,0x15b,0x15d-0x15e,0x160-0x164,0x167-0x168,0x16a-0x172,0x174,0x177-0x178,0x17b,0x17f-0x181,0x183-0x184,0x187-0x193,0x197,0x199-0x19a",
"Enabled": "0x11f-0x122,0x124-0x12e,0x130-0x140,0x142-0x159,0x15b-0x15e,0x160-0x165,0x167-0x174,0x176-0x178,0x17a-0x193,0x197,0x199-0x19a",
"Disabled": ""
}
}
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend TPM2_GetInfo() to return information about runtime-enabled
algorithms like this:
$ swtpm_ioctl --info 8 --tcp :2322 | jq
{
"RuntimeAlgorithms": {
"Implemented": "rsa,rsa-min-size=1024,tdes,tdes-min-size=128,sha1,hmac,aes,aes-min-size=128,mgf1,keyedhash,xor,sha256,sha384,sha512,null,rsassa,rsaes,rsapss,oaep,ecdsa,ecdh,ecdaa,sm2,ecschnorr,ecmqv,kdf1-sp800-56a,kdf2,kdf1-sp800-108,ecc,ecc-min-size=192,ecc-nist,ecc-bn,ecc-nist-p192,ecc-nist-p224,ecc-nist-p256,ecc-nist-p384,ecc-nist-p521,ecc-bn-p256,ecc-bn-p638,ecc-sm2-p256,symcipher,camellia,camellia-min-size=128,cmac,ctr,ofb,cbc,cfb,ecb",
"CanBeDisabled": "tdes,sha1,sha512,rsassa,rsaes,rsapss,ecmqv,ecc-nist,ecc-bn,ecc-nist-p192,ecc-nist-p224,ecc-nist-p521,ecc-bn-p256,ecc-bn-p638,ecc-sm2-p256,camellia,cmac,ctr,ofb,cbc,ecb",
"Enabled": "rsa,rsa-min-size=1024,hmac,aes,aes-min-size=128,mgf1,keyedhash,xor,sha256,sha384,null,oaep,ecdsa,ecdh,ecdaa,sm2,ecschnorr,kdf1-sp800-56a,kdf2,kdf1-sp800-108,ecc,ecc-min-size=192,ecc-bn,ecc-nist-p192,ecc-nist-p224,ecc-nist-p256,ecc-nist-p384,ecc-nist-p521,ecc-bn-p256,ecc-bn-p638,ecc-sm2-p256,symcipher,camellia,camellia-min-size=128,cmac,ctr,ofb,cbc,cfb,ecb",
"Disabled": "tdes,sha1,sha512,rsassa,rsaes,rsapss,ecmqv,ecc-nist"
}
}
Also describe the JSON object in the TPMLIB_GetInfo man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Update the description of the tpm_io_getlocality() callback function
that the TPM 2 code invokes to get the currently active locality.
It is expected that the called software is trusted and returns a valid
locality number at all times and thus also always return TPM_SUCCESS.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When testing downgrading from libtpms 0.8 to 0.7 (which is not
possible), the error message which is reported is:
libtpms/tpm2: Unexpect value for MAX_RSA_KEY_BITS; its value 3072 is
not = 2048; (version: 2).
codespell (https://github.com/codespell-project/codespell) reports a
misspelling for "Unexpect", which should be "Unexpected". As the project
contains many more misspellings in comments, error messages and
documentation, fix all misspellings reported by codespell.
Signed-off-by: Nicolas Iooss <nicolas.iooss@ledger.fr>
Return the RSAKeySizes in the JSON produced by TPM2_GetInfo() under
a new flag with value '4'. This helps higher level tools and users
to easily determine what key sizes are supported for RSA.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Leave a note in the TPMLIB_RegisterCallbacks() function about
the effects of leaving the store- and loaddata functions in the
interface unset.
Leave another not in TPMLIB_MainInit() to not use the library without
calling TPMLIB_RegiserCallbacks().
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Some man pages were not installed due to a typo in the name of
the variable. This patch fixes the issue.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Introduce --with-tpm2 for ./configure to enable building with
TPM 2 functionality. Delay the building of TPM 2 code until more
patches are applied and the vTPM state that's created has a chance
of being backwards compatible.
Extend the libtpms API to allow user to choose version of TPM.
Missing functionality at this point:
- TPM 2 needs to be extended to serialize and deserialize its volatile state
- Handling of the establishment bit
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Clear all the cached states blobs set using TPMLIB_SetState if one
of them cannot be accepted.
Signed-off-by: Stfean Berger <stefanb@linux.vnet.ibm.com>
Expose the two new API calls TPMLIB_GetState() and TPMLIB_SetState().
Fix one parameter in the TPMLIB_GetState() call.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
This patch adds APIs for getting and setting all types of state
blobs. We cache these blobs and allow them to be picked up when
the TPM starts. It will get any of these state blobs, if they
were set, before we go out and try to read the state blob from
a file.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The EK certificates need information about the TPM specification that was
implemented. The best place to get the information from seems the TPM itself.
So we implement a function TPMLIB_GetInfo() to allow to query for the TPM
specification information and possibly other information in the future.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The logic for invoking the validation of the TPM 1.2 state was
broken. The validation of volatile and save state state requires
that the permanent state is available, so we always load it
first.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement TPMLIB_ValidateState(), which is supposed to be used
for checking usability of state blobs before TPMLIB_MainInit()
is called or TPM_Startup has been sent to the TPM.
This function is useful to be called once TPM state blobs
have been migrated to a destination and we need to check
whether libtpms can use these state blobs and if not
we have a chance to fall back to the migration source host.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Also allow to get the minimum and maximum supported buffer size
with the TPMLIB_SetBufferSize() call.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement TPMLIB_SetBufferSize() for setting the size of the I/O buffer
that the TPM may advertise. For TPM 1.2 the size remains fixed since the
TIS interface can handle the current 4096 bytes.
This function will be important for TPM 2 with a CRB interface that cannot
handle 4096 bytes.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add API calls TPMLIB_SetDebugFD(), TPMLIB_SetDebugLevel(),
TPMLIB_SetDebugPrefix().
Convert the internal printing of debugging strings to
correspond to the log level. Print the prefix in front
of every line.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Remove unnecessary files in the repository and add boostrap.sh to create the
configure file and other files we are removing here. Users have to run
bootstrap.sh to have those files created in their build environment.
Update the INSTALL instructions.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Acked-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
This is the initial import of the libtpms library. The libtpms library
provides software emulation of a Trusted Platform Module (TPM). It is
intended to be used by applications when a hardware TPM is not adequate.
For example, a hypervisor can use libtpms to emulate an independent TPM
for each of it's virtual machine guests. The library provides a high-
level API for developers to integrate the emulated TPM support into
their application.
The code was originally written by Kenneth Goldman <kgoldman@us.ibm.com>
and Stefan Berger <stefanb@us.ibm.com>.
The code is licensed under the Modified BSD License.
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
