Proxmox-Port/libtpms
1
0
Fork 0
mirror of https://github.com/stefanberger/libtpms synced 2025-08-26 22:07:44 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,271 Commits 27 Branches 45 Tags 10 MiB
stefanberger/svn-hierarchy-enablement
Commit Graph

30 Commits

Author SHA1 Message Date
Stefan Berger
d5368c7c41 tpm2: Enable SVN-limited hierarchy: svn-limited-hierarchy (SFL 8) 
Implement support for a profile attribute svn-limited-hierarchy that must
be set for SVN-limited hiearchy support to be enabled. Bump up the
StateFormatLevel to 8 and store the SVN base secret starting with
StateFormatLevel 8.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-11-12 08:26:54 -05:00
Stefan Berger
b8c9153a3f tpm2: Only copy Attributes when non-modifyable profile is chosen 
If the user provides no Attributes field in the profile then do not copy
the attributes from the internal profile if that profile may be modified.
In this case assume that the the user wanted no attributes. It now is
also unnecessary that any Attributes be set in a modifyable profile ever,
since they will not be copied.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-10-17 16:30:30 -04:00
Stefan Berger
a5248a9859 test: Allow setting Attributes in JSON profile with an empty string 
Adjust the regex checking the JSON input to allow for empty string values,
which will be only used by 'Attributes' since they are all optional.
Then, allow the user to provide an empty string with the Attributes in the
JSON like this: {...,"Attributes":"", ...}

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-10-17 16:30:30 -04:00
Stefan Berger
aef0ecbeb4 tpm2: Add missing attributes to code documentation and man pages 
Add attributes documentation where found missing.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-10-17 16:30:30 -04:00
Stefan Berger
774cee962e tpm2: Restrict profile names to 32 characters 
Restrict profile names to 32 characters to avoid having to carry
excessively long names in the TPM's state file.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-10-10 08:42:36 -04:00
Stefan Berger
21e19ffe8d tpm2: Run PCT test on RSA keys and EC signing keys: pct 
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-10-03 14:06:33 -04:00
Stefan Berger
99b52fa982 tpm2: Enable DRBG continous test: drbg-continous-test 
drbg-continous-test enables an existing code block that was previously
only enabled when FIPS_COMPLIANT #define was set. This code block
ensures that previous 4 consecutive random numbers do not appear again
at the beginning of a 16-byte block.

Extend an existing test case with this new attribute.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-10-03 08:52:35 -04:00
Stefan Berger
363cbae3b0 tpm2: Allow naming of custom profiles with prefix 'custom:' 
Allow the name of custom profiles to also have the prefix 'custom:'.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-10-01 10:56:52 -04:00
Stefan Berger
2a883017d6 tpm2: Remove unused function parameters or mark them as unused 
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-09-24 09:32:02 -04:00
Stefan Berger
8b4ad203d0 tpm2: Correct the ending of the string at max characters 
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-09-24 09:32:02 -04:00
Stefan Berger
e898872637 tpm2: Adjust selection of StateFormatLevel 
When a non-modifyable profile is chosen then copy the StateFormatLevel
(SFL) from the internal profile as before. A reason for copying the SFL
is also because the user is not allowed to make modifications to this
type of profile. Otherwise, if the user chooses a modifyable profile,
then let the user choose the StateFormatLevel.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-09-13 17:04:38 -04:00
Stefan Berger
c7baa7e1ac tpm2: Deduplicate verbs in Commands, Algorithms and Attributes in profile 
Deduplicate verbs in Commands, Algorithms, and Attributes strings in a
profile and when a verb with an '=' sign is found, such as
ecc-min-size=224, and there is a duplicate later in the string, such as
ecc-min-size=256, then keep the last one.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-09-11 16:14:08 -04:00
Stefan Berger
e197df642b tpm2: Implement attribute for FIPS-enabled host: fips-host 
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-09-03 10:28:55 -04:00
Stefan Berger
2d8d6a256c tpm2: Prevent SHA1 signature verification: no-sha1-verification 
Prevent SHA1 signature verification like FIPS mode on the host does
by implementing attribute no-sha1-signing.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-09-03 10:28:55 -04:00
Stefan Berger
2fc551ffbc tpm2: Prevent SHA1 signature generation using new flag: no-sha1-signing 
Prevent SHA1 signature generation like FIPS mode on the host does
for RSA and all ECC (ecdsa, ecdaa, ecschnorr, sm2) signing algorithms
by implementing attribute no-sha1-signing.
Since CryptRSASign and CryptEccSign are called from CryptSign the
check for SHA1 can be done there. The other call locations are
from the algorithm test functions where the default hash is SHA512.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-09-03 10:28:55 -04:00
Stefan Berger
2db51d0f88 tpm2: Prevent unpadded/raw RSA en- and decryption: no-unpadded-encryption 
Implement attribute no-unpadded-encrytion to prevent unpadded/raw RSA
encryption and decryption.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-09-03 10:28:55 -04:00
Stefan Berger
2a296082f0 tpm2: Implement function checking attributeFlags 
Implement function to check whether a profile requires attribute
flags to be 'enforced'.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-09-03 10:28:55 -04:00
Stefan Berger
45467a2d83 tpm2: Implement support for RuntimeAttributes (StateFormatLevel 7) 
Implement support for RuntimeAttributes which will be provided using
the Attribute key in the map.

Implement a fip-host attribute that at this point does not do much.

Add test case for fips-host attribute.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-09-03 10:28:55 -04:00
Stefan Berger
d3ce650f93 tpm2: Include limits.h for UINT_MAX (BSD) 
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-08-20 10:16:02 -04:00
Stefan Berger
247a100cd8 tpm2: Add ecc-sm2-p256 to all profiles 
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-07-26 22:34:38 -04:00
Stefan Berger
1df35f6c77 tpm2: Change marshalled fields of OBJECT (StateFormatLevel 6) 
Bump up the StateFormatLevel to 6 and use it to introduce a new OBJECT
marshalling format version '4' that slighly changes how an OBJECT is
marshalled:

- only marshal the private exponent for an RSA key
- always marshal the new hierarchy field

The marshalling code can still write previous version '3' when an older
StateFormatLevel is used to support backwards compatibility.

Adjust the test cases marshalling an RSA key OBJECT to check against
expected sizes across a series of StateFormatLevels.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-07-25 11:17:42 -04:00
Stefan Berger
d6c1b22f60 tpm2: Rework failure codes retruned by GetStateFormatLevelFromJSON 
Replace failure code TPM_RC_FAILURE when an invalid interger is encounterd
while parsing the StateFormatLevel from the json and have it return
TPM_RC_VALUE. Also improve the handling of the different error codes
returned from this function by a caller.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-07-19 16:18:50 -04:00
Stefan Berger
c254804d59 tpm2: Return TPM_RC_VALUE when profile cannot be found by name 
Return TPM_RC_VALUE rather than TPM_RC_FAILURE when a profile cannot
be found by its name.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-07-19 16:18:50 -04:00
Stefan Berger
8e27756625 tpm2: Enable TPM2_PolicyParameters in default-v1 profile 
Enable TPM2_PolicyParameters in default-v1 profile and bump up the
StateFormatLevel to '5'.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-07-18 16:36:02 -04:00
Stefan Berger
7b26afa705 rev180: Introduce isNameHashDefined and use it (bugfix?) 
The new isNameHashDefined session attribute allows to better
differentiate between cpHash and nameHash being set. Both of these are part
of a union. However, using this new flag would potentially introduce
compatibility issues for older versions that did not have this flag and
if an older session was to be used with this newer version of TPM 2. To
avoid this use the current stateFormatLevel (4) to decide whether to set
and get the isNameHashDefined session attribute that did not exists before
stateFormatLevel 4. Instrument the code accordingly so that expected
behavior of old TPM 2 state (null profile) does not change while new TPM 2
state with the new default-v1 profile may use the new behavor.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-07-18 16:36:02 -04:00
Stefan Berger
ee141c60e0 tpm2: Enable Camellia-192 and AES-192 and bump up stateFormatLevel 
Enable Camellia-192 and AES-192 and bump up the stateFormatLevel to '4'.
This now prevents using this state with previous stateFormatLevels (< 4)
because there Camellia-192 or AES-192 was not enabled and the user would
otherwise not be able to decrypt data with either one if it was usable.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-07-15 14:09:09 -04:00
Stefan Berger
341a278896 tpm2: Enable ECC_Decrypt & ECC_Encrypt in 'default' profile 
Enable new commands ECC_Decrypt and ECC_Encrypt in the TPmProfile.h
and also in the 'default' profile. Since the additional commands extend
the ppList and auditCommands array, bump up the version of the stateLevel
to '2' and use the new marshalling functions by using the PERSISTENT_DATA
blob_version '5'.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-07-15 14:09:09 -04:00
Stefan Berger
a848c37b7b tpm2: Implement RuntimeProfileGetSeedCompatLevel() 
The maximum SEED_COMPAT_LEVEL that libtpms may use depends on the earliest
version of libtpms that a profile can run on. Therefore, implement
RuntimeProfileGetSeedCompatLevel() to determine the SEED_COMPAT_LEVEL that
a profile can use, which depends on the profile's stateCompatLevel (which
in turn depends on the version of libtpms)

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-07-15 11:51:38 -04:00
Stefan Berger
3b5afd325c tpm2: Extend TPM2_GetInfo with info about available profiles 
Also extend the man page to describe the new output.

swtpm_ioctl --info 0x40 --tcp :2322 | jq
{
  "AvailableProfiles": [
    {
      "Name": "default-v1",
      "StateFormatLevel": 4,
      "Commands": "0x11f-0x122,0x124-0x12e,0x130-0x140,0x142-0x159,0x15b-0x15e,0x160-0x165,0x167-0x174,0x176-0x178,0x17a-0x193,0x197,0x199-0x19a",
      "Algorithms": "rsa,rsa-min-size=1024,tdes,tdes-min-size=128,sha1,hmac,aes,aes-min-size=128,mgf1,keyedhash,xor,sha256,sha384,sha512,null,rsassa,rsaes,rsapss,oaep,ecdsa,ecdh,ecdaa,sm2,ecschnorr,ecmqv,kdf1-sp800-56a,kdf2,kdf1-sp800-108,ecc,ecc-min-size=192,ecc-nist,ecc-bn,symcipher,camellia,camellia-min-size=128,cmac,ctr,ofb,cbc,cfb,ecb",
      "Description": "This profile enables all currenly supported commands and algorithms. It is applied when the user chooses no profile."
    },
    {
      "Name": "null",
      "StateFormatLevel": 1,
      "Commands": "0x11f-0x122,0x124-0x12e,0x130-0x140,0x142-0x159,0x15b-0x15e,0x160-0x165,0x167-0x174,0x176-0x178,0x17a-0x193,0x197",
      "Algorithms": "rsa,rsa-min-size=1024,tdes,tdes-min-size=128,sha1,hmac,aes,aes-min-size=128,mgf1,keyedhash,xor,sha256,sha384,sha512,null,rsassa,rsaes,rsapss,oaep,ecdsa,ecdh,ecdaa,sm2,ecschnorr,ecmqv,kdf1-sp800-56a,kdf2,kdf1-sp800-108,ecc,ecc-min-size=192,ecc-nist,ecc-bn,symcipher,camellia,camellia-min-size=128,cmac,ctr,ofb,cbc,cfb,ecb",
      "Description": "The profile enables the commands and algorithms that were enabled in libtpms v0.9. This profile is automatically used when the state does not have a profile, for example when it was created by libtpms v0.9 or before."
    },
    ...
}

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-07-15 11:51:38 -04:00
Stefan Berger
31dc25a92c tpm2: Add support for setting a runtime profile 
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2024-07-15 11:51:38 -04:00