swtpm_setup: Create RSA 2048 and ECC NIST P256 keys and certs

Following "TCG PC Client Platform TPM Profile Specification for TPM 2.0, version 1.04, Rev 37" create and RSA and an ECC NIST P256 key now. We will upgrade the ECC NIST key to P384 in the next step. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2025-08-22 19:04:35 +00:00 · 2020-04-30 01:41:13 -04:00 · 2020-04-30 01:41:13 -04:00 · d65f5ae13b
commit d65f5ae13b
parent 8dd0eb5d44
1 changed files with 53 additions and 13 deletions
--- a/src/swtpm_setup/swtpm_setup.sh.in
+++ b/src/swtpm_setup/swtpm_setup.sh.in
@ -127,7 +127,11 @@ TPM2_NV_INDEX_ECC_EKCert=$((0x01c0000a))
 TPM2_NV_INDEX_ECC_EKTemplate=$((0x01c0000c))
 TPM2_NV_INDEX_PlatformCert=$((0x01c08000))

-TPM2_EK_HANDLE=$((0x81010001))
+TPM2_NV_INDEX_ECC_SECP384R1_HI_EKCert=$((0x01c00016))
+TPM2_NV_INDEX_ECC_SECP384R1_HI_EKTemplate=$((0x01c00017))
+
+TPM2_EK_RSA_HANDLE=$((0x81010001))
+TPM2_EK_ECC_SECP384R1_HANDLE=$((0x81010016))
 TPM2_SPK_HANDLE=$((0x81000001))

 # Default logging goes to stderr
@ -146,6 +150,9 @@ NONCE_RSA_SIZE=256
 NONCE_ECC_256='\x00\x20'${NB32}
 NONCE_ECC_256_SIZE=32

+NONCE_ECC_384='\x00\x30'${NB32}${NB16}
+NONCE_ECC_384_SIZE=48
+
 NONCE_EMPTY='\x00\x00'
 NONCE_EMPTY_SIZE=0

@ -1507,7 +1514,7 @@ tpm2_create_ek_and_cert()
 	local EK_CERT_FILE="$certsdir/ek.cert"
 	local EK_TEMP_FILE="$certsdir/ektemplate"

-	local ek nvindex nvindex_str
+	local ek nvindex nvindex_str keytype
 	local nvindexattrs=$((TPMA_NV_PLATFORMCREATE | \
 		TPMA_NV_AUTHREAD | \
 		TPMA_NV_OWNERREAD | \
@ -1516,19 +1523,27 @@ tpm2_create_ek_and_cert()
 		TPMA_NV_NO_DA | \
 		TPMA_NV_WRITEDEFINE))

+	if [ $((flags & SETUP_TPM2_ECC_F)) -ne 0 ]; then
+		keytype="ECC"
+		tpm2_ek_handle=$TPM2_EK_ECC_SECP384R1_HANDLE
+	else
+		keytype="RSA"
+		tpm2_ek_handle=$TPM2_EK_RSA_HANDLE
+	fi
+
 	if [ $((flags & SETUP_CREATE_EK_F)) -ne 0 ]; then
-		ek=$(tpm2_create_ek "$flags" "${TPM2_EK_HANDLE}" "${EK_TEMP_FILE}")
+		ek=$(tpm2_create_ek "$flags" "${tpm2_ek_handle}" "${EK_TEMP_FILE}")
 		if [ $? -ne 0 ]; then
 			logerr "tpm2_create_ek failed"
 			return 1
 		fi
-		logit "Successfully created EK with handle" \
-		      "$(printf "0x%08x" ${TPM2_EK_HANDLE})."
+		logit "Successfully created $keytype EK with handle" \
+		      "$(printf "0x%08x" ${tpm2_ek_handle})."

 		if [ $((flags & SETUP_TPM2_ECC_F)) -eq 0 ]; then
 			nvindex=${TPM2_NV_INDEX_RSA_EKTemplate}
 		else
-			nvindex=${TPM2_NV_INDEX_ECC_EKTemplate}
+			nvindex=${TPM2_NV_INDEX_ECC_SECP384R1_HI_EKTemplate}
 		fi
 		nvindex_str="$(printf "0x%08x" ${nvindex})"

@ -1554,7 +1569,7 @@ tpm2_create_ek_and_cert()
 					return 1
 				fi
 			fi
-			logit "Successfully created NVRAM area ${nvindex_str} for EK template."
+			logit "Successfully created NVRAM area ${nvindex_str} for $keytype EK template."
 		fi
 		rm -f "${EK_TEMP_FILE}"
 	fi
@ -1571,7 +1586,7 @@ tpm2_create_ek_and_cert()
 		if [ $((flags & SETUP_TPM2_ECC_F)) -eq 0 ]; then
 			nvindex=${TPM2_NV_INDEX_RSA_EKCert}
 		else
-			nvindex=${TPM2_NV_INDEX_ECC_EKCert}
+			nvindex=${TPM2_NV_INDEX_ECC_SECP384R1_HI_EKCert}
 		fi
 		nvindex_str="$(printf "0x%08x" ${nvindex})"

@ -1579,7 +1594,7 @@ tpm2_create_ek_and_cert()
 			"$(get_filesize "${EK_CERT_FILE}")"
 		if [ $? -ne 0 ]; then
 			logerr "Could not create NVRAM area ${nvindex_str}" \
-			       "for EK certificate."
+			       "for $keytype EK certificate."
 			return 1
 		fi
 		tpm2_nv_write ${nvindex} "${EK_CERT_FILE}"
@ -1596,7 +1611,7 @@ tpm2_create_ek_and_cert()
 				return 1
 			fi
 		fi
-		logit "Successfully created NVRAM area ${nvindex_str} for EK certificate."
+		logit "Successfully created NVRAM area ${nvindex_str} for $keytype EK certificate."
 		rm -f "${EK_CERT_FILE}"
 	fi

@ -1634,6 +1649,29 @@ tpm2_create_ek_and_cert()
 	return 0
 }

+# Create RSA and ECC EKs and their certs
+# @param1: flags
+# @param2: configuration file
+# @param3: certificates directory
+# @param4: VM identifier
+tpm2_create_eks_and_certs()
+{
+	local flags="$1"
+	local config_file="$2"
+	local certs_dir="$3"
+	local vmid="$4"
+
+	# 1st key will be RSA
+	flags=$((flags & ~SETUP_TPM2_ECC_F))
+	tpm2_create_ek_and_cert "$flags" "$config_file" "$certsdir" "$vmid"
+	[ $? -ne 0 ] && return 1
+
+	# 2nd key will be an ECC; no more platform cert
+	flags=$(((flags & ~SETUP_PLATFORM_CERT_F) | SETUP_TPM2_ECC_F))
+	tpm2_create_ek_and_cert "$flags" "$config_file" "$certsdir" "$vmid"
+	return 0
+}
+
 # Create the platform key, either RSA or ECC
 #
 # @param1: flags
@ -2027,7 +2065,7 @@ init_tpm2()
 		      "handle $(printf "0x%08x" ${TPM2_SPK_HANDLE})."
 	fi

-	tpm2_create_ek_and_cert "$flags" "$config_file" "$certsdir" "$vmid"
+	tpm2_create_eks_and_certs "$flags" "$config_file" "$certsdir" "$vmid"
 	[ $? -ne 0 ] && return 1

 	if [ "$pcr_banks" != "-" ]; then
@ -2130,7 +2168,8 @@ The following options are supported:

 --tpm2           : Setup a TPM 2; by default a TPM 1.2 is setup.

--createek       : Create the EK
+--createek       : Create the EK; for a TPM 2 an RSA and ECC EK will be
+                   created

 --allow-signing  : Create an EK that can be used for signing;
                   this option requires --tpm2.
@ -2139,7 +2178,8 @@ The following options are supported:
                   this is the default unless --allow-signing is given;
                   this option requires --tpm2.

--ecc            : Create ECC keys rather than RSA keys; this requires --tpm2
+--ecc            : This option allows to create a TPM 2's ECC key as storage
+                   primary key; a TPM 2 always gets an RSA and an ECC EK key.

 --take-ownership : Take ownership; this option implies --createek
  --ownerpass  <password>