diff --git a/src/swtpm_setup/swtpm_setup.sh.in b/src/swtpm_setup/swtpm_setup.sh.in index f4159ad..eba5063 100755 --- a/src/swtpm_setup/swtpm_setup.sh.in +++ b/src/swtpm_setup/swtpm_setup.sh.in @@ -127,7 +127,11 @@ TPM2_NV_INDEX_ECC_EKCert=$((0x01c0000a)) TPM2_NV_INDEX_ECC_EKTemplate=$((0x01c0000c)) TPM2_NV_INDEX_PlatformCert=$((0x01c08000)) -TPM2_EK_HANDLE=$((0x81010001)) +TPM2_NV_INDEX_ECC_SECP384R1_HI_EKCert=$((0x01c00016)) +TPM2_NV_INDEX_ECC_SECP384R1_HI_EKTemplate=$((0x01c00017)) + +TPM2_EK_RSA_HANDLE=$((0x81010001)) +TPM2_EK_ECC_SECP384R1_HANDLE=$((0x81010016)) TPM2_SPK_HANDLE=$((0x81000001)) # Default logging goes to stderr @@ -146,6 +150,9 @@ NONCE_RSA_SIZE=256 NONCE_ECC_256='\x00\x20'${NB32} NONCE_ECC_256_SIZE=32 +NONCE_ECC_384='\x00\x30'${NB32}${NB16} +NONCE_ECC_384_SIZE=48 + NONCE_EMPTY='\x00\x00' NONCE_EMPTY_SIZE=0 @@ -1507,7 +1514,7 @@ tpm2_create_ek_and_cert() local EK_CERT_FILE="$certsdir/ek.cert" local EK_TEMP_FILE="$certsdir/ektemplate" - local ek nvindex nvindex_str + local ek nvindex nvindex_str keytype local nvindexattrs=$((TPMA_NV_PLATFORMCREATE | \ TPMA_NV_AUTHREAD | \ TPMA_NV_OWNERREAD | \ 
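Review bot: The new `local ek nvindex nvindex_str keytype` line omits `tpm2_ek_handle`, which the following hunk assigns in the same function, so the selected EK handle is created as a global that outlives the call instead of a function-scoped variable like the others; write `local ek nvindex nvindex_str keytype tpm2_ek_handle`. The body of tpm2_create_ek_and_cert continues beyond this hunk.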
@@ -1516,19 +1523,27 @@ tpm2_create_ek_and_cert() TPMA_NV_NO_DA | \ TPMA_NV_WRITEDEFINE)) + if [ $((flags & SETUP_TPM2_ECC_F)) -ne 0 ]; then + keytype="ECC" + tpm2_ek_handle=$TPM2_EK_ECC_SECP384R1_HANDLE + else + keytype="RSA" + tpm2_ek_handle=$TPM2_EK_RSA_HANDLE + fi + if [ $((flags & SETUP_CREATE_EK_F)) -ne 0 ]; then - ek=$(tpm2_create_ek "$flags" "${TPM2_EK_HANDLE}" "${EK_TEMP_FILE}") + ek=$(tpm2_create_ek "$flags" "${tpm2_ek_handle}" "${EK_TEMP_FILE}") if [ $? -ne 0 ]; then logerr "tpm2_create_ek failed" return 1 fi - logit "Successfully created EK with handle" \ - "$(printf "0x%08x" ${TPM2_EK_HANDLE})." + logit "Successfully created $keytype EK with handle" \ + "$(printf "0x%08x" ${tpm2_ek_handle})." if [ $((flags & SETUP_TPM2_ECC_F)) -eq 0 ]; then nvindex=${TPM2_NV_INDEX_RSA_EKTemplate} else - nvindex=${TPM2_NV_INDEX_ECC_EKTemplate} + nvindex=${TPM2_NV_INDEX_ECC_SECP384R1_HI_EKTemplate} fi nvindex_str="$(printf "0x%08x" ${nvindex})" @@ -1554,7 +1569,7 @@ tpm2_create_ek_and_cert() return 1 fi fi - logit "Successfully created NVRAM area ${nvindex_str} for EK template." + logit "Successfully created NVRAM area ${nvindex_str} for $keytype EK template." fi rm -f "${EK_TEMP_FILE}" fi @@ -1571,7 +1586,7 @@ tpm2_create_ek_and_cert() if [ $((flags & SETUP_TPM2_ECC_F)) -eq 0 ]; then nvindex=${TPM2_NV_INDEX_RSA_EKCert} else - nvindex=${TPM2_NV_INDEX_ECC_EKCert} + nvindex=${TPM2_NV_INDEX_ECC_SECP384R1_HI_EKCert} fi nvindex_str="$(printf "0x%08x" ${nvindex})" @@ -1579,7 +1594,7 @@ tpm2_create_ek_and_cert() "$(get_filesize "${EK_CERT_FILE}")" if [ $? -ne 0 ]; then logerr "Could not create NVRAM area ${nvindex_str}" \ - "for EK certificate." + "for $keytype EK certificate." return 1 fi tpm2_nv_write ${nvindex} "${EK_CERT_FILE}" 
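Review bot: The new if/else on SETUP_TPM2_ECC_F that picks `keytype` and `tpm2_ek_handle` is followed by two further tests of the same flag, one in this hunk for the EK template index and one in the hunk at -1571 for the EK certificate index, so the RSA-versus-P384 decision is now spread over three places. Since the key type determines all of them, consider selecting the two NV indices in the same block (adding the new names to the `local` list) and dropping the later if/else pairs, which keeps the SECP384R1 index choice in one spot. The body of tpm2_create_ek_and_cert starts and ends outside this hunk.
```shell
	if [ $((flags & SETUP_TPM2_ECC_F)) -ne 0 ]; then
		keytype="ECC"
		tpm2_ek_handle=$TPM2_EK_ECC_SECP384R1_HANDLE
		nvindex_tmpl=$TPM2_NV_INDEX_ECC_SECP384R1_HI_EKTemplate
		nvindex_cert=$TPM2_NV_INDEX_ECC_SECP384R1_HI_EKCert
	else
		keytype="RSA"
		tpm2_ek_handle=$TPM2_EK_RSA_HANDLE
		nvindex_tmpl=$TPM2_NV_INDEX_RSA_EKTemplate
		nvindex_cert=$TPM2_NV_INDEX_RSA_EKCert
	fi
	# … unchanged: tpm2_create_ek call and its error handling …
	nvindex=$nvindex_tmpl
	# … the if/else on SETUP_TPM2_ECC_F before nvindex_str is dropped; likewise nvindex=$nvindex_cert replaces the one in the -1571 hunk …
```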
@@ -1596,7 +1611,7 @@ tpm2_create_ek_and_cert() return 1 fi fi - logit "Successfully created NVRAM area ${nvindex_str} for EK certificate." + logit "Successfully created NVRAM area ${nvindex_str} for $keytype EK certificate." rm -f "${EK_CERT_FILE}" fi @@ -1634,6 +1649,29 @@ tpm2_create_ek_and_cert() return 0 } +# Create RSA and ECC EKs and their certs +# @param1: flags +# @param2: configuration file +# @param3: certificates directory +# @param4: VM identifier +tpm2_create_eks_and_certs() +{ + local flags="$1" + local config_file="$2" + local certs_dir="$3" + local vmid="$4" + + # 1st key will be RSA + flags=$((flags & ~SETUP_TPM2_ECC_F)) + tpm2_create_ek_and_cert "$flags" "$config_file" "$certsdir" "$vmid" + [ $? -ne 0 ] && return 1 + + # 2nd key will be an ECC; no more platform cert + flags=$(((flags & ~SETUP_PLATFORM_CERT_F) | SETUP_TPM2_ECC_F)) + tpm2_create_ek_and_cert "$flags" "$config_file" "$certsdir" "$vmid" + return 0 +} + # Create the platform key, either RSA or ECC # # @param1: flags @@ -2027,7 +2065,7 @@ init_tpm2() "handle $(printf "0x%08x" ${TPM2_SPK_HANDLE})." fi - tpm2_create_ek_and_cert "$flags" "$config_file" "$certsdir" "$vmid" + tpm2_create_eks_and_certs "$flags" "$config_file" "$certsdir" "$vmid" [ $? -ne 0 ] && return 1 if [ "$pcr_banks" != "-" ]; then @@ -2130,7 +2168,8 @@ The following options are supported: --tpm2 : Setup a TPM 2; by default a TPM 1.2 is setup. ---createek : Create the EK +--createek : Create the EK; for a TPM 2 an RSA and ECC EK will be + created --allow-signing : Create an EK that can be used for signing; this option requires --tpm2. 
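Review bot: In the new tpm2_create_eks_and_certs both calls pass `"$certsdir"`, but the third parameter was captured as `local certs_dir="$3"`, so the directory the caller supplies is never used; this likely only works because bash's dynamic scoping exposes the caller's `certsdir` (the name init_tpm2 passes in the -2027 hunk) to the callee. Both calls should read `tpm2_create_ek_and_cert "$flags" "$config_file" "$certs_dir" "$vmid"`. The second call's status is also discarded because the function ends in an unconditional `return 0`, so a failure creating the ECC EK or writing its certificate into the SECP384R1 NV index is not reported to init_tpm2, unlike the RSA case, and setup finishes successfully without a usable ECC EK credential; add `[ $? -ne 0 ] && return 1` after the second call as well.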
@@ -2139,7 +2178,8 @@ The following options are supported: this is the default unless --allow-signing is given; this option requires --tpm2. ---ecc : Create ECC keys rather than RSA keys; this requires --tpm2 +--ecc : This option allows to create a TPM 2's ECC key as storage + primary key; a TPM 2 always gets an RSA and an ECC EK key. --take-ownership : Take ownership; this option implies --createek --ownerpass