From d65f5ae13be66d1de5030004b5ca70e7835d23da Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Thu, 30 Apr 2020 01:41:13 -0400
Subject: [PATCH] swtpm_setup: Create RSA 2048 and ECC NIST P256 keys and certs

Following "TCG PC Client Platform TPM Profile Specification for TPM 2.0, version 1.04, Rev 37" create and RSA and an ECC NIST P256 key now. We will upgrade the ECC NIST key to P384 in the next step.

Signed-off-by: Stefan Berger
---
 src/swtpm_setup/swtpm_setup.sh.in | 66 +++++++++++++++++++++++++------
 1 file changed, 53 insertions(+), 13 deletions(-)

diff --git a/src/swtpm_setup/swtpm_setup.sh.in b/src/swtpm_setup/swtpm_setup.sh.in
index f4159ad..eba5063 100755
--- a/src/swtpm_setup/swtpm_setup.sh.in
+++ b/src/swtpm_setup/swtpm_setup.sh.in
@@ -127,7 +127,11 @@ TPM2_NV_INDEX_ECC_EKCert=$((0x01c0000a))
 TPM2_NV_INDEX_ECC_EKTemplate=$((0x01c0000c))
 TPM2_NV_INDEX_PlatformCert=$((0x01c08000))
 
-TPM2_EK_HANDLE=$((0x81010001))
+TPM2_NV_INDEX_ECC_SECP384R1_HI_EKCert=$((0x01c00016))
+TPM2_NV_INDEX_ECC_SECP384R1_HI_EKTemplate=$((0x01c00017))
+
+TPM2_EK_RSA_HANDLE=$((0x81010001))
+TPM2_EK_ECC_SECP384R1_HANDLE=$((0x81010016))
 TPM2_SPK_HANDLE=$((0x81000001))
 
 # Default logging goes to stderr
@@ -146,6 +150,9 @@ NONCE_RSA_SIZE=256
 NONCE_ECC_256='\x00\x20'${NB32}
 NONCE_ECC_256_SIZE=32
 
+NONCE_ECC_384='\x00\x30'${NB32}${NB16}
+NONCE_ECC_384_SIZE=48
+
 NONCE_EMPTY='\x00\x00'
 NONCE_EMPTY_SIZE=0
 
@@ -1507,7 +1514,7 @@ tpm2_create_ek_and_cert()
 local EK_CERT_FILE="$certsdir/ek.cert"
 local EK_TEMP_FILE="$certsdir/ektemplate"
 
- local ek nvindex nvindex_str
+ local ek nvindex nvindex_str keytype
 local nvindexattrs=$((TPMA_NV_PLATFORMCREATE | \
 TPMA_NV_AUTHREAD | \
 TPMA_NV_OWNERREAD | \
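Review bot: The constants added in the first hunk name the SECP384R1 high-range EK slots (NV 0x01c00016/0x01c00017, handle 0x81010016), while the commit message says this step still creates a P256 ECC EK, so until the announced follow-up lands the P256 template and certificate are written to indices a verifier would read as the P384 EK. If that intermediate state is deliberate, a comment next to the definitions such as `# P384 slot names; the ECC EK written here is still P256 until the next commit` keeps a bisect from reporting a mismatched EK. Replacing TPM2_EK_HANDLE with two new names also means any reference to the old name left elsewhere in the script would now expand to an empty string without a parse-time error; a grep for the old name before merging is cheap.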
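Review bot: `tpm2_ek_handle`, which the next hunk assigns in both arms of the new keytype block, is not added to the `local` list this hunk extends, so it becomes a global written on every call of tpm2_create_ek_and_cert; `local ek nvindex nvindex_str keytype tpm2_ek_handle` keeps it function-scoped like the others. tpm2_create_ek_and_cert starts before this hunk.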
@@ -1516,19 +1523,27 @@ tpm2_create_ek_and_cert()
 TPMA_NV_NO_DA | \
 TPMA_NV_WRITEDEFINE))
 
+ if [ $((flags & SETUP_TPM2_ECC_F)) -ne 0 ]; then
+ keytype="ECC"
+ tpm2_ek_handle=$TPM2_EK_ECC_SECP384R1_HANDLE
+ else
+ keytype="RSA"
+ tpm2_ek_handle=$TPM2_EK_RSA_HANDLE
+ fi
+
 if [ $((flags & SETUP_CREATE_EK_F)) -ne 0 ]; then
- ek=$(tpm2_create_ek "$flags" "${TPM2_EK_HANDLE}" "${EK_TEMP_FILE}")
+ ek=$(tpm2_create_ek "$flags" "${tpm2_ek_handle}" "${EK_TEMP_FILE}")
 if [ $? -ne 0 ]; then
 logerr "tpm2_create_ek failed"
 return 1
 fi
- logit "Successfully created EK with handle" \
- "$(printf "0x%08x" ${TPM2_EK_HANDLE})."
+ logit "Successfully created $keytype EK with handle" \
+ "$(printf "0x%08x" ${tpm2_ek_handle})."
 
 if [ $((flags & SETUP_TPM2_ECC_F)) -eq 0 ]; then
 nvindex=${TPM2_NV_INDEX_RSA_EKTemplate}
 else
- nvindex=${TPM2_NV_INDEX_ECC_EKTemplate}
+ nvindex=${TPM2_NV_INDEX_ECC_SECP384R1_HI_EKTemplate}
 fi
 nvindex_str="$(printf "0x%08x" ${nvindex})"
 
@@ -1554,7 +1569,7 @@ tpm2_create_ek_and_cert()
 return 1
 fi
 fi
- logit "Successfully created NVRAM area ${nvindex_str} for EK template."
+ logit "Successfully created NVRAM area ${nvindex_str} for $keytype EK template."
 fi
 rm -f "${EK_TEMP_FILE}"
 fi
@@ -1571,7 +1586,7 @@ tpm2_create_ek_and_cert()
 if [ $((flags & SETUP_TPM2_ECC_F)) -eq 0 ]; then
 nvindex=${TPM2_NV_INDEX_RSA_EKCert}
 else
- nvindex=${TPM2_NV_INDEX_ECC_EKCert}
+ nvindex=${TPM2_NV_INDEX_ECC_SECP384R1_HI_EKCert}
 fi
 nvindex_str="$(printf "0x%08x" ${nvindex})"
 
@@ -1579,7 +1594,7 @@ tpm2_create_ek_and_cert()
 "$(get_filesize "${EK_CERT_FILE}")"
 if [ $? -ne 0 ]; then
 logerr "Could not create NVRAM area ${nvindex_str}" \
- "for EK certificate."
+ "for $keytype EK certificate."
 return 1
 fi
 tpm2_nv_write ${nvindex} "${EK_CERT_FILE}"
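Review bot: The ECC-versus-RSA decision is now taken three times in tpm2_create_ek_and_cert — the new keytype/handle block at the top of this hunk, the template nvindex choice further down, and the certificate nvindex choice in the 1571 hunk — and the three branches must be kept in agreement by hand when the curve changes in the announced next step. Picking the template and certificate indices in the same `if` that sets keytype (for example `ek_template_nvindex=$TPM2_NV_INDEX_ECC_SECP384R1_HI_EKTemplate` and `ek_cert_nvindex=$TPM2_NV_INDEX_ECC_SECP384R1_HI_EKCert` in the ECC arm, the RSA counterparts in the other, with the later `nvindex=` lines reading those) leaves one place to update. The function starts before and ends after this hunk.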
@@ -1596,7 +1611,7 @@ tpm2_create_ek_and_cert()
 return 1
 fi
 fi
- logit "Successfully created NVRAM area ${nvindex_str} for EK certificate."
+ logit "Successfully created NVRAM area ${nvindex_str} for $keytype EK certificate."
 rm -f "${EK_CERT_FILE}"
 fi
 
@@ -1634,6 +1649,29 @@ tpm2_create_ek_and_cert()
 return 0
 }
 
+# Create RSA and ECC EKs and their certs
+# @param1: flags
+# @param2: configuration file
+# @param3: certificates directory
+# @param4: VM identifier
+tpm2_create_eks_and_certs()
+{
+ local flags="$1"
+ local config_file="$2"
+ local certs_dir="$3"
+ local vmid="$4"
+
+ # 1st key will be RSA
+ flags=$((flags & ~SETUP_TPM2_ECC_F))
+ tpm2_create_ek_and_cert "$flags" "$config_file" "$certsdir" "$vmid"
+ [ $? -ne 0 ] && return 1
+
+ # 2nd key will be an ECC; no more platform cert
+ flags=$(((flags & ~SETUP_PLATFORM_CERT_F) | SETUP_TPM2_ECC_F))
+ tpm2_create_ek_and_cert "$flags" "$config_file" "$certsdir" "$vmid"
+ return 0
+}
+
 # Create the platform key, either RSA or ECC
 #
 # @param1: flags
@@ -2027,7 +2065,7 @@ init_tpm2()
 "handle $(printf "0x%08x" ${TPM2_SPK_HANDLE})."
 fi
 
- tpm2_create_ek_and_cert "$flags" "$config_file" "$certsdir" "$vmid"
+ tpm2_create_eks_and_certs "$flags" "$config_file" "$certsdir" "$vmid"
 [ $? -ne 0 ] && return 1
 
 if [ "$pcr_banks" != "-" ]; then
@@ -2130,7 +2168,8 @@ The following options are supported:
 
 --tpm2 : Setup a TPM 2; by default a TPM 1.2 is setup.
 
---createek : Create the EK
+--createek : Create the EK; for a TPM 2 an RSA and ECC EK will be
+ created
 
 --allow-signing : Create an EK that can be used for signing; this option
 requires --tpm2.
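Review bot: In the new tpm2_create_eks_and_certs the status of the second tpm2_create_ek_and_cert call is discarded and the function returns 0 unconditionally, so a failure to create the ECC EK, its template or its certificate is reported as success to init_tpm2 in the 2027 hunk, which only checks the return value, leaving a TPM with just an RSA EK that nothing flags; adding the file's own idiom `[ $? -ne 0 ] && return 1` after the second call before `return 0` closes that. The function also declares `local certs_dir="$3"` but passes `"$certsdir"` on both calls, so the parameter is never used and the calls presumably only work because bash's dynamic scoping exposes the caller's certsdir; `local certsdir="$3"` makes the function self-contained. The second flags expression also clears SETUP_PLATFORM_CERT_F so the platform certificate is only produced with the RSA pass, which is worth a sentence in the header comment, currently limited to the parameter list.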
@@ -2139,7 +2178,8 @@ The following options are supported:
 this is the default unless --allow-signing is given;
 this option requires --tpm2.
 
---ecc : Create ECC keys rather than RSA keys; this requires --tpm2
+--ecc : This option allows to create a TPM 2's ECC key as storage
+ primary key; a TPM 2 always gets an RSA and an ECC EK key.
 
 --take-ownership : Take ownership; this option implies --createek --ownerpass