vTPM/TPM2: Support TPM 2.0 bind and unbind data

Bind data with TPM2_RSA_Encrypt, which performs RSA encryption using
the indicated padding scheme according to PKCS#1v2.1(PKCS#1). If the
scheme of keyHandle is TPM_ALG_NULL, then the caller may use inScheme
to specify the padding scheme.
Unbind data with TPM2_RSA_Decrypt, which performs RSA decryption using
the indicated padding scheme according to PKCS#1v2.1(PKCS#1).

Signed-off-by: Quan Xu <quan.xu@intel.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

diff --git a/vtpmmgr/disk_tpm.c b/vtpmmgr/disk_tpm.c
index d650fbca09d4fe2081e6ca075ee52f0bc98034de..45a326ade0816719c5a976074c3b3e30cda83e0b 100644 (file)
--- a/vtpmmgr/disk_tpm.c
+++ b/vtpmmgr/disk_tpm.c
@@ -12,17 +12,20 @@
 #include <polarssl/sha1.h>
 
 #include "tpm.h"
+#include "tpm2.h"
 #include "tcg.h"
 
 #include "vtpmmgr.h"
 #include "vtpm_disk.h"
 #include "disk_tpm.h"
 
+#include "log.h"
 // Print out input/output of seal/unseal operations (includes keys)
 #undef DEBUG_SEAL_OPS
 
 #ifdef DEBUG_SEAL_OPS
 #include "marshal.h"
+#include "tpm2_marshal.h"
 #endif
 
 struct pcr_list {
@@ -31,11 +34,16 @@ struct pcr_list {
 
 static struct pcr_list hwtpm;
 
+/*Ignore PCR on TPM 2.0, read PCR values for TPM 1.x seal | unseal*/
 void TPM_read_pcrs(void)
 {
        int i;
-       for(i=0; i < 24; i++)
-               TPM_PCR_Read(i, &hwtpm.pcrs[i]);
+       for (i=0; i < 24; i++) {
+        if (hw_is_tpm2())
+            tpm2_pcr_read(i, (uint8_t *)&hwtpm.pcrs[i]);
+        else
+                   TPM_PCR_Read(i, &hwtpm.pcrs[i]);
+    }
 }
 
 struct pcr_composite_3 {
@@ -138,6 +146,36 @@ int TPM_disk_seal(struct disk_seal_entry *dst, const void* src, size_t size)
        return rc;
 }
 
+TPM_RC TPM2_disk_bind(struct disk_seal_entry *dst, void* src, unsigned int size)
+{
+    TPM_RESULT status = TPM_SUCCESS;
+
+    TPMTRYRETURN(TPM2_Bind(vtpm_globals.sk_handle,
+                           src,
+                           size,
+                           dst->sealed_data));
+
+abort_egress:
+egress:
+   return status;
+}
+
+TPM_RC TPM2_disk_unbind(void *dst, unsigned int *size, const struct disk_seal_entry *src)
+{
+    TPM_RESULT status = TPM_SUCCESS;
+    unsigned char buf[RSA_CIPHER_SIZE];
+
+    memcpy(buf, src->sealed_data, RSA_CIPHER_SIZE);
+    TPMTRYRETURN(TPM2_UnBind(vtpm_globals.sk_handle,
+                             RSA_CIPHER_SIZE,
+                             buf,
+                             size,
+                             dst));
+abort_egress:
+egress:
+   return status;
+}
+
 int TPM_disk_unseal(void *dst, size_t size, const struct disk_seal_entry *src)
 {
        uint32_t rc;

diff --git a/vtpmmgr/disk_tpm.h b/vtpmmgr/disk_tpm.h
index b23589566372b5337bbae5070e5138b59cc5ef26..57ae2a6321fc766e873a75f070020da4f8ef0bac 100644 (file)
--- a/vtpmmgr/disk_tpm.h
+++ b/vtpmmgr/disk_tpm.h
@@ -10,6 +10,10 @@ void TPM_pcr_digest(struct hash160 *buf, le32_t selection);
 int TPM_disk_seal(struct disk_seal_entry *dst, const void* src, size_t size);
 int TPM_disk_unseal(void *dst, size_t size, const struct disk_seal_entry *src);
 
+/*TPM 2.0 Bind and Unbind */
+TPM_RC TPM2_disk_bind(struct disk_seal_entry *dst, void* src, unsigned int size);
+TPM_RC TPM2_disk_unbind(void *dst, unsigned int *size, const struct disk_seal_entry *src);
+
 /* NVRAM to allow revocation of TM-KEY */
 int TPM_disk_nvalloc(be32_t *nvram_slot, struct tpm_authdata auth);
 int TPM_disk_nvread(void *buf, size_t bufsiz, be32_t nvram_slot, struct tpm_authdata auth);