vTPM/TPM2: TPM 2.0 takes ownership and create SRK

TPM2_CreatePrimary is used to create a Primary Object under one of
the Primary Seeds or a Temporary Object under TPM_RH_NULL. The command
uses a TPM2B_PUBLIC as a template for the object to be created. The
command will create and load a Primary Object. The sensitive area is
not returned. Any type of object and attributes combination that is
allowed by TPM2_Create() may be created by this command. The constraints
on templates and parameters are the same as TPM2_Create() except that a
Primary Storage Key and a Temporary Storage Key are not constrained to
use the algorithms of their parents.

Signed-off-by: Quan Xu <quan.xu@intel.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

diff --git a/vtpmmgr/init.c b/vtpmmgr/init.c
index f3aa02f21cc17e7db3083bc009ddf4f538090a42..c6540718bd84ac7c8b91665284e9e0cf3a951e8a 100644 (file)
--- a/vtpmmgr/init.c
+++ b/vtpmmgr/init.c
@@ -51,6 +51,7 @@
 #include "vtpm_disk.h"
 #include "tpm.h"
 #include "marshal.h"
+#include "tpm2.h"
 
 struct Opts {
    enum {
@@ -509,3 +510,73 @@ void vtpmmgr_shutdown(void)
 
    vtpmloginfo(VTPM_LOG_VTPM, "VTPM Manager stopped.\n");
 }
+
+/* TPM 2.0 */
+
+static void tpm2_AuthArea_ctor(const char *authValue, UINT32 authLen,
+                               TPM_AuthArea *auth)
+{
+    auth->sessionHandle = TPM_RS_PW;
+    auth->nonce.size = 0;
+    auth->sessionAttributes = 1;
+    auth->auth.size = authLen;
+    memcpy(auth->auth.buffer, authValue, authLen);
+    auth->size = 9 + authLen;
+}
+
+TPM_RC tpm2_take_ownership(void)
+{
+    TPM_RC status = TPM_SUCCESS;
+
+    tpm2_AuthArea_ctor(NULL, 0, &vtpm_globals.pw_auth);
+
+    /* create SRK */
+    TPM2_CreatePrimary_Params_in in = {
+        .inSensitive = {
+            .size = 4,
+            .sensitive = {
+                .userAuth.size = 0,
+                .userAuth.buffer = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\
+                                     0, 0, 0, 0, 0, 0, 0, 0, 0, 0 },
+                .data.size = 0,
+            },
+        },
+        .inPublic = {
+            .size = 60,
+            .publicArea = {
+                .type = TPM2_ALG_RSA,
+                .nameAlg = TPM2_ALG_SHA256,
+#define SRK_OBJ_ATTR (fixedTPM | fixedParent  | userWithAuth | \
+                      sensitiveDataOrigin | restricted | decrypt)
+                .objectAttributes = SRK_OBJ_ATTR,
+                .authPolicy.size = 0,
+                .parameters.rsaDetail = {
+                    .symmetric = {
+                    .algorithm = TPM2_ALG_AES,
+                    .keyBits.aes = AES_KEY_SIZES_BITS,
+                    .mode.aes = TPM2_ALG_CFB,
+                    },
+                .scheme = { TPM2_ALG_NULL },
+                .keyBits = RSA_KEY_SIZES_BITS,
+                .exponent = 0,
+                },
+                .unique.rsa.size = 0,
+            },
+        },
+            .outsideInfo.size = 0,
+            .creationPCR.count = 0,
+    };
+
+    TPMTRYRETURN(TPM2_CreatePrimary(TPM_RH_OWNER,&in,
+                                    &vtpm_globals.srk_handle, NULL));
+    vtpmloginfo(VTPM_LOG_VTPM, "SRK handle: 0x%X\n", vtpm_globals.srk_handle);
+    {
+        const char data[20] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\
+                                0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
+        tpm2_AuthArea_ctor(data, 20, &vtpm_globals.srk_auth_area);
+    }
+    /*end create SRK*/
+
+abort_egress:
+    return status;
+}

diff --git a/vtpmmgr/vtpmmgr.h b/vtpmmgr/vtpmmgr.h
index 0d0c604eaaf414a055812867dc36ff4e4a98e3bb..95519baef4c44ffccb49aac33a61197d79641777 100644 (file)
--- a/vtpmmgr/vtpmmgr.h
+++ b/vtpmmgr/vtpmmgr.h
@@ -93,4 +93,7 @@ inline TPM_RESULT vtpmmgr_rand(unsigned char* bytes, size_t num_bytes) {
    return ctr_drbg_random(&vtpm_globals.ctr_drbg, bytes, num_bytes) == 0 ? 0 : TPM_FAIL;
 }
 
+/* TPM 2.0 */
+TPM_RC tpm2_take_ownership(void);
+
 #endif