Added parameter encryption support to more examples. Fix to not set "encrypt" or "decrypt" if command doesn't allow it. Updated documentation.

Author: dgarske

.gitignore

@@ -38,7 +38,6 @@ examples/tls/tls_client
 examples/pkcs7/pkcs7
 examples/timestamp/signed_timestamp
 examples/pcr/quote
-examples/pcr/quote_paramenc
 examples/pcr/extend
 examples/pcr/reset
 examples/timestamp/clock_set
@@ -51,8 +50,6 @@ tests/unit.test
 examples/keygen/keyload
 examples/keygen/keygen
 examples/keygen/keyimport
-examples/keygen/keygen_paramenc
-examples/keygen/keyload_paramenc
 
 # Generated Cert Files
 certs/ca-*.pem

README.md

@@ -24,6 +24,7 @@ Portable TPM 2.0 project designed for embedded use.
 	* TLS Client
 	* TLS Server
 	* Benchmarking TPM algorithms and TLS
+* Parameter encryption support using AES-CFB or XOR. Supports salted unbound authenticated sessions.
 
 Note: See [examples/README.md](examples/README.md) for details on using the examples.
 
@@ -637,6 +638,10 @@ Connection: close
 ## Todo
 
 * Update to v1.59 of specification.
+* Add HMAC support for "authValue".
+* Add ECC encrypted salt.
+* Add bound auth session support.
+* Add multiple auth session (nonceTPMDecrypt and nonceTPMEncrypt) support.
 
 ## Support
 

examples/README.md

@@ -6,6 +6,8 @@ The examples create RSA and ECC keys in NV for testing using handles defined in
 
 The PKCS #7 and TLS examples require generating CSR's and signing them using a test script. See CSR and Certificate Signing below.
 
+To enable parameter encryption use `-aes` for AES-CFB mode or `-xor` for XOR mode. Only some TPM commands / responses support parameter encryption. If the TPM2_ API has .flags `CMD_FLAG_ENC2` or `CMD_FLAG_DEC2` set then the command will use parameter encryption / decryption.
+
 ## Native API Test
 
 Demonstrates calling native TPM2_* API's.
@@ -110,8 +112,8 @@ To use symmetric AES/Hashing/HMAC with the TPM define `WOLFTPM_USE_SYMMETRIC`.
 Generation of the Client and Server Certificates requires running:
 
 
-1. `./examples/keygen/keygen rsa_test_blob.raw -RSA -T`
-2. `./examples/keygen/keygen ecc_test_blob.raw -ECC -T`
+1. `./examples/keygen/keygen rsa_test_blob.raw -rsa -t`
+2. `./examples/keygen/keygen ecc_test_blob.raw -ecc -t`
 3. `./examples/csr/csr`
 4. `./certs/certreq.sh`
 5. Copy the CA files from wolfTPM to wolfSSL certs directory.
@@ -134,9 +136,9 @@ or
 `./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem -i -V`
 
 Then run the wolfTPM TLS client example:
-`./examples/tls/tls_client RSA`
+`./examples/tls/tls_client -rsa`
 or
-`./examples/tls/tls_client ECC`
+`./examples/tls/tls_client -ecc`
 
 
 ### TLS Server
@@ -146,9 +148,9 @@ This example shows using a TPM key and certificate for a TLS server.
 By default it listens on port 11111 and can be overridden at build-time using the `TLS_PORT` macro.
 
 Run the wolfTPM TLS server example:
-`./examples/tls/tls_server RSA`
+`./examples/tls/tls_server -rsa`
 or
-`./examples/tls/tls_server ECC`
+`./examples/tls/tls_server -ecc`
 
 Then run the wolfSSL example client this like:
 `./examples/client/client -h localhost -p 11111 -g -d`
@@ -194,7 +196,7 @@ Performance benchmarks.
 Examples for generating a TPM key blob and storing to disk, then loading from disk and loading into temporary TPM handle.
 
 ```
-$ ./examples/keygen/keygen keyblob.bin -RSA
+$ ./examples/keygen/keygen keyblob.bin -rsa
 TPM2.0 Key generation example
 Loading SRK: Storage 0x81000200 (282 bytes)
 Creating new RSA key...
@@ -208,7 +210,7 @@ Reading 840 bytes from keyblob.bin
 Loaded key to 0x80000001
 
 
-$ ./examples/keygen/keygen keyblob.bin -ECC
+$ ./examples/keygen/keygen keyblob.bin -ecc
 TPM2.0 Key generation example
 Loading SRK: Storage 0x81000200 (282 bytes)
 Creating new ECC key...
@@ -225,7 +227,7 @@ Loaded key to 0x80000001
 Example for importing a private key as TPM key blob and storing to disk, then loading from disk and loading into temporary TPM handle.
 
 ```
-$ ./examples/keygen/keyimport keyblob.bin -RSA
+$ ./examples/keygen/keyimport keyblob.bin -rsa
 TPM2.0 Key import example
 Loading SRK: Storage 0x81000200 (282 bytes)
 Imported key (pub 278, priv 222 bytes)
@@ -238,7 +240,7 @@ Reading 840 bytes from keyblob.bin
 Loaded key to 0x80000001
 
 
-$ ./examples/keygen/keyimport keyblob.bin -ECC
+$ ./examples/keygen/keyimport keyblob.bin -ecc
 TPM2.0 Key Import example
 Loading SRK: Storage 0x81000200 (282 bytes)
 Imported key (pub 86, priv 126 bytes)

examples/bench/bench.c

@@ -181,11 +181,22 @@ static int bench_sym_aes(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* storageKey,
     return rc;
 }
 
+static void usage(void)
+{
+    printf("Expected usage:\n");
+    printf("./examples/bench/bench [-aes/xor]\n");
+    printf("* -aes/xor: Use Parameter Encryption\n");   
+}
+
 /******************************************************************************/
 /* --- BEGIN Bench Wrapper -- */
 /******************************************************************************/
+int TPM2_Wrapper_Bench(void* userCtx)
+{
+    return TPM2_Wrapper_BenchArgs(userCtx, 0, NULL);
+}
 
-int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[])
+int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[])
 {
     int rc;
     WOLFTPM2_DEV dev;
@@ -199,11 +210,35 @@ int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[])
     TPM2B_ECC_POINT pubPoint;
     double start;
     int count;
+    TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
+    WOLFTPM2_SESSION tpmSession;
+
+    if (argc >= 2) {
+        if (XSTRNCMP(argv[1], "-?", 2) == 0 ||
+            XSTRNCMP(argv[1], "-h", 2) == 0 ||
+            XSTRNCMP(argv[1], "--help", 6) == 0) {
+            usage();
+            return 0;
+        }
+    }
+    while (argc > 1) {
+        if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
+            paramEncAlg = TPM_ALG_CFB;
+        }
+        if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
+            paramEncAlg = TPM_ALG_XOR;
+        }
+        argc--;
+    }
 
-    printf("TPM2 Benchmark using Wrapper API's\n");
+    XMEMSET(&storageKey, 0, sizeof(storageKey));
+    XMEMSET(&eccKey, 0, sizeof(eccKey));
+    XMEMSET(&rsaKey, 0, sizeof(rsaKey));
+    XMEMSET(&tpmSession, 0, sizeof(tpmSession));
 
-    (void)argc;
-    (void)argv;
+
+    printf("TPM2 Benchmark using Wrapper API's\n");
+    printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
 
     /* Init the TPM2 device */
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
@@ -213,6 +248,20 @@ int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[])
     rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA);
     if (rc != 0) goto exit;
 
+    if (paramEncAlg != TPM_ALG_NULL) {
+        /* Start an authenticated session (salted / unbound) with parameter encryption */
+        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
+            TPM_SE_HMAC, paramEncAlg);
+        if (rc != 0) goto exit;
+        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
+            (word32)tpmSession.handle.hndl);
+
+        /* set session for authorization of the storage key */
+        rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, 
+            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
+        if (rc != 0) goto exit;
+    }
+
     /* RNG Benchmark */
     bench_stats_start(&count, &start);
     do {
@@ -423,6 +472,7 @@ int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[])
 
     wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
     wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
+    wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
 
     wolfTPM2_Cleanup(&dev);
 
@@ -441,7 +491,7 @@ int main(int argc, char *argv[])
     int rc = -1;
 
 #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(NO_TPM_BENCH)
-    rc = TPM2_Wrapper_Bench(NULL, argc, argv);
+    rc = TPM2_Wrapper_BenchArgs(NULL, argc, argv);
 #else
     printf("Wrapper code not compiled in\n");
 #endif

examples/bench/bench.h

@@ -26,7 +26,8 @@
     extern "C" {
 #endif
 
-int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[]);
+int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]);
+int TPM2_Wrapper_Bench(void* userCtx);
 
 #ifdef __cplusplus
     }  /* extern "C" */

examples/csr/csr.c

@@ -137,7 +137,11 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int key_type, void* wolfKey,
     return rc;
 }
 
-int TPM2_CSR_Example(void* userCtx, int argc, char *argv[])
+int TPM2_CSR_Example(void* userCtx)
+{
+    return TPM2_CSR_ExampleArgs(userCtx, 0, NULL);
+}
+int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[])
 {
     int rc;
     WOLFTPM2_DEV dev;
@@ -243,7 +247,7 @@ int main(int argc, char *argv[])
 #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
     defined(WOLFSSL_CERT_REQ) && \
     (defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
-    rc = TPM2_CSR_Example(NULL, argc, argv);
+    rc = TPM2_CSR_ExampleArgs(NULL, argc, argv);
 #else
     (void)argc;
     (void)argv;

examples/csr/csr.h

@@ -26,7 +26,8 @@
     extern "C" {
 #endif
 
-int TPM2_CSR_Example(void* userCtx, int argc, char *argv[]);
+int TPM2_CSR_Example(void* userCtx);
+int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[]);
 
 #ifdef __cplusplus
     }  /* extern "C" */

examples/keygen/keygen.c

@@ -37,9 +37,10 @@
 static void usage(void)
 {
     printf("Expected usage:\n");
-    printf("keygen [keyblob.bin] [-ECC/-RSA] [-T] [-e]\n");
-    printf("-T: Use default template (otherwise AIK)\n");
-    printf("-e: Use Parameter Encryption\n");
+    printf("./examples/keygen/keygen [keyblob.bin] [-ecc/-rsa] [-t] [-aes/xor]\n");
+    printf("* -ecc: Use RSA or ECC for keys\n");
+    printf("* -t: Use default template (otherwise AIK)\n");
+    printf("* -aes/xor: Use Parameter Encryption\n");
 }
 
 int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
@@ -50,7 +51,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
     WOLFTPM2_KEYBLOB newKey;
     TPMT_PUBLIC publicTemplate;
     TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* TPM_ALG_ECC */
-    int useParamEnc = 0;
+    TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
     WOLFTPM2_SESSION tpmSession;
     TPM2B_AUTH auth;
     int bAIK = 1;
@@ -71,14 +72,17 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
             outputFile = argv[1];
     }
     while (argc > 1) {
-        if (XSTRNCMP(argv[argc-1], "-ECC", 4) == 0) {
+        if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) {
             alg = TPM_ALG_ECC;
         }
-        if (XSTRNCMP(argv[argc-1], "-T", 2) == 0) {
+        if (XSTRNCMP(argv[argc-1], "-t", 2) == 0) {
             bAIK = 0;
         }
-        if (XSTRNCMP(argv[argc-1], "-e", 2) == 0) {
-            useParamEnc = 1;
+        if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
+            paramEncAlg = TPM_ALG_CFB;
+        }
+        if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
+            paramEncAlg = TPM_ALG_XOR;
         }
         argc--;
     }
@@ -92,7 +96,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
     printf("\tKey Blob: %s\n", outputFile);
     printf("\tAlgorithm: %s\n", TPM2_GetAlgName(alg));
     printf("\tTemplate: %s\n", bAIK ? "AIK" : "Default");
-    printf("\tUse Parameter Encryption: %d\n", useParamEnc);
+    printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
 
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
     if (rc != TPM_RC_SUCCESS) {
@@ -104,10 +108,10 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
     rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA);
     if (rc != 0) goto exit;
 
-    if (useParamEnc) {
-        /* Start an authenticated session (salted / unbound with AES CFB parameter encryption) */
+    if (paramEncAlg != TPM_ALG_NULL) {
+        /* Start an authenticated session (salted / unbound) with parameter encryption */
         rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
-            TPM_SE_POLICY, TPM_ALG_CFB);
+            TPM_SE_HMAC, paramEncAlg);
         if (rc != 0) goto exit;
         printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
             (word32)tpmSession.handle.hndl);

examples/keygen/keygen.h

@@ -29,8 +29,6 @@
 int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]);
 int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[]);
 int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]);
-int TPM2_Keygen_ParamEnc_Example(void* userCtx, int argc, char *argv[]);
-int TPM2_Keyload_ParamEnc_Example(void* userCtx, int argc, char *argv[]);
 
 #ifdef __cplusplus
     }  /* extern "C" */