Merge pull request #129 from tomoveu/add-keygen-example

Author: elms

.gitignore

@@ -38,7 +38,6 @@ examples/tls/tls_client
 examples/pkcs7/pkcs7
 examples/timestamp/signed_timestamp
 examples/pcr/quote
-examples/pcr/quote_paramenc
 examples/pcr/extend
 examples/pcr/reset
 examples/timestamp/clock_set

README.md

@@ -24,6 +24,7 @@ Portable TPM 2.0 project designed for embedded use.
 	* TLS Client
 	* TLS Server
 	* Benchmarking TPM algorithms and TLS
+* Parameter encryption support using AES-CFB or XOR. Supports salted unbound authenticated sessions.
 
 Note: See [examples/README.md](examples/README.md) for details on using the examples.
 
@@ -111,7 +112,7 @@ Mfg NTC (0), Vendor NPCT75x"!!4rls, Fw 7.2 (131072), FIPS 140-2 1, CC-EAL4 0
 git clone https://github.com/wolfSSL/wolfssl.git
 cd wolfssl
 ./autogen.sh
-./configure --enable-certgen --enable-certreq --enable-certext --enable-pkcs7 --enable-cryptocb
+./configure --enable-certgen --enable-certreq --enable-certext --enable-pkcs7 --enable-cryptocb --enable-aescfb
 make
 sudo make install
 sudo ldconfig
@@ -636,9 +637,11 @@ Connection: close
 
 ## Todo
 
-* Add support for SensitiveToPrivate inner and outer.
-* Add runtime support for detecting module type ST33, SLB9670 or ATTPM20.
 * Update to v1.59 of specification.
+* Add HMAC support for "authValue".
+* Add ECC encrypted salt.
+* Add bound auth session support.
+* Add multiple auth session (nonceTPMDecrypt and nonceTPMEncrypt) support.
 
 ## Support
 

examples/README.md

@@ -6,6 +6,8 @@ The examples create RSA and ECC keys in NV for testing using handles defined in
 
 The PKCS #7 and TLS examples require generating CSR's and signing them using a test script. See CSR and Certificate Signing below.
 
+To enable parameter encryption use `-aes` for AES-CFB mode or `-xor` for XOR mode. Only some TPM commands / responses support parameter encryption. If the TPM2_ API has .flags `CMD_FLAG_ENC2` or `CMD_FLAG_DEC2` set then the command will use parameter encryption / decryption.
+
 ## Native API Test
 
 Demonstrates calling native TPM2_* API's.
@@ -110,8 +112,8 @@ To use symmetric AES/Hashing/HMAC with the TPM define `WOLFTPM_USE_SYMMETRIC`.
 Generation of the Client and Server Certificates requires running:
 
 
-1. `./examples/keygen/keygen rsa_test_blob.raw RSA T`
-2. `./examples/keygen/keygen ecc_test_blob.raw ECC T`
+1. `./examples/keygen/keygen rsa_test_blob.raw -rsa -t`
+2. `./examples/keygen/keygen ecc_test_blob.raw -ecc -t`
 3. `./examples/csr/csr`
 4. `./certs/certreq.sh`
 5. Copy the CA files from wolfTPM to wolfSSL certs directory.
@@ -134,9 +136,9 @@ or
 `./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem -i -V`
 
 Then run the wolfTPM TLS client example:
-`./examples/tls/tls_client RSA`
+`./examples/tls/tls_client -rsa`
 or
-`./examples/tls/tls_client ECC`
+`./examples/tls/tls_client -ecc`
 
 
 ### TLS Server
@@ -146,9 +148,9 @@ This example shows using a TPM key and certificate for a TLS server.
 By default it listens on port 11111 and can be overridden at build-time using the `TLS_PORT` macro.
 
 Run the wolfTPM TLS server example:
-`./examples/tls/tls_server RSA`
+`./examples/tls/tls_server -rsa`
 or
-`./examples/tls/tls_server ECC`
+`./examples/tls/tls_server -ecc`
 
 Then run the wolfSSL example client this like:
 `./examples/client/client -h localhost -p 11111 -g -d`
@@ -179,7 +181,7 @@ This way the user can keep track of relative and current time using the TPM cloc
 
 Note: If the new time value makes a change bigger than the TPM clock update interval, then the TPM will first update its volatile register for time and then the non-volatile register for time. This may cause a narrow delay before the commands returns execution to the user. Depending on the TPM manufacturer, the delay can vary from us to few ms.
 
-Note: This example can take an optional argument, the time value in miliseconds used for incrementing the TPM clock. Default value is 50000ms (50 seconds).
+Note: This example can take an optional argument, the time value in milliseconds used for incrementing the TPM clock. Default value is 50000ms (50 seconds).
 
 `./examples/timestamp/clock_set`
 
@@ -194,7 +196,7 @@ Performance benchmarks.
 Examples for generating a TPM key blob and storing to disk, then loading from disk and loading into temporary TPM handle.
 
 ```
-$ ./examples/keygen/keygen keyblob.bin RSA
+$ ./examples/keygen/keygen keyblob.bin -rsa
 TPM2.0 Key generation example
 Loading SRK: Storage 0x81000200 (282 bytes)
 Creating new RSA key...
@@ -208,7 +210,7 @@ Reading 840 bytes from keyblob.bin
 Loaded key to 0x80000001
 
 
-$ ./examples/keygen/keygen keyblob.bin ECC
+$ ./examples/keygen/keygen keyblob.bin -ecc
 TPM2.0 Key generation example
 Loading SRK: Storage 0x81000200 (282 bytes)
 Creating new ECC key...
@@ -225,7 +227,7 @@ Loaded key to 0x80000001
 Example for importing a private key as TPM key blob and storing to disk, then loading from disk and loading into temporary TPM handle.
 
 ```
-$ ./examples/keygen/keyimport keyblob.bin RSA
+$ ./examples/keygen/keyimport keyblob.bin -rsa
 TPM2.0 Key import example
 Loading SRK: Storage 0x81000200 (282 bytes)
 Imported key (pub 278, priv 222 bytes)
@@ -238,7 +240,7 @@ Reading 840 bytes from keyblob.bin
 Loaded key to 0x80000001
 
 
-$ ./examples/keygen/keyimport keyblob.bin ECC
+$ ./examples/keygen/keyimport keyblob.bin -ecc
 TPM2.0 Key Import example
 Loading SRK: Storage 0x81000200 (282 bytes)
 Imported key (pub 86, priv 126 bytes)

examples/bench/bench.c

@@ -157,7 +157,7 @@ static int bench_sym_aes(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* storageKey,
 
     XMEMSET(&aesKey, 0, sizeof(aesKey));
     rc = wolfTPM2_GetKeyTemplate_Symmetric(&publicTemplate, keyBits, algo,
-        NO, YES);
+        YES, YES);
     if (rc != 0) goto exit;
     rc = wolfTPM2_CreateAndLoadKey(dev, &aesKey, &storageKey->handle,
         &publicTemplate, (byte*)gUsageAuth, sizeof(gUsageAuth)-1);
@@ -181,11 +181,22 @@ static int bench_sym_aes(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* storageKey,
     return rc;
 }
 
+static void usage(void)
+{
+    printf("Expected usage:\n");
+    printf("./examples/bench/bench [-aes/xor]\n");
+    printf("* -aes/xor: Use Parameter Encryption\n");   
+}
+
 /******************************************************************************/
 /* --- BEGIN Bench Wrapper -- */
 /******************************************************************************/
-
 int TPM2_Wrapper_Bench(void* userCtx)
+{
+    return TPM2_Wrapper_BenchArgs(userCtx, 0, NULL);
+}
+
+int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[])
 {
     int rc;
     WOLFTPM2_DEV dev;
@@ -199,20 +210,58 @@ int TPM2_Wrapper_Bench(void* userCtx)
     TPM2B_ECC_POINT pubPoint;
     double start;
     int count;
+    TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
+    WOLFTPM2_SESSION tpmSession;
+
+    if (argc >= 2) {
+        if (XSTRNCMP(argv[1], "-?", 2) == 0 ||
+            XSTRNCMP(argv[1], "-h", 2) == 0 ||
+            XSTRNCMP(argv[1], "--help", 6) == 0) {
+            usage();
+            return 0;
+        }
+    }
+    while (argc > 1) {
+        if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
+            paramEncAlg = TPM_ALG_CFB;
+        }
+        if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
+            paramEncAlg = TPM_ALG_XOR;
+        }
+        argc--;
+    }
 
-    printf("TPM2 Benchmark using Wrapper API's\n");
+    XMEMSET(&storageKey, 0, sizeof(storageKey));
+    XMEMSET(&eccKey, 0, sizeof(eccKey));
+    XMEMSET(&rsaKey, 0, sizeof(rsaKey));
+    XMEMSET(&tpmSession, 0, sizeof(tpmSession));
 
 
+    printf("TPM2 Benchmark using Wrapper API's\n");
+    printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
+
     /* Init the TPM2 device */
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
     if (rc != 0) return rc;
 
     /* See if primary storage key already exists */
-    rc = getPrimaryStoragekey(&dev,
-                              &storageKey,
-                              &publicTemplate);
+    rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA);
     if (rc != 0) goto exit;
 
+    if (paramEncAlg != TPM_ALG_NULL) {
+        /* Start an authenticated session (salted / unbound) with parameter encryption */
+        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
+            TPM_SE_HMAC, paramEncAlg);
+        if (rc != 0) goto exit;
+        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
+            (word32)tpmSession.handle.hndl);
+
+        /* set session for authorization of the storage key */
+        rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, 
+            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
+        if (rc != 0) goto exit;
+    }
+
     /* RNG Benchmark */
     bench_stats_start(&count, &start);
     do {
@@ -423,6 +472,7 @@ int TPM2_Wrapper_Bench(void* userCtx)
 
     wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
     wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
+    wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
 
     wolfTPM2_Cleanup(&dev);
 
@@ -436,12 +486,12 @@ int TPM2_Wrapper_Bench(void* userCtx)
 #endif /* !WOLFTPM2_NO_WRAPPER && !NO_TPM_BENCH */
 
 #ifndef NO_MAIN_DRIVER
-int main(void)
+int main(int argc, char *argv[])
 {
     int rc = -1;
 
 #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(NO_TPM_BENCH)
-    rc = TPM2_Wrapper_Bench(NULL);
+    rc = TPM2_Wrapper_BenchArgs(NULL, argc, argv);
 #else
     printf("Wrapper code not compiled in\n");
 #endif

examples/bench/bench.h

@@ -26,6 +26,7 @@
     extern "C" {
 #endif
 
+int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]);
 int TPM2_Wrapper_Bench(void* userCtx);
 
 #ifdef __cplusplus

examples/csr/csr.c

@@ -138,6 +138,10 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int key_type, void* wolfKey,
 }
 
 int TPM2_CSR_Example(void* userCtx)
+{
+    return TPM2_CSR_ExampleArgs(userCtx, 0, NULL);
+}
+int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[])
 {
     int rc;
     WOLFTPM2_DEV dev;
@@ -150,12 +154,14 @@ int TPM2_CSR_Example(void* userCtx)
     WOLFTPM2_KEY eccKey;
     ecc_key wolfEccKey;
 #endif
-    TPMT_PUBLIC publicTemplate;
     TpmCryptoDevCtx tpmCtx;
     int tpmDevId;
 
     printf("TPM2 CSR Example\n");
 
+    (void)argc;
+    (void)argv;
+
     /* Init the TPM2 device */
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
     if (rc != 0) return rc;
@@ -174,21 +180,16 @@ int TPM2_CSR_Example(void* userCtx)
     if (rc != 0) goto exit;
 
     /* See if primary storage key already exists */
-    rc = getPrimaryStoragekey(&dev,
-                              &storageKey,
-                              &publicTemplate);
+    rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA);
     if (rc != 0) goto exit;
 
-    storageKey.handle.auth.size = sizeof(gStorageKeyAuth)-1;
-    XMEMCPY(storageKey.handle.auth.buffer, gStorageKeyAuth,
-            storageKey.handle.auth.size);
-
 #ifndef NO_RSA
     rc = getRSAkey(&dev,
                    &storageKey,
                    &rsaKey,
                    &wolfRsaKey,
-                   tpmDevId);
+                   tpmDevId,
+                   (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
     if (rc != 0) goto exit;
 
     rc = TPM2_CSR_Generate(&dev, RSA_TYPE, &wolfRsaKey, gClientCertRsaFile);
@@ -201,7 +202,8 @@ int TPM2_CSR_Example(void* userCtx)
                     &storageKey,
                     &eccKey,
                     &wolfEccKey,
-                    tpmDevId);
+                    tpmDevId, 
+                    (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
     if (rc != 0) goto exit;
 
     rc = TPM2_CSR_Generate(&dev, ECC_TYPE, &wolfEccKey, gClientCertEccFile);
@@ -238,15 +240,18 @@ int TPM2_CSR_Example(void* userCtx)
 #endif /* !WOLFTPM2_NO_WRAPPER && WOLFSSL_CERT_REQ && WOLF_CRYPTO_DEV */
 
 #ifndef NO_MAIN_DRIVER
-int main(void)
+int main(int argc, char *argv[])
 {
     int rc = -1;
 
 #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
     defined(WOLFSSL_CERT_REQ) && \
     (defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
-    rc = TPM2_CSR_Example(NULL);
+    rc = TPM2_CSR_ExampleArgs(NULL, argc, argv);
 #else
+    (void)argc;
+    (void)argv;
+
     printf("Wrapper/CertReq/CryptoDev code not compiled in\n");
     printf("Build wolfssl with ./configure --enable-certgen --enable-certreq --enable-certext --enable-cryptocb\n");
 #endif

examples/csr/csr.h

@@ -27,6 +27,7 @@
 #endif
 
 int TPM2_CSR_Example(void* userCtx);
+int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[]);
 
 #ifdef __cplusplus
     }  /* extern "C" */

examples/keygen/include.am

@@ -6,7 +6,7 @@ noinst_HEADERS += examples/keygen/keygen.h
 
 bin_PROGRAMS += examples/keygen/keyload
 examples_keygen_keyload_SOURCES      = examples/keygen/keyload.c \
-                                      examples/tpm_test_keys.c \
+                                       examples/tpm_test_keys.c \
                                        examples/tpm_io.c
 examples_keygen_keyload_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
 examples_keygen_keyload_DEPENDENCIES = src/libwolftpm.la
@@ -20,6 +20,7 @@ examples_keygen_keygen_DEPENDENCIES = src/libwolftpm.la
 
 bin_PROGRAMS += examples/keygen/keyimport
 examples_keygen_keyimport_SOURCES      = examples/keygen/keyimport.c \
+                                         examples/tpm_test_keys.c \
                                          examples/tpm_io.c
 examples_keygen_keyimport_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
 examples_keygen_keyimport_DEPENDENCIES = src/libwolftpm.la