1 2/* 3 * Licensed Materials - Property of IBM 4 * 5 * trousers - An open source TCG Software Stack 6 * 7 * (C) Copyright International Business Machines Corp. 2004-2007 8 * 9 */ 10 11 12#include <stdlib.h> 13#include <stdio.h> 14#include <string.h> 15#include <time.h> 16#include <errno.h> 17 18#include "trousers/tss.h" 19#include "trousers/trousers.h" 20#include "trousers_types.h" 21#include "spi_utils.h" 22#include "capabilities.h" 23#include "tsplog.h" 24#include "obj.h" 25 26 27TSS_RESULT 28secret_TakeOwnership(TSS_HKEY hEndorsementPubKey, 29 TSS_HTPM hTPM, 30 TSS_HKEY hKeySRK, 31 TPM_AUTH * auth, 32 UINT32 * encOwnerAuthLength, 33 BYTE * encOwnerAuth, UINT32 * encSRKAuthLength, BYTE * encSRKAuth) 34{ 35 TSS_RESULT result; 36 UINT32 endorsementKeySize; 37 BYTE *endorsementKey; 38 TSS_KEY dummyKey; 39 UINT64 offset; 40 TCPA_SECRET ownerSecret; 41 TCPA_SECRET srkSecret; 42 TCPA_DIGEST digest; 43 TSS_HPOLICY hSrkPolicy; 44 TSS_HPOLICY hOwnerPolicy; 45 UINT32 srkKeyBlobLength; 46 BYTE *srkKeyBlob; 47 TSS_HCONTEXT tspContext; 48 UINT32 ownerMode, srkMode; 49 Trspi_HashCtx hashCtx; 50 51 52 if ((result = obj_tpm_get_tsp_context(hTPM, &tspContext))) 53 return result; 54 55 /************************************************* 56 * First, get the policy objects and check them for how 57 * to handle the secrets. If they cannot be found 58 * or there is an error, then we must fail 59 **************************************************/ 60 61 /* First get the Owner Policy */ 62 if ((result = obj_tpm_get_policy(hTPM, TSS_POLICY_USAGE, &hOwnerPolicy))) 63 return result; 64 65 /* Now get the SRK Policy */ 66 if ((result = obj_rsakey_get_policy(hKeySRK, TSS_POLICY_USAGE, &hSrkPolicy, NULL))) 67 return result; 68 69 if ((result = obj_policy_get_mode(hOwnerPolicy, &ownerMode))) 70 return result; 71 72 if ((result = obj_policy_get_mode(hSrkPolicy, &srkMode))) 73 return result; 74 75 /* If the policy callback's aren't the same, that's an error if one is callback */ 76 if (srkMode == TSS_SECRET_MODE_CALLBACK || ownerMode == TSS_SECRET_MODE_CALLBACK) { 77 if (srkMode != TSS_SECRET_MODE_CALLBACK || ownerMode != TSS_SECRET_MODE_CALLBACK) { 78 LogError("Policy callback modes for SRK policy and Owner policy differ."); 79 return TSPERR(TSS_E_BAD_PARAMETER); 80 } 81 } 82 83 if (ownerMode != TSS_SECRET_MODE_CALLBACK) { 84 /* First, get the Endorsement Public Key for Encrypting */ 85 if ((result = obj_rsakey_get_blob(hEndorsementPubKey, &endorsementKeySize, 86 &endorsementKey))) 87 return result; 88 89 /* now stick it in a Key Structure */ 90 offset = 0; 91 if ((result = UnloadBlob_TSS_KEY(&offset, endorsementKey, &dummyKey))) { 92 free_tspi(tspContext, endorsementKey); 93 return result; 94 } 95 free_tspi(tspContext, endorsementKey); 96 97 if ((result = obj_policy_get_secret(hOwnerPolicy, TR_SECRET_CTX_NEW, 98 &ownerSecret))) { 99 free(dummyKey.pubKey.key); 100 free(dummyKey.algorithmParms.parms); 101 return result; 102 } 103 104 if ((result = obj_policy_get_secret(hSrkPolicy, TR_SECRET_CTX_NEW, &srkSecret))) { 105 free(dummyKey.pubKey.key); 106 free(dummyKey.algorithmParms.parms); 107 return result; 108 } 109 110 /* Encrypt the Owner, SRK Authorizations */ 111 if ((result = Trspi_RSA_Encrypt(ownerSecret.authdata, 20, encOwnerAuth, 112 encOwnerAuthLength, dummyKey.pubKey.key, 113 dummyKey.pubKey.keyLength))) { 114 free(dummyKey.pubKey.key); 115 free(dummyKey.algorithmParms.parms); 116 return result; 117 } 118 119 if ((result = Trspi_RSA_Encrypt(srkSecret.authdata, 20, encSRKAuth, 120 encSRKAuthLength, dummyKey.pubKey.key, 121 dummyKey.pubKey.keyLength))) { 122 free(dummyKey.pubKey.key); 123 free(dummyKey.algorithmParms.parms); 124 return result; 125 } 126 127 free(dummyKey.pubKey.key); 128 free(dummyKey.algorithmParms.parms); 129 } else { 130 *encOwnerAuthLength = 256; 131 *encSRKAuthLength = 256; 132 if ((result = obj_policy_do_takeowner(hOwnerPolicy, hTPM, hEndorsementPubKey, 133 *encOwnerAuthLength, encOwnerAuth))) 134 return result; 135 } 136 137 if ((result = obj_rsakey_get_blob(hKeySRK, &srkKeyBlobLength, &srkKeyBlob))) 138 return result; 139 140 /* Authorizatin Digest Calculation */ 141 result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1); 142 result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_TakeOwnership); 143 result |= Trspi_Hash_UINT16(&hashCtx, TCPA_PID_OWNER); 144 result |= Trspi_Hash_UINT32(&hashCtx, *encOwnerAuthLength); 145 result |= Trspi_HashUpdate(&hashCtx, *encOwnerAuthLength, encOwnerAuth); 146 result |= Trspi_Hash_UINT32(&hashCtx, *encSRKAuthLength); 147 result |= Trspi_HashUpdate(&hashCtx, *encSRKAuthLength, encSRKAuth); 148 result |= Trspi_HashUpdate(&hashCtx, srkKeyBlobLength, srkKeyBlob); 149 free_tspi(tspContext, srkKeyBlob); 150 if ((result |= Trspi_HashFinal(&hashCtx, digest.digest))) 151 return result; 152 153 /* HMAC for the final digest */ 154 if ((result = secret_PerformAuth_OIAP(hTPM, TPM_ORD_TakeOwnership, hOwnerPolicy, FALSE, 155 &digest, auth))) 156 return result; 157 158 return TSS_SUCCESS; 159} 160 161#ifdef TSS_BUILD_TRANSPORT 162TSS_RESULT 163Transport_OwnerClear(TSS_HCONTEXT tspContext, /* in */ 164 TPM_AUTH * ownerAuth) /* in, out */ 165{ 166 TSS_RESULT result; 167 UINT32 handlesLen = 0; 168 169 if ((result = obj_context_transport_init(tspContext))) 170 return result; 171 172 LogDebugFn("Executing in a transport session"); 173 174 return obj_context_transport_execute(tspContext, TPM_ORD_OwnerClear, 0, NULL, NULL, 175 &handlesLen, NULL, ownerAuth, NULL, NULL, NULL); 176} 177 178TSS_RESULT 179Transport_ForceClear(TSS_HCONTEXT tspContext) /* in */ 180{ 181 TSS_RESULT result; 182 UINT32 handlesLen = 0; 183 184 if ((result = obj_context_transport_init(tspContext))) 185 return result; 186 187 LogDebugFn("Executing in a transport session"); 188 189 return obj_context_transport_execute(tspContext, TPM_ORD_ForceClear, 0, NULL, NULL, 190 &handlesLen, NULL, NULL, NULL, NULL, NULL); 191} 192#endif 193 194