| /* SPDX-License-Identifier: BSD-2-Clause */ |
| /******************************************************************************* |
| * Copyright 2018-2019, Fraunhofer SIT sponsored by Infineon Technologies AG |
| * All rights reserved. |
| ******************************************************************************/ |
| #ifndef FAPI_INT_H |
| #define FAPI_INT_H |
| |
| #include "fapi_types.h" |
| #include "ifapi_policy_types.h" |
| #include "ifapi_policy_instantiate.h" |
| #include "ifapi_eventlog.h" |
| #include "ifapi_io.h" |
| #include "ifapi_profiles.h" |
| #include "ifapi_macros.h" |
| #include "ifapi_keystore.h" |
| #include "ifapi_policy_store.h" |
| #include "ifapi_config.h" |
| |
| #include <stdlib.h> |
| #include <stdint.h> |
| #include <unistd.h> |
| #include <string.h> |
| #include <inttypes.h> |
| #include <stdarg.h> |
| #include <stdbool.h> |
| #include <sys/stat.h> |
| #include <stdio.h> |
| #include <errno.h> |
| #include <fcntl.h> |
| #include <json-c/json.h> |
| #include <poll.h> |
| |
| #include "tss2_esys.h" |
| #include "tss2_fapi.h" |
| |
| #define DEFAULT_LOG_DIR "/run/tpm2_tss" |
| #define IFAPI_PCR_LOG_FILE "pcr.log" |
| #define IFAPI_OBJECT_TYPE ".json" |
| #define IFAPI_OBJECT_FILE "object.json" |
| #define IFAPI_SRK_KEY_PATH "HS/SRK" |
| |
| typedef UINT32 TSS2_KEY_TYPE; |
| #define TSS2_SRK 2 |
| #define TSS2_EK 3 |
| #define MIN_EK_CERT_HANDLE 0x1c00000 |
| #define MIN_PLATFORM_CERT_HANDLE 0x01C08000 |
| #define MAX_PLATFORM_CERT_HANDLE 0x01C0FFFF |
| |
| typedef UINT8 IFAPI_SESSION_TYPE; |
| #define IFAPI_SESSION_GENEK 0x01 |
| #define IFAPI_SESSION1 0x02 |
| #define IFAPI_SESSION2 0x04 |
| |
| #define IFAPI_POLICY_PATH "policy" |
| #define IFAPI_NV_PATH "nv" |
| #define IFAPI_EXT_PATH "ext" |
| #define IFAPI_FILE_DELIM "/" |
| #define IFAPI_LIST_DELIM ":" |
| #define IFAPI_FILE_DELIM_CHAR '/' |
| #define IFAPI_PUB_KEY_DIR "ext" |
| #define IFAPI_POLICY_DIR "policy" |
| #define IFAPI_PEM_PUBLIC_STRING "-----BEGIN PUBLIC KEY-----" |
| #define IFAPI_PEM_PRIVATE_KEY "-----PRIVATE KEY-----" |
| #define IFAPI_JSON_TAG_POLICY "policy" |
| #define IFAPI_JSON_TAG_DUPLICATE "public_parent" |
| |
| |
| #if TPM2_MAX_NV_BUFFER_SIZE > TPM2_MAX_DIGEST_BUFFER |
| #define IFAPI_MAX_BUFFER_SIZE TPM2_MAX_NV_BUFFER_SIZE |
| #else |
| #define IFAPI_MAX_BUFFER_SIZE TPM2_MAX_DIGEST_BUFFER |
| #endif |
| |
| #define IFAPI_FLUSH_PARENT true |
| #define IFAPI_NOT_FLUSH_PARENT false |
| |
| /* Definition of FAPI buffer for TPM2B transmission */ |
| typedef struct { |
| UINT16 size; |
| BYTE buffer[IFAPI_MAX_BUFFER_SIZE]; |
| } IFAPI_MAX_BUFFER; |
| |
| #define OSSL_FREE(S,TYPE) if((S) != NULL) {TYPE##_free((void*) (S)); (S)=NULL;} |
| |
| |
| #define FAPI_COPY_DIGEST(dest_buffer, dest_size, src, src_size) \ |
| if (src_size > sizeof(TPMU_HA)) { \ |
| return_error(TSS2_FAPI_RC_BAD_VALUE, "Digest size too large."); \ |
| } \ |
| memcpy(dest_buffer, (src), (src_size)); \ |
| dest_size = src_size |
| |
| #define HASH_UPDATE(CONTEXT, TYPE, OBJECT, R, LABEL) \ |
| { \ |
| uint8_t buffer[sizeof(TYPE)]; \ |
| size_t offset = 0; \ |
| R = Tss2_MU_ ## TYPE ## _Marshal(OBJECT, \ |
| &buffer[0], sizeof(TYPE), &offset); \ |
| goto_if_error(R, "Marshal for hash update", LABEL); \ |
| R = ifapi_crypto_hash_update(CONTEXT, \ |
| (const uint8_t *) &buffer[0], \ |
| offset); \ |
| goto_if_error(R, "crypto hash update", LABEL); } |
| |
| #define HASH_UPDATE_BUFFER(CONTEXT, BUFFER, SIZE, R, LABEL) \ |
| R = ifapi_crypto_hash_update(CONTEXT, \ |
| (const uint8_t *) BUFFER, SIZE) ; \ |
| goto_if_error(R, "crypto hash update", LABEL); |
| |
| #define FAPI_SYNC(r,msg,label, ...) \ |
| if ((r & ~TSS2_RC_LAYER_MASK) == TSS2_BASE_RC_TRY_AGAIN) \ |
| return TSS2_FAPI_RC_TRY_AGAIN; \ |
| if (r != TSS2_RC_SUCCESS) { \ |
| LOG_ERROR(TPM2_ERROR_FORMAT " " msg, TPM2_ERROR_TEXT(r), ## __VA_ARGS__); \ |
| goto label; \ |
| } |
| |
| /** The states for the FAPI's object authorization state*/ |
| enum IFAPI_GET_CERT_STATE { |
| GET_CERT_INIT = 0, |
| GET_CERT_WAIT_FOR_GET_CAP, |
| GET_CERT_GET_CERT_NV, |
| GET_CERT_GET_CERT_NV_FINISH, |
| GET_CERT_GET_CERT_READ_PUBLIC, |
| GET_CERT_READ_CERT |
| }; |
| |
| /** The states for the FAPI's cleanup after successful command execution*/ |
| enum IFAPI_CLEANUP_STATE { |
| CLEANUP_INIT = 0, |
| CLEANUP_SESSION1, |
| CLEANUP_SESSION2, |
| CLEANUP_SRK |
| }; |
| |
| #define IFAPI_MAX_CAP_INFO 17 |
| |
| typedef struct { |
| char *description; |
| TPMS_CAPABILITY_DATA *capability; |
| } IFAPI_CAP_INFO; |
| |
| typedef struct { |
| char *fapi_version; /**< The version string of FAPI */ |
| char *fapi_config; /**< The configuration information */ |
| IFAPI_CAP_INFO cap[IFAPI_MAX_CAP_INFO]; |
| } IFAPI_INFO; |
| |
| /** Type for representing FAPI template for keys |
| */ |
| typedef struct { |
| TPMI_YES_NO system; /**< Store the object in the system wide |
| directory */ |
| TPMI_YES_NO persistent; /**< Store key persistent in NV ram. */ |
| UINT32 persistent_handle; /**< < Persistent handle which should be used */ |
| TPM2B_PUBLIC public; /**< Template for public data */ |
| } IFAPI_KEY_TEMPLATE; |
| |
| /** Type for representing template for NV objects |
| */ |
| typedef struct { |
| TPMI_YES_NO system; /**< Store the object in the system wide |
| directory */ |
| TPMI_RH_HIERARCHY hierarchy; /**< Hierarchy for NV object. */ |
| char *description; /**< Description of template. */ |
| TPMS_NV_PUBLIC public; /**< Template for public data */ |
| } IFAPI_NV_TEMPLATE; |
| |
| /** Type for representing a external public key |
| */ |
| typedef struct { |
| TPMT_SIG_SCHEME sig_scheme; /**< Signature scheme used for quote. */ |
| TPMS_ATTEST attest; /**< Attestation data from Quote */ |
| } FAPI_QUOTE_INFO; |
| |
| |
| /** The states for the FAPI's NV read state */ |
| enum _FAPI_STATE_NV_READ { |
| NV_READ_INIT = 0, |
| NV_READ_AUTHORIZE, |
| NV_READ_AUTHORIZE2, |
| NV_READ_AUTH_SENT |
| }; |
| |
| /** The states for the FAPI's NV write state */ |
| enum _FAPI_STATE_NV_WRITE { |
| NV2_WRITE_INIT = 0, |
| NV2_WRITE_READ, |
| NV2_WRITE_WAIT_FOR_SESSSION, |
| NV2_WRITE_NULL_AUTH_SENT, |
| NV2_WRITE_AUTH_SENT, |
| NV2_WRITE_WRITE_PREPARE, |
| NV2_WRITE_WRITE, |
| NV2_WRITE_AUTHORIZE, |
| NV2_WRITE_AUTHORIZE2 |
| }; |
| |
| /** The data structure holding internal state of Fapi NV commands. |
| */ |
| typedef struct { |
| char *nvPath ; /**< The name of the file for object serialization */ |
| char *policyPath; /**< The name of the policy file */ |
| TPM2B_NV_PUBLIC public; /**< The public info of the NV object. */ |
| ESYS_TR esys_auth_handle; /**< The ESAPI handle for the NV auth object */ |
| ESYS_TR esys_handle; /**< The ESAPI handle for the NV object */ |
| size_t numBytes; /**< The number of bytes of a ESYS request */ |
| UINT16 bytesRequested; /**< Bytes currently requested from TPM */ |
| UINT16 offset; /**< Offset in TPM memory TPM */ |
| size_t data_idx; /**< Offset in the read buffer */ |
| const uint8_t *data; /**< Buffer for data to be written */ |
| uint8_t *rdata; /**< Buffer for data to be read */ |
| IFAPI_OBJECT auth_object; /**< Object used for authentication */ |
| IFAPI_OBJECT nv_object; /**< Deserialized NV object */ |
| TPM2B_AUTH auth; /**< The Password */ |
| IFAPI_NV nv_obj; /**< The NV Object */ |
| ESYS_TR auth_index; /**< The ESAPI handle of the authorization object */ |
| uint64_t bitmap; /**< The bitmask for the SetBits command */ |
| IFAPI_NV_TEMPLATE public_templ; /**< The template for nv creation, adjusted |
| appropriate by the passed flags */ |
| enum _FAPI_STATE_NV_READ nv_read_state; /**< The current state of NV read */ |
| enum _FAPI_STATE_NV_WRITE nv_write_state; /**< The current state of NV write*/ |
| uint8_t *write_data; |
| char const *logData; /**< The event log for NV objects of type pcr */ |
| json_object *jso_event_log; /**< logData in JSON format */ |
| TPMI_RH_NV_INDEX maxNvIndex; /**< Max index for search for free index */ |
| IFAPI_EVENT pcr_event; /**< Event to be added to log */ |
| TPML_DIGEST_VALUES digests; /**< Digest for the event data of an extend */ |
| bool skip_policy_computation; /**< switch whether policy needs to be computed */ |
| } IFAPI_NV_Cmds; |
| |
| /** The data structure holding internal state of Fapi_Initialize command. |
| */ |
| typedef struct { |
| TPMS_CAPABILITY_DATA *capability; /* TPM capability data to check available algs */ |
| } IFAPI_INITIALIZE; |
| |
| /** The data structure holding internal state of Fapi_PCR commands. |
| */ |
| typedef struct { |
| TPML_DIGEST_VALUES digest_list; /**< The digest list computed for the event */ |
| TPML_DIGEST_VALUES *event_digests; /**< The digest list computed by TPM2_Event */ |
| ESYS_TR PCR; /**< The handle of the PCR register to be extended */ |
| TPML_PCR_SELECTION pcr_selection; /**< Selection used for Read and Quote */ |
| TPML_PCR_SELECTION *pcr_selection_out; /**< Selection returned by PCR_Read */ |
| UINT32 update_count; |
| TPML_DIGEST *pcrValues; /* The values returned by PCR_Read */ |
| TPM2_HANDLE pcrIndex; |
| TPMI_ALG_HASH hashAlg; |
| const char *keyPath; /**< The implicit key path for PCR_Quote */ |
| ESYS_TR handle; /**< The ESYS handle of the signing key */ |
| IFAPI_OBJECT *key_object; /**< The IPAPI object of the signing key */ |
| TPMS_CAPABILITY_DATA *capabilityData; /* TPM capability data to check available algs */ |
| uint32_t *pcrList; /**< Array of PCR numbers */ |
| size_t pcrListSize; /**< Size of PCR array */ |
| TPM2B_DATA qualifyingData; /**< Nonce for quote command */ |
| uint8_t const *eventData; |
| TPM2B_EVENT event; |
| size_t eventDataSize; |
| uint32_t const *hashAlgs; |
| uint32_t *hashAlgs2; |
| size_t numHashAlgs; |
| char const *quoteInfo; |
| TPM2B_ATTEST *tpm_quoted; |
| TPMT_SIGNATURE *tpm_signature; |
| uint8_t const *signature; |
| size_t signatureSize; |
| char const *logData; |
| char *pcrLog; |
| IFAPI_EVENT pcr_event; |
| json_object *event_list; |
| FAPI_QUOTE_INFO fapi_quote_info; |
| } IFAPI_PCR; |
| |
| /** The data structure holding internal state of Fapi_SetDescription. |
| */ |
| typedef struct { |
| char *description; /**< The description of the object */ |
| UINT8_ARY appData; /**< Application data to be stored in object store. */ |
| IFAPI_OBJECT object; /**< The IPAPI object to store the info*/ |
| char *object_path; /**< The realative path to the object */ |
| json_object *jso; /**< JSON object for storing the AppData */ |
| char *jso_string; /**< JSON deserialized buffer */ |
| } IFAPI_Path_SetDescription; |
| |
| /** The data structure holding internal state of Fapi_GetRandom. |
| */ |
| typedef struct { |
| size_t numBytes; /**< The number of random bytes to be generated */ |
| size_t idx; /**< Current position in output buffer. */ |
| UINT16 bytesRequested; /**< Byted currently requested from TPM */ |
| uint8_t *data; /**< The buffer for the random data */ |
| } IFAPI_GetRandom; |
| |
| /** The data structure holding internal state of Fapi_Key_Setcertificate. |
| */ |
| typedef struct { |
| const char *pem_cert; /**< The certifificate in pem or format */ |
| char *pem_cert_dup; /**< The allocate certifificate */ |
| const char *key_path; /**< The absolute key path */ |
| NODE_STR_T *path_list; /**< The computed explicit path */ |
| IFAPI_OBJECT key_object; /**< The IPAPI object for the certified key */ |
| } IFAPI_Key_SetCertificate; |
| |
| /** The states for the FAPI's key creation */ |
| enum IFAPI_KEY_CREATE_STATE { |
| KEY_CREATE_INIT = 0, |
| KEY_CREATE_WAIT_FOR_SESSION, |
| KEY_CREATE_WAIT_FOR_PARENT, |
| KEY_CREATE_AUTH_SENT, |
| KEY_CREATE_WRITE_PREPARE, |
| KEY_CREATE_WRITE, |
| KEY_CREATE_FLUSH, |
| KEY_CREATE_CALCULATE_POLICY, |
| KEY_CREATE_WAIT_FOR_AUTHORIZATION, |
| KEY_CREATE_CLEANUP |
| }; |
| |
| /** The data structure holding internal state of Fapi_CreateKey. |
| */ |
| typedef struct { |
| enum IFAPI_KEY_CREATE_STATE state; |
| const char *keyPath; /**< The pathname from the application */ |
| NODE_STR_T *path_list; /**< The computed explicit path */ |
| IFAPI_OBJECT parent; /**< The parent of the key for used for creation. */ |
| IFAPI_OBJECT object; /**< The current object. */ |
| IFAPI_KEY_TEMPLATE public_templ; /**< The template for the keys public data */ |
| TPM2B_PUBLIC public; /**< The public data of the key */ |
| TPM2B_SENSITIVE_CREATE inSensitive; |
| TPM2B_DATA outsideInfo; |
| TPML_PCR_SELECTION creationPCR; |
| ESYS_TR handle; |
| const char *authValue; |
| const char *policyPath; |
| const IFAPI_PROFILE *profile; |
| } IFAPI_Key_Create; |
| |
| /** The data structure holding internal state of Fapi_EncryptDecrypt. |
| */ |
| typedef struct { |
| char const *keyPath; /**< The implicit key path */ |
| uint8_t const *in_data; |
| size_t in_dataSize; |
| IFAPI_OBJECT *key_object; /**< The IPAPI object for the encryption key */ |
| uint8_t *out_data; /**< The output of symmetric encrypt/decryption */ |
| ESYS_TR key_handle; /**< The ESYS handle of the encryption key */ |
| size_t numBytes; /**< The number of bytes of a ESYS request */ |
| size_t decrypt; /**< Switch whether to encrypt or decrypt */ |
| UINT16 bytesRequested; /**< Bytes currently requested from TPM */ |
| TPMT_RSA_DECRYPT rsa_scheme; |
| ESYS_TR object_handle; |
| char *policy_path; |
| ESYS_TR auth_session; |
| const IFAPI_PROFILE *profile; |
| } IFAPI_Data_EncryptDecrypt; |
| |
| /** The states for signing */ |
| enum FAPI_SIGN_STATE { |
| SIGN_INIT = 0, |
| SIGN_WAIT_FOR_SESSION, |
| SIGN_WAIT_FOR_KEY, |
| SIGN_AUTH_SENT, |
| SIGN_WAIT_FOR_FLUSH |
| }; |
| |
| /** The data structure holding internal state of Fapi_Sign. |
| */ |
| typedef struct { |
| enum FAPI_SIGN_STATE state; /**< The state of the signing operation */ |
| const char *keyPath; /**< The implicit key path */ |
| ESYS_TR handle; /**< The ESYS handle of the signing key */ |
| TPM2B_DIGEST digest; /**< The digest to be signed */ |
| TPMT_SIG_SCHEME scheme; /**< The signature scheme from profile */ |
| IFAPI_OBJECT *key_object; /**< The IPAPI object of the signing key */ |
| TPMT_SIGNATURE *tpm_signature; /**< The signature in TPM format */ |
| TPMI_YES_NO decrypt; /**< Switch for symmetric algs */ |
| TPMT_SIGNATURE *signature; /**< Produced TPM singature */ |
| char const *padding; /**< Optional padding parameter for key sign. */ |
| } IFAPI_Key_Sign; |
| |
| /** The data structure holding internal state of Fapi_Unseal. |
| */ |
| typedef struct { |
| const char *keyPath; /**< The implicit key path */ |
| IFAPI_OBJECT *object; /**< The IPAPI object storing the data to be unsealed */ |
| TPM2B_SENSITIVE_DATA *unseal_data; /** The result of the esys unseal operation */ |
| } IFAPI_Unseal; |
| |
| |
| /** The data structure holding internal state of Fapi_GetInfo. |
| */ |
| typedef struct { |
| TPMS_CAPABILITY_DATA *capability_data; /**< The TPM capability for one property */ |
| TPMS_CAPABILITY_DATA *fetched_data; /**< The data fetched in one TPM command */ |
| size_t idx_info_cap; |
| IFAPI_INFO info_obj; |
| UINT32 property_count; |
| UINT32 property; |
| } IFAPI_GetInfo; |
| |
| /** The states for the FAPI's hierarchy authorization state*/ |
| enum IFAPI_HIERACHY_AUTHORIZATION_STATE { |
| HIERARCHY_CHANGE_AUTH_INIT = 0, |
| HIERARCHY_CHANGE_AUTH_NULL_AUTH_SENT, |
| HIERARCHY_CHANGE_AUTH_AUTH_SENT |
| }; |
| |
| /** The states for the FAPI's change policy authorization state*/ |
| enum IFAPI_HIERACHY_POLICY_AUTHORIZATION_STATE { |
| HIERARCHY_CHANGE_POLICY_INIT = 0, |
| HIERARCHY_CHANGE_POLICY_NULL_AUTH_SENT, |
| HIERARCHY_CHANGE_POLICY_AUTH_SENT |
| }; |
| |
| /** The data structure holding internal state of Fapi_ChangeAuth. |
| */ |
| typedef struct { |
| const char *entityPath; /**< The implicit key path */ |
| ESYS_TR handle; /**< The ESYS handle of the key */ |
| IFAPI_OBJECT *key_object; /**< The IPAPI object of the key */ |
| const char *authValue; /**< The new auth value */ |
| TPM2B_AUTH newAuthValue; /**< The new auth value */ |
| TPM2B_PRIVATE *newPrivate; /**< New private data created by parend */ |
| IFAPI_OBJECT object; /**< Deserialized NV object or hierarchy */ |
| ESYS_TR nv_index; /**< NV handle of the object to be changed */ |
| ESYS_TR hierarchy_handle; /**< NV handle of the hierarchy to be changed */ |
| } IFAPI_Entity_ChangeAuth; |
| |
| /** The data structure holding internal state of Fapi_AuthorizePolicy. |
| */ |
| typedef struct { |
| const char *policyPath; /**< Policy with Policy to be authorized */ |
| const char *signingKeyPath; /**< Key for policy signing */ |
| TPM2B_DIGEST policyRef; |
| TPMS_POLICYAUTHORIZATION authorization; |
| } IFAPI_Fapi_AuthorizePolicy; |
| |
| /** The data structure holding internal state of Fapi_WriteAuthorizeNv. |
| */ |
| typedef struct { |
| const char *policyPath; /**< Policy with Policy to be authorized */ |
| TPMI_ALG_HASH *hash_alg; /**< The hash alg used for digest computation */ |
| size_t hash_size; /**< The digest size */ |
| size_t digest_idx; /**< The index of the digest in the policy */ |
| } IFAPI_api_WriteAuthorizeNv; |
| |
| /** The data structure holding internal state of Provisioning. |
| */ |
| typedef struct { |
| IFAPI_OBJECT hierarchy; /**< The current used hierarchy for CreatePrimary */ |
| IFAPI_KEY_TEMPLATE public_templ; /**< The basic template for the keys public data */ |
| TPM2B_PUBLIC public; /**< The public info of the created primary */ |
| TPM2B_SENSITIVE_CREATE inSensitive; |
| TPM2B_DATA outsideInfo; |
| TPML_PCR_SELECTION creationPCR; |
| ESYS_TR handle; |
| const char *authValueLockout; |
| const char *authValueEh; |
| const char *policyPathEh; |
| const char *authValueSh; |
| const char *policyPathSh; |
| size_t digest_idx; |
| size_t hash_size; |
| TPM2_HANDLE cert_nv_idx; |
| ESYS_TR esys_nv_cert_handle; |
| char *pem_cert; |
| TPM2_ALG_ID cert_key_type; |
| size_t cert_count; |
| size_t cert_idx; |
| TPMS_CAPABILITY_DATA *capabilityData; |
| IFAPI_OBJECT hierarchy_object; |
| TPM2B_AUTH hierarchy_auth; |
| TPM2B_DIGEST policy_digest; |
| char *intermed_crt; |
| char *root_crt; |
| } IFAPI_Provision; |
| |
| /** The data structure holding internal state of regenerate primary key. |
| */ |
| typedef struct { |
| char *path; /**< Path of the primary (starting with hierarchy) */ |
| IFAPI_OBJECT hierarchy; /**< The current used hierarchy for CreatePrimary */ |
| IFAPI_OBJECT pkey_object; |
| TPM2B_SENSITIVE_CREATE inSensitive; |
| TPM2B_DATA outsideInfo; |
| TPML_PCR_SELECTION creationPCR; |
| ESYS_TR handle; |
| TPMI_DH_PERSISTENT persistent_handle; |
| } IFAPI_CreatePrimary; |
| |
| /** The data structure holding internal state of key verify signature. |
| */ |
| typedef struct { |
| const char *keyPath; |
| uint8_t const *signature; |
| size_t signatureSize; |
| uint8_t const *digest; |
| size_t digestSize; |
| IFAPI_OBJECT key_object; |
| } IFAPI_Key_VerifySignature; |
| |
| /** The states for the FAPI's policy loading */ |
| enum IFAPI_STATE_POLICY { |
| POLICY_INIT = 0, |
| POLICY_READ, |
| POLICY_READ_FINISH, |
| POLICY_INSTANTIATE_PREPARE, |
| POLICY_INSTANTIATE, |
| POLICY_EXECUTE, |
| POLICY_FLUSH |
| }; |
| |
| typedef struct IFAPI_POLICY_EXEC_CTX IFAPI_POLICY_EXEC_CTX; |
| typedef struct IFAPI_POLICYUTIL_STACK IFAPI_POLICYUTIL_STACK; |
| |
| /** The states for session creation */ |
| enum FAPI_CREATE_SESSION_STATE { |
| CREATE_SESSION_INIT = 0, |
| CREATE_SESSION, |
| WAIT_FOR_CREATE_SESSION |
| }; |
| |
| /** The data structure holding internal policy state. |
| */ |
| typedef struct { |
| enum IFAPI_STATE_POLICY state; |
| struct TPMS_POLICY policy; |
| size_t digest_idx; |
| size_t hash_size; |
| char **pathlist; /**< The array of all objects in the search path */ |
| TPMI_ALG_HASH hash_alg; |
| IFAPI_POLICY_EXEC_CTX *policy_stack; /**< The stack used for storing current policy information. |
| e.g. for retry the current index of policy elements hash |
| to be stored. */ |
| IFAPI_POLICYUTIL_STACK *util_current_policy; |
| IFAPI_POLICYUTIL_STACK *policyutil_stack; |
| /**< The stack used for storing current policy information. |
| e.g. for retry the current index of policy elements hash |
| to be stored. */ |
| ESYS_TR session; /**< Auxiliary variable to store created policy session. |
| The value will also be stored in the policy stack */ |
| enum FAPI_CREATE_SESSION_STATE create_session_state; |
| char *path; |
| IFAPI_POLICY_EVAL_INST_CTX eval_ctx; |
| } IFAPI_POLICY_CTX; |
| |
| /** The states for the IFAPI's policy loading */ |
| enum IFAPI_STATE_FILE_SEARCH { |
| FSEARCH_INIT = 0, |
| FSEARCH_READ, |
| FSEARCH_OBJECT |
| }; |
| |
| /** The data structure holding internal policy state. |
| */ |
| typedef struct { |
| enum IFAPI_STATE_FILE_SEARCH state; |
| char **pathlist; /**< The array of all objects in the search path */ |
| size_t path_idx; /**< Index of array of objects to be searched */ |
| size_t numPaths; /**< Number of all objects in data store */ |
| char *current_path; |
| } IFAPI_FILE_SEARCH_CTX; |
| |
| /** The states for the FAPI's key loading */ |
| enum _FAPI_STATE_LOAD_KEY { |
| LOAD_KEY_GET_PATH = 0, |
| LOAD_KEY_READ_KEY, |
| LOAD_KEY_WAIT_FOR_PRIMARY, |
| LOAD_KEY_LOAD_KEY, |
| LOAD_KEY_AUTH, |
| LOAD_KEY_AUTHORIZE |
| }; |
| |
| /** The data structure holding internal state of export key. |
| */ |
| typedef struct { |
| char const *pathOfKeyToDuplicate; /**< The relative path of the key to be exported */ |
| char const *pathToPublicKeyOfNewParent; /**< The relative path of the new parent */ |
| TPM2B_PUBLIC public_parent; /**< The public key of the new parent */ |
| IFAPI_OBJECT *key_object; /**< The IPAPI object of the key to be duplicated */ |
| IFAPI_OBJECT export_tree; /**< The complete tree to be exported */ |
| IFAPI_OBJECT pub_key; /**< The public part of the new parent */ |
| IFAPI_OBJECT dup_key; /**< The key to be duplicated or exported */ |
| struct TPMS_POLICY policy; |
| ESYS_TR handle_ext_key; |
| } IFAPI_ExportKey; |
| |
| /** The data structure holding internal state of export policy. |
| */ |
| typedef struct { |
| char const *path; /**< Path of the object with the policy to be |
| exported */ |
| IFAPI_OBJECT object; /**< Object corresponding to path */ |
| } IFAPI_ExportPolicy; |
| |
| /** The data structure holding internal state of import key. |
| */ |
| typedef struct { |
| IFAPI_OBJECT object; |
| TPM2B_NAME parent_name; |
| IFAPI_OBJECT *parent_object; |
| IFAPI_OBJECT new_object; |
| char *parent_path; |
| char *out_path; |
| TPM2B_PRIVATE *private; |
| char *jso_string; |
| } IFAPI_ImportKey; |
| |
| |
| /** The data structure holding internal state of loading keys. |
| */ |
| typedef struct { |
| enum _FAPI_STATE_LOAD_KEY state; /**< The current state of key loading */ |
| NODE_STR_T *path_list; /**< The current used hierarchy for CreatePrimary */ |
| NODE_OBJECT_T *key_list; |
| IFAPI_OBJECT auth_object; |
| size_t position; |
| ESYS_TR handle; |
| ESYS_TR parent_handle; |
| bool parent_handle_persistent; |
| IFAPI_OBJECT *key_object; |
| char *key_path; |
| } IFAPI_LoadKey; |
| |
| /** The data structure holding internal state of entity delete. |
| */ |
| typedef struct { |
| bool is_key; /**< Entity to be deleted is a key */ |
| bool is_persistent_key; /**< Entity to be deleted is a key */ |
| ESYS_TR new_object_handle; |
| TPM2_HANDLE permanentHandle; /**< The TPM permanent handle */ |
| IFAPI_OBJECT auth_object; /**< Object used for authentication */ |
| ESYS_TR auth_index; /**< The ESAPI handle of the nv authorization object */ |
| char *path; /**< The name of the file to be deleted */ |
| IFAPI_OBJECT object; /**< Deserialized object */ |
| char **pathlist; /**< The array with the object files to be deleted */ |
| size_t numPaths; /**< Size of array with the object files to be deleted */ |
| size_t path_idx; /**< Index of array with the object files to be deleted */ |
| } IFAPI_Entity_Delete; |
| |
| /** The data structure holding internal state of list entities. |
| */ |
| typedef struct { |
| const char *searchPath; /**< The path to searched for objectws */ |
| } IFAPI_Entities_List; |
| |
| /** Union for all input parameters. |
| * |
| * The input parameters of a command need to be stored in order to enable |
| * resubmission. This type provides the corresponding facilities. |
| */ |
| typedef union { |
| IFAPI_Provision Provision; |
| IFAPI_Key_Create Key_Create; |
| IFAPI_Key_SetCertificate Key_SetCertificate; |
| IFAPI_Entity_ChangeAuth Entity_ChangeAuth; |
| IFAPI_Entity_Delete Entity_Delete; |
| IFAPI_Entities_List Entities_List; |
| IFAPI_Key_VerifySignature Key_VerifySignature; |
| IFAPI_Data_EncryptDecrypt Data_EncryptDecrypt; |
| IFAPI_PCR pcr; |
| IFAPI_INITIALIZE Initialize; |
| IFAPI_Path_SetDescription path_set_info; |
| IFAPI_Fapi_AuthorizePolicy Policy_AuthorizeNewPolicy; |
| IFAPI_api_WriteAuthorizeNv WriteAuthorizeNV; |
| IFAPI_ExportKey ExportKey; |
| IFAPI_ImportKey ImportKey; |
| IFAPI_Unseal Unseal; |
| IFAPI_GetInfo GetInfo; |
| IFAPI_ExportPolicy ExportPolicy; |
| } IFAPI_CMD_STATE; |
| |
| /** The states for the FAPI's primary key regeneration */ |
| enum _FAPI_STATE_PRIMARY { |
| PRIMARY_INIT = 0, |
| PRIMARY_READ_KEY, |
| PRIMARY_READ_HIERARCHY, |
| PRIMARY_READ_HIERARCHY_FINISH, |
| PRIMARY_AUTHORIZE_HIERARCHY, |
| PRIMARY_HAUTH_SENT, |
| PRIMARY_CREATED |
| }; |
| |
| /** The states for the FAPI's primary key regeneration */ |
| enum _FAPI_STATE_SESSION { |
| SESSION_INIT = 0, |
| SESSION_WAIT_FOR_PRIMARY, |
| SESSION_CREATE_SESSION, |
| SESSION_WAIT_FOR_SESSION1, |
| SESSION_WAIT_FOR_SESSION2 |
| }; |
| |
| /** The states for the FAPI's get random state */ |
| enum _FAPI_STATE_GET_RANDOM { |
| GET_RANDOM_INIT = 0, |
| GET_RANDOM_SENT |
| }; |
| |
| /** The states for flushing objects */ |
| enum _FAPI_FLUSH_STATE { |
| FLUSH_INIT = 0, |
| WAIT_FOR_FLUSH |
| }; |
| |
| /** The states for the FAPI's internal state machine */ |
| enum _FAPI_STATE { |
| _FAPI_STATE_INIT = 0, /**< The initial state after creation or after |
| finishing a command. A new command can only |
| be issued in this state. */ |
| _FAPI_STATE_INTERNALERROR, /**< A non-recoverable error occurred within the |
| ESAPI code. */ |
| INITIALIZE_READ, |
| INITIALIZE_INIT_TCTI, |
| INITIALIZE_GET_CAP, |
| INITIALIZE_WAIT_FOR_CAP, |
| INITIALIZE_READ_PROFILE, |
| INITIALIZE_READ_PROFILE_INIT, |
| |
| PROVISION_WAIT_FOR_GET_CAP1, |
| PROVISION_INIT_GET_CAP2, |
| PROVISION_WAIT_FOR_GET_CAP2, |
| PROVISION_GET_CERT_NV, |
| PROVISION_GET_CERT_NV_FINISH, |
| PROVISION_GET_CERT_READ_PUBLIC, |
| PROVISION_READ_CERT, |
| PROVISION_PREPARE_READ_ROOT_CERT, |
| PROVISION_READ_ROOT_CERT, |
| PROVISION_READ_PROFILE, |
| PROVISION_INIT_SRK, |
| PROVISION_AUTH_EK_NO_AUTH_SENT, |
| PROVISION_AUTH_EK_AUTH_SENT, |
| PROVISION_AUTH_SRK_NO_AUTH_SENT, |
| PROVISION_AUTH_SRK_AUTH_SENT, |
| PROVISION_EK_WRITE_PREPARE, |
| PROVISION_EK_WRITE, |
| PROVISION_EK_CHECK_CERT, |
| PROVISION_SRK_WRITE_PREPARE, |
| PROVISION_SRK_WRITE, |
| PROVISION_WAIT_FOR_EK_PERSISTENT, |
| PROVISION_WAIT_FOR_SRK_PERSISTENT, |
| PROVISION_CHANGE_LOCKOUT_AUTH, |
| PROVISION_CHANGE_EH_CHECK, |
| PROVISION_CHANGE_EH_AUTH, |
| PROVISION_CHANGE_SH_CHECK, |
| PROVISION_CHANGE_SH_AUTH, |
| PROVISION_EH_CHANGE_POLICY, |
| PROVISION_SH_CHANGE_POLICY, |
| PROVISION_LOCKOUT_CHANGE_POLICY, |
| PROVISION_FINISHED, |
| PROVISION_WRITE_SH, |
| PROVISION_WRITE_EH, |
| PROVISION_WRITE_LOCKOUT, |
| PROVISION_WRITE_LOCKOUT_PARAM, |
| PROVISION_FLUSH_SRK, |
| PROVISION_FLUSH_EK, |
| PROVISION_CHECK_FOR_VENDOR_CERT, |
| PROVISION_GET_VENDOR, |
| |
| KEY_CREATE, |
| |
| CREATE_SEAL, |
| |
| KEY_SET_CERTIFICATE_READ, |
| KEY_SET_CERTIFICATE_WRITE, |
| |
| KEY_GET_CERTIFICATE_READ, |
| |
| GET_RANDOM_WAIT_FOR_SESSION, |
| GET_RANDOM_WAIT_FOR_RANDOM, |
| GET_RANDOM_CLEANUP, |
| |
| NV_CREATE_READ_PROFILE, |
| NV_CREATE_READ_HIERARCHY, |
| NV_CREATE_AUTHORIZE_HIERARCHY, |
| NV_CREATE_GET_INDEX, |
| NV_CREATE_FIND_INDEX, |
| NV_CREATE_WAIT_FOR_SESSION, |
| |
| NV_CREATE_AUTH_SENT, |
| NV_CREATE_WRITE, |
| NV_CREATE_CALCULATE_POLICY, |
| |
| NV_WRITE_READ, |
| NV_WRITE_WRITE, |
| NV_WRITE_CLEANUP, |
| |
| NV_EXTEND_READ, |
| NV_EXTEND_WAIT_FOR_SESSION, |
| NV_EXTEND_AUTHORIZE, |
| NV_EXTEND_AUTH_SENT, |
| NV_EXTEND_WRITE, |
| NV_EXTEND_CLEANUP, |
| |
| NV_INCREMENT_READ, |
| NV_INCREMENT_WAIT_FOR_SESSION, |
| NV_INCREMENT_AUTHORIZE, |
| NV_INCREMENT_AUTH_SENT, |
| NV_INCREMENT_WRITE, |
| NV_INCREMENT_CLEANUP, |
| |
| NV_SET_BITS_READ, |
| NV_SET_BITS_WAIT_FOR_SESSION, |
| NV_SET_BITS_AUTHORIZE, |
| NV_SET_BITS_AUTH_SENT, |
| NV_SET_BITS_WRITE, |
| NV_SET_BITS_CLEANUP, |
| |
| NV_READ_READ, |
| NV_READ_WAIT, |
| NV_READ_WAIT_FOR_SESSION, |
| NV_READ_CLEANUP, |
| |
| ENTITY_DELETE_GET_FILE, |
| ENTITY_DELETE_READ, |
| ENTITY_DELETE_WAIT_FOR_SESSION, |
| ENTITY_DELETE_NULL_AUTH_SENT_FOR_KEY, |
| ENTITY_DELETE_AUTH_SENT_FOR_KEY, |
| ENTITY_DELETE_NULL_AUTH_SENT_FOR_NV, |
| ENTITY_DELETE_AUTH_SENT_FOR_NV, |
| ENTITY_DELETE_KEY, |
| ENTITY_DELETE_AUTHORIZE_NV, |
| ENTITY_DELETE_FILE, |
| ENTITY_DELETE_POLICY, |
| ENTITY_DELETE_REMOVE_DIRS, |
| |
| ENTITY_GET_TPM_BLOBS_READ, |
| |
| KEY_SIGN_WAIT_FOR_KEY, |
| KEY_SIGN_WAIT_FOR_SIGN, |
| KEY_SIGN_CLEANUP, |
| |
| ENTITY_CHANGE_AUTH_WAIT_FOR_SESSION, |
| ENTITY_CHANGE_AUTH_WAIT_FOR_KEY, |
| ENTITY_CHANGE_AUTH_AUTH_SENT, |
| ENTITY_CHANGE_AUTH_WAIT_FOR_FLUSH, |
| ENTITY_CHANGE_AUTH_WRITE_PREPARE, |
| ENTITY_CHANGE_AUTH_WRITE, |
| ENTITY_CHANGE_AUTH_WAIT_FOR_KEY_AUTH, |
| ENTITY_CHANGE_AUTH_WAIT_FOR_NV_READ, |
| ENTITY_CHANGE_AUTH_WAIT_FOR_NV_AUTH, |
| ENTITY_CHANGE_AUTH_WAIT_FOR_NV_CHANGE_AUTH, |
| ENTITY_CHANGE_AUTH_HIERARCHY_CHANGE_AUTH, |
| ENTITY_CHANGE_AUTH_HIERARCHY_READ, |
| ENTITY_CHANGE_AUTH_HIERARCHY_AUTHORIZE, |
| ENTITY_CHANGE_AUTH_CLEANUP, |
| |
| DATA_ENCRYPT_WAIT_FOR_PROFILE, |
| DATA_ENCRYPT_WAIT_FOR_SESSION, |
| DATA_ENCRYPT_WAIT_FOR_KEY, |
| DATA_ENCRYPT_WAIT_FOR_FLUSH, |
| DATA_ENCRYPT_WAIT_FOR_RSA_ENCRYPTION, |
| DATA_ENCRYPT_CLEAN, |
| |
| DATA_DECRYPT_WAIT_FOR_PROFILE, |
| DATA_DECRYPT_WAIT_FOR_SESSION, |
| DATA_DECRYPT_WAIT_FOR_KEY, |
| DATA_DECRYPT_WAIT_FOR_FLUSH, |
| DATA_DECRYPT_WAIT_FOR_RSA_DECRYPTION, |
| DATA_DECRYPT_AUTHORIZE_KEY, |
| DATA_DECRYPT_CLEANUP, |
| |
| PCR_EXTEND_WAIT_FOR_SESSION, |
| PCR_EXTEND_WAIT_FOR_GET_CAP, |
| PCR_EXTEND_APPEND_EVENT_LOG, |
| PCR_EXTEND_FINISH, |
| PCR_EXTEND_CLEANUP, |
| |
| PCR_READ_READ_PCR, |
| PCR_READ_READ_EVENT_LIST, |
| |
| PCR_QUOTE_WAIT_FOR_GET_CAP, |
| PCR_QUOTE_WAIT_FOR_SESSION, |
| PCR_QUOTE_WAIT_FOR_KEY, |
| PCR_QUOTE_AUTH_SENT, |
| PCR_QUOTE_AUTHORIZE, |
| PCR_QUOTE_WAIT_FOR_FLUSH, |
| PCR_QUOTE_READ_EVENT_LIST, |
| PCR_QUOTE_CLEANUP, |
| |
| PATH_SET_DESCRIPTION_READ, |
| PATH_SET_DESCRIPTION_WRITE, |
| |
| PATH_GET_DESCRIPTION_READ, |
| |
| APP_DATA_SET_READ, |
| APP_DATA_SET_WRITE, |
| |
| AUTHORIZE_NEW_CALCULATE_POLICY, |
| AUTHORIZE_NEW_LOAD_KEY, |
| AUTHORIZE_NEW_KEY_SIGN_POLICY, |
| AUTHORIZE_NEW_WRITE_POLICY_PREPARE, |
| AUTHORIZE_NEW_WRITE_POLICY, |
| AUTHORIZE_NEW_CLEANUP, |
| |
| WRITE_AUTHORIZE_NV_READ_NV, |
| WRITE_AUTHORIZE_NV_CALCULATE_POLICY, |
| WRITE_AUTHORIZE_NV_WRITE_NV_RAM_PREPARE, |
| WRITE_AUTHORIZE_NV_WRITE_NV_RAM, |
| WRITE_AUTHORIZE_NV_WRITE_OBJCECT, |
| WRITE_AUTHORIZE_NV_WRITE_POLICY_PREPARE, |
| WRITE_AUTHORIZE_NV_WRITE_POLICY, |
| WRITE_AUTHORIZE_NV_CLEANUP, |
| |
| EXPORT_KEY_READ_PUB_KEY, |
| EXPORT_KEY_READ_PUB_KEY_PARENT, |
| EXPORT_KEY_WAIT_FOR_KEY, |
| EXPORT_KEY_WAIT_FOR_DUPLICATE, |
| EXPORT_KEY_WAIT_FOR_EXT_KEY, |
| EXPORT_KEY_WAIT_FOR_AUTHORIZATON, |
| EXPORT_KEY_WAIT_FOR_FLUSH1, |
| EXPORT_KEY_WAIT_FOR_FLUSH2, |
| EXPORT_KEY_CLEANUP, |
| |
| IMPORT_KEY_WRITE_POLICY, |
| IMPORT_KEY_WRITE, |
| IMPORT_KEY_SEARCH, |
| IMPORT_KEY_LOAD_PARENT, |
| IMPORT_KEY_AUTHORIZE_PARENT, |
| IMPORT_KEY_IMPORT, |
| IMPORT_KEY_WAIT_FOR_FLUSH, |
| IMPORT_KEY_WRITE_OBJECT_PREPARE, |
| IMPORT_KEY_WRITE_OBJECT, |
| IMPORT_KEY_CLEANUP, |
| |
| UNSEAL_WAIT_FOR_KEY, |
| UNSEAL_AUTHORIZE_OBJECT, |
| UNSEAL_WAIT_FOR_UNSEAL, |
| UNSEAL_WAIT_FOR_FLUSH, |
| UNSEAL_CLEANUP, |
| |
| GET_PLATFORM_CERTIFICATE, |
| |
| POLICY_EXPORT_READ_OBJECT, |
| POLICY_EXPORT_READ_OBJECT_FINISH, |
| POLICY_EXPORT_READ_POLICY, |
| POLICY_EXPORT_READ_POLICY_FINISH, |
| |
| VERIFY_QUOTE_READ, |
| |
| GET_INFO_GET_CAP, |
| GET_INFO_GET_CAP_MORE, |
| GET_INFO_WAIT_FOR_CAP |
| }; |
| |
| /** Structure holding FAPI callbacks and userData |
| * |
| * This structure holds the callback pointers and corresponding userData pointers for each of the |
| * three callback types of FAPI. They are set using Fapi_SetAuthCB, Fapi_SetBranchCB and |
| * Fapi_SetSignCB. |
| */ |
| struct IFAPI_CALLBACKS { |
| Fapi_CB_Auth auth; |
| void *authData; |
| Fapi_CB_Branch branch; |
| void *branchData; |
| Fapi_CB_Sign sign; |
| void *signData; |
| Fapi_CB_PolicyAction action; |
| void *actionData; |
| }; |
| |
| /** The data structure holding internal state information. |
| * |
| * Each FAPI_CONTEXT respresents a logically independent connection to the TPM. |
| * It stores meta data information about object in order to calculate session |
| * auths and similar things. |
| */ |
| struct FAPI_CONTEXT { |
| ESYS_CONTEXT *esys; /**< The ESYS context used internally to talk to |
| the TPM. */ |
| struct IFAPI_CALLBACKS callbacks; /**< Callbacks for user interaction from FAPI */ |
| struct IFAPI_IO io; |
| struct IFAPI_EVENTLOG eventlog; |
| struct IFAPI_KEYSTORE keystore; |
| struct IFAPI_POLICY_STORE pstore; |
| struct IFAPI_PROFILES profiles; |
| |
| enum _FAPI_STATE state; /**< The current state of the command execution */ |
| enum _FAPI_STATE_PRIMARY primary_state; /**< The current state of the primary regeneration */ |
| enum _FAPI_STATE_SESSION session_state; /**< The current state of the session creation */ |
| enum _FAPI_STATE_GET_RANDOM get_random_state; /**< The current state of get random */ |
| enum IFAPI_HIERACHY_AUTHORIZATION_STATE hierarchy_state; |
| enum IFAPI_HIERACHY_POLICY_AUTHORIZATION_STATE hierarchy_policy_state; |
| enum IFAPI_GET_CERT_STATE get_cert_state; |
| enum _FAPI_FLUSH_STATE flush_object_state; /**< The current state of a flush operation */ |
| enum IFAPI_CLEANUP_STATE cleanup_state; /**< The state of cleanup after command execution */ |
| IFAPI_CONFIG config; /**< The profile independet configuration data */ |
| UINT32 nv_buffer_max; /**< The maximal size for transfer of nv buffer content */ |
| IFAPI_CMD_STATE cmd; /**< The state information of the currently executed |
| command */ |
| IFAPI_NV_Cmds nv_cmd; |
| IFAPI_GetRandom get_random; |
| IFAPI_CreatePrimary createPrimary; |
| IFAPI_LoadKey loadKey; |
| ESYS_TR session1; /**< The first session used by FAPI */ |
| ESYS_TR session2; /**< The second session used by FAPI */ |
| ESYS_TR policy_session; /**< The policy session used by FAPI */ |
| ESYS_TR ek_handle; |
| ESYS_TR srk_handle; |
| bool ek_persistent; |
| bool srk_persistent; |
| IFAPI_SESSION_TYPE session_flags; |
| TPMA_SESSION session1_attribute_flags; |
| TPMA_SESSION session2_attribute_flags; |
| IFAPI_MAX_BUFFER aux_data; /**< tpm2b data to be transferred */ |
| IFAPI_POLICY_CTX policy; /**< The context of current policy. */ |
| IFAPI_FILE_SEARCH_CTX fsearch; /**< The context for object search in key/policy store */ |
| IFAPI_Key_Sign Key_Sign; /**< State information for key signing */ |
| enum IFAPI_IO_STATE io_state; |
| NODE_OBJECT_T *object_list; |
| IFAPI_OBJECT *duplicate_key; /**< Will be needed for policy execution */ |
| }; |
| |
| #define VENDOR_IFX 0x49465800 |
| #define VENDOR_INTC 0x494E5443 |
| #define VEDNOR_IBM 0x49424D20 |
| |
| #endif /* FAPI_INT_H */ |