Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / tpm2-tss / refs/heads/int/12/fp4 / . / src / tss2-fapi / fapi_int.h
blob: 9cb0cf21faa5f676ec5780decde2715fe61c28ee [file] [log] [blame]
/* SPDX-License-Identifier: BSD-2-Clause */
/*******************************************************************************
* Copyright 2018-2019, Fraunhofer SIT sponsored by Infineon Technologies AG
* All rights reserved.
******************************************************************************/
#ifndef FAPI_INT_H
#define FAPI_INT_H
#include "fapi_types.h"
#include "ifapi_policy_types.h"
#include "ifapi_policy_instantiate.h"
#include "ifapi_eventlog.h"
#include "ifapi_io.h"
#include "ifapi_profiles.h"
#include "ifapi_macros.h"
#include "ifapi_keystore.h"
#include "ifapi_policy_store.h"
#include "ifapi_config.h"
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <string.h>
#include <inttypes.h>
#include <stdarg.h>
#include <stdbool.h>
#include <sys/stat.h>
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <json-c/json.h>
#include <poll.h>
#include "tss2_esys.h"
#include "tss2_fapi.h"
#define DEFAULT_LOG_DIR "/run/tpm2_tss"
#define IFAPI_PCR_LOG_FILE "pcr.log"
#define IFAPI_OBJECT_TYPE ".json"
#define IFAPI_OBJECT_FILE "object.json"
#define IFAPI_SRK_KEY_PATH "HS/SRK"
typedef UINT32 TSS2_KEY_TYPE;
#define TSS2_SRK 2
#define TSS2_EK 3
#define MIN_EK_CERT_HANDLE 0x1c00000
#define MIN_PLATFORM_CERT_HANDLE 0x01C08000
#define MAX_PLATFORM_CERT_HANDLE 0x01C0FFFF
typedef UINT8 IFAPI_SESSION_TYPE;
#define IFAPI_SESSION_GENEK 0x01
#define IFAPI_SESSION1 0x02
#define IFAPI_SESSION2 0x04
#define IFAPI_POLICY_PATH "policy"
#define IFAPI_NV_PATH "nv"
#define IFAPI_EXT_PATH "ext"
#define IFAPI_FILE_DELIM "/"
#define IFAPI_LIST_DELIM ":"
#define IFAPI_FILE_DELIM_CHAR '/'
#define IFAPI_PUB_KEY_DIR "ext"
#define IFAPI_POLICY_DIR "policy"
#define IFAPI_PEM_PUBLIC_STRING "-----BEGIN PUBLIC KEY-----"
#define IFAPI_PEM_PRIVATE_KEY "-----PRIVATE KEY-----"
#define IFAPI_JSON_TAG_POLICY "policy"
#define IFAPI_JSON_TAG_DUPLICATE "public_parent"
#if TPM2_MAX_NV_BUFFER_SIZE > TPM2_MAX_DIGEST_BUFFER
#define IFAPI_MAX_BUFFER_SIZE TPM2_MAX_NV_BUFFER_SIZE
#else
#define IFAPI_MAX_BUFFER_SIZE TPM2_MAX_DIGEST_BUFFER
#endif
#define IFAPI_FLUSH_PARENT true
#define IFAPI_NOT_FLUSH_PARENT false
/* Definition of FAPI buffer for TPM2B transmission */
typedef struct {
UINT16 size;
BYTE buffer[IFAPI_MAX_BUFFER_SIZE];
} IFAPI_MAX_BUFFER;
#define OSSL_FREE(S,TYPE) if((S) != NULL) {TYPE##_free((void*) (S)); (S)=NULL;}
#define FAPI_COPY_DIGEST(dest_buffer, dest_size, src, src_size) \
if (src_size > sizeof(TPMU_HA)) { \
return_error(TSS2_FAPI_RC_BAD_VALUE, "Digest size too large."); \
} \
memcpy(dest_buffer, (src), (src_size)); \
dest_size = src_size
#define HASH_UPDATE(CONTEXT, TYPE, OBJECT, R, LABEL) \
{ \
uint8_t buffer[sizeof(TYPE)]; \
size_t offset = 0; \
R = Tss2_MU_ ## TYPE ## _Marshal(OBJECT, \
&buffer[0], sizeof(TYPE), &offset); \
goto_if_error(R, "Marshal for hash update", LABEL); \
R = ifapi_crypto_hash_update(CONTEXT, \
(const uint8_t *) &buffer[0], \
offset); \
goto_if_error(R, "crypto hash update", LABEL); }
#define HASH_UPDATE_BUFFER(CONTEXT, BUFFER, SIZE, R, LABEL) \
R = ifapi_crypto_hash_update(CONTEXT, \
(const uint8_t *) BUFFER, SIZE) ; \
goto_if_error(R, "crypto hash update", LABEL);
#define FAPI_SYNC(r,msg,label, ...) \
if ((r & ~TSS2_RC_LAYER_MASK) == TSS2_BASE_RC_TRY_AGAIN) \
return TSS2_FAPI_RC_TRY_AGAIN; \
if (r != TSS2_RC_SUCCESS) { \
LOG_ERROR(TPM2_ERROR_FORMAT " " msg, TPM2_ERROR_TEXT(r), ## __VA_ARGS__); \
goto label; \
}
/** The states for the FAPI's object authorization state*/
enum IFAPI_GET_CERT_STATE {
GET_CERT_INIT = 0,
GET_CERT_WAIT_FOR_GET_CAP,
GET_CERT_GET_CERT_NV,
GET_CERT_GET_CERT_NV_FINISH,
GET_CERT_GET_CERT_READ_PUBLIC,
GET_CERT_READ_CERT
};
/** The states for the FAPI's cleanup after successful command execution*/
enum IFAPI_CLEANUP_STATE {
CLEANUP_INIT = 0,
CLEANUP_SESSION1,
CLEANUP_SESSION2,
CLEANUP_SRK
};
#define IFAPI_MAX_CAP_INFO 17
typedef struct {
char *description;
TPMS_CAPABILITY_DATA *capability;
} IFAPI_CAP_INFO;
typedef struct {
char *fapi_version; /**< The version string of FAPI */
char *fapi_config; /**< The configuration information */
IFAPI_CAP_INFO cap[IFAPI_MAX_CAP_INFO];
} IFAPI_INFO;
/** Type for representing FAPI template for keys
*/
typedef struct {
TPMI_YES_NO system; /**< Store the object in the system wide
directory */
TPMI_YES_NO persistent; /**< Store key persistent in NV ram. */
UINT32 persistent_handle; /**< < Persistent handle which should be used */
TPM2B_PUBLIC public; /**< Template for public data */
} IFAPI_KEY_TEMPLATE;
/** Type for representing template for NV objects
*/
typedef struct {
TPMI_YES_NO system; /**< Store the object in the system wide
directory */
TPMI_RH_HIERARCHY hierarchy; /**< Hierarchy for NV object. */
char *description; /**< Description of template. */
TPMS_NV_PUBLIC public; /**< Template for public data */
} IFAPI_NV_TEMPLATE;
/** Type for representing a external public key
*/
typedef struct {
TPMT_SIG_SCHEME sig_scheme; /**< Signature scheme used for quote. */
TPMS_ATTEST attest; /**< Attestation data from Quote */
} FAPI_QUOTE_INFO;
/** The states for the FAPI's NV read state */
enum _FAPI_STATE_NV_READ {
NV_READ_INIT = 0,
NV_READ_AUTHORIZE,
NV_READ_AUTHORIZE2,
NV_READ_AUTH_SENT
};
/** The states for the FAPI's NV write state */
enum _FAPI_STATE_NV_WRITE {
NV2_WRITE_INIT = 0,
NV2_WRITE_READ,
NV2_WRITE_WAIT_FOR_SESSSION,
NV2_WRITE_NULL_AUTH_SENT,
NV2_WRITE_AUTH_SENT,
NV2_WRITE_WRITE_PREPARE,
NV2_WRITE_WRITE,
NV2_WRITE_AUTHORIZE,
NV2_WRITE_AUTHORIZE2
};
/** The data structure holding internal state of Fapi NV commands.
*/
typedef struct {
char *nvPath ; /**< The name of the file for object serialization */
char *policyPath; /**< The name of the policy file */
TPM2B_NV_PUBLIC public; /**< The public info of the NV object. */
ESYS_TR esys_auth_handle; /**< The ESAPI handle for the NV auth object */
ESYS_TR esys_handle; /**< The ESAPI handle for the NV object */
size_t numBytes; /**< The number of bytes of a ESYS request */
UINT16 bytesRequested; /**< Bytes currently requested from TPM */
UINT16 offset; /**< Offset in TPM memory TPM */
size_t data_idx; /**< Offset in the read buffer */
const uint8_t *data; /**< Buffer for data to be written */
uint8_t *rdata; /**< Buffer for data to be read */
IFAPI_OBJECT auth_object; /**< Object used for authentication */
IFAPI_OBJECT nv_object; /**< Deserialized NV object */
TPM2B_AUTH auth; /**< The Password */
IFAPI_NV nv_obj; /**< The NV Object */
ESYS_TR auth_index; /**< The ESAPI handle of the authorization object */
uint64_t bitmap; /**< The bitmask for the SetBits command */
IFAPI_NV_TEMPLATE public_templ; /**< The template for nv creation, adjusted
appropriate by the passed flags */
enum _FAPI_STATE_NV_READ nv_read_state; /**< The current state of NV read */
enum _FAPI_STATE_NV_WRITE nv_write_state; /**< The current state of NV write*/
uint8_t *write_data;
char const *logData; /**< The event log for NV objects of type pcr */
json_object *jso_event_log; /**< logData in JSON format */
TPMI_RH_NV_INDEX maxNvIndex; /**< Max index for search for free index */
IFAPI_EVENT pcr_event; /**< Event to be added to log */
TPML_DIGEST_VALUES digests; /**< Digest for the event data of an extend */
bool skip_policy_computation; /**< switch whether policy needs to be computed */
} IFAPI_NV_Cmds;
/** The data structure holding internal state of Fapi_Initialize command.
*/
typedef struct {
TPMS_CAPABILITY_DATA *capability; /* TPM capability data to check available algs */
} IFAPI_INITIALIZE;
/** The data structure holding internal state of Fapi_PCR commands.
*/
typedef struct {
TPML_DIGEST_VALUES digest_list; /**< The digest list computed for the event */
TPML_DIGEST_VALUES *event_digests; /**< The digest list computed by TPM2_Event */
ESYS_TR PCR; /**< The handle of the PCR register to be extended */
TPML_PCR_SELECTION pcr_selection; /**< Selection used for Read and Quote */
TPML_PCR_SELECTION *pcr_selection_out; /**< Selection returned by PCR_Read */
UINT32 update_count;
TPML_DIGEST *pcrValues; /* The values returned by PCR_Read */
TPM2_HANDLE pcrIndex;
TPMI_ALG_HASH hashAlg;
const char *keyPath; /**< The implicit key path for PCR_Quote */
ESYS_TR handle; /**< The ESYS handle of the signing key */
IFAPI_OBJECT *key_object; /**< The IPAPI object of the signing key */
TPMS_CAPABILITY_DATA *capabilityData; /* TPM capability data to check available algs */
uint32_t *pcrList; /**< Array of PCR numbers */
size_t pcrListSize; /**< Size of PCR array */
TPM2B_DATA qualifyingData; /**< Nonce for quote command */
uint8_t const *eventData;
TPM2B_EVENT event;
size_t eventDataSize;
uint32_t const *hashAlgs;
uint32_t *hashAlgs2;
size_t numHashAlgs;
char const *quoteInfo;
TPM2B_ATTEST *tpm_quoted;
TPMT_SIGNATURE *tpm_signature;
uint8_t const *signature;
size_t signatureSize;
char const *logData;
char *pcrLog;
IFAPI_EVENT pcr_event;
json_object *event_list;
FAPI_QUOTE_INFO fapi_quote_info;
} IFAPI_PCR;
/** The data structure holding internal state of Fapi_SetDescription.
*/
typedef struct {
char *description; /**< The description of the object */
UINT8_ARY appData; /**< Application data to be stored in object store. */
IFAPI_OBJECT object; /**< The IPAPI object to store the info*/
char *object_path; /**< The realative path to the object */
json_object *jso; /**< JSON object for storing the AppData */
char *jso_string; /**< JSON deserialized buffer */
} IFAPI_Path_SetDescription;
/** The data structure holding internal state of Fapi_GetRandom.
*/
typedef struct {
size_t numBytes; /**< The number of random bytes to be generated */
size_t idx; /**< Current position in output buffer. */
UINT16 bytesRequested; /**< Byted currently requested from TPM */
uint8_t *data; /**< The buffer for the random data */
} IFAPI_GetRandom;
/** The data structure holding internal state of Fapi_Key_Setcertificate.
*/
typedef struct {
const char *pem_cert; /**< The certifificate in pem or format */
char *pem_cert_dup; /**< The allocate certifificate */
const char *key_path; /**< The absolute key path */
NODE_STR_T *path_list; /**< The computed explicit path */
IFAPI_OBJECT key_object; /**< The IPAPI object for the certified key */
} IFAPI_Key_SetCertificate;
/** The states for the FAPI's key creation */
enum IFAPI_KEY_CREATE_STATE {
KEY_CREATE_INIT = 0,
KEY_CREATE_WAIT_FOR_SESSION,
KEY_CREATE_WAIT_FOR_PARENT,
KEY_CREATE_AUTH_SENT,
KEY_CREATE_WRITE_PREPARE,
KEY_CREATE_WRITE,
KEY_CREATE_FLUSH,
KEY_CREATE_CALCULATE_POLICY,
KEY_CREATE_WAIT_FOR_AUTHORIZATION,
KEY_CREATE_CLEANUP
};
/** The data structure holding internal state of Fapi_CreateKey.
*/
typedef struct {
enum IFAPI_KEY_CREATE_STATE state;
const char *keyPath; /**< The pathname from the application */
NODE_STR_T *path_list; /**< The computed explicit path */
IFAPI_OBJECT parent; /**< The parent of the key for used for creation. */
IFAPI_OBJECT object; /**< The current object. */
IFAPI_KEY_TEMPLATE public_templ; /**< The template for the keys public data */
TPM2B_PUBLIC public; /**< The public data of the key */
TPM2B_SENSITIVE_CREATE inSensitive;
TPM2B_DATA outsideInfo;
TPML_PCR_SELECTION creationPCR;
ESYS_TR handle;
const char *authValue;
const char *policyPath;
const IFAPI_PROFILE *profile;
} IFAPI_Key_Create;
/** The data structure holding internal state of Fapi_EncryptDecrypt.
*/
typedef struct {
char const *keyPath; /**< The implicit key path */
uint8_t const *in_data;
size_t in_dataSize;
IFAPI_OBJECT *key_object; /**< The IPAPI object for the encryption key */
uint8_t *out_data; /**< The output of symmetric encrypt/decryption */
ESYS_TR key_handle; /**< The ESYS handle of the encryption key */
size_t numBytes; /**< The number of bytes of a ESYS request */
size_t decrypt; /**< Switch whether to encrypt or decrypt */
UINT16 bytesRequested; /**< Bytes currently requested from TPM */
TPMT_RSA_DECRYPT rsa_scheme;
ESYS_TR object_handle;
char *policy_path;
ESYS_TR auth_session;
const IFAPI_PROFILE *profile;
} IFAPI_Data_EncryptDecrypt;
/** The states for signing */
enum FAPI_SIGN_STATE {
SIGN_INIT = 0,
SIGN_WAIT_FOR_SESSION,
SIGN_WAIT_FOR_KEY,
SIGN_AUTH_SENT,
SIGN_WAIT_FOR_FLUSH
};
/** The data structure holding internal state of Fapi_Sign.
*/
typedef struct {
enum FAPI_SIGN_STATE state; /**< The state of the signing operation */
const char *keyPath; /**< The implicit key path */
ESYS_TR handle; /**< The ESYS handle of the signing key */
TPM2B_DIGEST digest; /**< The digest to be signed */
TPMT_SIG_SCHEME scheme; /**< The signature scheme from profile */
IFAPI_OBJECT *key_object; /**< The IPAPI object of the signing key */
TPMT_SIGNATURE *tpm_signature; /**< The signature in TPM format */
TPMI_YES_NO decrypt; /**< Switch for symmetric algs */
TPMT_SIGNATURE *signature; /**< Produced TPM singature */
char const *padding; /**< Optional padding parameter for key sign. */
} IFAPI_Key_Sign;
/** The data structure holding internal state of Fapi_Unseal.
*/
typedef struct {
const char *keyPath; /**< The implicit key path */
IFAPI_OBJECT *object; /**< The IPAPI object storing the data to be unsealed */
TPM2B_SENSITIVE_DATA *unseal_data; /** The result of the esys unseal operation */
} IFAPI_Unseal;
/** The data structure holding internal state of Fapi_GetInfo.
*/
typedef struct {
TPMS_CAPABILITY_DATA *capability_data; /**< The TPM capability for one property */
TPMS_CAPABILITY_DATA *fetched_data; /**< The data fetched in one TPM command */
size_t idx_info_cap;
IFAPI_INFO info_obj;
UINT32 property_count;
UINT32 property;
} IFAPI_GetInfo;
/** The states for the FAPI's hierarchy authorization state*/
enum IFAPI_HIERACHY_AUTHORIZATION_STATE {
HIERARCHY_CHANGE_AUTH_INIT = 0,
HIERARCHY_CHANGE_AUTH_NULL_AUTH_SENT,
HIERARCHY_CHANGE_AUTH_AUTH_SENT
};
/** The states for the FAPI's change policy authorization state*/
enum IFAPI_HIERACHY_POLICY_AUTHORIZATION_STATE {
HIERARCHY_CHANGE_POLICY_INIT = 0,
HIERARCHY_CHANGE_POLICY_NULL_AUTH_SENT,
HIERARCHY_CHANGE_POLICY_AUTH_SENT
};
/** The data structure holding internal state of Fapi_ChangeAuth.
*/
typedef struct {
const char *entityPath; /**< The implicit key path */
ESYS_TR handle; /**< The ESYS handle of the key */
IFAPI_OBJECT *key_object; /**< The IPAPI object of the key */
const char *authValue; /**< The new auth value */
TPM2B_AUTH newAuthValue; /**< The new auth value */
TPM2B_PRIVATE *newPrivate; /**< New private data created by parend */
IFAPI_OBJECT object; /**< Deserialized NV object or hierarchy */
ESYS_TR nv_index; /**< NV handle of the object to be changed */
ESYS_TR hierarchy_handle; /**< NV handle of the hierarchy to be changed */
} IFAPI_Entity_ChangeAuth;
/** The data structure holding internal state of Fapi_AuthorizePolicy.
*/
typedef struct {
const char *policyPath; /**< Policy with Policy to be authorized */
const char *signingKeyPath; /**< Key for policy signing */
TPM2B_DIGEST policyRef;
TPMS_POLICYAUTHORIZATION authorization;
} IFAPI_Fapi_AuthorizePolicy;
/** The data structure holding internal state of Fapi_WriteAuthorizeNv.
*/
typedef struct {
const char *policyPath; /**< Policy with Policy to be authorized */
TPMI_ALG_HASH *hash_alg; /**< The hash alg used for digest computation */
size_t hash_size; /**< The digest size */
size_t digest_idx; /**< The index of the digest in the policy */
} IFAPI_api_WriteAuthorizeNv;
/** The data structure holding internal state of Provisioning.
*/
typedef struct {
IFAPI_OBJECT hierarchy; /**< The current used hierarchy for CreatePrimary */
IFAPI_KEY_TEMPLATE public_templ; /**< The basic template for the keys public data */
TPM2B_PUBLIC public; /**< The public info of the created primary */
TPM2B_SENSITIVE_CREATE inSensitive;
TPM2B_DATA outsideInfo;
TPML_PCR_SELECTION creationPCR;
ESYS_TR handle;
const char *authValueLockout;
const char *authValueEh;
const char *policyPathEh;
const char *authValueSh;
const char *policyPathSh;
size_t digest_idx;
size_t hash_size;
TPM2_HANDLE cert_nv_idx;
ESYS_TR esys_nv_cert_handle;
char *pem_cert;
TPM2_ALG_ID cert_key_type;
size_t cert_count;
size_t cert_idx;
TPMS_CAPABILITY_DATA *capabilityData;
IFAPI_OBJECT hierarchy_object;
TPM2B_AUTH hierarchy_auth;
TPM2B_DIGEST policy_digest;
char *intermed_crt;
char *root_crt;
} IFAPI_Provision;
/** The data structure holding internal state of regenerate primary key.
*/
typedef struct {
char *path; /**< Path of the primary (starting with hierarchy) */
IFAPI_OBJECT hierarchy; /**< The current used hierarchy for CreatePrimary */
IFAPI_OBJECT pkey_object;
TPM2B_SENSITIVE_CREATE inSensitive;
TPM2B_DATA outsideInfo;
TPML_PCR_SELECTION creationPCR;
ESYS_TR handle;
TPMI_DH_PERSISTENT persistent_handle;
} IFAPI_CreatePrimary;
/** The data structure holding internal state of key verify signature.
*/
typedef struct {
const char *keyPath;
uint8_t const *signature;
size_t signatureSize;
uint8_t const *digest;
size_t digestSize;
IFAPI_OBJECT key_object;
} IFAPI_Key_VerifySignature;
/** The states for the FAPI's policy loading */
enum IFAPI_STATE_POLICY {
POLICY_INIT = 0,
POLICY_READ,
POLICY_READ_FINISH,
POLICY_INSTANTIATE_PREPARE,
POLICY_INSTANTIATE,
POLICY_EXECUTE,
POLICY_FLUSH
};
typedef struct IFAPI_POLICY_EXEC_CTX IFAPI_POLICY_EXEC_CTX;
typedef struct IFAPI_POLICYUTIL_STACK IFAPI_POLICYUTIL_STACK;
/** The states for session creation */
enum FAPI_CREATE_SESSION_STATE {
CREATE_SESSION_INIT = 0,
CREATE_SESSION,
WAIT_FOR_CREATE_SESSION
};
/** The data structure holding internal policy state.
*/
typedef struct {
enum IFAPI_STATE_POLICY state;
struct TPMS_POLICY policy;
size_t digest_idx;
size_t hash_size;
char **pathlist; /**< The array of all objects in the search path */
TPMI_ALG_HASH hash_alg;
IFAPI_POLICY_EXEC_CTX *policy_stack; /**< The stack used for storing current policy information.
e.g. for retry the current index of policy elements hash
to be stored. */
IFAPI_POLICYUTIL_STACK *util_current_policy;
IFAPI_POLICYUTIL_STACK *policyutil_stack;
/**< The stack used for storing current policy information.
e.g. for retry the current index of policy elements hash
to be stored. */
ESYS_TR session; /**< Auxiliary variable to store created policy session.
The value will also be stored in the policy stack */
enum FAPI_CREATE_SESSION_STATE create_session_state;
char *path;
IFAPI_POLICY_EVAL_INST_CTX eval_ctx;
} IFAPI_POLICY_CTX;
/** The states for the IFAPI's policy loading */
enum IFAPI_STATE_FILE_SEARCH {
FSEARCH_INIT = 0,
FSEARCH_READ,
FSEARCH_OBJECT
};
/** The data structure holding internal policy state.
*/
typedef struct {
enum IFAPI_STATE_FILE_SEARCH state;
char **pathlist; /**< The array of all objects in the search path */
size_t path_idx; /**< Index of array of objects to be searched */
size_t numPaths; /**< Number of all objects in data store */
char *current_path;
} IFAPI_FILE_SEARCH_CTX;
/** The states for the FAPI's key loading */
enum _FAPI_STATE_LOAD_KEY {
LOAD_KEY_GET_PATH = 0,
LOAD_KEY_READ_KEY,
LOAD_KEY_WAIT_FOR_PRIMARY,
LOAD_KEY_LOAD_KEY,
LOAD_KEY_AUTH,
LOAD_KEY_AUTHORIZE
};
/** The data structure holding internal state of export key.
*/
typedef struct {
char const *pathOfKeyToDuplicate; /**< The relative path of the key to be exported */
char const *pathToPublicKeyOfNewParent; /**< The relative path of the new parent */
TPM2B_PUBLIC public_parent; /**< The public key of the new parent */
IFAPI_OBJECT *key_object; /**< The IPAPI object of the key to be duplicated */
IFAPI_OBJECT export_tree; /**< The complete tree to be exported */
IFAPI_OBJECT pub_key; /**< The public part of the new parent */
IFAPI_OBJECT dup_key; /**< The key to be duplicated or exported */
struct TPMS_POLICY policy;
ESYS_TR handle_ext_key;
} IFAPI_ExportKey;
/** The data structure holding internal state of export policy.
*/
typedef struct {
char const *path; /**< Path of the object with the policy to be
exported */
IFAPI_OBJECT object; /**< Object corresponding to path */
} IFAPI_ExportPolicy;
/** The data structure holding internal state of import key.
*/
typedef struct {
IFAPI_OBJECT object;
TPM2B_NAME parent_name;
IFAPI_OBJECT *parent_object;
IFAPI_OBJECT new_object;
char *parent_path;
char *out_path;
TPM2B_PRIVATE *private;
char *jso_string;
} IFAPI_ImportKey;
/** The data structure holding internal state of loading keys.
*/
typedef struct {
enum _FAPI_STATE_LOAD_KEY state; /**< The current state of key loading */
NODE_STR_T *path_list; /**< The current used hierarchy for CreatePrimary */
NODE_OBJECT_T *key_list;
IFAPI_OBJECT auth_object;
size_t position;
ESYS_TR handle;
ESYS_TR parent_handle;
bool parent_handle_persistent;
IFAPI_OBJECT *key_object;
char *key_path;
} IFAPI_LoadKey;
/** The data structure holding internal state of entity delete.
*/
typedef struct {
bool is_key; /**< Entity to be deleted is a key */
bool is_persistent_key; /**< Entity to be deleted is a key */
ESYS_TR new_object_handle;
TPM2_HANDLE permanentHandle; /**< The TPM permanent handle */
IFAPI_OBJECT auth_object; /**< Object used for authentication */
ESYS_TR auth_index; /**< The ESAPI handle of the nv authorization object */
char *path; /**< The name of the file to be deleted */
IFAPI_OBJECT object; /**< Deserialized object */
char **pathlist; /**< The array with the object files to be deleted */
size_t numPaths; /**< Size of array with the object files to be deleted */
size_t path_idx; /**< Index of array with the object files to be deleted */
} IFAPI_Entity_Delete;
/** The data structure holding internal state of list entities.
*/
typedef struct {
const char *searchPath; /**< The path to searched for objectws */
} IFAPI_Entities_List;
/** Union for all input parameters.
*
* The input parameters of a command need to be stored in order to enable
* resubmission. This type provides the corresponding facilities.
*/
typedef union {
IFAPI_Provision Provision;
IFAPI_Key_Create Key_Create;
IFAPI_Key_SetCertificate Key_SetCertificate;
IFAPI_Entity_ChangeAuth Entity_ChangeAuth;
IFAPI_Entity_Delete Entity_Delete;
IFAPI_Entities_List Entities_List;
IFAPI_Key_VerifySignature Key_VerifySignature;
IFAPI_Data_EncryptDecrypt Data_EncryptDecrypt;
IFAPI_PCR pcr;
IFAPI_INITIALIZE Initialize;
IFAPI_Path_SetDescription path_set_info;
IFAPI_Fapi_AuthorizePolicy Policy_AuthorizeNewPolicy;
IFAPI_api_WriteAuthorizeNv WriteAuthorizeNV;
IFAPI_ExportKey ExportKey;
IFAPI_ImportKey ImportKey;
IFAPI_Unseal Unseal;
IFAPI_GetInfo GetInfo;
IFAPI_ExportPolicy ExportPolicy;
} IFAPI_CMD_STATE;
/** The states for the FAPI's primary key regeneration */
enum _FAPI_STATE_PRIMARY {
PRIMARY_INIT = 0,
PRIMARY_READ_KEY,
PRIMARY_READ_HIERARCHY,
PRIMARY_READ_HIERARCHY_FINISH,
PRIMARY_AUTHORIZE_HIERARCHY,
PRIMARY_HAUTH_SENT,
PRIMARY_CREATED
};
/** The states for the FAPI's primary key regeneration */
enum _FAPI_STATE_SESSION {
SESSION_INIT = 0,
SESSION_WAIT_FOR_PRIMARY,
SESSION_CREATE_SESSION,
SESSION_WAIT_FOR_SESSION1,
SESSION_WAIT_FOR_SESSION2
};
/** The states for the FAPI's get random state */
enum _FAPI_STATE_GET_RANDOM {
GET_RANDOM_INIT = 0,
GET_RANDOM_SENT
};
/** The states for flushing objects */
enum _FAPI_FLUSH_STATE {
FLUSH_INIT = 0,
WAIT_FOR_FLUSH
};
/** The states for the FAPI's internal state machine */
enum _FAPI_STATE {
_FAPI_STATE_INIT = 0, /**< The initial state after creation or after
finishing a command. A new command can only
be issued in this state. */
_FAPI_STATE_INTERNALERROR, /**< A non-recoverable error occurred within the
ESAPI code. */
INITIALIZE_READ,
INITIALIZE_INIT_TCTI,
INITIALIZE_GET_CAP,
INITIALIZE_WAIT_FOR_CAP,
INITIALIZE_READ_PROFILE,
INITIALIZE_READ_PROFILE_INIT,
PROVISION_WAIT_FOR_GET_CAP1,
PROVISION_INIT_GET_CAP2,
PROVISION_WAIT_FOR_GET_CAP2,
PROVISION_GET_CERT_NV,
PROVISION_GET_CERT_NV_FINISH,
PROVISION_GET_CERT_READ_PUBLIC,
PROVISION_READ_CERT,
PROVISION_PREPARE_READ_ROOT_CERT,
PROVISION_READ_ROOT_CERT,
PROVISION_READ_PROFILE,
PROVISION_INIT_SRK,
PROVISION_AUTH_EK_NO_AUTH_SENT,
PROVISION_AUTH_EK_AUTH_SENT,
PROVISION_AUTH_SRK_NO_AUTH_SENT,
PROVISION_AUTH_SRK_AUTH_SENT,
PROVISION_EK_WRITE_PREPARE,
PROVISION_EK_WRITE,
PROVISION_EK_CHECK_CERT,
PROVISION_SRK_WRITE_PREPARE,
PROVISION_SRK_WRITE,
PROVISION_WAIT_FOR_EK_PERSISTENT,
PROVISION_WAIT_FOR_SRK_PERSISTENT,
PROVISION_CHANGE_LOCKOUT_AUTH,
PROVISION_CHANGE_EH_CHECK,
PROVISION_CHANGE_EH_AUTH,
PROVISION_CHANGE_SH_CHECK,
PROVISION_CHANGE_SH_AUTH,
PROVISION_EH_CHANGE_POLICY,
PROVISION_SH_CHANGE_POLICY,
PROVISION_LOCKOUT_CHANGE_POLICY,
PROVISION_FINISHED,
PROVISION_WRITE_SH,
PROVISION_WRITE_EH,
PROVISION_WRITE_LOCKOUT,
PROVISION_WRITE_LOCKOUT_PARAM,
PROVISION_FLUSH_SRK,
PROVISION_FLUSH_EK,
PROVISION_CHECK_FOR_VENDOR_CERT,
PROVISION_GET_VENDOR,
KEY_CREATE,
CREATE_SEAL,
KEY_SET_CERTIFICATE_READ,
KEY_SET_CERTIFICATE_WRITE,
KEY_GET_CERTIFICATE_READ,
GET_RANDOM_WAIT_FOR_SESSION,
GET_RANDOM_WAIT_FOR_RANDOM,
GET_RANDOM_CLEANUP,
NV_CREATE_READ_PROFILE,
NV_CREATE_READ_HIERARCHY,
NV_CREATE_AUTHORIZE_HIERARCHY,
NV_CREATE_GET_INDEX,
NV_CREATE_FIND_INDEX,
NV_CREATE_WAIT_FOR_SESSION,
NV_CREATE_AUTH_SENT,
NV_CREATE_WRITE,
NV_CREATE_CALCULATE_POLICY,
NV_WRITE_READ,
NV_WRITE_WRITE,
NV_WRITE_CLEANUP,
NV_EXTEND_READ,
NV_EXTEND_WAIT_FOR_SESSION,
NV_EXTEND_AUTHORIZE,
NV_EXTEND_AUTH_SENT,
NV_EXTEND_WRITE,
NV_EXTEND_CLEANUP,
NV_INCREMENT_READ,
NV_INCREMENT_WAIT_FOR_SESSION,
NV_INCREMENT_AUTHORIZE,
NV_INCREMENT_AUTH_SENT,
NV_INCREMENT_WRITE,
NV_INCREMENT_CLEANUP,
NV_SET_BITS_READ,
NV_SET_BITS_WAIT_FOR_SESSION,
NV_SET_BITS_AUTHORIZE,
NV_SET_BITS_AUTH_SENT,
NV_SET_BITS_WRITE,
NV_SET_BITS_CLEANUP,
NV_READ_READ,
NV_READ_WAIT,
NV_READ_WAIT_FOR_SESSION,
NV_READ_CLEANUP,
ENTITY_DELETE_GET_FILE,
ENTITY_DELETE_READ,
ENTITY_DELETE_WAIT_FOR_SESSION,
ENTITY_DELETE_NULL_AUTH_SENT_FOR_KEY,
ENTITY_DELETE_AUTH_SENT_FOR_KEY,
ENTITY_DELETE_NULL_AUTH_SENT_FOR_NV,
ENTITY_DELETE_AUTH_SENT_FOR_NV,
ENTITY_DELETE_KEY,
ENTITY_DELETE_AUTHORIZE_NV,
ENTITY_DELETE_FILE,
ENTITY_DELETE_POLICY,
ENTITY_DELETE_REMOVE_DIRS,
ENTITY_GET_TPM_BLOBS_READ,
KEY_SIGN_WAIT_FOR_KEY,
KEY_SIGN_WAIT_FOR_SIGN,
KEY_SIGN_CLEANUP,
ENTITY_CHANGE_AUTH_WAIT_FOR_SESSION,
ENTITY_CHANGE_AUTH_WAIT_FOR_KEY,
ENTITY_CHANGE_AUTH_AUTH_SENT,
ENTITY_CHANGE_AUTH_WAIT_FOR_FLUSH,
ENTITY_CHANGE_AUTH_WRITE_PREPARE,
ENTITY_CHANGE_AUTH_WRITE,
ENTITY_CHANGE_AUTH_WAIT_FOR_KEY_AUTH,
ENTITY_CHANGE_AUTH_WAIT_FOR_NV_READ,
ENTITY_CHANGE_AUTH_WAIT_FOR_NV_AUTH,
ENTITY_CHANGE_AUTH_WAIT_FOR_NV_CHANGE_AUTH,
ENTITY_CHANGE_AUTH_HIERARCHY_CHANGE_AUTH,
ENTITY_CHANGE_AUTH_HIERARCHY_READ,
ENTITY_CHANGE_AUTH_HIERARCHY_AUTHORIZE,
ENTITY_CHANGE_AUTH_CLEANUP,
DATA_ENCRYPT_WAIT_FOR_PROFILE,
DATA_ENCRYPT_WAIT_FOR_SESSION,
DATA_ENCRYPT_WAIT_FOR_KEY,
DATA_ENCRYPT_WAIT_FOR_FLUSH,
DATA_ENCRYPT_WAIT_FOR_RSA_ENCRYPTION,
DATA_ENCRYPT_CLEAN,
DATA_DECRYPT_WAIT_FOR_PROFILE,
DATA_DECRYPT_WAIT_FOR_SESSION,
DATA_DECRYPT_WAIT_FOR_KEY,
DATA_DECRYPT_WAIT_FOR_FLUSH,
DATA_DECRYPT_WAIT_FOR_RSA_DECRYPTION,
DATA_DECRYPT_AUTHORIZE_KEY,
DATA_DECRYPT_CLEANUP,
PCR_EXTEND_WAIT_FOR_SESSION,
PCR_EXTEND_WAIT_FOR_GET_CAP,
PCR_EXTEND_APPEND_EVENT_LOG,
PCR_EXTEND_FINISH,
PCR_EXTEND_CLEANUP,
PCR_READ_READ_PCR,
PCR_READ_READ_EVENT_LIST,
PCR_QUOTE_WAIT_FOR_GET_CAP,
PCR_QUOTE_WAIT_FOR_SESSION,
PCR_QUOTE_WAIT_FOR_KEY,
PCR_QUOTE_AUTH_SENT,
PCR_QUOTE_AUTHORIZE,
PCR_QUOTE_WAIT_FOR_FLUSH,
PCR_QUOTE_READ_EVENT_LIST,
PCR_QUOTE_CLEANUP,
PATH_SET_DESCRIPTION_READ,
PATH_SET_DESCRIPTION_WRITE,
PATH_GET_DESCRIPTION_READ,
APP_DATA_SET_READ,
APP_DATA_SET_WRITE,
AUTHORIZE_NEW_CALCULATE_POLICY,
AUTHORIZE_NEW_LOAD_KEY,
AUTHORIZE_NEW_KEY_SIGN_POLICY,
AUTHORIZE_NEW_WRITE_POLICY_PREPARE,
AUTHORIZE_NEW_WRITE_POLICY,
AUTHORIZE_NEW_CLEANUP,
WRITE_AUTHORIZE_NV_READ_NV,
WRITE_AUTHORIZE_NV_CALCULATE_POLICY,
WRITE_AUTHORIZE_NV_WRITE_NV_RAM_PREPARE,
WRITE_AUTHORIZE_NV_WRITE_NV_RAM,
WRITE_AUTHORIZE_NV_WRITE_OBJCECT,
WRITE_AUTHORIZE_NV_WRITE_POLICY_PREPARE,
WRITE_AUTHORIZE_NV_WRITE_POLICY,
WRITE_AUTHORIZE_NV_CLEANUP,
EXPORT_KEY_READ_PUB_KEY,
EXPORT_KEY_READ_PUB_KEY_PARENT,
EXPORT_KEY_WAIT_FOR_KEY,
EXPORT_KEY_WAIT_FOR_DUPLICATE,
EXPORT_KEY_WAIT_FOR_EXT_KEY,
EXPORT_KEY_WAIT_FOR_AUTHORIZATON,
EXPORT_KEY_WAIT_FOR_FLUSH1,
EXPORT_KEY_WAIT_FOR_FLUSH2,
EXPORT_KEY_CLEANUP,
IMPORT_KEY_WRITE_POLICY,
IMPORT_KEY_WRITE,
IMPORT_KEY_SEARCH,
IMPORT_KEY_LOAD_PARENT,
IMPORT_KEY_AUTHORIZE_PARENT,
IMPORT_KEY_IMPORT,
IMPORT_KEY_WAIT_FOR_FLUSH,
IMPORT_KEY_WRITE_OBJECT_PREPARE,
IMPORT_KEY_WRITE_OBJECT,
IMPORT_KEY_CLEANUP,
UNSEAL_WAIT_FOR_KEY,
UNSEAL_AUTHORIZE_OBJECT,
UNSEAL_WAIT_FOR_UNSEAL,
UNSEAL_WAIT_FOR_FLUSH,
UNSEAL_CLEANUP,
GET_PLATFORM_CERTIFICATE,
POLICY_EXPORT_READ_OBJECT,
POLICY_EXPORT_READ_OBJECT_FINISH,
POLICY_EXPORT_READ_POLICY,
POLICY_EXPORT_READ_POLICY_FINISH,
VERIFY_QUOTE_READ,
GET_INFO_GET_CAP,
GET_INFO_GET_CAP_MORE,
GET_INFO_WAIT_FOR_CAP
};
/** Structure holding FAPI callbacks and userData
*
* This structure holds the callback pointers and corresponding userData pointers for each of the
* three callback types of FAPI. They are set using Fapi_SetAuthCB, Fapi_SetBranchCB and
* Fapi_SetSignCB.
*/
struct IFAPI_CALLBACKS {
Fapi_CB_Auth auth;
void *authData;
Fapi_CB_Branch branch;
void *branchData;
Fapi_CB_Sign sign;
void *signData;
Fapi_CB_PolicyAction action;
void *actionData;
};
/** The data structure holding internal state information.
*
* Each FAPI_CONTEXT respresents a logically independent connection to the TPM.
* It stores meta data information about object in order to calculate session
* auths and similar things.
*/
struct FAPI_CONTEXT {
ESYS_CONTEXT *esys; /**< The ESYS context used internally to talk to
the TPM. */
struct IFAPI_CALLBACKS callbacks; /**< Callbacks for user interaction from FAPI */
struct IFAPI_IO io;
struct IFAPI_EVENTLOG eventlog;
struct IFAPI_KEYSTORE keystore;
struct IFAPI_POLICY_STORE pstore;
struct IFAPI_PROFILES profiles;
enum _FAPI_STATE state; /**< The current state of the command execution */
enum _FAPI_STATE_PRIMARY primary_state; /**< The current state of the primary regeneration */
enum _FAPI_STATE_SESSION session_state; /**< The current state of the session creation */
enum _FAPI_STATE_GET_RANDOM get_random_state; /**< The current state of get random */
enum IFAPI_HIERACHY_AUTHORIZATION_STATE hierarchy_state;
enum IFAPI_HIERACHY_POLICY_AUTHORIZATION_STATE hierarchy_policy_state;
enum IFAPI_GET_CERT_STATE get_cert_state;
enum _FAPI_FLUSH_STATE flush_object_state; /**< The current state of a flush operation */
enum IFAPI_CLEANUP_STATE cleanup_state; /**< The state of cleanup after command execution */
IFAPI_CONFIG config; /**< The profile independet configuration data */
UINT32 nv_buffer_max; /**< The maximal size for transfer of nv buffer content */
IFAPI_CMD_STATE cmd; /**< The state information of the currently executed
command */
IFAPI_NV_Cmds nv_cmd;
IFAPI_GetRandom get_random;
IFAPI_CreatePrimary createPrimary;
IFAPI_LoadKey loadKey;
ESYS_TR session1; /**< The first session used by FAPI */
ESYS_TR session2; /**< The second session used by FAPI */
ESYS_TR policy_session; /**< The policy session used by FAPI */
ESYS_TR ek_handle;
ESYS_TR srk_handle;
bool ek_persistent;
bool srk_persistent;
IFAPI_SESSION_TYPE session_flags;
TPMA_SESSION session1_attribute_flags;
TPMA_SESSION session2_attribute_flags;
IFAPI_MAX_BUFFER aux_data; /**< tpm2b data to be transferred */
IFAPI_POLICY_CTX policy; /**< The context of current policy. */
IFAPI_FILE_SEARCH_CTX fsearch; /**< The context for object search in key/policy store */
IFAPI_Key_Sign Key_Sign; /**< State information for key signing */
enum IFAPI_IO_STATE io_state;
NODE_OBJECT_T *object_list;
IFAPI_OBJECT *duplicate_key; /**< Will be needed for policy execution */
};
#define VENDOR_IFX 0x49465800
#define VENDOR_INTC 0x494E5443
#define VEDNOR_IBM 0x49424D20
#endif /* FAPI_INT_H */