2 files changed, 273 insertions, 0 deletions
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
new file mode 100644
index 0000000..a88148f
--- /dev/null
+++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
@@ -0,0 +1,254 @@
+From eb28ad92a2722fd30f8114840cf2b1ade26b80ee Mon Sep 17 00:00:00 2001
+From: Limeng <Meng.Li@windriver.com>
+Date: Fri, 23 Jun 2017 11:39:04 +0800
+Subject: [PATCH] tpm:openssl-tpm-engine:parse an encrypted tpm SRK password 
+ from env
+Before, we support reading SRK password from env TPM_SRK_PW,
+but it is a plain password and not secure.
+So, we improve it and support to get an encrypted (AES algorithm)
+SRK password from env, and then parse it. The default decrypting
+AES password and salt is set in bb file.
+When we initialize TPM, and set a SRK pw, and then we need to
+encrypt it with the same AES password and salt by AES algorithm.
+At last, we set a env as below:
+export TPM_SRK_ENC_PW=xxxxxxxx
+"xxxxxxxx" is the encrypted SRK password for libtpm.so.
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ e_tpm.c     | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ e_tpm.h     |   4 ++
+ e_tpm_err.c |   4 ++
+ 3 files changed, 164 insertions(+), 1 deletion(-)
+diff --git a/e_tpm.c b/e_tpm.c
+index 7dcb75a..11bf74b 100644
+--- a/e_tpm.c
+++ b/e_tpm.c
+@@ -245,6 +245,118 @@ void ENGINE_load_tpm(void)
+        ERR_clear_error();
+ }
+ 
+static int tpm_decode_base64(unsigned char *indata,
+                               int in_len,
+                               unsigned char *outdata,
+                               int *out_len)
+{
+       int total_len, len, ret;
+       EVP_ENCODE_CTX dctx;
+
+       EVP_DecodeInit(&dctx);
+
+       total_len = 0;
+       ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
+       if (ret < 0) {
+               TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
+               return 1;
+       }
+
+       total_len += len;
+       ret = EVP_DecodeFinal(&dctx, outdata, &len);
+       if (ret < 0) {
+               TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
+               return 1;
+       }
+       total_len += len;
+
+       *out_len = total_len;
+
+       return 0;
+}
+
+static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len,
+                               unsigned char *outdata,
+                               int *out_len)
+{
+       int dec_data_len, dec_data_lenfinal;
+       unsigned char dec_data[256];
+       unsigned char *aes_pw;
+       unsigned char aes_salt[PKCS5_SALT_LEN];
+       unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
+       const EVP_CIPHER *cipher = NULL;
+       const EVP_MD *dgst = NULL;
+       EVP_CIPHER_CTX *ctx = NULL;
+
+       if (sizeof(SRK_DEC_SALT) - 1 > PKCS5_SALT_LEN) {
+               TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+               return 1;
+       }
+
+       aes_pw = malloc(sizeof(SRK_DEC_PW) - 1);
+       if (aes_pw == NULL) {
+               TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+               return 1;
+       }
+
+       memset(aes_salt, 0x00, sizeof(aes_salt));
+       memcpy(aes_pw, SRK_DEC_PW, sizeof(SRK_DEC_PW) - 1);
+       memcpy(aes_salt, SRK_DEC_SALT, sizeof(SRK_DEC_SALT) - 1);
+
+       cipher = EVP_get_cipherbyname("aes-128-cbc");
+       if (cipher == NULL) {
+               TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+               free(aes_pw);
+               return 1;
+       }
+       dgst = EVP_sha256();
+
+       EVP_BytesToKey(cipher, dgst, aes_salt, (unsigned char *)aes_pw, sizeof(SRK_DEC_PW) - 1, 1, key, iv);
+
+       ctx = EVP_CIPHER_CTX_new();
+       /* Don't set key or IV right away; we want to check lengths */
+       if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 0)) {
+               TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+               free(aes_pw);
+               return 1;
+       }
+
+       OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
+       OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
+
+       if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 0)) {
+               TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+               free(aes_pw);
+               return 1;
+       }
+
+       if (!EVP_CipherUpdate(ctx, dec_data, &dec_data_len, indata, in_len)) {
+               /* Error */
+               TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+               free(aes_pw);
+               EVP_CIPHER_CTX_free(ctx);
+               return 1;
+       }
+
+       if (!EVP_CipherFinal_ex(ctx, dec_data + dec_data_len, &dec_data_lenfinal)) {
+               /* Error */
+               TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+               free(aes_pw);
+               EVP_CIPHER_CTX_free(ctx);
+               return 1;
+       }
+
+       dec_data_len = dec_data_len + dec_data_lenfinal;
+
+       memcpy(outdata, dec_data, dec_data_len);
+       *out_len = dec_data_len;
+
+       free(aes_pw);
+       EVP_CIPHER_CTX_free(ctx);
+
+       return 0;
+}
+
+ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+ {
+        TSS_RESULT result;
+@@ -305,8 +417,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+                return 0;
+        }
+ 
+-       srkPasswd = getenv("TPM_SRK_PW");
+       srkPasswd = getenv("TPM_SRK_ENC_PW");
+        if (NULL != srkPasswd) {
+               int in_len = strlen(srkPasswd);
+               int out_len;
+               unsigned char *out_buf;
+
+               if (!in_len || in_len % 4) {
+                       Tspi_Context_CloseObject(hContext, hSRK);
+                       free(auth);
+                       TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+                       return 0;
+               }
+
+               out_len = in_len * 3 / 4;
+               out_buf = malloc(out_len);
+               if (NULL == out_buf) {
+                       Tspi_Context_CloseObject(hContext, hSRK);
+                       free(auth);
+                       TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+                       return 0;
+               }
+
+               if (tpm_decode_base64(srkPasswd, strlen(srkPasswd),
+                                       out_buf, &out_len)) {
+                       Tspi_Context_CloseObject(hContext, hSRK);
+                       free(auth);
+                       free(out_buf);
+                       TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+                       return 0;
+               }
+
+               if (tpm_decrypt_srk_pw(out_buf, out_len,
+                                                       auth, &authlen)) {
+                       Tspi_Context_CloseObject(hContext, hSRK);
+                       free(auth);
+                       free(out_buf);
+                       TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+                       return 0;
+               }
+               secretMode = TSS_SECRET_MODE_PLAIN;
+               free(out_buf);
+       }
+#ifdef TPM_SRK_PLAIN_PW
+       else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) {
+                if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
+                        memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
+                        secretMode = TSS_SECRET_MODE_SHA1;
+@@ -319,6 +473,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+                        authlen = strlen(auth);
+                }
+        }
+#endif
+        else {
+                if (!tpm_engine_get_auth(ui, (char *)auth, 128,
+                                "SRK authorization: ", cb_data)) {
+diff --git a/e_tpm.h b/e_tpm.h
+index 6316e0b..56ff202 100644
+--- a/e_tpm.h
+++ b/e_tpm.h
+@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line);
+ #define TPM_F_TPM_FILL_RSA_OBJECT              116
+ #define TPM_F_TPM_ENGINE_GET_AUTH              117
+ #define TPM_F_TPM_CREATE_SRK_POLICY            118
+#define TPM_F_TPM_DECODE_BASE64                        119
+#define TPM_F_TPM_DECRYPT_SRK_PW               120
+ 
+ /* Reason codes. */
+ #define TPM_R_ALREADY_LOADED                   100
+@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line);
+ #define TPM_R_ID_INVALID                       125
+ #define TPM_R_UI_METHOD_FAILED                 126
+ #define TPM_R_UNKNOWN_SECRET_MODE              127
+#define TPM_R_DECODE_BASE64_FAILED             128
+#define TPM_R_DECRYPT_SRK_PW_FAILED            129
+ 
+ /* structure pointed to by the RSA object's app_data pointer */
+ struct rsa_app_data
+diff --git a/e_tpm_err.c b/e_tpm_err.c
+index 25a5d0f..439e267 100644
+--- a/e_tpm_err.c
+++ b/e_tpm_err.c
+@@ -235,6 +235,8 @@ static ERR_STRING_DATA TPM_str_functs[] = {
+        {ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"},
+        {ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"},
+        {ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"},
+       {ERR_PACK(0, TPM_F_TPM_DECODE_BASE64, 0), "TPM_DECODE_BASE64"},
+       {ERR_PACK(0, TPM_F_TPM_DECRYPT_SRK_PW, 0), "TPM_DECRYPT_SRK_PW"},
+        {0, NULL}
+ };
+ 
+@@ -265,6 +267,8 @@ static ERR_STRING_DATA TPM_str_reasons[] = {
+        {TPM_R_FILE_READ_FAILED, "failed reading the key file"},
+        {TPM_R_ID_INVALID, "engine id doesn't match"},
+        {TPM_R_UI_METHOD_FAILED, "ui function failed"},
+       {TPM_R_DECODE_BASE64_FAILED, "decode base64 failed"},
+       {TPM_R_DECRYPT_SRK_PW_FAILED, "decrypt srk password failed"},
+        {0, NULL}
+ };
+ 
+-- 
+2.9.3
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb b/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb
index acb79bd..419bb27 100644
--- a/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb
+++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb
@@ -52,3 +52,22 @@ do_install_append() {
 INSANE_SKIP_${PN} = "libdir"
 INSANE_SKIP_${PN}-dbg = "libdir"
+# The definitions below are used to decrypt the srk password.
+# It is allowed to define the values in 3 forms: string, hex number and
+# the hybrid, e.g,
+# srk_dec_pw = "incendia"
+# srk_dec_pw = "\x69\x6e\x63\x65\x6e\x64\x69\x61"
+# srk_dec_pw = "\x1""nc""\x3""nd""\x1""a"
+#
+# Due to the limit of escape character, the hybrid must be written in
+# above style. The actual values defined below in C code style are:
+# srk_dec_pw[] = { 0x01, 'n', 'c', 0x03, 'n', 'd', 0x01, 'a' };
+# srk_dec_salt[] = { 'r', 0x00, 0x00, 't' };
+srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
+srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
+CFLAGS_append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
+# Uncomment below line if using the plain srk password for development
+#CFLAGS_append += "-DTPM_SRK_PLAIN_PW"

diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch new file mode 100644 index 0000000..a88148f --- /dev/null +++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
@@ -0,0 +1,254 @@
		1	From eb28ad92a2722fd30f8114840cf2b1ade26b80ee Mon Sep 17 00:00:00 2001
		2	From: Limeng <Meng.Li@windriver.com>
		3	Date: Fri, 23 Jun 2017 11:39:04 +0800
		4	Subject: [PATCH] tpm:openssl-tpm-engine:parse an encrypted tpm SRK password
		5	from env
		6
		7	Before, we support reading SRK password from env TPM_SRK_PW,
		8	but it is a plain password and not secure.
		9	So, we improve it and support to get an encrypted (AES algorithm)
		10	SRK password from env, and then parse it. The default decrypting
		11	AES password and salt is set in bb file.
		12	When we initialize TPM, and set a SRK pw, and then we need to
		13	encrypt it with the same AES password and salt by AES algorithm.
		14	At last, we set a env as below:
		15	export TPM_SRK_ENC_PW=xxxxxxxx
		16	"xxxxxxxx" is the encrypted SRK password for libtpm.so.
		17
		18	Signed-off-by: Meng Li <Meng.Li@windriver.com>
		19	---
		20	e_tpm.c \| 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
		21	e_tpm.h \| 4 ++
		22	e_tpm_err.c \| 4 ++
		23	3 files changed, 164 insertions(+), 1 deletion(-)
		24
		25	diff --git a/e_tpm.c b/e_tpm.c
		26	index 7dcb75a..11bf74b 100644
		27	--- a/e_tpm.c
		28	+++ b/e_tpm.c
		29	@@ -245,6 +245,118 @@ void ENGINE_load_tpm(void)
		30	ERR_clear_error();
		31	}
		32
		33	+static int tpm_decode_base64(unsigned char *indata,
		34	+ int in_len,
		35	+ unsigned char *outdata,
		36	+ int *out_len)
		37	+{
		38	+ int total_len, len, ret;
		39	+ EVP_ENCODE_CTX dctx;
		40	+
		41	+ EVP_DecodeInit(&dctx);
		42	+
		43	+ total_len = 0;
		44	+ ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
		45	+ if (ret < 0) {
		46	+ TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
		47	+ return 1;
		48	+ }
		49	+
		50	+ total_len += len;
		51	+ ret = EVP_DecodeFinal(&dctx, outdata, &len);
		52	+ if (ret < 0) {
		53	+ TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
		54	+ return 1;
		55	+ }
		56	+ total_len += len;
		57	+
		58	+ *out_len = total_len;
		59	+
		60	+ return 0;
		61	+}
		62	+
		63	+static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len,
		64	+ unsigned char *outdata,
		65	+ int *out_len)
		66	+{
		67	+ int dec_data_len, dec_data_lenfinal;
		68	+ unsigned char dec_data[256];
		69	+ unsigned char *aes_pw;
		70	+ unsigned char aes_salt[PKCS5_SALT_LEN];
		71	+ unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
		72	+ const EVP_CIPHER *cipher = NULL;
		73	+ const EVP_MD *dgst = NULL;
		74	+ EVP_CIPHER_CTX *ctx = NULL;
		75	+
		76	+ if (sizeof(SRK_DEC_SALT) - 1 > PKCS5_SALT_LEN) {
		77	+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
		78	+ return 1;
		79	+ }
		80	+
		81	+ aes_pw = malloc(sizeof(SRK_DEC_PW) - 1);
		82	+ if (aes_pw == NULL) {
		83	+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
		84	+ return 1;
		85	+ }
		86	+
		87	+ memset(aes_salt, 0x00, sizeof(aes_salt));
		88	+ memcpy(aes_pw, SRK_DEC_PW, sizeof(SRK_DEC_PW) - 1);
		89	+ memcpy(aes_salt, SRK_DEC_SALT, sizeof(SRK_DEC_SALT) - 1);
		90	+
		91	+ cipher = EVP_get_cipherbyname("aes-128-cbc");
		92	+ if (cipher == NULL) {
		93	+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
		94	+ free(aes_pw);
		95	+ return 1;
		96	+ }
		97	+ dgst = EVP_sha256();
		98	+
		99	+ EVP_BytesToKey(cipher, dgst, aes_salt, (unsigned char *)aes_pw, sizeof(SRK_DEC_PW) - 1, 1, key, iv);
		100	+
		101	+ ctx = EVP_CIPHER_CTX_new();
		102	+ /* Don't set key or IV right away; we want to check lengths */
		103	+ if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 0)) {
		104	+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
		105	+ free(aes_pw);
		106	+ return 1;
		107	+ }
		108	+
		109	+ OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
		110	+ OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
		111	+
		112	+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 0)) {
		113	+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
		114	+ free(aes_pw);
		115	+ return 1;
		116	+ }
		117	+
		118	+ if (!EVP_CipherUpdate(ctx, dec_data, &dec_data_len, indata, in_len)) {
		119	+ /* Error */
		120	+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
		121	+ free(aes_pw);
		122	+ EVP_CIPHER_CTX_free(ctx);
		123	+ return 1;
		124	+ }
		125	+
		126	+ if (!EVP_CipherFinal_ex(ctx, dec_data + dec_data_len, &dec_data_lenfinal)) {
		127	+ /* Error */
		128	+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
		129	+ free(aes_pw);
		130	+ EVP_CIPHER_CTX_free(ctx);
		131	+ return 1;
		132	+ }
		133	+
		134	+ dec_data_len = dec_data_len + dec_data_lenfinal;
		135	+
		136	+ memcpy(outdata, dec_data, dec_data_len);
		137	+ *out_len = dec_data_len;
		138	+
		139	+ free(aes_pw);
		140	+ EVP_CIPHER_CTX_free(ctx);
		141	+
		142	+ return 0;
		143	+}
		144	+
		145	int tpm_load_srk(UI_METHOD ui, void cb_data)
		146	{
		147	TSS_RESULT result;
		148	@@ -305,8 +417,50 @@ int tpm_load_srk(UI_METHOD ui, void cb_data)
		149	return 0;
		150	}
		151
		152	- srkPasswd = getenv("TPM_SRK_PW");
		153	+ srkPasswd = getenv("TPM_SRK_ENC_PW");
		154	if (NULL != srkPasswd) {
		155	+ int in_len = strlen(srkPasswd);
		156	+ int out_len;
		157	+ unsigned char *out_buf;
		158	+
		159	+ if (!in_len \|\| in_len % 4) {
		160	+ Tspi_Context_CloseObject(hContext, hSRK);
		161	+ free(auth);
		162	+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
		163	+ return 0;
		164	+ }
		165	+
		166	+ out_len = in_len * 3 / 4;
		167	+ out_buf = malloc(out_len);
		168	+ if (NULL == out_buf) {
		169	+ Tspi_Context_CloseObject(hContext, hSRK);
		170	+ free(auth);
		171	+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
		172	+ return 0;
		173	+ }
		174	+
		175	+ if (tpm_decode_base64(srkPasswd, strlen(srkPasswd),
		176	+ out_buf, &out_len)) {
		177	+ Tspi_Context_CloseObject(hContext, hSRK);
		178	+ free(auth);
		179	+ free(out_buf);
		180	+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
		181	+ return 0;
		182	+ }
		183	+
		184	+ if (tpm_decrypt_srk_pw(out_buf, out_len,
		185	+ auth, &authlen)) {
		186	+ Tspi_Context_CloseObject(hContext, hSRK);
		187	+ free(auth);
		188	+ free(out_buf);
		189	+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
		190	+ return 0;
		191	+ }
		192	+ secretMode = TSS_SECRET_MODE_PLAIN;
		193	+ free(out_buf);
		194	+ }
		195	+#ifdef TPM_SRK_PLAIN_PW
		196	+ else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) {
		197	if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
		198	memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
		199	secretMode = TSS_SECRET_MODE_SHA1;
		200	@@ -319,6 +473,7 @@ int tpm_load_srk(UI_METHOD ui, void cb_data)
		201	authlen = strlen(auth);
		202	}
		203	}
		204	+#endif
		205	else {
		206	if (!tpm_engine_get_auth(ui, (char *)auth, 128,
		207	"SRK authorization: ", cb_data)) {
		208	diff --git a/e_tpm.h b/e_tpm.h
		209	index 6316e0b..56ff202 100644
		210	--- a/e_tpm.h
		211	+++ b/e_tpm.h
		212	@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line);
		213	#define TPM_F_TPM_FILL_RSA_OBJECT 116
		214	#define TPM_F_TPM_ENGINE_GET_AUTH 117
		215	#define TPM_F_TPM_CREATE_SRK_POLICY 118
		216	+#define TPM_F_TPM_DECODE_BASE64 119
		217	+#define TPM_F_TPM_DECRYPT_SRK_PW 120
		218
		219	/* Reason codes. */
		220	#define TPM_R_ALREADY_LOADED 100
		221	@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line);
		222	#define TPM_R_ID_INVALID 125
		223	#define TPM_R_UI_METHOD_FAILED 126
		224	#define TPM_R_UNKNOWN_SECRET_MODE 127
		225	+#define TPM_R_DECODE_BASE64_FAILED 128
		226	+#define TPM_R_DECRYPT_SRK_PW_FAILED 129
		227
		228	/* structure pointed to by the RSA object's app_data pointer */
		229	struct rsa_app_data
		230	diff --git a/e_tpm_err.c b/e_tpm_err.c
		231	index 25a5d0f..439e267 100644
		232	--- a/e_tpm_err.c
		233	+++ b/e_tpm_err.c
		234	@@ -235,6 +235,8 @@ static ERR_STRING_DATA TPM_str_functs[] = {
		235	{ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"},
		236	{ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"},
		237	{ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"},
		238	+ {ERR_PACK(0, TPM_F_TPM_DECODE_BASE64, 0), "TPM_DECODE_BASE64"},
		239	+ {ERR_PACK(0, TPM_F_TPM_DECRYPT_SRK_PW, 0), "TPM_DECRYPT_SRK_PW"},
		240	{0, NULL}
		241	};
		242
		243	@@ -265,6 +267,8 @@ static ERR_STRING_DATA TPM_str_reasons[] = {
		244	{TPM_R_FILE_READ_FAILED, "failed reading the key file"},
		245	{TPM_R_ID_INVALID, "engine id doesn't match"},
		246	{TPM_R_UI_METHOD_FAILED, "ui function failed"},
		247	+ {TPM_R_DECODE_BASE64_FAILED, "decode base64 failed"},
		248	+ {TPM_R_DECRYPT_SRK_PW_FAILED, "decrypt srk password failed"},
		249	{0, NULL}
		250	};
		251
		252	--
		253	2.9.3
		254


diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb b/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb index acb79bd..419bb27 100644 --- a/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb +++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb
@@ -52,3 +52,22 @@ do_install_append() {
52		52
53	INSANE_SKIP_${PN} = "libdir"	53	INSANE_SKIP_${PN} = "libdir"
54	INSANE_SKIP_${PN}-dbg = "libdir"	54	INSANE_SKIP_${PN}-dbg = "libdir"
		55
		56	# The definitions below are used to decrypt the srk password.
		57	# It is allowed to define the values in 3 forms: string, hex number and
		58	# the hybrid, e.g,
		59	# srk_dec_pw = "incendia"
		60	# srk_dec_pw = "\x69\x6e\x63\x65\x6e\x64\x69\x61"
		61	# srk_dec_pw = "\x1""nc""\x3""nd""\x1""a"
		62	#
		63	# Due to the limit of escape character, the hybrid must be written in
		64	# above style. The actual values defined below in C code style are:
		65	# srk_dec_pw[] = { 0x01, 'n', 'c', 0x03, 'n', 'd', 0x01, 'a' };
		66	# srk_dec_salt[] = { 'r', 0x00, 0x00, 't' };
		67	srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
		68	srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
		69
		70	CFLAGS_append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
		71
		72	# Uncomment below line if using the plain srk password for development
		73	#CFLAGS_append += "-DTPM_SRK_PLAIN_PW"