diff options
Diffstat (limited to 'meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch')
-rw-r--r-- | meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch | 254 |
1 files changed, 254 insertions, 0 deletions
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch new file mode 100644 index 0000000..a88148f --- /dev/null +++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch | |||
@@ -0,0 +1,254 @@ | |||
1 | From eb28ad92a2722fd30f8114840cf2b1ade26b80ee Mon Sep 17 00:00:00 2001 | ||
2 | From: Limeng <Meng.Li@windriver.com> | ||
3 | Date: Fri, 23 Jun 2017 11:39:04 +0800 | ||
4 | Subject: [PATCH] tpm:openssl-tpm-engine:parse an encrypted tpm SRK password | ||
5 | from env | ||
6 | |||
7 | Before, we support reading SRK password from env TPM_SRK_PW, | ||
8 | but it is a plain password and not secure. | ||
9 | So, we improve it and support to get an encrypted (AES algorithm) | ||
10 | SRK password from env, and then parse it. The default decrypting | ||
11 | AES password and salt is set in bb file. | ||
12 | When we initialize TPM, and set a SRK pw, and then we need to | ||
13 | encrypt it with the same AES password and salt by AES algorithm. | ||
14 | At last, we set a env as below: | ||
15 | export TPM_SRK_ENC_PW=xxxxxxxx | ||
16 | "xxxxxxxx" is the encrypted SRK password for libtpm.so. | ||
17 | |||
18 | Signed-off-by: Meng Li <Meng.Li@windriver.com> | ||
19 | --- | ||
20 | e_tpm.c | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- | ||
21 | e_tpm.h | 4 ++ | ||
22 | e_tpm_err.c | 4 ++ | ||
23 | 3 files changed, 164 insertions(+), 1 deletion(-) | ||
24 | |||
25 | diff --git a/e_tpm.c b/e_tpm.c | ||
26 | index 7dcb75a..11bf74b 100644 | ||
27 | --- a/e_tpm.c | ||
28 | +++ b/e_tpm.c | ||
29 | @@ -245,6 +245,118 @@ void ENGINE_load_tpm(void) | ||
30 | ERR_clear_error(); | ||
31 | } | ||
32 | |||
33 | +static int tpm_decode_base64(unsigned char *indata, | ||
34 | + int in_len, | ||
35 | + unsigned char *outdata, | ||
36 | + int *out_len) | ||
37 | +{ | ||
38 | + int total_len, len, ret; | ||
39 | + EVP_ENCODE_CTX dctx; | ||
40 | + | ||
41 | + EVP_DecodeInit(&dctx); | ||
42 | + | ||
43 | + total_len = 0; | ||
44 | + ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len); | ||
45 | + if (ret < 0) { | ||
46 | + TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED); | ||
47 | + return 1; | ||
48 | + } | ||
49 | + | ||
50 | + total_len += len; | ||
51 | + ret = EVP_DecodeFinal(&dctx, outdata, &len); | ||
52 | + if (ret < 0) { | ||
53 | + TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED); | ||
54 | + return 1; | ||
55 | + } | ||
56 | + total_len += len; | ||
57 | + | ||
58 | + *out_len = total_len; | ||
59 | + | ||
60 | + return 0; | ||
61 | +} | ||
62 | + | ||
63 | +static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len, | ||
64 | + unsigned char *outdata, | ||
65 | + int *out_len) | ||
66 | +{ | ||
67 | + int dec_data_len, dec_data_lenfinal; | ||
68 | + unsigned char dec_data[256]; | ||
69 | + unsigned char *aes_pw; | ||
70 | + unsigned char aes_salt[PKCS5_SALT_LEN]; | ||
71 | + unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; | ||
72 | + const EVP_CIPHER *cipher = NULL; | ||
73 | + const EVP_MD *dgst = NULL; | ||
74 | + EVP_CIPHER_CTX *ctx = NULL; | ||
75 | + | ||
76 | + if (sizeof(SRK_DEC_SALT) - 1 > PKCS5_SALT_LEN) { | ||
77 | + TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); | ||
78 | + return 1; | ||
79 | + } | ||
80 | + | ||
81 | + aes_pw = malloc(sizeof(SRK_DEC_PW) - 1); | ||
82 | + if (aes_pw == NULL) { | ||
83 | + TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); | ||
84 | + return 1; | ||
85 | + } | ||
86 | + | ||
87 | + memset(aes_salt, 0x00, sizeof(aes_salt)); | ||
88 | + memcpy(aes_pw, SRK_DEC_PW, sizeof(SRK_DEC_PW) - 1); | ||
89 | + memcpy(aes_salt, SRK_DEC_SALT, sizeof(SRK_DEC_SALT) - 1); | ||
90 | + | ||
91 | + cipher = EVP_get_cipherbyname("aes-128-cbc"); | ||
92 | + if (cipher == NULL) { | ||
93 | + TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); | ||
94 | + free(aes_pw); | ||
95 | + return 1; | ||
96 | + } | ||
97 | + dgst = EVP_sha256(); | ||
98 | + | ||
99 | + EVP_BytesToKey(cipher, dgst, aes_salt, (unsigned char *)aes_pw, sizeof(SRK_DEC_PW) - 1, 1, key, iv); | ||
100 | + | ||
101 | + ctx = EVP_CIPHER_CTX_new(); | ||
102 | + /* Don't set key or IV right away; we want to check lengths */ | ||
103 | + if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 0)) { | ||
104 | + TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); | ||
105 | + free(aes_pw); | ||
106 | + return 1; | ||
107 | + } | ||
108 | + | ||
109 | + OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16); | ||
110 | + OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16); | ||
111 | + | ||
112 | + if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 0)) { | ||
113 | + TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); | ||
114 | + free(aes_pw); | ||
115 | + return 1; | ||
116 | + } | ||
117 | + | ||
118 | + if (!EVP_CipherUpdate(ctx, dec_data, &dec_data_len, indata, in_len)) { | ||
119 | + /* Error */ | ||
120 | + TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); | ||
121 | + free(aes_pw); | ||
122 | + EVP_CIPHER_CTX_free(ctx); | ||
123 | + return 1; | ||
124 | + } | ||
125 | + | ||
126 | + if (!EVP_CipherFinal_ex(ctx, dec_data + dec_data_len, &dec_data_lenfinal)) { | ||
127 | + /* Error */ | ||
128 | + TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); | ||
129 | + free(aes_pw); | ||
130 | + EVP_CIPHER_CTX_free(ctx); | ||
131 | + return 1; | ||
132 | + } | ||
133 | + | ||
134 | + dec_data_len = dec_data_len + dec_data_lenfinal; | ||
135 | + | ||
136 | + memcpy(outdata, dec_data, dec_data_len); | ||
137 | + *out_len = dec_data_len; | ||
138 | + | ||
139 | + free(aes_pw); | ||
140 | + EVP_CIPHER_CTX_free(ctx); | ||
141 | + | ||
142 | + return 0; | ||
143 | +} | ||
144 | + | ||
145 | int tpm_load_srk(UI_METHOD *ui, void *cb_data) | ||
146 | { | ||
147 | TSS_RESULT result; | ||
148 | @@ -305,8 +417,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) | ||
149 | return 0; | ||
150 | } | ||
151 | |||
152 | - srkPasswd = getenv("TPM_SRK_PW"); | ||
153 | + srkPasswd = getenv("TPM_SRK_ENC_PW"); | ||
154 | if (NULL != srkPasswd) { | ||
155 | + int in_len = strlen(srkPasswd); | ||
156 | + int out_len; | ||
157 | + unsigned char *out_buf; | ||
158 | + | ||
159 | + if (!in_len || in_len % 4) { | ||
160 | + Tspi_Context_CloseObject(hContext, hSRK); | ||
161 | + free(auth); | ||
162 | + TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); | ||
163 | + return 0; | ||
164 | + } | ||
165 | + | ||
166 | + out_len = in_len * 3 / 4; | ||
167 | + out_buf = malloc(out_len); | ||
168 | + if (NULL == out_buf) { | ||
169 | + Tspi_Context_CloseObject(hContext, hSRK); | ||
170 | + free(auth); | ||
171 | + TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); | ||
172 | + return 0; | ||
173 | + } | ||
174 | + | ||
175 | + if (tpm_decode_base64(srkPasswd, strlen(srkPasswd), | ||
176 | + out_buf, &out_len)) { | ||
177 | + Tspi_Context_CloseObject(hContext, hSRK); | ||
178 | + free(auth); | ||
179 | + free(out_buf); | ||
180 | + TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); | ||
181 | + return 0; | ||
182 | + } | ||
183 | + | ||
184 | + if (tpm_decrypt_srk_pw(out_buf, out_len, | ||
185 | + auth, &authlen)) { | ||
186 | + Tspi_Context_CloseObject(hContext, hSRK); | ||
187 | + free(auth); | ||
188 | + free(out_buf); | ||
189 | + TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); | ||
190 | + return 0; | ||
191 | + } | ||
192 | + secretMode = TSS_SECRET_MODE_PLAIN; | ||
193 | + free(out_buf); | ||
194 | + } | ||
195 | +#ifdef TPM_SRK_PLAIN_PW | ||
196 | + else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) { | ||
197 | if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) { | ||
198 | memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN); | ||
199 | secretMode = TSS_SECRET_MODE_SHA1; | ||
200 | @@ -319,6 +473,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) | ||
201 | authlen = strlen(auth); | ||
202 | } | ||
203 | } | ||
204 | +#endif | ||
205 | else { | ||
206 | if (!tpm_engine_get_auth(ui, (char *)auth, 128, | ||
207 | "SRK authorization: ", cb_data)) { | ||
208 | diff --git a/e_tpm.h b/e_tpm.h | ||
209 | index 6316e0b..56ff202 100644 | ||
210 | --- a/e_tpm.h | ||
211 | +++ b/e_tpm.h | ||
212 | @@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line); | ||
213 | #define TPM_F_TPM_FILL_RSA_OBJECT 116 | ||
214 | #define TPM_F_TPM_ENGINE_GET_AUTH 117 | ||
215 | #define TPM_F_TPM_CREATE_SRK_POLICY 118 | ||
216 | +#define TPM_F_TPM_DECODE_BASE64 119 | ||
217 | +#define TPM_F_TPM_DECRYPT_SRK_PW 120 | ||
218 | |||
219 | /* Reason codes. */ | ||
220 | #define TPM_R_ALREADY_LOADED 100 | ||
221 | @@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line); | ||
222 | #define TPM_R_ID_INVALID 125 | ||
223 | #define TPM_R_UI_METHOD_FAILED 126 | ||
224 | #define TPM_R_UNKNOWN_SECRET_MODE 127 | ||
225 | +#define TPM_R_DECODE_BASE64_FAILED 128 | ||
226 | +#define TPM_R_DECRYPT_SRK_PW_FAILED 129 | ||
227 | |||
228 | /* structure pointed to by the RSA object's app_data pointer */ | ||
229 | struct rsa_app_data | ||
230 | diff --git a/e_tpm_err.c b/e_tpm_err.c | ||
231 | index 25a5d0f..439e267 100644 | ||
232 | --- a/e_tpm_err.c | ||
233 | +++ b/e_tpm_err.c | ||
234 | @@ -235,6 +235,8 @@ static ERR_STRING_DATA TPM_str_functs[] = { | ||
235 | {ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"}, | ||
236 | {ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"}, | ||
237 | {ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"}, | ||
238 | + {ERR_PACK(0, TPM_F_TPM_DECODE_BASE64, 0), "TPM_DECODE_BASE64"}, | ||
239 | + {ERR_PACK(0, TPM_F_TPM_DECRYPT_SRK_PW, 0), "TPM_DECRYPT_SRK_PW"}, | ||
240 | {0, NULL} | ||
241 | }; | ||
242 | |||
243 | @@ -265,6 +267,8 @@ static ERR_STRING_DATA TPM_str_reasons[] = { | ||
244 | {TPM_R_FILE_READ_FAILED, "failed reading the key file"}, | ||
245 | {TPM_R_ID_INVALID, "engine id doesn't match"}, | ||
246 | {TPM_R_UI_METHOD_FAILED, "ui function failed"}, | ||
247 | + {TPM_R_DECODE_BASE64_FAILED, "decode base64 failed"}, | ||
248 | + {TPM_R_DECRYPT_SRK_PW_FAILED, "decrypt srk password failed"}, | ||
249 | {0, NULL} | ||
250 | }; | ||
251 | |||
252 | -- | ||
253 | 2.9.3 | ||
254 | |||