1 files changed, 196 insertions, 0 deletions
diff --git a/recipes-extended/xen/files/vtpm-parent-sign-ek.patch b/recipes-extended/xen/files/vtpm-parent-sign-ek.patch
new file mode 100644
index 00000000..14e66eee
--- /dev/null
+++ b/recipes-extended/xen/files/vtpm-parent-sign-ek.patch
@@ -0,0 +1,196 @@
+diff --git a/tpm/tpm_cmd_handler.c b/tpm/tpm_cmd_handler.c
+index 9e1cfb4..0fabf98 100644
+--- a/tpm/tpm_cmd_handler.c
+++ b/tpm/tpm_cmd_handler.c
+@@ -3312,6 +3312,37 @@ static TPM_RESULT execute_TPM_OwnerReadPubek(TPM_REQUEST *req, TPM_RESPONSE *rsp
+   return res;
+ }
+ 
+static TPM_RESULT execute_TPM_ParentSignEK(TPM_REQUEST *req, TPM_RESPONSE *rsp)
+{
+       TPM_NONCE nonce;
+       TPM_RESULT res;
+       UINT32 sigSize;
+       BYTE *sig;
+       BYTE *ptr;
+       UINT32 len;
+       TPM_PCR_SELECTION targetPCR;
+
+       tpm_compute_in_param_digest(req);
+
+       ptr = req->param;
+       len = req->paramSize;
+       if (tpm_unmarshal_TPM_NONCE(&ptr, &len, &nonce)
+               || tpm_unmarshal_TPM_PCR_SELECTION(&ptr, &len, &targetPCR)
+               || len != 0) return TPM_BAD_PARAMETER;
+
+       res = TPM_ParentSignEK(&nonce, &targetPCR, &req->auth1, &sigSize, &sig);
+       if (res != TPM_SUCCESS) return res;
+       rsp->paramSize = len = sigSize;
+       rsp->param = ptr = tpm_malloc(len);
+       if (ptr == NULL || tpm_marshal_BLOB(&ptr, &len, sig, sigSize)) {
+               tpm_free(rsp->param);
+               res = TPM_FAIL;
+       }
+       tpm_free(sig);
+
+       return res;
+}
+
+ static void tpm_setup_rsp_auth(TPM_COMMAND_CODE ordinal, TPM_RESPONSE *rsp) 
+ {
+   tpm_hmac_ctx_t hmac;
+@@ -4062,6 +4093,11 @@ void tpm_execute_command(TPM_REQUEST *req, TPM_RESPONSE *rsp)
+       res = execute_TPM_OwnerReadPubek(req, rsp);
+     break;
+ 
+    case TPM_ORD_ParentSignEK:
+      debug("[TPM_ORD_ParentSignEK]");
+      res = execute_TPM_ParentSignEK(req, rsp);
+    break;
+
+     default:
+ #ifdef MTM_EMULATOR
+       res = mtm_execute_command(req, rsp);
+diff --git a/tpm/tpm_commands.h b/tpm/tpm_commands.h
+index a7666f6..7fef934 100644
+--- a/tpm/tpm_commands.h
+++ b/tpm/tpm_commands.h
+@@ -3054,6 +3054,23 @@ TPM_RESULT TPM_OwnerReadPubek(
+   TPM_PUBKEY *pubEndorsementKey 
+ );
+ 
+/**
+ * TPM_ParentSignEK - gets a hardware TPM quote of a vTPM's EK
+ * @externalData: [in] AntiReplay nonce to prevent replay of messages
+ * @sel: [in] PCR selection for the hardware TPM's quote
+ * @auth1: [in, out] Authorization protocol parameters
+ * @sigSize: [out] The length of the returned digital signature
+ * @sig: [out] The resulting digital signature and PCR values
+ * Returns: TPM_SUCCESS on success, a TPM error code otherwise.
+ */
+TPM_RESULT TPM_ParentSignEK(
+  TPM_NONCE *externalData,
+  TPM_PCR_SELECTION *sel,
+  TPM_AUTH *auth1,
+  UINT32 *sigSize,
+  BYTE **sig
+);
+
+ /*
+  * Error handling
+  * [tpm_error.c]
+diff --git a/tpm/tpm_credentials.c b/tpm/tpm_credentials.c
+index 9cd64af..01f29e6 100644
+--- a/tpm/tpm_credentials.c
+++ b/tpm/tpm_credentials.c
+@@ -180,3 +180,34 @@ TPM_RESULT TPM_OwnerReadInternalPub(TPM_KEY_HANDLE keyHandle, TPM_AUTH *auth1,
+     return TPM_BAD_PARAMETER;
+   }
+ }
+
+int endorsementKeyFresh = 0;
+
+TPM_RESULT VTPM_GetParentQuote(TPM_DIGEST* data, TPM_PCR_SELECTION *sel, UINT32 *sigSize, BYTE **sig);
+
+TPM_RESULT TPM_ParentSignEK(TPM_NONCE *externalData, TPM_PCR_SELECTION *sel,
+                            TPM_AUTH *auth1, UINT32 *sigSize, BYTE **sig)
+{
+       TPM_PUBKEY pubKey;
+       TPM_RESULT res;
+       TPM_DIGEST hres;
+
+       info("TPM_ParentSignEK()");
+
+       res = tpm_verify_auth(auth1, tpmData.permanent.data.ownerAuth, TPM_KH_OWNER);
+       if (res != TPM_SUCCESS) return res;
+
+       if (!endorsementKeyFresh) return TPM_DISABLED_CMD;
+
+       res = tpm_get_pubek(&pubKey);
+       if (res != TPM_SUCCESS) return res;
+
+       if (tpm_compute_pubkey_checksum(externalData, &pubKey, &hres))
+               res = TPM_FAIL;
+
+       if (res == TPM_SUCCESS)
+               res = VTPM_GetParentQuote(&hres, sel, sigSize, sig);
+
+       free_TPM_PUBKEY(pubKey);
+       return res;
+}
+diff --git a/tpm/tpm_data.c b/tpm/tpm_data.c
+index 50c9697..6a0c499 100644
+--- a/tpm/tpm_data.c
+++ b/tpm/tpm_data.c
+@@ -76,6 +76,8 @@ static void init_timeouts(void)
+   tpmData.permanent.data.cmd_durations[2] = 1000;
+ }
+ 
+extern int endorsementKeyFresh;
+
+ void tpm_init_data(void)
+ {
+   /* endorsement key */
+@@ -157,6 +159,7 @@ void tpm_init_data(void)
+   if (tpmConf & TPM_CONF_GENERATE_EK) {
+     /* generate a new endorsement key */
+     tpm_rsa_generate_key(&tpmData.permanent.data.endorsementKey, 2048);
+    endorsementKeyFresh = 1;
+   } else {
+     /* setup endorsement key */
+     tpm_rsa_import_key(&tpmData.permanent.data.endorsementKey, 
+diff --git a/tpm/tpm_structures.h b/tpm/tpm_structures.h
+index f746c05..b0f4625 100644
+--- a/tpm/tpm_structures.h
+++ b/tpm/tpm_structures.h
+@@ -658,6 +658,49 @@ typedef struct tdTPM_CMK_MA_APPROVAL {
+ #define TPM_ORD_TickStampBlob                   242
+ #define TPM_ORD_MAX                             256
+ 
+/* VTPM-only commands: */
+/*
+ * ParentSignEK - Proof of fresh provisioning and EK value
+ *
+ * Input:
+ *   TPM_TAG             tag           TPM_TAG_RQU_AUTH1_COMMAND
+ *   UINT32              paramSize     Total size of request
+ *   TPM_COMMAND_CODE    ordinal       TPM_ORD_ParentSignEK
+ *   TPM_NONCE           externData    20 bytes of external data
+ *   TPM_PCR_SELECTION   ptSel         PCR selection for physical TPM
+ *   ---
+ *   UINT32              authHandle    Owner authorization session (OIAP)
+ *   TPM_NONCE           nonceOdd      Nonce for authHandle
+ *   BOOL                continueAuth  Continue flag for authHandle
+ *   TPM_AUTHDATA        privAuth      Authorization digest for command
+ *
+ * Output:
+ *   TPM_TAG             tag           TPM_TAG_RSP_AUTH1_COMMAND
+ *   UINT32              paramSize     Total size of response
+ *   TPM_RESULT          returnCode    Return code of the operation
+ *   BYTE[]              sig           Signature provided by physical TPM
+ *   TPM_PCRVALUE[]      pcrValue      Values of hardware PCRs used in the quote
+ *   ---
+ *   TPM_NONCE           nonceEven     Nonce for authHandle
+ *   BOOL                continueAuth  Continue flag for authHandle
+ *   TPM_AUTHDATA        resAuth       Authorization digest for response
+ *
+ * This command is only valid on the first boot of a vTPM; on any subsequent
+ * boot, the command returns TPM_DISABLED_CMD. It is intended to be used to
+ * provide evidence of proper platform configuration to the verifier/CA which is
+ * responsible for the creation of the vTPM's endorsement credential, which will
+ * be used on subsequent boots to certify AIKs via the usual Privacy CA protocol.
+ *
+ * The values of the virtual TPM's PCRs are not included in the response.
+ * The signature is a standard TPM_Quote response from the physical TPM; its
+ * externalData is the SHA1 hash of the following structure:
+ *   TPM_PUBKEY          pubEK         The vTPM's public EK
+ *   TPM_NONCE           externData    From input to the deep quote
+ *
+ * This structure was chosen to match the return of TPM_ReadPubek
+ */
+#define TPM_ORD_ParentSignEK                    (TPM_VENDOR_COMMAND | TPM_ORD_ReadPubek)
+
+ /*
+  * TCS Ordinals ([TPM_Part2], Section 17.1)
+  *

diff --git a/recipes-extended/xen/files/vtpm-parent-sign-ek.patch b/recipes-extended/xen/files/vtpm-parent-sign-ek.patch new file mode 100644 index 00000000..14e66eee --- /dev/null +++ b/recipes-extended/xen/files/vtpm-parent-sign-ek.patch
@@ -0,0 +1,196 @@
	1	diff --git a/tpm/tpm_cmd_handler.c b/tpm/tpm_cmd_handler.c
	2	index 9e1cfb4..0fabf98 100644
	3	--- a/tpm/tpm_cmd_handler.c
	4	+++ b/tpm/tpm_cmd_handler.c
	5	@@ -3312,6 +3312,37 @@ static TPM_RESULT execute_TPM_OwnerReadPubek(TPM_REQUEST req, TPM_RESPONSE rsp
	6	return res;
	7	}
	8
	9	+static TPM_RESULT execute_TPM_ParentSignEK(TPM_REQUEST req, TPM_RESPONSE rsp)
	10	+{
	11	+ TPM_NONCE nonce;
	12	+ TPM_RESULT res;
	13	+ UINT32 sigSize;
	14	+ BYTE *sig;
	15	+ BYTE *ptr;
	16	+ UINT32 len;
	17	+ TPM_PCR_SELECTION targetPCR;
	18	+
	19	+ tpm_compute_in_param_digest(req);
	20	+
	21	+ ptr = req->param;
	22	+ len = req->paramSize;
	23	+ if (tpm_unmarshal_TPM_NONCE(&ptr, &len, &nonce)
	24	+ \|\| tpm_unmarshal_TPM_PCR_SELECTION(&ptr, &len, &targetPCR)
	25	+ \|\| len != 0) return TPM_BAD_PARAMETER;
	26	+
	27	+ res = TPM_ParentSignEK(&nonce, &targetPCR, &req->auth1, &sigSize, &sig);
	28	+ if (res != TPM_SUCCESS) return res;
	29	+ rsp->paramSize = len = sigSize;
	30	+ rsp->param = ptr = tpm_malloc(len);
	31	+ if (ptr == NULL \|\| tpm_marshal_BLOB(&ptr, &len, sig, sigSize)) {
	32	+ tpm_free(rsp->param);
	33	+ res = TPM_FAIL;
	34	+ }
	35	+ tpm_free(sig);
	36	+
	37	+ return res;
	38	+}
	39	+
	40	static void tpm_setup_rsp_auth(TPM_COMMAND_CODE ordinal, TPM_RESPONSE *rsp)
	41	{
	42	tpm_hmac_ctx_t hmac;
	43	@@ -4062,6 +4093,11 @@ void tpm_execute_command(TPM_REQUEST req, TPM_RESPONSE rsp)
	44	res = execute_TPM_OwnerReadPubek(req, rsp);
	45	break;
	46
	47	+ case TPM_ORD_ParentSignEK:
	48	+ debug("[TPM_ORD_ParentSignEK]");
	49	+ res = execute_TPM_ParentSignEK(req, rsp);
	50	+ break;
	51	+
	52	default:
	53	#ifdef MTM_EMULATOR
	54	res = mtm_execute_command(req, rsp);
	55	diff --git a/tpm/tpm_commands.h b/tpm/tpm_commands.h
	56	index a7666f6..7fef934 100644
	57	--- a/tpm/tpm_commands.h
	58	+++ b/tpm/tpm_commands.h
	59	@@ -3054,6 +3054,23 @@ TPM_RESULT TPM_OwnerReadPubek(
	60	TPM_PUBKEY *pubEndorsementKey
	61	);
	62
	63	+/**
	64	+ * TPM_ParentSignEK - gets a hardware TPM quote of a vTPM's EK
	65	+ * @externalData: [in] AntiReplay nonce to prevent replay of messages
	66	+ * @sel: [in] PCR selection for the hardware TPM's quote
	67	+ * @auth1: [in, out] Authorization protocol parameters
	68	+ * @sigSize: [out] The length of the returned digital signature
	69	+ * @sig: [out] The resulting digital signature and PCR values
	70	+ * Returns: TPM_SUCCESS on success, a TPM error code otherwise.
	71	+ */
	72	+TPM_RESULT TPM_ParentSignEK(
	73	+ TPM_NONCE *externalData,
	74	+ TPM_PCR_SELECTION *sel,
	75	+ TPM_AUTH *auth1,
	76	+ UINT32 *sigSize,
	77	+ BYTE **sig
	78	+);
	79	+
	80	/*
	81	* Error handling
	82	* [tpm_error.c]
	83	diff --git a/tpm/tpm_credentials.c b/tpm/tpm_credentials.c
	84	index 9cd64af..01f29e6 100644
	85	--- a/tpm/tpm_credentials.c
	86	+++ b/tpm/tpm_credentials.c
	87	@@ -180,3 +180,34 @@ TPM_RESULT TPM_OwnerReadInternalPub(TPM_KEY_HANDLE keyHandle, TPM_AUTH *auth1,
	88	return TPM_BAD_PARAMETER;
	89	}
	90	}
	91	+
	92	+int endorsementKeyFresh = 0;
	93	+
	94	+TPM_RESULT VTPM_GetParentQuote(TPM_DIGEST* data, TPM_PCR_SELECTION sel, UINT32 sigSize, BYTE **sig);
	95	+
	96	+TPM_RESULT TPM_ParentSignEK(TPM_NONCE externalData, TPM_PCR_SELECTION sel,
	97	+ TPM_AUTH auth1, UINT32 sigSize, BYTE **sig)
	98	+{
	99	+ TPM_PUBKEY pubKey;
	100	+ TPM_RESULT res;
	101	+ TPM_DIGEST hres;
	102	+
	103	+ info("TPM_ParentSignEK()");
	104	+
	105	+ res = tpm_verify_auth(auth1, tpmData.permanent.data.ownerAuth, TPM_KH_OWNER);
	106	+ if (res != TPM_SUCCESS) return res;
	107	+
	108	+ if (!endorsementKeyFresh) return TPM_DISABLED_CMD;
	109	+
	110	+ res = tpm_get_pubek(&pubKey);
	111	+ if (res != TPM_SUCCESS) return res;
	112	+
	113	+ if (tpm_compute_pubkey_checksum(externalData, &pubKey, &hres))
	114	+ res = TPM_FAIL;
	115	+
	116	+ if (res == TPM_SUCCESS)
	117	+ res = VTPM_GetParentQuote(&hres, sel, sigSize, sig);
	118	+
	119	+ free_TPM_PUBKEY(pubKey);
	120	+ return res;
	121	+}
	122	diff --git a/tpm/tpm_data.c b/tpm/tpm_data.c
	123	index 50c9697..6a0c499 100644
	124	--- a/tpm/tpm_data.c
	125	+++ b/tpm/tpm_data.c
	126	@@ -76,6 +76,8 @@ static void init_timeouts(void)
	127	tpmData.permanent.data.cmd_durations[2] = 1000;
	128	}
	129
	130	+extern int endorsementKeyFresh;
	131	+
	132	void tpm_init_data(void)
	133	{
	134	/* endorsement key */
	135	@@ -157,6 +159,7 @@ void tpm_init_data(void)
	136	if (tpmConf & TPM_CONF_GENERATE_EK) {
	137	/* generate a new endorsement key */
	138	tpm_rsa_generate_key(&tpmData.permanent.data.endorsementKey, 2048);
	139	+ endorsementKeyFresh = 1;
	140	} else {
	141	/* setup endorsement key */
	142	tpm_rsa_import_key(&tpmData.permanent.data.endorsementKey,
	143	diff --git a/tpm/tpm_structures.h b/tpm/tpm_structures.h
	144	index f746c05..b0f4625 100644
	145	--- a/tpm/tpm_structures.h
	146	+++ b/tpm/tpm_structures.h
	147	@@ -658,6 +658,49 @@ typedef struct tdTPM_CMK_MA_APPROVAL {
	148	#define TPM_ORD_TickStampBlob 242
	149	#define TPM_ORD_MAX 256
	150
	151	+/* VTPM-only commands: */
	152	+/*
	153	+ * ParentSignEK - Proof of fresh provisioning and EK value
	154	+ *
	155	+ * Input:
	156	+ * TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND
	157	+ * UINT32 paramSize Total size of request
	158	+ * TPM_COMMAND_CODE ordinal TPM_ORD_ParentSignEK
	159	+ * TPM_NONCE externData 20 bytes of external data
	160	+ * TPM_PCR_SELECTION ptSel PCR selection for physical TPM
	161	+ * ---
	162	+ * UINT32 authHandle Owner authorization session (OIAP)
	163	+ * TPM_NONCE nonceOdd Nonce for authHandle
	164	+ * BOOL continueAuth Continue flag for authHandle
	165	+ * TPM_AUTHDATA privAuth Authorization digest for command
	166	+ *
	167	+ * Output:
	168	+ * TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND
	169	+ * UINT32 paramSize Total size of response
	170	+ * TPM_RESULT returnCode Return code of the operation
	171	+ * BYTE[] sig Signature provided by physical TPM
	172	+ * TPM_PCRVALUE[] pcrValue Values of hardware PCRs used in the quote
	173	+ * ---
	174	+ * TPM_NONCE nonceEven Nonce for authHandle
	175	+ * BOOL continueAuth Continue flag for authHandle
	176	+ * TPM_AUTHDATA resAuth Authorization digest for response
	177	+ *
	178	+ * This command is only valid on the first boot of a vTPM; on any subsequent
	179	+ * boot, the command returns TPM_DISABLED_CMD. It is intended to be used to
	180	+ * provide evidence of proper platform configuration to the verifier/CA which is
	181	+ * responsible for the creation of the vTPM's endorsement credential, which will
	182	+ * be used on subsequent boots to certify AIKs via the usual Privacy CA protocol.
	183	+ *
	184	+ * The values of the virtual TPM's PCRs are not included in the response.
	185	+ * The signature is a standard TPM_Quote response from the physical TPM; its
	186	+ * externalData is the SHA1 hash of the following structure:
	187	+ * TPM_PUBKEY pubEK The vTPM's public EK
	188	+ * TPM_NONCE externData From input to the deep quote
	189	+ *
	190	+ * This structure was chosen to match the return of TPM_ReadPubek
	191	+ */
	192	+#define TPM_ORD_ParentSignEK (TPM_VENDOR_COMMAND \| TPM_ORD_ReadPubek)
	193	+
	194	/*
	195	* TCS Ordinals ([TPM_Part2], Section 17.1)
	196	*