aboutsummaryrefslogtreecommitdiffstats
path: root/tools/vtpm_manager
diff options
context:
space:
mode:
authorkaf24@firebug.cl.cam.ac.uk <kaf24@firebug.cl.cam.ac.uk>2005-12-16 18:54:57 +0100
committerkaf24@firebug.cl.cam.ac.uk <kaf24@firebug.cl.cam.ac.uk>2005-12-16 18:54:57 +0100
commit41a6310c5ed97906d95875f69e9bff20aaa741fa (patch)
tree86e9592d198e2e9fd34e9104b7fa27fc5cd23123 /tools/vtpm_manager
parent6bcfa6dc8023102dbb5e624c5839b83ff4d13852 (diff)
downloadxen-41a6310c5ed97906d95875f69e9bff20aaa741fa.tar.gz
xen-41a6310c5ed97906d95875f69e9bff20aaa741fa.tar.bz2
xen-41a6310c5ed97906d95875f69e9bff20aaa741fa.zip
Move some useful cryptographic enveloping code into their own
functions so they can be used by other parts of the VTPM code. Signed-off-by: Vinnie Scarlata <vincent.r.scarlata@intel.com>
Diffstat (limited to 'tools/vtpm_manager')
-rw-r--r--tools/vtpm_manager/manager/securestorage.c197
1 files changed, 124 insertions, 73 deletions
diff --git a/tools/vtpm_manager/manager/securestorage.c b/tools/vtpm_manager/manager/securestorage.c
index 82dd70f514..5f19aa63ef 100644
--- a/tools/vtpm_manager/manager/securestorage.c
+++ b/tools/vtpm_manager/manager/securestorage.c
@@ -54,31 +54,28 @@
#include "buffer.h"
#include "log.h"
-TPM_RESULT VTPM_Handle_Save_NVM(VTPM_DMI_RESOURCE *myDMI,
- const buffer_t *inbuf,
- buffer_t *outbuf) {
-
+TPM_RESULT envelope_encrypt(const buffer_t *inbuf,
+ CRYPTO_INFO *asymkey,
+ buffer_t *sealed_data) {
TPM_RESULT status = TPM_SUCCESS;
symkey_t symkey;
- buffer_t state_cipher = NULL_BUF,
+ buffer_t data_cipher = NULL_BUF,
symkey_cipher = NULL_BUF;
- int fh;
- long bytes_written;
- BYTE *sealed_NVM=NULL;
- UINT32 sealed_NVM_size, i;
- struct pack_constbuf_t symkey_cipher32, state_cipher32;
- vtpmloginfo(VTPM_LOG_VTPM_DEEP, "Save_NVMing[%d]: 0x", buffer_len(inbuf));
+ UINT32 i;
+ struct pack_constbuf_t symkey_cipher32, data_cipher32;
+
+ vtpmloginfo(VTPM_LOG_VTPM_DEEP, "Enveloping[%d]: 0x", buffer_len(inbuf));
for (i=0; i< buffer_len(inbuf); i++)
vtpmloginfomore(VTPM_LOG_VTPM_DEEP, "%x ", inbuf->bytes[i]);
vtpmloginfomore(VTPM_LOG_VTPM_DEEP, "\n");
// Generate a sym key and encrypt state with it
TPMTRY(TPM_ENCRYPT_ERROR, Crypto_symcrypto_genkey (&symkey) );
- TPMTRY(TPM_ENCRYPT_ERROR, Crypto_symcrypto_encrypt (&symkey, inbuf, &state_cipher) );
+ TPMTRY(TPM_ENCRYPT_ERROR, Crypto_symcrypto_encrypt (&symkey, inbuf, &data_cipher) );
// Encrypt symmetric key
- TPMTRYRETURN( VTSP_Bind( &vtpm_globals->storageKey,
+ TPMTRYRETURN( VTSP_Bind( asymkey,
&symkey.key,
&symkey_cipher) );
@@ -87,15 +84,108 @@ TPM_RESULT VTPM_Handle_Save_NVM(VTPM_DMI_RESOURCE *myDMI,
symkey_cipher32.size = buffer_len(&symkey_cipher);
symkey_cipher32.data = symkey_cipher.bytes;
- state_cipher32.size = buffer_len(&state_cipher);
- state_cipher32.data = state_cipher.bytes;
+ data_cipher32.size = buffer_len(&data_cipher);
+ data_cipher32.data = data_cipher.bytes;
+
+ TPMTRYRETURN( buffer_init(sealed_data, 2 * sizeof(UINT32) + symkey_cipher32.size + data_cipher32.size, NULL));
+
+ BSG_PackList(sealed_data->bytes, 2,
+ BSG_TPM_SIZE32_DATA, &symkey_cipher32,
+ BSG_TPM_SIZE32_DATA, &data_cipher32);
+
+ vtpmloginfo(VTPM_LOG_VTPM, "Saved %d bytes of E(symkey) + %d bytes of E(data)\n", buffer_len(&symkey_cipher), buffer_len(&data_cipher));
+ goto egress;
+
+ abort_egress:
+ vtpmlogerror(VTPM_LOG_VTPM, "Failed to envelope encrypt\n.");
+
+ egress:
+
+ buffer_free ( &data_cipher);
+ buffer_free ( &symkey_cipher);
+ Crypto_symcrypto_freekey (&symkey);
+
+ return status;
+}
+
+TPM_RESULT envelope_decrypt(const long cipher_size,
+ const BYTE *cipher,
+ TCS_CONTEXT_HANDLE TCSContext,
+ TPM_HANDLE keyHandle,
+ const TPM_AUTHDATA *key_usage_auth,
+ buffer_t *unsealed_data) {
+
+ TPM_RESULT status = TPM_SUCCESS;
+ symkey_t symkey;
+ buffer_t data_cipher = NULL_BUF,
+ symkey_clear = NULL_BUF,
+ symkey_cipher = NULL_BUF;
+ struct pack_buf_t symkey_cipher32, data_cipher32;
+ int i;
+
+ memset(&symkey, 0, sizeof(symkey_t));
+
+ vtpmloginfo(VTPM_LOG_VTPM_DEEP, "envelope decrypting[%ld]: 0x", cipher_size);
+ for (i=0; i< cipher_size; i++)
+ vtpmloginfomore(VTPM_LOG_VTPM_DEEP, "%x ", cipher[i]);
+ vtpmloginfomore(VTPM_LOG_VTPM_DEEP, "\n");
+
+ BSG_UnpackList(cipher, 2,
+ BSG_TPM_SIZE32_DATA, &symkey_cipher32,
+ BSG_TPM_SIZE32_DATA, &data_cipher32);
+
+ TPMTRYRETURN( buffer_init_convert (&symkey_cipher,
+ symkey_cipher32.size,
+ symkey_cipher32.data) );
+
+ TPMTRYRETURN( buffer_init_convert (&data_cipher,
+ data_cipher32.size,
+ data_cipher32.data) );
+
+ // Decrypt Symmetric Key
+ TPMTRYRETURN( VTSP_Unbind( TCSContext,
+ keyHandle,
+ &symkey_cipher,
+ key_usage_auth,
+ &symkey_clear,
+ &(vtpm_globals->keyAuth) ) );
+
+ // create symmetric key using saved bits
+ Crypto_symcrypto_initkey (&symkey, &symkey_clear);
+
+ // Decrypt State
+ TPMTRY(TPM_DECRYPT_ERROR, Crypto_symcrypto_decrypt (&symkey, &data_cipher, unsealed_data) );
+
+ goto egress;
+
+ abort_egress:
+ vtpmlogerror(VTPM_LOG_VTPM, "Failed to envelope decrypt data\n.");
- sealed_NVM = (BYTE *) malloc( 2 * sizeof(UINT32) + symkey_cipher32.size + state_cipher32.size);
+ egress:
+ buffer_free ( &data_cipher);
+ buffer_free ( &symkey_clear);
+ buffer_free ( &symkey_cipher);
+ Crypto_symcrypto_freekey (&symkey);
- sealed_NVM_size = BSG_PackList(sealed_NVM, 2,
- BSG_TPM_SIZE32_DATA, &symkey_cipher32,
- BSG_TPM_SIZE32_DATA, &state_cipher32);
+ return status;
+}
+
+TPM_RESULT VTPM_Handle_Save_NVM(VTPM_DMI_RESOURCE *myDMI,
+ const buffer_t *inbuf,
+ buffer_t *outbuf) {
+ TPM_RESULT status = TPM_SUCCESS;
+ int fh;
+ long bytes_written;
+ buffer_t sealed_NVM;
+
+
+ vtpmloginfo(VTPM_LOG_VTPM_DEEP, "Save_NVMing[%d]: 0x\n", buffer_len(inbuf));
+
+ TPMTRYRETURN( envelope_encrypt(inbuf,
+ &vtpm_globals->storageKey,
+ &sealed_NVM) );
+
// Mark DMI Table so new save state info will get pushed to disk on return.
vtpm_globals->DMI_table_dirty = TRUE;
@@ -104,28 +194,22 @@ TPM_RESULT VTPM_Handle_Save_NVM(VTPM_DMI_RESOURCE *myDMI,
// after writing the file? We can't get the old one back.
// TODO: Backup old file and try and recover that way.
fh = open(myDMI->NVMLocation, O_WRONLY | O_CREAT, S_IREAD | S_IWRITE);
- if ( (bytes_written = write(fh, sealed_NVM, sealed_NVM_size) ) != (long) sealed_NVM_size) {
- vtpmlogerror(VTPM_LOG_VTPM, "We just overwrote a DMI_NVM and failed to finish. %ld/%ld bytes.\n", bytes_written, (long)sealed_NVM_size);
+ if ( (bytes_written = write(fh, sealed_NVM.bytes, buffer_len(&sealed_NVM) ) != (long) buffer_len(&sealed_NVM))) {
+ vtpmlogerror(VTPM_LOG_VTPM, "We just overwrote a DMI_NVM and failed to finish. %ld/%ld bytes.\n", bytes_written, (long)buffer_len(&sealed_NVM));
status = TPM_IOERROR;
goto abort_egress;
}
close(fh);
- Crypto_SHA1Full (sealed_NVM, sealed_NVM_size, (BYTE *) &myDMI->NVM_measurement);
+ Crypto_SHA1Full (sealed_NVM.bytes, buffer_len(&sealed_NVM), (BYTE *) &myDMI->NVM_measurement);
- vtpmloginfo(VTPM_LOG_VTPM, "Saved %d bytes of E(symkey) + %d bytes of E(NVM)\n", buffer_len(&symkey_cipher), buffer_len(&state_cipher));
goto egress;
abort_egress:
- vtpmlogerror(VTPM_LOG_VTPM, "Failed to load NVM\n.");
+ vtpmlogerror(VTPM_LOG_VTPM, "Failed to save NVM\n.");
egress:
-
- buffer_free ( &state_cipher);
- buffer_free ( &symkey_cipher);
- free(sealed_NVM);
- Crypto_symcrypto_freekey (&symkey);
-
+ buffer_free(&sealed_NVM);
return status;
}
@@ -136,11 +220,7 @@ TPM_RESULT VTPM_Handle_Load_NVM(VTPM_DMI_RESOURCE *myDMI,
buffer_t *outbuf) {
TPM_RESULT status = TPM_SUCCESS;
- symkey_t symkey;
- buffer_t state_cipher = NULL_BUF,
- symkey_clear = NULL_BUF,
- symkey_cipher = NULL_BUF;
- struct pack_buf_t symkey_cipher32, state_cipher32;
+
UINT32 sealed_NVM_size;
BYTE *sealed_NVM = NULL;
@@ -148,9 +228,7 @@ TPM_RESULT VTPM_Handle_Load_NVM(VTPM_DMI_RESOURCE *myDMI,
int fh, stat_ret, i;
struct stat file_stat;
TPM_DIGEST sealedNVMHash;
-
- memset(&symkey, 0, sizeof(symkey_t));
-
+
if (myDMI->NVMLocation == NULL) {
vtpmlogerror(VTPM_LOG_VTPM, "Unable to load NVM because the file name NULL.\n");
status = TPM_AUTHFAIL;
@@ -168,28 +246,14 @@ TPM_RESULT VTPM_Handle_Load_NVM(VTPM_DMI_RESOURCE *myDMI,
}
sealed_NVM = (BYTE *) malloc(fh_size);
+ sealed_NVM_size = (UINT32) fh_size;
if (read(fh, sealed_NVM, fh_size) != fh_size) {
status = TPM_IOERROR;
goto abort_egress;
}
close(fh);
- vtpmloginfo(VTPM_LOG_VTPM_DEEP, "Load_NVMing[%ld]: 0x", fh_size);
- for (i=0; i< fh_size; i++)
- vtpmloginfomore(VTPM_LOG_VTPM_DEEP, "%x ", sealed_NVM[i]);
- vtpmloginfomore(VTPM_LOG_VTPM_DEEP, "\n");
-
- sealed_NVM_size = BSG_UnpackList(sealed_NVM, 2,
- BSG_TPM_SIZE32_DATA, &symkey_cipher32,
- BSG_TPM_SIZE32_DATA, &state_cipher32);
-
- TPMTRYRETURN( buffer_init_convert (&symkey_cipher,
- symkey_cipher32.size,
- symkey_cipher32.data) );
-
- TPMTRYRETURN( buffer_init_convert (&state_cipher,
- state_cipher32.size,
- state_cipher32.data) );
+ vtpmloginfo(VTPM_LOG_VTPM_DEEP, "Load_NVMing[%ld],\n", fh_size);
Crypto_SHA1Full(sealed_NVM, sealed_NVM_size, (BYTE *) &sealedNVMHash);
@@ -210,32 +274,19 @@ TPM_RESULT VTPM_Handle_Load_NVM(VTPM_DMI_RESOURCE *myDMI,
goto abort_egress;
}
- // Decrypt Symmetric Key
- TPMTRYRETURN( VTSP_Unbind( myDMI->TCSContext,
- vtpm_globals->storageKeyHandle,
- &symkey_cipher,
- (const TPM_AUTHDATA*)&vtpm_globals->storage_key_usage_auth,
- &symkey_clear,
- &(vtpm_globals->keyAuth) ) );
-
- // create symmetric key using saved bits
- Crypto_symcrypto_initkey (&symkey, &symkey_clear);
-
- // Decrypt State
- TPMTRY(TPM_DECRYPT_ERROR, Crypto_symcrypto_decrypt (&symkey, &state_cipher, outbuf) );
-
+ TPMTRYRETURN( envelope_decrypt(fh_size,
+ sealed_NVM,
+ myDMI->TCSContext,
+ vtpm_globals->storageKeyHandle,
+ (const TPM_AUTHDATA*)&vtpm_globals->storage_key_usage_auth,
+ outbuf) );
goto egress;
abort_egress:
vtpmlogerror(VTPM_LOG_VTPM, "Failed to load NVM\n.");
egress:
-
- buffer_free ( &state_cipher);
- buffer_free ( &symkey_clear);
- buffer_free ( &symkey_cipher);
free( sealed_NVM );
- Crypto_symcrypto_freekey (&symkey);
return status;
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-24 19:07:50 +0000