From f13d4ad630505074a5f4aaeb858dc91dbb86547d Mon Sep 17 00:00:00 2001
From: Juergen Repp
Date: Mon, 12 Feb 2024 14:26:11 +0100
Subject: [PATCH] FAPI: Add new profiles P_RSA3072SHA256 P_ECCP384SHA384
* The new profiles are added to the dist directory.
* The key size 3072 and 4092 is added to the json serialization and deserialization.
Signed-off-by: Juergen Repp
---
 Makefile.am | 6 +-
 dist/fapi-profiles/P_ECCP384SHA384.json | 94 +++++++++++++++++++++
 dist/fapi-profiles/P_RSA3072SHA384.json | 108 ++++++++++++++++++++++++
 src/tss2-fapi/tpm_json_deserialize.c | 2 +-
 src/tss2-fapi/tpm_json_serialize.c | 2 +-
 5 files changed, 209 insertions(+), 3 deletions(-)
 create mode 100644 dist/fapi-profiles/P_ECCP384SHA384.json
 create mode 100644 dist/fapi-profiles/P_RSA3072SHA384.json
diff --git a/Makefile.am b/Makefile.am
index 2327266f1..e556af01f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -707,7 +707,9 @@ tpm2-tss-fapi.conf: dist/tmpfiles.d/tpm2-tss-fapi.conf.in
 fapiprofilesdir = @sysconfdir@/tpm2-tss/fapi-profiles
 fapiprofiles_DATA = dist/fapi-profiles/P_RSA2048SHA256.json \
- dist/fapi-profiles/P_ECCP256SHA256.json
+ dist/fapi-profiles/P_ECCP256SHA256.json \
+ dist/fapi-profiles/P_RSA3072SHA384.json \
+ dist/fapi-profiles/P_ECCP384SHA384.json
 libtss2_fapi = src/tss2-fapi/libtss2-fapi.la
 tss2_HEADERS += $(srcdir)/include/tss2/tss2_fapi.h
@@ -717,6 +719,8 @@ EXTRA_DIST += \
 dist/fapi-config.json.in \
 dist/fapi-profiles/P_RSA2048SHA256.json \
 dist/fapi-profiles/P_ECCP256SHA256.json \
+ dist/fapi-profiles/P_RSA3072SHA384.json \
+ dist/fapi-profiles/P_ECCP384SHA384.json \
 dist/sysusers.d/tpm2-tss.conf \
 dist/tmpfiles.d/tpm2-tss-fapi.conf.in \
 doc/fapi-config.md \
diff --git a/dist/fapi-profiles/P_ECCP384SHA384.json b/dist/fapi-profiles/P_ECCP384SHA384.json
new file mode 100644
index 000000000..8d99e2b4f
--- /dev/null
+++ b/dist/fapi-profiles/P_ECCP384SHA384.json
@@ -0,0 +1,94 @@
+{
+ "type": "TPM2_ALG_ECC",
+ "nameAlg":"TPM2_ALG_SHA384",
+ "srk_template": "system,restricted,decrypt,0x81000001",
+ "srk_description": "Storage root key SRK",
+ "srk_persistent": 0,
+ "ek_template": "system,restricted,decrypt,user",
+ "ek_description": "Endorsement key EK",
+ "ecc_signing_scheme": {
+ "scheme":"TPM2_ALG_ECDSA",
+ "details":{
+ "hashAlg":"TPM2_ALG_SHA384"
+ },
+ },
+ "sym_mode":"TPM2_ALG_CFB",
+ "sym_parameters": {
+ "algorithm":"TPM2_ALG_AES",
+ "keyBits":"256",
+ "mode":"TPM2_ALG_CFB"
+ },
+ "sym_block_size": 16,
+ "pcr_selection": [
+ { "hash": "TPM2_ALG_SHA1",
+ "pcrSelect": [ ],
+ },
+ { "hash": "TPM2_ALG_SHA256",
+ "pcrSelect": [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
+ }
+ ],
+ "curveID": "TPM2_ECC_NIST_P384",
+ "ek_policy": {
+ "description": "Endorsement hierarchy used for policy secret.",
+ "policy":[
+ {
+ "type": "PolicyOR",
+ "branches": [
+ {
+ "name": "A",
+ "description": "",
+ "policy": [
+ {
+ "type":"POLICYSECRET",
+ "objectName": "4000000b"
+ }
+ ]
+ },
+ {
+ "name": "B",
+ "description": "",
+ "policy": [
+ {
+ "type":"AUTHORIZENV",
+ "nvPublic": {
+ "size": 60,
+ "nvPublic": {
+ "nvIndex": 29392642,
+ "nameAlg":"SHA384",
+ "attributes":{
+ "PPWRITE":0,
+ "OWNERWRITE":0,
+ "AUTHWRITE":0,
+ "POLICYWRITE":1,
+ "POLICY_DELETE":0,
+ "WRITELOCKED":0,
+ "WRITEALL":1,
+ "WRITEDEFINE":0,
+ "WRITE_STCLEAR":0,
+ "GLOBALLOCK":0,
+ "PPREAD":1,
+ "OWNERREAD":1,
+ "AUTHREAD":1,
+ "POLICYREAD":1,
+ "NO_DA":1,
+ "ORDERLY":0,
+ "CLEAR_STCLEAR":0,
+ "READLOCKED":0,
+ "WRITTEN":1,
+ "PLATFORMCREATE":0,
+ "READ_STCLEAR":0,
+ "TPM2_NT":"ORDINARY"
+ },
+ "authPolicy":"8bbf2266537c171cb56e403c4dc1d4b64f432611dc386e6f532050c3278c930e143e8bb1133824ccb431053871c6db53",
+ "dataSize":50
+ }
+ }
+
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+}
diff --git a/dist/fapi-profiles/P_RSA3072SHA384.json b/dist/fapi-profiles/P_RSA3072SHA384.json
new file mode 100644
index 000000000..d631a9927
--- /dev/null
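Review bot: `"details":{ ... },` followed by `},` in ecc_signing_scheme and `"pcrSelect": [ ],` followed by `},` in pcr_selection leave trailing commas that are not valid JSON; the sibling P_RSA3072SHA384.json in this patch has neither, so the two commas should be dropped. FAPI presumably reads profiles with a lenient json-c tokener, but a strict validator or any external tooling that consumes the installed profile will reject the file. Separately, the profile name advertises SHA-384 while pcr_selection only populates the TPM2_ALG_SHA256 bank and no session_hash_alg is given, unlike the RSA profile; if the SHA-256 bank is intentional (presumably because a SHA-384 PCR bank is not universally available), that choice is worth recording in the profile documentation.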
+++ b/dist/fapi-profiles/P_RSA3072SHA384.json 
@@ -0,0 +1,108 @@
+{
+ "type": "TPM2_ALG_RSA",
+ "nameAlg":"TPM2_ALG_SHA384",
+ "srk_template": "system,restricted,decrypt,0x81000001",
+ "srk_description": "Storage root key SRK",
+ "srk_persistent": 1,
+ "ek_template": "system,restricted,decrypt,user",
+ "ek_description": "Endorsement key EK",
+ "rsa_signing_scheme": {
+ "scheme":"TPM2_ALG_RSAPSS",
+ "details":{
+ "hashAlg":"TPM2_ALG_SHA384"
+ }
+ },
+ "rsa_decrypt_scheme": {
+ "scheme":"TPM2_ALG_OAEP",
+ "details":{
+ "hashAlg":"TPM2_ALG_SHA384"
+ }
+ },
+ "sym_mode":"TPM2_ALG_CFB",
+ "sym_parameters": {
+ "algorithm":"TPM2_ALG_AES",
+ "keyBits":"256",
+ "mode":"TPM2_ALG_CFB"
+ },
+ "sym_block_size": 16,
+ "pcr_selection": [
+ { "hash": "TPM2_ALG_SHA1",
+ "pcrSelect": [ ]
+ },
+ { "hash": "TPM2_ALG_SHA256",
+ "pcrSelect": [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
+ }
+ ],
+ "exponent": 0,
+ "keyBits": 3072,
+ "session_hash_alg": "TPM2_ALG_SHA256",
+ "session_symmetric":{
+ "algorithm":"TPM2_ALG_AES",
+ "keyBits":"256",
+ "mode":"TPM2_ALG_CFB"
+ },
+ "ek_policy": {
+ "description": "Endorsement hierarchy used for policy secret.",
+ "policy":[
+ {
+ "type": "PolicyOR",
+ "branches": [
+ {
+ "name": "A",
+ "description": "",
+ "policy": [
+ {
+ "type":"POLICYSECRET",
+ "objectName": "4000000b"
+ }
+ ]
+ },
+ {
+ "name": "B",
+ "description": "",
+ "policy": [
+ {
+ "type":"AUTHORIZENV",
+ "nvPublic": {
+ "size": 60,
+ "nvPublic": {
+ "nvIndex": 29392642,
+ "nameAlg":"SHA384",
+ "attributes":{
+ "PPWRITE":0,
+ "OWNERWRITE":0,
+ "AUTHWRITE":0,
+ "POLICYWRITE":1,
+ "POLICY_DELETE":0,
+ "WRITELOCKED":0,
+ "WRITEALL":1,
+ "WRITEDEFINE":0,
+ "WRITE_STCLEAR":0,
+ "GLOBALLOCK":0,
+ "PPREAD":1,
+ "OWNERREAD":1,
+ "AUTHREAD":1,
+ "POLICYREAD":1,
+ "NO_DA":1,
+ "ORDERLY":0,
+ "CLEAR_STCLEAR":0,
+ "READLOCKED":0,
+ "WRITTEN":1,
+ "PLATFORMCREATE":0,
+ "READ_STCLEAR":0,
+ "TPM2_NT":"ORDINARY"
+ },
+ "authPolicy":"8bbf2266537c171cb56e403c4dc1d4b64f432611dc386e6f532050c3278c930e143e8bb1133824ccb431053871c6db53",
+ "dataSize":50
+ }
+ }
+
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+
+}
diff --git a/src/tss2-fapi/tpm_json_deserialize.c b/src/tss2-fapi/tpm_json_deserialize.c
index 97833c2e6..3edc4b717 100644
--- a/src/tss2-fapi/tpm_json_deserialize.c
+++ b/src/tss2-fapi/tpm_json_deserialize.c
@@ -3578,7 +3578,7 @@ ifapi_json_TPMI_RSA_KEY_BITS_deserialize(json_object *jso, TPMI_RSA_KEY_BITS *out)
 {
 SUBTYPE_FILTER(TPMI_RSA_KEY_BITS, UINT16,
- 1024, 2048);
+ 1024, 2048, 3072, 4096);
 }
 /** Deserialize a TPM2B_ECC_PARAMETER json object.
diff --git a/src/tss2-fapi/tpm_json_serialize.c b/src/tss2-fapi/tpm_json_serialize.c
index b87e39d4f..812c70d08 100644
--- a/src/tss2-fapi/tpm_json_serialize.c
+++ b/src/tss2-fapi/tpm_json_serialize.c
@@ -3452,7 +3452,7 @@ ifapi_json_TPM2B_PUBLIC_KEY_RSA_serialize(const TPM2B_PUBLIC_KEY_RSA *in, json_o
 TSS2_RC
 ifapi_json_TPMI_RSA_KEY_BITS_serialize(const TPMI_RSA_KEY_BITS in, json_object **jso)
 {
- CHECK_IN_LIST(TPMI_RSA_KEY_BITS, in, 1024, 2048);
+ CHECK_IN_LIST(TPMI_RSA_KEY_BITS, in, 1024, 2048, 3072, 4096);
 return ifapi_json_UINT16_serialize(in, jso);
 }