From 2a99130fb040839efd017a340f2a0cddf6976ad1 Mon Sep 17 00:00:00 2001 From: Juergen Repp Date: Mon, 12 Feb 2024 14:26:11 +0100 Subject: [PATCH 1/5] FAPI: Add new profiles P_RSA3072SHA256 P_ECCP384SHA384 * The new profiles are added to the dist directory. * The key size 3072 and 4092 is added to the json serialization and deserialization. * The unused parameter session_hash_alg is removed from P_RSA2048SHA256. * Unnecessary commas have been removed from the profiles Signed-off-by: Juergen Repp --- Makefile.am | 6 +- dist/fapi-profiles/P_ECCP256SHA256.json | 4 +- dist/fapi-profiles/P_ECCP384SHA384.json | 99 ++++++++++++++++++++++ dist/fapi-profiles/P_RSA2048SHA256.json | 1 - dist/fapi-profiles/P_RSA3072SHA384.json | 107 ++++++++++++++++++++++++ src/tss2-fapi/tpm_json_deserialize.c | 2 +- src/tss2-fapi/tpm_json_serialize.c | 2 +- 7 files changed, 215 insertions(+), 6 deletions(-) create mode 100644 dist/fapi-profiles/P_ECCP384SHA384.json create mode 100644 dist/fapi-profiles/P_RSA3072SHA384.json diff --git a/Makefile.am b/Makefile.am index 2327266f1..e556af01f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -707,7 +707,9 @@ tpm2-tss-fapi.conf: dist/tmpfiles.d/tpm2-tss-fapi.conf.in fapiprofilesdir = @sysconfdir@/tpm2-tss/fapi-profiles fapiprofiles_DATA = dist/fapi-profiles/P_RSA2048SHA256.json \ - dist/fapi-profiles/P_ECCP256SHA256.json + dist/fapi-profiles/P_ECCP256SHA256.json \ + dist/fapi-profiles/P_RSA3072SHA384.json \ + dist/fapi-profiles/P_ECCP384SHA384.json libtss2_fapi = src/tss2-fapi/libtss2-fapi.la tss2_HEADERS += $(srcdir)/include/tss2/tss2_fapi.h @@ -717,6 +719,8 @@ EXTRA_DIST += \ dist/fapi-config.json.in \ dist/fapi-profiles/P_RSA2048SHA256.json \ dist/fapi-profiles/P_ECCP256SHA256.json \ + dist/fapi-profiles/P_RSA3072SHA384.json \ + dist/fapi-profiles/P_ECCP384SHA384.json \ dist/sysusers.d/tpm2-tss.conf \ dist/tmpfiles.d/tpm2-tss-fapi.conf.in \ doc/fapi-config.md \ 
diff --git a/dist/fapi-profiles/P_ECCP256SHA256.json b/dist/fapi-profiles/P_ECCP256SHA256.json index 348f92a0f..cd16508d7 100644 --- a/dist/fapi-profiles/P_ECCP256SHA256.json +++ b/dist/fapi-profiles/P_ECCP256SHA256.json @@ -10,7 +10,7 @@ "scheme":"TPM2_ALG_ECDSA", "details":{ "hashAlg":"TPM2_ALG_SHA256" - }, + } }, "sym_mode":"TPM2_ALG_CFB", "sym_parameters": { @@ -21,7 +21,7 @@ "sym_block_size": 16, "pcr_selection": [ { "hash": "TPM2_ALG_SHA1", - "pcrSelect": [ ], + "pcrSelect": [ ] }, { "hash": "TPM2_ALG_SHA256", "pcrSelect": [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] diff --git a/dist/fapi-profiles/P_ECCP384SHA384.json b/dist/fapi-profiles/P_ECCP384SHA384.json new file mode 100644 index 000000000..b0612e2e5 --- /dev/null +++ b/dist/fapi-profiles/P_ECCP384SHA384.json 
@@ -0,0 +1,99 @@
+{
+ "type": "TPM2_ALG_ECC",
+ "nameAlg":"TPM2_ALG_SHA384",
+ "srk_template": "system,restricted,decrypt,0x81000001",
+ "srk_description": "Storage root key SRK",
+ "srk_persistent": 0,
+ "ek_template": "system,restricted,decrypt,user",
+ "ek_description": "Endorsement key EK",
+ "ecc_signing_scheme": {
+ "scheme":"TPM2_ALG_ECDSA",
+ "details":{
+ "hashAlg":"TPM2_ALG_SHA384"
+ }
+ },
+ "sym_mode":"TPM2_ALG_CFB",
+ "sym_parameters": {
+ "algorithm":"TPM2_ALG_AES",
+ "keyBits":"256",
+ "mode":"TPM2_ALG_CFB"
+ },
+ "sym_block_size": 16,
+ "pcr_selection": [
+ { "hash": "TPM2_ALG_SHA1",
+ "pcrSelect": [ ]
+ },
+ { "hash": "TPM2_ALG_SHA256",
+ "pcrSelect": [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
+ }
+ ],
+ "curveID": "TPM2_ECC_NIST_P384",
+ "session_symmetric":{
+ "algorithm":"TPM2_ALG_AES",
+ "keyBits":"256",
+ "mode":"TPM2_ALG_CFB"
+ },
+ "ek_policy": {
+ "description": "Endorsement hierarchy used for policy secret.",
+ "policy":[
+ {
+ "type": "PolicyOR",
+ "branches": [
+ {
+ "name": "A",
+ "description": "",
+ "policy": [
+ {
+ "type":"POLICYSECRET",
+ "objectName": "4000000b"
+ }
+ ]
+ },
+ {
+ "name": "B",
+ "description": "",
+ "policy": [
+ {
+ "type":"AUTHORIZENV",
+ "nvPublic": {
+ "size": 60,
+ "nvPublic": {
+ "nvIndex": 29392642,
+ "nameAlg":"SHA384",
+ "attributes":{
+ "PPWRITE":0,
+ "OWNERWRITE":0,
+ "AUTHWRITE":0,
+ "POLICYWRITE":1,
+ "POLICY_DELETE":0,
+ "WRITELOCKED":0,
+ "WRITEALL":1,
+ "WRITEDEFINE":0,
+ "WRITE_STCLEAR":0,
+ "GLOBALLOCK":0,
+ "PPREAD":1,
+ "OWNERREAD":1,
+ "AUTHREAD":1,
+ "POLICYREAD":1,
+ "NO_DA":1,
+ "ORDERLY":0,
+ "CLEAR_STCLEAR":0,
+ "READLOCKED":0,
+ "WRITTEN":1,
+ "PLATFORMCREATE":0,
+ "READ_STCLEAR":0,
+ "TPM2_NT":"ORDINARY"
+ },
+ "authPolicy":"8bbf2266537c171cb56e403c4dc1d4b64f432611dc386e6f532050c3278c930e143e8bb1133824ccb431053871c6db53",
+ "dataSize":50
+ }
+ }
+
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+}
diff --git a/dist/fapi-profiles/P_RSA2048SHA256.json b/dist/fapi-profiles/P_RSA2048SHA256.json index 47ac6881d..d64a13473 100644 --- a/dist/fapi-profiles/P_RSA2048SHA256.json +++ b/dist/fapi-profiles/P_RSA2048SHA256.json @@ -35,7 +35,6 @@ ], "exponent": 0, "keyBits": 2048, - "session_hash_alg": "TPM2_ALG_SHA256", "session_symmetric":{ "algorithm":"TPM2_ALG_AES", "keyBits":"128", diff --git a/dist/fapi-profiles/P_RSA3072SHA384.json b/dist/fapi-profiles/P_RSA3072SHA384.json new file mode 100644 index 000000000..50486c4c2 --- /dev/null +++ b/dist/fapi-profiles/P_RSA3072SHA384.json 
@@ -0,0 +1,107 @@ +{ + "type": "TPM2_ALG_RSA", + "nameAlg":"TPM2_ALG_SHA384", + "srk_template": "system,restricted,decrypt,0x81000001", + "srk_description": "Storage root key SRK", + "srk_persistent": 1, + "ek_template": "system,restricted,decrypt,user", + "ek_description": "Endorsement key EK", + "rsa_signing_scheme": { + "scheme":"TPM2_ALG_RSAPSS", + "details":{ + "hashAlg":"TPM2_ALG_SHA384" + } + }, + "rsa_decrypt_scheme": { + "scheme":"TPM2_ALG_OAEP", + "details":{ + "hashAlg":"TPM2_ALG_SHA384" + } + }, + "sym_mode":"TPM2_ALG_CFB", + "sym_parameters": { + "algorithm":"TPM2_ALG_AES", + "keyBits":"256", + "mode":"TPM2_ALG_CFB" + }, + "sym_block_size": 16, + "pcr_selection": [ + { "hash": "TPM2_ALG_SHA1", + "pcrSelect": [ ] + }, + { "hash": "TPM2_ALG_SHA256", + "pcrSelect": [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] + } + ], + "exponent": 0, + "keyBits": 3072, + "session_symmetric":{ + "algorithm":"TPM2_ALG_AES", + "keyBits":"256", + "mode":"TPM2_ALG_CFB" + }, + "ek_policy": { + "description": "Endorsement hierarchy used for policy secret.", + "policy":[ + { + "type": "PolicyOR", + "branches": [ + { + "name": "A", + "description": "", + "policy": [ + { + "type":"POLICYSECRET", + "objectName": "4000000b" + } + ] + }, + { + "name": "B", + "description": "", + "policy": [ + { + "type":"AUTHORIZENV", + "nvPublic": { + "size": 60, + "nvPublic": { + "nvIndex": 29392642, + "nameAlg":"SHA384", + "attributes":{ + "PPWRITE":0, + "OWNERWRITE":0, + "AUTHWRITE":0, + "POLICYWRITE":1, + "POLICY_DELETE":0, + "WRITELOCKED":0, + "WRITEALL":1, + "WRITEDEFINE":0, + "WRITE_STCLEAR":0, + "GLOBALLOCK":0, + "PPREAD":1, + "OWNERREAD":1, + "AUTHREAD":1, + "POLICYREAD":1, + "NO_DA":1, + "ORDERLY":0, + "CLEAR_STCLEAR":0, + "READLOCKED":0, + "WRITTEN":1, + "PLATFORMCREATE":0, + "READ_STCLEAR":0, + "TPM2_NT":"ORDINARY" + }, + "authPolicy":"8bbf2266537c171cb56e403c4dc1d4b64f432611dc386e6f532050c3278c930e143e8bb1133824ccb431053871c6db53", + 
"dataSize":50 + } + } + + } + ] + } + ] + } + ] + } + +} diff --git a/src/tss2-fapi/tpm_json_deserialize.c b/src/tss2-fapi/tpm_json_deserialize.c index 97833c2e6..3edc4b717 100644 --- a/src/tss2-fapi/tpm_json_deserialize.c +++ b/src/tss2-fapi/tpm_json_deserialize.c @@ -3578,7 +3578,7 @@ ifapi_json_TPMI_RSA_KEY_BITS_deserialize(json_object *jso, TPMI_RSA_KEY_BITS *out) { SUBTYPE_FILTER(TPMI_RSA_KEY_BITS, UINT16, - 1024, 2048); + 1024, 2048, 3072, 4096); } /** Deserialize a TPM2B_ECC_PARAMETER json object. diff --git a/src/tss2-fapi/tpm_json_serialize.c b/src/tss2-fapi/tpm_json_serialize.c index b87e39d4f..812c70d08 100644 --- a/src/tss2-fapi/tpm_json_serialize.c +++ b/src/tss2-fapi/tpm_json_serialize.c @@ -3452,7 +3452,7 @@ ifapi_json_TPM2B_PUBLIC_KEY_RSA_serialize(const TPM2B_PUBLIC_KEY_RSA *in, json_o TSS2_RC ifapi_json_TPMI_RSA_KEY_BITS_serialize(const TPMI_RSA_KEY_BITS in, json_object **jso) { - CHECK_IN_LIST(TPMI_RSA_KEY_BITS, in, 1024, 2048); + CHECK_IN_LIST(TPMI_RSA_KEY_BITS, in, 1024, 2048, 3072, 4096); return ifapi_json_UINT16_serialize(in, jso); } From 0a6e05d62db343d3f1e41f82b0b78b124955778c Mon Sep 17 00:00:00 2001 From: Juergen Repp Date: Mon, 12 Feb 2024 19:15:24 +0100 Subject: [PATCH 2/5] FAPI Test: fix maybe unused variable. The compiler errors maybe unused with gcc version 12.2.0 (Debian 12.2.0-14) are fixed. Signed-off-by: Juergen Repp --- .../fapi-key-create-policy-authorize-pem-sign.int.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/test/integration/fapi-key-create-policy-authorize-pem-sign.int.c b/test/integration/fapi-key-create-policy-authorize-pem-sign.int.c index 13d8f81dd..87238e073 100644 --- a/test/integration/fapi-key-create-policy-authorize-pem-sign.int.c +++ b/test/integration/fapi-key-create-policy-authorize-pem-sign.int.c 
@@ -53,8 +53,8 @@ test_fapi_key_create_policy_authorize_pem_sign(FAPI_CONTEXT *context) { TSS2_RC r; char *policy_pcr = "/policy/pol_pcr"; - char *policy_file_pcr; - char *policy_file_authorize; + char *policy_file_pcr = NULL; + char *policy_file_authorize = NULL; char *policy_name_authorize = "/policy/pol_authorize"; // uint8_t policyRef[] = { 1, 2, 3, 4, 5 }; FILE *stream = NULL; @@ -72,6 +72,9 @@ test_fapi_key_create_policy_authorize_pem_sign(FAPI_CONTEXT *context) } else if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { policy_file_authorize = TOP_SOURCEDIR "/test/data/fapi/policy/pol_authorize_ecc_pem_sha384.json"; policy_file_pcr = TOP_SOURCEDIR "/test/data/fapi/policy/pol_pcr16_0_ecc_authorized_sha384.json"; + } else { + LOG_ERROR("Invalid profile for ECC test: %s", FAPI_PROFILE); + return EXIT_FAILURE; } #else policy_file_pcr = TOP_SOURCEDIR "/test/data/fapi/policy/pol_pcr16_0_rsa_authorized.json"; From d98ea00ae3b5c47d70d94ce41991efd4c23bc40e Mon Sep 17 00:00:00 2001 From: Juergen Repp Date: Mon, 12 Feb 2024 20:14:03 +0100 Subject: [PATCH 3/5] FAPI: Addapt tests to usage of P_RSA3072 profile without sha1 bank. * The test were a sha1 bank is needed are skippd. * Policy usuage is adapted. Signed-off-by: Juergen Repp --- test/data/fapi/P_RSA3072.json | 107 ++++++++++++++++++ test/integration/fapi-data-crypt.int.c | 6 +- test/integration/fapi-get-esys-blobs.int.c | 6 + ...-key-create-policy-authorize-nv-sign.int.c | 4 +- ...key-create-policy-authorize-pem-sign.int.c | 6 +- .../fapi-key-create-policy-pcr-sign.int.c | 6 +- ...i-key-create-policy-signed-keyedhash.int.c | 2 +- .../fapi-nv-authorizenv-cphash.int.c | 2 +- test/integration/fapi-nv-extend.int.c | 4 +- .../fapi-quote-destructive-eventlog.int.c | 8 ++ .../fapi-second-provisioning.int.c | 7 ++ test/integration/main-fapi.c | 43 +++++++ test/integration/test-fapi.h | 3 + 13 files changed, 190 insertions(+), 14 deletions(-) create mode 100644 test/data/fapi/P_RSA3072.json 
diff --git a/test/data/fapi/P_RSA3072.json b/test/data/fapi/P_RSA3072.json new file mode 100644 index 000000000..50486c4c2 --- /dev/null +++ b/test/data/fapi/P_RSA3072.json 
@@ -0,0 +1,107 @@ +{ + "type": "TPM2_ALG_RSA", + "nameAlg":"TPM2_ALG_SHA384", + "srk_template": "system,restricted,decrypt,0x81000001", + "srk_description": "Storage root key SRK", + "srk_persistent": 1, + "ek_template": "system,restricted,decrypt,user", + "ek_description": "Endorsement key EK", + "rsa_signing_scheme": { + "scheme":"TPM2_ALG_RSAPSS", + "details":{ + "hashAlg":"TPM2_ALG_SHA384" + } + }, + "rsa_decrypt_scheme": { + "scheme":"TPM2_ALG_OAEP", + "details":{ + "hashAlg":"TPM2_ALG_SHA384" + } + }, + "sym_mode":"TPM2_ALG_CFB", + "sym_parameters": { + "algorithm":"TPM2_ALG_AES", + "keyBits":"256", + "mode":"TPM2_ALG_CFB" + }, + "sym_block_size": 16, + "pcr_selection": [ + { "hash": "TPM2_ALG_SHA1", + "pcrSelect": [ ] + }, + { "hash": "TPM2_ALG_SHA256", + "pcrSelect": [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] + } + ], + "exponent": 0, + "keyBits": 3072, + "session_symmetric":{ + "algorithm":"TPM2_ALG_AES", + "keyBits":"256", + "mode":"TPM2_ALG_CFB" + }, + "ek_policy": { + "description": "Endorsement hierarchy used for policy secret.", + "policy":[ + { + "type": "PolicyOR", + "branches": [ + { + "name": "A", + "description": "", + "policy": [ + { + "type":"POLICYSECRET", + "objectName": "4000000b" + } + ] + }, + { + "name": "B", + "description": "", + "policy": [ + { + "type":"AUTHORIZENV", + "nvPublic": { + "size": 60, + "nvPublic": { + "nvIndex": 29392642, + "nameAlg":"SHA384", + "attributes":{ + "PPWRITE":0, + "OWNERWRITE":0, + "AUTHWRITE":0, + "POLICYWRITE":1, + "POLICY_DELETE":0, + "WRITELOCKED":0, + "WRITEALL":1, + "WRITEDEFINE":0, + "WRITE_STCLEAR":0, + "GLOBALLOCK":0, + "PPREAD":1, + "OWNERREAD":1, + "AUTHREAD":1, + "POLICYREAD":1, + "NO_DA":1, + "ORDERLY":0, + "CLEAR_STCLEAR":0, + "READLOCKED":0, + "WRITTEN":1, + "PLATFORMCREATE":0, + "READ_STCLEAR":0, + "TPM2_NT":"ORDINARY" + }, + "authPolicy":"8bbf2266537c171cb56e403c4dc1d4b64f432611dc386e6f532050c3278c930e143e8bb1133824ccb431053871c6db53", + 
"dataSize":50 + } + } + + } + ] + } + ] + } + ] + } + +} diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c index 439e3522a..07437b62d 100644 --- a/test/integration/fapi-data-crypt.int.c +++ b/test/integration/fapi-data-crypt.int.c @@ -96,9 +96,11 @@ signatureCallback( UNUSED(publicKey); UNUSED(publicKeyHint); uint8_t *aux_signature = NULL; + size_t profile_len = strlen(FAPI_PROFILE); - if (strcmp(objectPath, "P_RSA/HS/SRK/myRsaCryptKey") != 0) { - return_error(TSS2_FAPI_RC_BAD_VALUE, "Unexpected path"); + if (strcmp(objectPath + profile_len, "/HS/SRK/myRsaCryptKey") || + strncmp(objectPath, "P_RSA", 5)) + return_error(TSS2_FAPI_RC_BAD_VALUE, "Unexpected path") { } if (userData != userDataTest) { diff --git a/test/integration/fapi-get-esys-blobs.int.c b/test/integration/fapi-get-esys-blobs.int.c index 77903f8c6..ef7f12c1f 100644 --- a/test/integration/fapi-get-esys-blobs.int.c +++ b/test/integration/fapi-get-esys-blobs.int.c @@ -72,6 +72,7 @@ auth_callback( * @param[in,out] context The FAPI_CONTEXT. * @retval EXIT_FAILURE * @retval EXIT_SUCCESS + * @retval EXIT_SKIP */ int test_fapi_get_esys_blobs(FAPI_CONTEXT *context) @@ -90,6 +91,11 @@ test_fapi_get_esys_blobs(FAPI_CONTEXT *context) ESYS_TR esys_handle; uint8_t type; + if (strncmp(FAPI_PROFILE,"P_ECC", 5)) { + LOG_WARNING("Profile %s is no ECC profile.", FAPI_PROFILE); + return EXIT_SKIP; + } + /* We need to reset the passwords again, in order to not brick physical TPMs */ r = Fapi_Provision(context, NULL, NULL, NULL); goto_if_error(r, "Error Fapi_Provision", error); diff --git a/test/integration/fapi-key-create-policy-authorize-nv-sign.int.c b/test/integration/fapi-key-create-policy-authorize-nv-sign.int.c index d31e1190a..47a131646 100644 --- a/test/integration/fapi-key-create-policy-authorize-nv-sign.int.c +++ b/test/integration/fapi-key-create-policy-authorize-nv-sign.int.c 
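Review bot: In signatureCallback, `strcmp(objectPath + profile_len, "/HS/SRK/myRsaCryptKey")` runs before anything establishes that objectPath is at least profile_len characters long, so a shorter path makes strcmp start reading beyond the string's terminator. Putting a length test first closes that without changing what is accepted: `if (strlen(objectPath) < profile_len || strncmp(objectPath, "P_RSA", 5) || strcmp(objectPath + profile_len, "/HS/SRK/myRsaCryptKey"))`. The `return_error(...) {` followed by a lone `}` also reads like a leftover of the old braces; bracing the statement as `{ return_error(TSS2_FAPI_RC_BAD_VALUE, "Unexpected path"); }` would match the neighbouring checks. The body of signatureCallback continues outside the hunk.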
@@ -141,7 +141,7 @@ test_fapi_key_create_policy_authorize_nv(FAPI_CONTEXT *context) return EXIT_SKIP; } - if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { if (snprintf(&extended_name[0], 1023, "%s_sha384", POLICY_AUTHORIZE_NV) < 0) { LOG_ERROR("snprint failed"); return EXIT_FAILURE; @@ -158,7 +158,7 @@ test_fapi_key_create_policy_authorize_nv(FAPI_CONTEXT *context) if (strcmp(FAPI_PROFILE, "P_ECC") == 0) { policy_nv_auth_size = 34; - } else if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + } else if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { policy_nv_auth_size = 50; } else { LOG_ERROR("No appropriate policy file exists!"); diff --git a/test/integration/fapi-key-create-policy-authorize-pem-sign.int.c b/test/integration/fapi-key-create-policy-authorize-pem-sign.int.c index 87238e073..b17bf8e8c 100644 --- a/test/integration/fapi-key-create-policy-authorize-pem-sign.int.c +++ b/test/integration/fapi-key-create-policy-authorize-pem-sign.int.c @@ -69,12 +69,12 @@ test_fapi_key_create_policy_authorize_pem_sign(FAPI_CONTEXT *context) if (strcmp(FAPI_PROFILE, "P_ECC") == 0) { policy_file_authorize = TOP_SOURCEDIR "/test/data/fapi/policy/pol_authorize_ecc_pem.json"; policy_file_pcr = TOP_SOURCEDIR "/test/data/fapi/policy/pol_pcr16_0_ecc_authorized.json"; - } else if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + } else if (strcmp(FAPI_PROFILE, "P_ECC384" ) == 0) { policy_file_authorize = TOP_SOURCEDIR "/test/data/fapi/policy/pol_authorize_ecc_pem_sha384.json"; policy_file_pcr = TOP_SOURCEDIR "/test/data/fapi/policy/pol_pcr16_0_ecc_authorized_sha384.json"; } else { - LOG_ERROR("Invalid profile for ECC test: %s", FAPI_PROFILE); - return EXIT_FAILURE; + LOG_ERROR("Profule can't be used for test: %s", FAPI_PROFILE); + return EXIT_SKIP; } #else policy_file_pcr = TOP_SOURCEDIR "/test/data/fapi/policy/pol_pcr16_0_rsa_authorized.json"; 
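Review bot: The predicate `strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0` is copied into both hunks of test_fapi_key_create_policy_authorize_nv and again into fapi-key-create-policy-pcr-sign.int.c, fapi-key-create-policy-signed-keyedhash.int.c, fapi-nv-authorizenv-cphash.int.c and fapi-nv-extend.int.c. Every copy has to be found and edited when another SHA-384 profile is added, and a missed one silently selects the SHA-256 policy files and digest sizes. A single helper next to the other declarations in test-fapi.h (the name is only an example: `bool profile_uses_sha384(void);`) would keep the profile-to-hash mapping in one place. The function body continues outside the hunks.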
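Review bot: The new skip path in test_fapi_key_create_policy_authorize_pem_sign logs at error level with a misspelled message (`Profule`), whereas the other skip paths added in this series (fapi-get-esys-blobs.int.c, fapi-second-provisioning.int.c) use LOG_WARNING before `return EXIT_SKIP`. I would write it as `LOG_WARNING("Profile can't be used for test: %s", FAPI_PROFILE);` so a skipped run does not show up as an error in the test log. The stray space introduced in `"P_ECC384" )` can be dropped at the same time. The function body continues outside the hunk.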
diff --git a/test/integration/fapi-key-create-policy-pcr-sign.int.c b/test/integration/fapi-key-create-policy-pcr-sign.int.c index a74fef120..74eae0297 100644 --- a/test/integration/fapi-key-create-policy-pcr-sign.int.c +++ b/test/integration/fapi-key-create-policy-pcr-sign.int.c @@ -281,7 +281,7 @@ test_fapi_key_create_policy_pcr_sign(FAPI_CONTEXT *context) ASSERT(policy != NULL); LOG_INFO("\nTEST_JSON\nPolicy_sha256:\n%s\nEND_JSON", policy); - if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { CHECK_JSON(policy, policy_sha384_check, error); } else { CHECK_JSON(policy, policy_sha256_check, error); @@ -296,7 +296,7 @@ test_fapi_key_create_policy_pcr_sign(FAPI_CONTEXT *context) goto_if_error(r, "Error Fapi_ExportPolicy", error); ASSERT(policy != NULL); LOG_INFO("\nTEST_JSON\nPolicy export1:\n%s\nEND_JSON", policy); - if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { CHECK_JSON(policy, policy_sha384_export_check, error) } else { CHECK_JSON(policy, policy_sha256_export_check, error) @@ -427,7 +427,7 @@ test_fapi_key_create_policy_pcr_sign(FAPI_CONTEXT *context) goto_if_error(r, "Error Fapi_ExportPolicy", error); ASSERT(policy != NULL); - if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0){ CHECK_JSON(policy, policy_sha384_check, error); } else { CHECK_JSON(policy, policy_sha256_check, error); diff --git a/test/integration/fapi-key-create-policy-signed-keyedhash.int.c b/test/integration/fapi-key-create-policy-signed-keyedhash.int.c index d38fed128..f9f4131d7 100644 --- a/test/integration/fapi-key-create-policy-signed-keyedhash.int.c +++ b/test/integration/fapi-key-create-policy-signed-keyedhash.int.c 
@@ -206,7 +206,7 @@ test_fapi_key_create_policy_signed(FAPI_CONTEXT *context) char *publicKey = NULL; char *certificate = NULL; - if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { policy_name = "/policy/pol_signed_keyedhash_sha384"; policy_file = TOP_SOURCEDIR "/test/data/fapi/policy/pol_signed_keyedhash_sha384.json"; } else { diff --git a/test/integration/fapi-nv-authorizenv-cphash.int.c b/test/integration/fapi-nv-authorizenv-cphash.int.c index 4a297f34e..8ecb660b0 100644 --- a/test/integration/fapi-nv-authorizenv-cphash.int.c +++ b/test/integration/fapi-nv-authorizenv-cphash.int.c @@ -96,7 +96,7 @@ test_fapi_nv_authorizenv_cphash(FAPI_CONTEXT *context) r = Fapi_Provision(context, NULL, NULL, NULL); goto_if_error(r, "Error Fapi_Provision", error); - if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { policy2_name = "/policy/pol_cphash_sha384"; policy2_file = TOP_SOURCEDIR "/test/data/fapi/policy/pol_cphash_sha384.json"; policy_nv_auth_size = 50; diff --git a/test/integration/fapi-nv-extend.int.c b/test/integration/fapi-nv-extend.int.c index dfe864682..04488d245 100644 --- a/test/integration/fapi-nv-extend.int.c +++ b/test/integration/fapi-nv-extend.int.c @@ -91,7 +91,7 @@ test_fapi_nv_extend(FAPI_CONTEXT *context) LOG_INFO("\nTEST_JSON\nLog:\n%s\nEND_JSON", log); char *fields_log1[] = { "0", "digests", "0", "digest" }; - if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { CHECK_JSON_FIELDS(log, fields_log1, "c8ffec7d7d70c61b16adaab88925a1759b94cf6b50669b04aef1a8427fabb131eafbf9a21e3b8bddd9c5d5e7", error); 
@@ -120,7 +120,7 @@ test_fapi_nv_extend(FAPI_CONTEXT *context) LOG_INFO("\nTEST_JSON\nLog:\n%s\nEND_JSON", log); char *fields_log2[] = { "1", "digests", "0", "digest" }; - if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { CHECK_JSON_FIELDS(log, fields_log2, "c8ffec7d7d70c61b16adaab88925a1759b94cf6b50669b04aef1a8427fabb131eafbf9a21e3b8bddd9c5d5e7", error); diff --git a/test/integration/fapi-quote-destructive-eventlog.int.c b/test/integration/fapi-quote-destructive-eventlog.int.c index 172234227..8ecd12c15 100644 --- a/test/integration/fapi-quote-destructive-eventlog.int.c +++ b/test/integration/fapi-quote-destructive-eventlog.int.c @@ -1001,6 +1001,7 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) size_t i; json_object *jso_log = NULL; json_object *jso_log2 = NULL; + bool sha1_bank_exists; uint8_t data[EVENT_SIZE] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; size_t signatureSize = 0; @@ -1010,6 +1011,13 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) return EXIT_SKIP; #endif + r = pcr_bank_sha1_exists(context, &sha1_bank_exists); + goto_if_error(r, "Test sha1 bank", error); + + if (!sha1_bank_exists) { + return EXIT_SKIP; + } + r = Fapi_Provision(context, NULL, NULL, NULL); goto_if_error(r, "Error Fapi_Provision", error); diff --git a/test/integration/fapi-second-provisioning.int.c b/test/integration/fapi-second-provisioning.int.c index 8651a26d4..fbc7d2b43 100644 --- a/test/integration/fapi-second-provisioning.int.c +++ b/test/integration/fapi-second-provisioning.int.c 
@@ -63,6 +63,11 @@ test_fapi_test_second_provisioning(FAPI_CONTEXT *context) { TSS2_RC r; + if (strncmp(FAPI_PROFILE, "P_RSA", 5) == 0) { + LOG_WARNING("Default ECC profile needed for this test %s is used", FAPI_PROFILE); + return EXIT_SKIP; + } + /* We need to reset the passwords again, in order to not brick physical TPMs */ r = Fapi_Provision(context, PASSWORD, PASSWORD, NULL); goto_if_error(r, "Error Fapi_Provision", error); @@ -149,6 +154,8 @@ test_fapi_test_second_provisioning(FAPI_CONTEXT *context) rc = init_fapi("P_ECC", &context); } else if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { rc = init_fapi("P_ECC384", &context); + } else if (strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { + rc = init_fapi("P_ECC384", &context); } else { LOG_ERROR("Profile %s not supported for this test!", FAPI_PROFILE); } diff --git a/test/integration/main-fapi.c b/test/integration/main-fapi.c index a0926f631..59b1913cd 100644 --- a/test/integration/main-fapi.c +++ b/test/integration/main-fapi.c 
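Review bot: The `P_RSA3072` branch added to the init_fapi chain looks unreachable, because the guard added at the top of test_fapi_test_second_provisioning returns EXIT_SKIP for every profile whose name starts with `P_RSA`, so control never arrives at `else if (strcmp(FAPI_PROFILE, "P_RSA3072") == 0)`. Either drop that branch or narrow the early skip, depending on whether RSA profiles are meant to run this test; I am assuming both hunks lie on the same control path, since the function body is only partly visible. The warning text is also hard to parse; `LOG_WARNING("Test needs an ECC default profile, but %s is used", FAPI_PROFILE);` would state why the test is skipped.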
@@ -216,6 +216,49 @@ pcr_reset(FAPI_CONTEXT *context, UINT32 pcr) return r; } +TSS2_RC +pcr_bank_sha1_exists(FAPI_CONTEXT *context, bool *exists) +{ + TSS2_RC r; + TSS2_TCTI_CONTEXT *tcti; + ESYS_CONTEXT *esys; + TPML_PCR_SELECTION pcrSelectionIn = { + .count = 1, + .pcrSelections = { + { .hash = TPM2_ALG_SHA1, + .sizeofSelect = 3, + .pcrSelect = { 1, 0, 0} + }, + } + }; + UINT32 pcrUpdateCounter; + TPML_PCR_SELECTION *pcrSelectionOut = NULL; + TPML_DIGEST *pcrValues = NULL; + + r = Fapi_GetTcti(context, &tcti); + goto_if_error(r, "Error Fapi_GetTcti", error); + + r = Esys_Initialize(&esys, tcti, NULL); + goto_if_error(r, "Error Fapi_GetTcti", error); + + r = Esys_PCR_Read(esys, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, + &pcrSelectionIn, &pcrUpdateCounter, &pcrSelectionOut, &pcrValues); + goto_if_error(r, "Error: PCR_Read", error); + if (!pcrSelectionOut->pcrSelections[0].pcrSelect[0]) { + *exists = false; + } else { + *exists = true; + } + Esys_Finalize(&esys); + goto_if_error(r, "Error Eys_PCR_Reset", error); + +error: + SAFE_FREE(pcrSelectionOut); + SAFE_FREE(pcrValues); + return r; +} + + TSS2_RC pcr_extend(FAPI_CONTEXT *context, UINT32 pcr, TPML_DIGEST_VALUES *digest_values) { diff --git a/test/integration/test-fapi.h b/test/integration/test-fapi.h index 64fd972a0..69253fba4 100644 --- a/test/integration/test-fapi.h +++ b/test/integration/test-fapi.h @@ -139,6 +139,9 @@ extern char *fapi_profile; TSS2_RC pcr_extend(FAPI_CONTEXT *context, UINT32 pcr, TPML_DIGEST_VALUES *digest_values); +TSS2_RC +pcr_bank_sha1_exists(FAPI_CONTEXT *context, bool *exists); + TSS2_RC pcr_reset(FAPI_CONTEXT *context, UINT32 pcr); From 0b19f25866a04abfc691cf16d08c4424b540602c Mon Sep 17 00:00:00 2001 From: Juergen Repp Date: Sat, 17 Feb 2024 02:52:49 +0100 Subject: [PATCH 4/5] FAPI: Add result check for json_object_object_add. json-c versions < 0.13 are not supported. In these versions it was not possible to check the result of json_object_object_add. The check is now added. 
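Review bot: pcr_bank_sha1_exists leaks the ESYS context it creates whenever Esys_PCR_Read fails, because that `goto_if_error` jumps past `Esys_Finalize(&esys)` straight to the `error` label. The `goto_if_error` placed after Esys_Finalize re-tests an `r` that has not changed and so can never fire, and two messages name the wrong call (`"Error Fapi_GetTcti"` after Esys_Initialize, `"Error Eys_PCR_Reset"` at the end). I would initialise `esys` to NULL, finalize it under the label, and check `pcrSelectionOut->count` before indexing `pcrSelections[0]`. `*exists` stays unset on the error paths, so callers have to test the return code first, as test_fapi_quote_destructive does.

```c
    ESYS_CONTEXT *esys = NULL;
    /* … unchanged: tcti, pcrSelectionIn and the output locals … */

    /* … unchanged: Fapi_GetTcti call and its check … */

    r = Esys_Initialize(&esys, tcti, NULL);
    goto_if_error(r, "Error Esys_Initialize", error);

    /* … unchanged: Esys_PCR_Read call … */
    goto_if_error(r, "Error Esys_PCR_Read", error);

    /* An empty selection list is treated the same as a cleared bit. */
    *exists = pcrSelectionOut->count > 0 &&
              pcrSelectionOut->pcrSelections[0].pcrSelect[0] != 0;

error:
    /* Finalize on every path so a failed read does not leak the context. */
    if (esys != NULL)
        Esys_Finalize(&esys);
    SAFE_FREE(pcrSelectionOut);
    SAFE_FREE(pcrValues);
    return r;
```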
Signed-off-by: Juergen Repp --- src/tss2-fapi/api/Fapi_NvExtend.c | 8 +++++-- src/tss2-fapi/ifapi_eventlog.c | 24 ++++++++++++++----- .../fapi-quote-destructive-eventlog.int.c | 4 +++- 3 files changed, 27 insertions(+), 9 deletions(-) diff --git a/src/tss2-fapi/api/Fapi_NvExtend.c b/src/tss2-fapi/api/Fapi_NvExtend.c index 237125815..ca174c627 100644 --- a/src/tss2-fapi/api/Fapi_NvExtend.c +++ b/src/tss2-fapi/api/Fapi_NvExtend.c @@ -410,7 +410,9 @@ Fapi_NvExtend_Finish( /* libjson-c does not deliver an array if array has only one element */ if (jsoType != json_type_array) { json_object *jsonArray = json_object_new_array(); - json_object_array_add(jsonArray, command->jso_event_log); + if (json_object_array_add(jsonArray, command->jso_event_log)) { + return_error(TSS2_FAPI_RC_GENERAL_FAILURE, "Could not add json object."); + } command->jso_event_log = jsonArray; } } else { @@ -423,7 +425,9 @@ Fapi_NvExtend_Finish( r = ifapi_json_IFAPI_EVENT_serialize(&command->pcr_event, &jso); goto_if_error(r, "Error serialize event", error_cleanup); - json_object_array_add(command->jso_event_log, jso); + if (json_object_array_add(command->jso_event_log, jso)) { + return_error(TSS2_FAPI_RC_GENERAL_FAILURE, "Could not add json object."); + } SAFE_FREE(object->misc.nv.event_log); strdup_check(object->misc.nv.event_log, json_object_to_json_string_ext(command->jso_event_log, diff --git a/src/tss2-fapi/ifapi_eventlog.c b/src/tss2-fapi/ifapi_eventlog.c index c641ba4bf..51aae0f0a 100644 --- a/src/tss2-fapi/ifapi_eventlog.c +++ b/src/tss2-fapi/ifapi_eventlog.c @@ -123,7 +123,9 @@ ifapi_eventlog_get_async( r = ifapi_json_IFAPI_EVENT_serialize(&cel_event, &jso); goto_if_error(r, "Error serialize event", error); - json_object_array_add(eventlog->log, jso); + if (json_object_array_add(eventlog->log, jso)) { + return_error(TSS2_FAPI_RC_GENERAL_FAILURE, "Could not add json object."); + } } } 
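Review bot: The new failure branches leave through `return_error`, which as far as the visible code shows bypasses the cleanup labels the neighbouring checks jump to (`error_cleanup` in Fapi_NvExtend_Finish, `error` in ifapi_eventlog_get_async), and the object that could not be added (`jsonArray`, `jso`) is never released. The same pattern recurs in the later ifapi_eventlog.c hunks (ifapi_eventlog_get_finish, where `jso_event` has just had its refcount raised by `json_object_get`, ifapi_eventlog_append_check and ifapi_eventlog_append_finish) and in test_fapi_quote_destructive, which additionally returns a TSS2_RC value from a function documented to return EXIT_* codes. Routing the failure through the existing label, for example `goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Could not add json object.", error_cleanup);` after a `json_object_put()` on the orphaned object, would keep these paths consistent with the rest of each function. The result of `json_object_new_array()` is also used unchecked in the first Fapi_NvExtend_Finish hunk. The function bodies continue outside the hunks, so the right label per function needs confirming.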
@@ -155,7 +157,9 @@ ifapi_eventlog_get_async( r = ifapi_json_IFAPI_EVENT_serialize(&cel_event, &jso); goto_if_error(r, "Error serialize event", error); - json_object_array_add(eventlog->log, jso); + if (json_object_array_add(eventlog->log, jso)) { + return_error(TSS2_FAPI_RC_GENERAL_FAILURE, "Could not add json object."); + } } } if (eventlog->ima_log_file) { @@ -286,7 +290,9 @@ ifapi_eventlog_get_finish( json_type jso_type = json_object_get_type(logpart); if (jso_type != json_type_array) { /* libjson-c does not deliver an array if array has only one element */ - json_object_array_add(eventlog->log, logpart); + if (json_object_array_add(eventlog->log, logpart)) { + return_error(TSS2_FAPI_RC_GENERAL_FAILURE, "Could not add json object."); + } } else { /* Iterate through the array of logpart and add each item to the eventlog */ /* The return type of json_object_array_length() was changed, thus the case */ @@ -294,7 +300,9 @@ ifapi_eventlog_get_finish( jso_event = json_object_array_get_idx(logpart, i); /* Increment the refcount of event so it does not get freed on put(logpart) below */ json_object_get(jso_event); - json_object_array_add(eventlog->log, jso_event); + if (json_object_array_add(eventlog->log, jso_event)) { + return_error(TSS2_FAPI_RC_GENERAL_FAILURE, "Could not add json object."); + } } json_object_put(logpart); } @@ -365,7 +373,9 @@ ifapi_eventlog_append_check( json_type jso_type = json_object_get_type(eventlog->log); if (jso_type != json_type_array) { json_object *json_array = json_object_new_array(); - json_object_array_add(json_array, eventlog->log); + if (json_object_array_add(json_array, eventlog->log)) { + return_error(TSS2_FAPI_RC_GENERAL_FAILURE, "Could not add json object."); + } eventlog->log = json_array; } } else { 
@@ -444,7 +454,9 @@ ifapi_eventlog_append_finish( goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Error serializing event data", error_cleanup); } - json_object_array_add(eventlog->log, event); + if (json_object_array_add(eventlog->log, event)) { + return_error(TSS2_FAPI_RC_GENERAL_FAILURE, "Could not add json object."); + } logstr2 = json_object_to_json_string_ext(eventlog->log, JSON_C_TO_STRING_PRETTY); /* Construct the filename for the eventlog file */ diff --git a/test/integration/fapi-quote-destructive-eventlog.int.c b/test/integration/fapi-quote-destructive-eventlog.int.c index 8ecd12c15..060e21cbd 100644 --- a/test/integration/fapi-quote-destructive-eventlog.int.c +++ b/test/integration/fapi-quote-destructive-eventlog.int.c @@ -1091,7 +1091,9 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) jso_duplicate = json_object_get(jso_event); goto_if_null(jso_duplicate, "Out of memory.", TSS2_FAPI_RC_MEMORY, error); - json_object_array_add(jso_log2, jso_duplicate); + if (json_object_array_add(jso_log2, jso_duplicate)) { + return_error(TSS2_FAPI_RC_GENERAL_FAILURE, "Could not add json object."); + } } pcrEventLog2 = strdup(json_object_to_json_string_ext(jso_log2, JSON_C_TO_STRING_PRETTY)); From f87820d1f665e2b50ab1dbcc4beccf39250b440b Mon Sep 17 00:00:00 2001 From: Juergen Repp Date: Tue, 13 Feb 2024 15:07:29 +0100 Subject: [PATCH 5/5] FAPI: Cleanup policy error handling. Various errors occurred during policy error handling. The flush for esys policy objects was sometimes executed several times. The policy error handling is now unified. Unneeded duplicate code is removed. Unneeded code is removed. The state was not initialized correctly in error cases in the policy utility state machines. 
Signed-off-by: Juergen Repp --- src/tss2-fapi/api/Fapi_Encrypt.c | 3 +- src/tss2-fapi/api/Fapi_ExportKey.c | 4 +++ src/tss2-fapi/api/Fapi_GetEsysBlob.c | 4 --- src/tss2-fapi/api/Fapi_Import.c | 2 ++ src/tss2-fapi/fapi_int.h | 1 + src/tss2-fapi/fapi_util.c | 46 ++++++------------------ src/tss2-fapi/fapi_util.h | 6 ---- src/tss2-fapi/ifapi_policy_execute.c | 14 +++++--- src/tss2-fapi/ifapi_policyutil_execute.c | 23 ++++++++++-- 9 files changed, 48 insertions(+), 55 deletions(-) diff --git a/src/tss2-fapi/api/Fapi_Encrypt.c b/src/tss2-fapi/api/Fapi_Encrypt.c index 187291157..e4e236a55 100644 --- a/src/tss2-fapi/api/Fapi_Encrypt.c +++ b/src/tss2-fapi/api/Fapi_Encrypt.c @@ -435,7 +435,8 @@ Fapi_Encrypt_Finish( error_cleanup: /* Cleanup any intermediate results and state stored in the context. */ - if (command->key_handle != ESYS_TR_NONE) + if (command->key_handle != ESYS_TR_NONE && + command->key_object && !command->key_object->misc.key.persistent_handle) Esys_FlushContext(context->esys, command->key_handle); if (r) SAFE_FREE(command->cipherText); diff --git a/src/tss2-fapi/api/Fapi_ExportKey.c b/src/tss2-fapi/api/Fapi_ExportKey.c index 86eb88d04..87bc5a9cd 100644 --- a/src/tss2-fapi/api/Fapi_ExportKey.c +++ b/src/tss2-fapi/api/Fapi_ExportKey.c @@ -430,6 +430,8 @@ Fapi_ExportKey_Finish( return_try_again(r); goto_if_error(r, "Flush key", cleanup); + command->key_object->public.handle = ESYS_TR_NONE; + fallthrough; statecase(context->state, EXPORT_KEY_WAIT_FOR_FLUSH2); @@ -438,6 +440,8 @@ Fapi_ExportKey_Finish( return_try_again(r); goto_if_error(r, "Flush key", cleanup); + command->handle_ext_key = ESYS_TR_NONE; + fallthrough; statecase(context->state, EXPORT_KEY_CLEANUP) diff --git a/src/tss2-fapi/api/Fapi_GetEsysBlob.c b/src/tss2-fapi/api/Fapi_GetEsysBlob.c index 43f7d1114..2da663aca 100644 --- a/src/tss2-fapi/api/Fapi_GetEsysBlob.c +++ b/src/tss2-fapi/api/Fapi_GetEsysBlob.c 
@@ -337,10 +337,6 @@ Fapi_GetEsysBlob_Finish( SAFE_FREE(key_context); goto_if_error(r, "Marshaling context", error_cleanup); - /* Cleanup policy session if an error did occur. */ - ifapi_flush_policy_session(context, context->policy.session, r); - goto_if_error(r, "Cleanup policy session", error_cleanup); - /* Flush current object used for blob computation. */ if (!key_object->misc.key.persistent_handle) { r = Esys_FlushContext_Async(context->esys, key_object->public.handle); diff --git a/src/tss2-fapi/api/Fapi_Import.c b/src/tss2-fapi/api/Fapi_Import.c index ab6c34516..2aa5ed79f 100644 --- a/src/tss2-fapi/api/Fapi_Import.c +++ b/src/tss2-fapi/api/Fapi_Import.c @@ -652,6 +652,8 @@ Fapi_Import_Finish( if (!command->parent_object->misc.key.persistent_handle) { r = ifapi_flush_object(context, command->parent_object->public.handle); return_try_again(r); + + command->parent_object->public.handle = ESYS_TR_NONE; ifapi_cleanup_ifapi_object(command->parent_object); goto_if_error(r, "Flush key", error_cleanup); } else { diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h index 6201fd598..843526840 100644 --- a/src/tss2-fapi/fapi_int.h +++ b/src/tss2-fapi/fapi_int.h @@ -240,6 +240,7 @@ typedef struct { TPM2B_AUTH auth; /**< The Password */ IFAPI_NV nv_obj; /**< The NV Object */ ESYS_TR auth_index; /**< The ESAPI handle of the authorization object */ + ESYS_TR auth_session; /**< The autorization session for a nv object */ uint64_t bitmap; /**< The bitmask for the SetBits command */ IFAPI_NV_TEMPLATE public_templ; /**< The template for nv creation, adjusted appropriate by the passed flags */ diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c index f09d500e4..26be81708 100644 --- a/src/tss2-fapi/fapi_util.c +++ b/src/tss2-fapi/fapi_util.c 
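Review bot: In Fapi_Import_Finish `command->parent_object->public.handle = ESYS_TR_NONE;` is assigned before `goto_if_error(r, "Flush key", error_cleanup)`, so the handle is forgotten even when `ifapi_flush_object` failed and the transient parent may still be loaded in the TPM. The Fapi_ExportKey hunks in this patch reset their handles only after the error check. If the early reset is deliberate, to keep error_cleanup from flushing again, a comment would make that clear: `/* Forget the handle even on failure so error_cleanup does not flush it twice. */`. The surrounding state machine is outside the hunk.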
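Review bot: The doc comment on the new `auth_session` field in fapi_int.h misspells "authorization" and does not say when the value is valid. Suggested wording: `/**< The authorization session for an NV object; stored by ifapi_nv_write after authorization and reused by its follow-up write call */`. Nothing in this hunk initialises the field to `ESYS_TR_NONE`, so it is worth confirming that wherever `nv_cmd` is set up does so.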
@@ -1156,7 +1156,6 @@ ifapi_session_init(FAPI_CONTEXT *context) context->session1 = ESYS_TR_NONE; context->session2 = ESYS_TR_NONE; - context->policy.session = ESYS_TR_NONE; context->srk_handle = ESYS_TR_NONE; return TSS2_RC_SUCCESS; } @@ -1185,7 +1184,6 @@ ifapi_non_tpm_mode_init(FAPI_CONTEXT *context) context->session1 = ESYS_TR_NONE; context->session2 = ESYS_TR_NONE; - context->policy.session = ESYS_TR_NONE; context->srk_handle = ESYS_TR_NONE; return TSS2_RC_SUCCESS; } @@ -1200,9 +1198,6 @@ ifapi_non_tpm_mode_init(FAPI_CONTEXT *context) void ifapi_session_clean(FAPI_CONTEXT *context) { - if (context->policy_session && context->policy_session != ESYS_TR_NONE) { - Esys_FlushContext(context->esys, context->policy_session); - } if (context->session1 != ESYS_TR_NONE && context->session1 != ESYS_TR_PASSWORD) { if (context->session1 == context->session2) { context->session2 = ESYS_TR_NONE; @@ -1246,7 +1241,6 @@ ifapi_cleanup_session(FAPI_CONTEXT *context) TSS2_RC r; /* Policy sessions were closed after successful execution. */ - context->policy_session = ESYS_TR_NONE; switch (context->cleanup_state) { statecase(context->cleanup_state, CLEANUP_INIT); 
@@ -2096,27 +2090,6 @@ get_name_alg(FAPI_CONTEXT *context, IFAPI_OBJECT *object) } } -/** Check whether policy session has to be flushed. - * - * Policy sessions with cleared continue session flag are not flushed in error - * cases. Therefore the return code will be checked and if a policy session was - * used the session will be flushed if the command was not executed successfully. - * - * @param[in,out] context for storing all state information. - * @param[in] session the session to be checked whether flush is needed. - * @param[in] r The return code of the command using the session. - */ -void -ifapi_flush_policy_session(FAPI_CONTEXT *context, ESYS_TR session, TSS2_RC r) -{ - if (session != context->session1) { - /* A policy session was used instead auf the default session. */ - if (r != TSS2_RC_SUCCESS) { - Esys_FlushContext(context->esys, session); - } - } -} - /** State machine to authorize a key, a NV object of a hierarchy. * * @param[in,out] context for storing all state information. @@ -2229,6 +2202,7 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses error: /* No policy call was executed session can be flushed */ Esys_FlushContext(context->esys, *session); + *session = ESYS_TR_NONE; return r; } @@ -2370,6 +2344,8 @@ ifapi_nv_write( r = ifapi_authorize_object(context, auth_object, &auth_session); FAPI_SYNC(r, "Authorize NV object.", error_cleanup); + context->nv_cmd.auth_session = auth_session; + /* Prepare the writing to NV ram. */ r = Esys_NV_Write_Async(context->esys, context->nv_cmd.auth_index, 
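Review bot: The `error:` path of ifapi_authorize_object flushes `*session` unconditionally before clearing it, while the cleanup blocks this patch touches in ifapi_policy_execute.c test for `ESYS_TR_NONE` first and the removed ifapi_flush_policy_session skipped the flush when the session was `context->session1`. If the label can be reached before a session was assigned, or with `*session` equal to the shared `context->session1`, the flush either runs on an empty handle or leaves `session1` stale for ifapi_session_clean. A guard such as `if (*session != ESYS_TR_NONE && *session != context->session1)` would make the intent explicit. The function body is outside the hunk, so which values can arrive at the label needs confirming.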
@@ -2409,11 +2385,8 @@ ifapi_nv_write( r = Esys_NV_Write_Async(context->esys, context->nv_cmd.auth_index, nv_index, - (!context->policy.session - || context->policy.session == ESYS_TR_NONE) ? context->session1 : - context->policy.session, - (context->policy.session && context->policy.session != ESYS_TR_NONE) ? - context->session2 : ESYS_TR_NONE, + context->nv_cmd.auth_session, + ENC_SESSION_IF_POLICY(context->nv_cmd.auth_session), ESYS_TR_NONE, aux_data, context->nv_cmd.data_idx); @@ -2975,9 +2948,7 @@ ifapi_key_sign( context->Key_Sign.handle = sig_key_object->public.handle; r = ifapi_authorize_object(context, sig_key_object, &session); - FAPI_SYNC(r, "Authorize signature key.", cleanup); - - context->policy.session = session; + return_try_again(r); r = ifapi_get_sig_scheme(context, sig_key_object, padding, digest, &sig_scheme); goto_if_error(r, "Get signature scheme", cleanup); @@ -3000,7 +2971,6 @@ ifapi_key_sign( &context->Key_Sign.signature); return_try_again(r); context->session2 = ESYS_TR_NONE; - ifapi_flush_policy_session(context, context->policy.session, r); goto_if_error(r, "Error: Sign", cleanup); /* Prepare the flushing of the signing key. */ @@ -3717,6 +3687,8 @@ ifapi_key_create( r = ifapi_flush_object(context, context->loadKey.handle); return_try_again(r); goto_if_error(r, "Flush key", error_cleanup); + + context->loadKey.handle = ESYS_TR_NONE; } fallthrough; @@ -4892,6 +4864,8 @@ ifapi_create_primary( return_try_again(r); goto_if_error(r, "Flush key", error_cleanup); + context->cmd.Key_Create.handle = ESYS_TR_NONE; + fallthrough; statecase(context->cmd.Key_Create.state, KEY_CREATE_PRIMARY_WRITE_PREPARE); diff --git a/src/tss2-fapi/fapi_util.h b/src/tss2-fapi/fapi_util.h index f9974be96..871825109 100644 --- a/src/tss2-fapi/fapi_util.h +++ b/src/tss2-fapi/fapi_util.h 
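Review bot: After this change a failed `ifapi_authorize_object` in ifapi_key_sign is no longer acted on: `return_try_again(r)` only handles the retry case, and the next statement overwrites `r` with the result of `ifapi_get_sig_scheme`. The removed `FAPI_SYNC(r, "Authorize signature key.", cleanup)` carried a cleanup label, so it presumably also left on error; as written, an authorization or policy failure falls through to the signing call with whatever is in `session`. Adding `goto_if_error(r, "Authorize signature key.", cleanup);` directly after `return_try_again(r);` restores the check. The function starts and ends outside the hunk.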
@@ -125,12 +125,6 @@ ifapi_nv_read( uint8_t **data, size_t *size); -void -ifapi_flush_policy_session( - FAPI_CONTEXT *context, - ESYS_TR session, - TSS2_RC r); - TSS2_RC ifapi_nv_write( FAPI_CONTEXT *context, diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c index e2fb4c2c6..99ca51426 100644 --- a/src/tss2-fapi/ifapi_policy_execute.c +++ b/src/tss2-fapi/ifapi_policy_execute.c @@ -574,8 +574,10 @@ execute_policy_signed( SAFE_FREE(current_policy->buffer); SAFE_FREE(current_policy->pem_key); /* In error cases object might not have been flushed. */ - if (current_policy->object_handle != ESYS_TR_NONE) + if (current_policy->object_handle != ESYS_TR_NONE) { Esys_FlushContext(esys_ctx, current_policy->object_handle); + current_policy->object_handle = ESYS_TR_NONE; + } return r; } @@ -745,9 +747,10 @@ execute_policy_authorize( } cleanup: /* In error cases object might not have been flushed. */ - if (current_policy->object_handle != ESYS_TR_NONE) + if (current_policy->object_handle != ESYS_TR_NONE) { Esys_FlushContext(esys_ctx, current_policy->object_handle); - + current_policy->object_handle = ESYS_TR_NONE; + } return r; } @@ -955,6 +958,7 @@ execute_policy_secret( statecase(current_policy->state, POLICY_FLUSH_KEY); r = Esys_FlushContext_Finish(esys_ctx); try_again_or_error(r, "Flush key finish."); + current_policy->auth_handle = ESYS_TR_NONE; current_policy->state = POLICY_EXECUTE_INIT; break; @@ -964,8 +968,9 @@ execute_policy_secret( return r; cleanup: - if (current_policy->flush_handle) { + if (current_policy->flush_handle && current_policy->auth_handle != ESYS_TR_NONE) { Esys_FlushContext(esys_ctx, current_policy->auth_handle); + current_policy->auth_handle = ESYS_TR_NONE; } SAFE_FREE(current_policy->nonceTPM); return r; 
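Review bot: The same flush-then-forget sequence is now written out three times, in the cleanup of execute_policy_signed, execute_policy_authorize and execute_policy_secret, each time discarding the `Esys_FlushContext` result. A small file-local helper would keep the three paths identical and give one place to document why the handle is cleared, which matches the patch's stated goal of removing duplicate code. The sketch below assumes `esys_ctx` is an `ESYS_CONTEXT *` as the existing calls suggest; all three functions start outside their hunks.

```c
/* Flush a transient object on an error path and forget its handle, so a
 * later cleanup pass cannot flush the same handle twice. */
static void
flush_and_forget(ESYS_CONTEXT *esys_ctx, ESYS_TR *handle)
{
    if (*handle != ESYS_TR_NONE) {
        Esys_FlushContext(esys_ctx, *handle);
        *handle = ESYS_TR_NONE;
    }
}

/* ... unchanged: execute_policy_signed / execute_policy_authorize bodies ... */
    flush_and_forget(esys_ctx, &current_policy->object_handle);

/* ... unchanged: execute_policy_secret body up to cleanup ... */
    if (current_policy->flush_handle)
        flush_and_forget(esys_ctx, &current_policy->auth_handle);
```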
@@ -1907,7 +1912,6 @@ ifapi_policyeval_execute( if (r != TSS2_RC_SUCCESS) { if (do_flush) { Esys_FlushContext(esys_ctx, current_policy->session); - current_policy->session = ESYS_TR_NONE; } ifapi_free_node_list(current_policy->policy_elements); diff --git a/src/tss2-fapi/ifapi_policyutil_execute.c b/src/tss2-fapi/ifapi_policyutil_execute.c index 450a1a2e6..b0925f0f5 100644 --- a/src/tss2-fapi/ifapi_policyutil_execute.c +++ b/src/tss2-fapi/ifapi_policyutil_execute.c @@ -122,8 +122,13 @@ create_session( case WAIT_FOR_CREATE_SESSION: r = Esys_StartAuthSession_Finish(context->esys, session); - if (r != TSS2_RC_SUCCESS) + if (r == TSS2_FAPI_RC_TRY_AGAIN) { return r; + } + if (r != TSS2_RC_SUCCESS) { + context->policy.create_session_state = CREATE_SESSION_INIT; + return r; + } context->policy.create_session_state = CREATE_SESSION_INIT; break; @@ -284,8 +289,6 @@ ifapi_policyutil_execute(FAPI_CONTEXT *context, ESYS_TR *session) goto_if_error(r, "Create policy session", error); pol_util_ctx->pol_exec_ctx->session = pol_util_ctx->policy_session; - /* Save policy session for cleanup in error case. */ - context->policy_session = pol_util_ctx->policy_session; } else { pol_util_ctx->pol_exec_ctx->session = *session; } @@ -299,6 +302,18 @@ ifapi_policyutil_execute(FAPI_CONTEXT *context, ESYS_TR *session) context->policy.util_current_policy = pol_util_ctx->prev; return TSS2_FAPI_RC_TRY_AGAIN; } + + if (r) { + /* Cleanup stack */ + IFAPI_POLICYUTIL_STACK *utl_ctx = pol_util_ctx->prev; + while (utl_ctx) { + if (utl_ctx->pol_exec_ctx->session == pol_util_ctx->pol_exec_ctx->session) { + utl_ctx->pol_exec_ctx->session = ESYS_TR_NONE; + } + utl_ctx = utl_ctx->prev; + } + pol_util_ctx->pol_exec_ctx->session = ESYS_TR_NONE; + } goto_if_error(r, "Execute policy.", error); break; 
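Review bot: The retry test in create_session compares `r` with `TSS2_FAPI_RC_TRY_AGAIN` exactly, although `r` comes from `Esys_StartAuthSession_Finish`. If the ESYS layer reports try-again under its own layer code, the comparison does not match, the state is reset to `CREATE_SESSION_INIT`, and the next call would start a second session request while the first is still pending. The other retry checks in this patch go through `return_try_again(r)`; using it here avoids depending on the layer. The two identical `context->policy.create_session_state = CREATE_SESSION_INIT;` assignments could then become one, placed before `if (r != TSS2_RC_SUCCESS) return r;`.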
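Review bot: The "Cleanup stack" block in ifapi_policyutil_execute clears `pol_exec_ctx->session` in every stack entry whenever `r` is non-zero, but the ifapi_policyeval_execute hunk above shows the flush happening only `if (do_flush)`. When `do_flush` is false the handle is forgotten here without having been flushed, which would leave the policy session open in the TPM unless another owner still holds it. The comment should state the invariant being relied on, for example `/* The session was flushed by ifapi_policyeval_execute; forget it in every stack entry that shares it so it is not flushed again. */`. The loop also dereferences `utl_ctx->pol_exec_ctx` without a NULL check, which is worth confirming for entries that have not started executing. The function extends beyond the hunk.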
@@ -306,6 +321,7 @@ ifapi_policyutil_execute(FAPI_CONTEXT *context, ESYS_TR *session) statecasedefault(pol_util_ctx->state); } *session = pol_util_ctx->policy_session; + pol_util_ctx->state = POLICY_UTIL_INIT; pol_util_ctx = pol_util_ctx->prev; @@ -318,6 +334,7 @@ ifapi_policyutil_execute(FAPI_CONTEXT *context, ESYS_TR *session) return r; error: + pol_util_ctx->state = POLICY_UTIL_INIT; pol_util_ctx = pol_util_ctx->prev; if (context->policy.util_current_policy) clear_current_policy(context);