Fix to use the new unset auth session API, that captures the last TPM…
… nonce, so the session auth can be properly set again. Requires wolfTPM PR wolfSSL/wolfTPM#299
dgarske committed Sep 15, 2023
1 parent e3f97f4 commit d5dd04b
Showing 2 changed files with 11 additions and 5 deletions.
14 changes: 10 additions & 4 deletions src/tpm.c
Expand Up @@ -611,6 +611,7 @@ int wolfBoot_store_blob(TPMI_RH_NV_AUTH authHandle, uint32_t nvIndex,
}
/* write sealed blob to NV */
if (rc == 0) {
wolfTPM2_UnsetAuth(&wolftpm_dev, 1);
pos = 0;
/* write pub size */
rc = wolfTPM2_NVWriteAuth(&wolftpm_dev, &nv, nv.handle.hndl,
Expand Down Expand Up @@ -664,6 +665,7 @@ int wolfBoot_read_blob(uint32_t nvIndex, WOLFTPM2_KEYBLOB* blob,
nv.handle.hndl = nvIndex;
nv.handle.auth.size = authSz;
memcpy(nv.handle.auth.buffer, auth, authSz);
wolfTPM2_SetAuthHandle(&wolftpm_dev, 0, &nv.handle);

pos = 0;
readSz = sizeof(blob->pub.size);
Expand Down Expand Up @@ -769,7 +771,7 @@ int wolfBoot_seal_blob(uint8_t* pubkey_hint, uint8_t* policy, uint16_t policySz,
}

wolfTPM2_UnloadHandle(&wolftpm_dev, &policy_session.handle);
wolfTPM2_UnsetAuth(&wolftpm_dev, 1);
wolfTPM2_UnsetAuthSession(&wolftpm_dev, 1, &wolftpm_session);

return rc;
}
Expand Down Expand Up @@ -949,7 +951,7 @@ int wolfBoot_unseal_blob(uint8_t* pubkey_hint,

wolfTPM2_UnloadHandle(&wolftpm_dev, &seal_blob->handle);
wolfTPM2_UnloadHandle(&wolftpm_dev, &policy_session.handle);
wolfTPM2_UnsetAuth(&wolftpm_dev, 1);
wolfTPM2_UnsetAuthSession(&wolftpm_dev, 1, &wolftpm_session);

return rc;
}
Expand Down Expand Up @@ -996,6 +998,7 @@ static int wolfRNG_GetSeedCB(OS_Seed* os, uint8_t* seed, uint32_t sz)
if (rc == 0) {
rc = wolfTPM2_GetRandom(&wolftpm_dev, seed, sz);
}
wolfTPM2_UnsetAuthSession(&wolftpm_dev, 0, &wolftpm_session);
return rc;
}
#endif
Expand Down Expand Up @@ -1141,7 +1144,8 @@ int wolfBoot_check_rot(int key_slot, uint8_t* pubkey_hint)
nv.handle.hndl = WOLFBOOT_TPM_KEYSTORE_NV_BASE + key_slot;
#ifdef WOLFBOOT_TPM_KEYSTORE_AUTH
nv.handle.auth.size = (UINT16)strlen(WOLFBOOT_TPM_KEYSTORE_AUTH);
memcpy(nv.handle.auth.buffer, WOLFBOOT_TPM_KEYSTORE_AUTH, nv.handle.auth.size);
memcpy(nv.handle.auth.buffer, WOLFBOOT_TPM_KEYSTORE_AUTH,
nv.handle.auth.size);
#endif
wolfTPM2_SetAuthHandle(&wolftpm_dev, 0, &nv.handle);

Expand All @@ -1150,6 +1154,8 @@ int wolfBoot_check_rot(int key_slot, uint8_t* pubkey_hint)
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt |
TPMA_SESSION_continueSession));
if (rc == 0) {
wolfTPM2_UnsetAuth(&wolftpm_dev, 1);

/* read index */
rc = wolfTPM2_NVReadAuth(&wolftpm_dev, &nv, nv.handle.hndl,
digest, &digestSz, 0);
Expand All @@ -1170,7 +1176,7 @@ int wolfBoot_check_rot(int key_slot, uint8_t* pubkey_hint)
wolfBoot_print_hexstr(pubkey_hint, digestSz, 0);
}
}
wolfTPM2_UnsetAuth(&wolftpm_dev, 1);
wolfTPM2_UnsetAuthSession(&wolftpm_dev, 1, &wolftpm_session);

return rc;
}
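Review bot: In wolfBoot_check_rot the slot-1 session is still cleared with the old `wolfTPM2_UnsetAuth(&wolftpm_dev, 1);` (the `if (rc == 0)` hunk) before the NV read, and only the final `wolfTPM2_UnsetAuthSession(&wolftpm_dev, 1, &wolftpm_session);` captures the nonce — if the new API copies the nonce out of the device's auth slot, that slot is already zeroed by then and the saved nonce is stale, which works against the commit's stated purpose; the earlier call should presumably also be `wolfTPM2_UnsetAuthSession(&wolftpm_dev, 1, &wolftpm_session);`, and the same pattern appears in the wolfBoot_store_blob hunk. Clearing slot 1 before `wolfTPM2_NVReadAuth` also means the key-store digest is read without the session whose attributes in the preceding hunk include `TPMA_SESSION_decrypt | TPMA_SESSION_encrypt`, so that response presumably loses the session's HMAC check and parameter encryption; if a wolfTPM limitation forces this, a one-line comment at the unset saying so would help. The wolfRNG_GetSeedCB hunk calls the new API with index 0 while every other call site uses index 1; if the RNG path really keeps its session in slot 0 that deserves a comment too. The return value of wolfTPM2_UnsetAuthSession is discarded at every call site, as wolfTPM2_UnsetAuth's was before. wolfBoot_check_rot starts before the hunks shown, and the wolfBoot_store_blob hunk is cut at both ends.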
