Skip to content

Commit

Permalink
Fix for unseal not properly using auth.
Browse files Browse the repository at this point in the history
  • Loading branch information
dgarske authored and danielinux committed Oct 25, 2023
1 parent 0666ffe commit 96d55c8
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 10 deletions.
4 changes: 2 additions & 2 deletions include/tpm.h
Original file line number Diff line number Diff line change
Expand Up @@ -75,13 +75,13 @@ int wolfBoot_seal(const uint8_t* pubkey_hint, const uint8_t* policy, uint16_t po
int wolfBoot_seal_auth(const uint8_t* pubkey_hint, const uint8_t* policy, uint16_t policySz,
int index, const uint8_t* secret, int secret_sz, const uint8_t* auth, int authSz);
int wolfBoot_seal_blob(const uint8_t* pubkey_hint, const uint8_t* policy, uint16_t policySz,
WOLFTPM2_KEYBLOB* seal_blob, const uint8_t* secret, int secret_sz);
WOLFTPM2_KEYBLOB* seal_blob, const uint8_t* secret, int secret_sz, const uint8_t* auth, int authSz);
int wolfBoot_unseal(const uint8_t* pubkey_hint, const uint8_t* policy, uint16_t policySz,
int index, uint8_t* secret, int* secret_sz);
int wolfBoot_unseal_auth(const uint8_t* pubkey_hint, const uint8_t* policy, uint16_t policySz,
int index, uint8_t* secret, int* secret_sz, const uint8_t* auth, int authSz);
int wolfBoot_unseal_blob(const uint8_t* pubkey_hint, const uint8_t* policy, uint16_t policySz,
WOLFTPM2_KEYBLOB* seal_blob, uint8_t* secret, int* secret_sz);
WOLFTPM2_KEYBLOB* seal_blob, uint8_t* secret, int* secret_sz, const uint8_t* auth, int authSz);

int wolfBoot_read_blob(uint32_t nvIndex, WOLFTPM2_KEYBLOB* blob,
const uint8_t* auth, uint32_t authSz);
Expand Down
17 changes: 9 additions & 8 deletions src/tpm.c
Original file line number Diff line number Diff line change
Expand Up @@ -741,7 +741,8 @@ int wolfBoot_delete_blob(TPMI_RH_NV_AUTH authHandle, uint32_t nvIndex,
/* The secret is sealed based on a policy authorization from a public key. */
int wolfBoot_seal_blob(const uint8_t* pubkey_hint,
const uint8_t* policy, uint16_t policySz,
WOLFTPM2_KEYBLOB* seal_blob, const uint8_t* secret, int secret_sz)
WOLFTPM2_KEYBLOB* seal_blob, const uint8_t* secret, int secret_sz,
const uint8_t* auth, int authSz)
{
int rc;
WOLFTPM2_SESSION policy_session;
Expand Down Expand Up @@ -802,8 +803,7 @@ int wolfBoot_seal_blob(const uint8_t* pubkey_hint,
/* Create a new key for sealing using external signing auth */
wolfTPM2_GetKeyTemplate_KeySeal(&template, pcrAlg);
rc = wolfTPM2_CreateKeySeal_ex(&wolftpm_dev, seal_blob,
&wolftpm_srk.handle, &template,
seal_blob->handle.auth.buffer, seal_blob->handle.auth.size,
&wolftpm_srk.handle, &template, auth, authSz,
pcrAlg, NULL, 0, secret, secret_sz);
}

Expand Down Expand Up @@ -831,7 +831,7 @@ int wolfBoot_seal_auth(const uint8_t* pubkey_hint,

/* creates a sealed keyed hash object (not loaded to TPM) */
rc = wolfBoot_seal_blob(pubkey_hint, policy, policySz, &seal_blob,
secret, secret_sz);
secret, secret_sz, auth, authSz);
if (rc == 0) {
#ifdef WOLFBOOT_DEBUG_TPM
wolfBoot_printf("Sealed keyed hash (pub %d, priv %d bytes):\n",
Expand Down Expand Up @@ -878,7 +878,8 @@ int wolfBoot_seal(const uint8_t* pubkey_hint,
/* The unseal requires a signed policy from HDR_POLICY_SIGNATURE */
int wolfBoot_unseal_blob(const uint8_t* pubkey_hint,
const uint8_t* policy, uint16_t policySz,
WOLFTPM2_KEYBLOB* seal_blob, uint8_t* secret, int* secret_sz)
WOLFTPM2_KEYBLOB* seal_blob, uint8_t* secret, int* secret_sz,
const uint8_t* auth, int authSz)
{
int rc, i;
WOLFTPM2_SESSION policy_session;
Expand Down Expand Up @@ -1004,6 +1005,8 @@ int wolfBoot_unseal_blob(const uint8_t* pubkey_hint,
wolfBoot_printf("Loaded seal blob to 0x%x\n",
(uint32_t)seal_blob->handle.hndl);
#endif
seal_blob->handle.auth.size = authSz;
memcpy(seal_blob->handle.auth.buffer, auth, authSz);
wolfTPM2_SetAuthHandle(&wolftpm_dev, 0, &seal_blob->handle);

/* unseal */
Expand Down Expand Up @@ -1038,10 +1041,8 @@ int wolfBoot_unseal_auth(const uint8_t* pubkey_hint,
rc = wolfBoot_read_blob(WOLFBOOT_TPM_SEAL_NV_BASE + index, &seal_blob,
NULL, 0);
if (rc == 0) {
seal_blob.handle.auth.size = authSz;
memcpy(seal_blob.handle.auth.buffer, auth, authSz);
rc = wolfBoot_unseal_blob(pubkey_hint, policy, policySz, &seal_blob,
secret, secret_sz);
secret, secret_sz, auth, authSz);
#ifdef WOLFBOOT_DEBUG_TPM
if (rc == 0) {
wolfBoot_printf("Unsealed keyed hash (pub %d, priv %d bytes):\n",
Expand Down

0 comments on commit 96d55c8

Please sign in to comment.