From ac7f43624b6817322115c35270ab1200066d654c Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 24 Oct 2023 13:12:35 -0700 Subject: [PATCH] Fix for unseal not properly using auth. --- include/tpm.h | 4 ++-- src/tpm.c | 17 +++++++++-------- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/include/tpm.h b/include/tpm.h index a1fc89bcb..a70c7902d 100644 --- a/include/tpm.h +++ b/include/tpm.h @@ -75,13 +75,13 @@ int wolfBoot_seal(const uint8_t* pubkey_hint, const uint8_t* policy, uint16_t po int wolfBoot_seal_auth(const uint8_t* pubkey_hint, const uint8_t* policy, uint16_t policySz, int index, const uint8_t* secret, int secret_sz, const uint8_t* auth, int authSz); int wolfBoot_seal_blob(const uint8_t* pubkey_hint, const uint8_t* policy, uint16_t policySz, - WOLFTPM2_KEYBLOB* seal_blob, const uint8_t* secret, int secret_sz); + WOLFTPM2_KEYBLOB* seal_blob, const uint8_t* secret, int secret_sz, const uint8_t* auth, int authSz); int wolfBoot_unseal(const uint8_t* pubkey_hint, const uint8_t* policy, uint16_t policySz, int index, uint8_t* secret, int* secret_sz); int wolfBoot_unseal_auth(const uint8_t* pubkey_hint, const uint8_t* policy, uint16_t policySz, int index, uint8_t* secret, int* secret_sz, const uint8_t* auth, int authSz); int wolfBoot_unseal_blob(const uint8_t* pubkey_hint, const uint8_t* policy, uint16_t policySz, - WOLFTPM2_KEYBLOB* seal_blob, uint8_t* secret, int* secret_sz); + WOLFTPM2_KEYBLOB* seal_blob, uint8_t* secret, int* secret_sz, const uint8_t* auth, int authSz); int wolfBoot_read_blob(uint32_t nvIndex, WOLFTPM2_KEYBLOB* blob, const uint8_t* auth, uint32_t authSz); diff --git a/src/tpm.c b/src/tpm.c index 8990dd463..d6c7049f0 100644 --- a/src/tpm.c +++ b/src/tpm.c @@ -741,7 +741,8 @@ int wolfBoot_delete_blob(TPMI_RH_NV_AUTH authHandle, uint32_t nvIndex, /* The secret is sealed based on a policy authorization from a public key. */ int wolfBoot_seal_blob(const uint8_t* pubkey_hint, const uint8_t* policy, uint16_t policySz, - WOLFTPM2_KEYBLOB* seal_blob, const uint8_t* secret, int secret_sz) + WOLFTPM2_KEYBLOB* seal_blob, const uint8_t* secret, int secret_sz, + const uint8_t* auth, int authSz) { int rc; WOLFTPM2_SESSION policy_session; @@ -802,8 +803,7 @@ int wolfBoot_seal_blob(const uint8_t* pubkey_hint, /* Create a new key for sealing using external signing auth */ wolfTPM2_GetKeyTemplate_KeySeal(&template, pcrAlg); rc = wolfTPM2_CreateKeySeal_ex(&wolftpm_dev, seal_blob, - &wolftpm_srk.handle, &template, - seal_blob->handle.auth.buffer, seal_blob->handle.auth.size, + &wolftpm_srk.handle, &template, auth, authSz, pcrAlg, NULL, 0, secret, secret_sz); } @@ -831,7 +831,7 @@ int wolfBoot_seal_auth(const uint8_t* pubkey_hint, /* creates a sealed keyed hash object (not loaded to TPM) */ rc = wolfBoot_seal_blob(pubkey_hint, policy, policySz, &seal_blob, - secret, secret_sz); + secret, secret_sz, auth, authSz); if (rc == 0) { #ifdef WOLFBOOT_DEBUG_TPM wolfBoot_printf("Sealed keyed hash (pub %d, priv %d bytes):\n", @@ -878,7 +878,8 @@ int wolfBoot_seal(const uint8_t* pubkey_hint, /* The unseal requires a signed policy from HDR_POLICY_SIGNATURE */ int wolfBoot_unseal_blob(const uint8_t* pubkey_hint, const uint8_t* policy, uint16_t policySz, - WOLFTPM2_KEYBLOB* seal_blob, uint8_t* secret, int* secret_sz) + WOLFTPM2_KEYBLOB* seal_blob, uint8_t* secret, int* secret_sz, + const uint8_t* auth, int authSz) { int rc, i; WOLFTPM2_SESSION policy_session; @@ -1004,6 +1005,8 @@ int wolfBoot_unseal_blob(const uint8_t* pubkey_hint, wolfBoot_printf("Loaded seal blob to 0x%x\n", (uint32_t)seal_blob->handle.hndl); #endif + seal_blob->handle.auth.size = authSz; + memcpy(seal_blob->handle.auth.buffer, auth, authSz); wolfTPM2_SetAuthHandle(&wolftpm_dev, 0, &seal_blob->handle); /* unseal */ @@ -1038,10 +1041,8 @@ int wolfBoot_unseal_auth(const uint8_t* pubkey_hint, rc = wolfBoot_read_blob(WOLFBOOT_TPM_SEAL_NV_BASE + index, &seal_blob, NULL, 0); if (rc == 0) { - seal_blob.handle.auth.size = authSz; - memcpy(seal_blob.handle.auth.buffer, auth, authSz); rc = wolfBoot_unseal_blob(pubkey_hint, policy, policySz, &seal_blob, - secret, secret_sz); + secret, secret_sz, auth, authSz); #ifdef WOLFBOOT_DEBUG_TPM if (rc == 0) { wolfBoot_printf("Unsealed keyed hash (pub %d, priv %d bytes):\n",