Fixes and improvements for secret sealing/unsealing:

* Do not set userWithAuth by default when creating sealed objects. That flag allows password auth for the sealed object. Without the flag it only allows policy auth. * Allow setting policy auth with flags. * Fix secret_unseal to use policy session and valid sealed name. * Added expected failure test cases for seal/unseal with policy. * Improve the run_examples.sh script
wolfSSL · Feb 2, 2024 · c34a0c2 · c34a0c2
1 parent 0adf473
commit c34a0c2
Show file tree

Hide file tree

Showing 5 changed files with 167 additions and 106 deletions.
diff --git a/examples/boot/secret_unseal.c b/examples/boot/secret_unseal.c
@@ -325,7 +325,14 @@ int TPM2_Boot_SecretUnseal_Example(void* userCtx, int argc, char *argv[])
         goto exit;
     }
     printf("Loaded sealBlob to 0x%x\n", (word32)sealBlob.handle.hndl);
-    wolfTPM2_SetAuthHandle(&dev, 0, &sealBlob.handle);
+
+    /* use the policy session for unseal */
+    rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession,
+        (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt |
+        TPMA_SESSION_continueSession));
+    if (rc != 0) goto exit;
+    /* set the sealed object name 0 (required) */
+    wolfTPM2_SetAuthHandleName(&dev, 0, &sealBlob.handle);
 
     /* unseal */
     unsealIn.itemHandle = sealBlob.handle.hndl;