/* SPDX-License-Identifier: BSD-3-Clause */ #include #include #include #include "log.h" #include "object.h" #include "tool_rc.h" #include "tpm2.h" #include "tpm2_alg_util.h" #include "tpm2_auth_util.h" #include "tpm2_openssl.h" #include "tpm2_session.h" #include "tpm2_tool.h" #include "config.h" #define TPM2_ERROR_TSS2_RC_ERROR_MASK 0xFFFF static inline UINT16 tpm2_error_get(TSS2_RC rc) { return ((rc & TPM2_ERROR_TSS2_RC_ERROR_MASK)); } tool_rc tpm2_readpublic(ESYS_CONTEXT *esys_context, ESYS_TR object_handle, TPM2B_PUBLIC **out_public, TPM2B_NAME **name, TPM2B_NAME **qualified_name) { TSS2_RC rval = Esys_ReadPublic(esys_context, object_handle, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, out_public, name, qualified_name); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_ReadPublic, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_from_tpm_public(ESYS_CONTEXT *esys_context, TPM2_HANDLE tpm_handle, ESYS_TR optional_session1, ESYS_TR optional_session2, ESYS_TR optional_session3, ESYS_TR *object) { TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, tpm_handle, optional_session1, optional_session2, optional_session3, object); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_TR_FromTPMPublic, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_tr_deserialize(ESYS_CONTEXT *esys_context, uint8_t const *buffer, size_t buffer_size, ESYS_TR *esys_handle) { TSS2_RC rval = Esys_TR_Deserialize(esys_context, buffer, buffer_size, esys_handle); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_TR_Deserialize, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_tr_serialize(ESYS_CONTEXT *esys_context, ESYS_TR object, uint8_t **buffer, size_t *buffer_size) { TSS2_RC rval = Esys_TR_Serialize(esys_context, object, buffer, buffer_size); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_TR_Serialize, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_tr_get_name(ESYS_CONTEXT *esys_context, ESYS_TR handle, TPM2B_NAME **name) { TSS2_RC rval = Esys_TR_GetName(esys_context, handle, name); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_TR_GetName, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_close(ESYS_CONTEXT *esys_context, ESYS_TR *rsrc_handle) { TSS2_RC rval = Esys_TR_Close(esys_context, rsrc_handle); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_TR_Close, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_nv_readpublic(ESYS_CONTEXT *esys_context, ESYS_TR nv_index, TPM2B_NV_PUBLIC **nv_public, TPM2B_NAME **nv_name) { TSS2_RC rval = Esys_NV_ReadPublic(esys_context, nv_index, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, nv_public, nv_name); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_NV_ReadPublic, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_getcap(ESYS_CONTEXT *esys_context, TPM2_CAP capability, UINT32 property, UINT32 property_count, TPMI_YES_NO *more_data, TPMS_CAPABILITY_DATA **capability_data) { TSS2_RC rval = Esys_GetCapability(esys_context, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, capability, property, property_count, more_data, capability_data); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_NV_ReadPublic, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_nv_read(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy_obj, TPM2_HANDLE nv_index, UINT16 size, UINT16 offset, TPM2B_MAX_NV_BUFFER **data, TPM2B_DIGEST *cp_hash) { ESYS_TR esys_tr_nv_handle; TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, nv_index, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &esys_tr_nv_handle); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_TR_FromTPMPublic, rval); return tool_rc_from_tpm(rval); } ESYS_TR auth_hierarchy_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy_obj->tr_handle, auth_hierarchy_obj->session, &auth_hierarchy_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } rval = Tss2_Sys_NV_Read_Prepare(sys_context, auth_hierarchy_obj->handle, nv_index, size, offset); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_NV_Read_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_nvread_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, esys_tr_nv_handle, &name2); if (rc != tool_rc_success) { goto tpm2_nvread_free_name1_name2; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, tpm2_session_get_authhash(auth_hierarchy_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_nvread_free_name1_name2: Esys_Free(name2); tpm2_nvread_free_name1: Esys_Free(name1); goto tpm2_nvread_skip_esapi_call; } rval = Esys_NV_Read(esys_context, auth_hierarchy_obj->tr_handle, esys_tr_nv_handle, auth_hierarchy_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, size, offset, data); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_NV_Read, rval); return tool_rc_from_tpm(rval); } tpm2_nvread_skip_esapi_call: return rc; } tool_rc tpm2_context_save(ESYS_CONTEXT *esys_context, ESYS_TR save_handle, TPMS_CONTEXT **context) { TSS2_RC rval = Esys_ContextSave(esys_context, save_handle, context); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_ContextSave, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_context_load(ESYS_CONTEXT *esys_context, const TPMS_CONTEXT *context, ESYS_TR *loaded_handle) { TSS2_RC rval = Esys_ContextLoad(esys_context, context, loaded_handle); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_ContextLoad, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_flush_context(ESYS_CONTEXT *esys_context, ESYS_TR flush_handle) { TSS2_RC rval = Esys_FlushContext(esys_context, flush_handle); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_FlushContext, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_start_auth_session(ESYS_CONTEXT *esys_context, ESYS_TR tpm_key, ESYS_TR bind, const TPM2B_NONCE *nonce_caller, TPM2_SE session_type, const TPMT_SYM_DEF *symmetric, TPMI_ALG_HASH auth_hash, ESYS_TR *session_handle) { TSS2_RC rval = Esys_StartAuthSession(esys_context, tpm_key, bind, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, nonce_caller, session_type, symmetric, auth_hash, session_handle); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_StartAuthSession, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_sess_set_attributes(ESYS_CONTEXT *esys_context, ESYS_TR session, TPMA_SESSION flags, TPMA_SESSION mask) { TSS2_RC rval = Esys_TRSess_SetAttributes(esys_context, session, flags, mask); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_TRSess_SetAttributes, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_sess_get_attributes(ESYS_CONTEXT *esys_context, ESYS_TR session, TPMA_SESSION *flags) { TSS2_RC rval = Esys_TRSess_GetAttributes(esys_context, session, flags); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_TRSess_GetAttributes, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_sess_get_noncetpm(ESYS_CONTEXT *esys_context, ESYS_TR session_handle, TPM2B_NONCE **nonce_tpm) { TSS2_RC rval = Esys_TRSess_GetNonceTPM(esys_context, session_handle, nonce_tpm); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_TRSess_GetNonceTPM, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_restart(ESYS_CONTEXT *esys_context, ESYS_TR session_handle, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3) { TSS2_RC rval = Esys_PolicyRestart(esys_context, session_handle, shandle1, shandle2, shandle3); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyRestart, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_get_capability(ESYS_CONTEXT *esys_context, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3, TPM2_CAP capability, UINT32 property, UINT32 property_count, TPMI_YES_NO *more_data, TPMS_CAPABILITY_DATA **capability_data) { TSS2_RC rval = Esys_GetCapability(esys_context, shandle1, shandle2, shandle3, capability, property, property_count, more_data, capability_data); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_GetCapability, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_create_primary(ESYS_CONTEXT *esys_context, ESYS_TR primary_handle, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3, const TPM2B_SENSITIVE_CREATE *in_sensitive, const TPM2B_PUBLIC *in_public, const TPM2B_DATA *outside_info, const TPML_PCR_SELECTION *creation_pcr, ESYS_TR *object_handle, TPM2B_PUBLIC **out_public, TPM2B_CREATION_DATA **creation_data, TPM2B_DIGEST **creation_hash, TPMT_TK_CREATION **creation_ticket) { TSS2_RC rval = Esys_CreatePrimary(esys_context, primary_handle, shandle1, shandle2, shandle3, in_sensitive, in_public, outside_info, creation_pcr, object_handle, out_public, creation_data, creation_hash, creation_ticket); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_CreatePrimary, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_pcr_read(ESYS_CONTEXT *esys_context, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3, const TPML_PCR_SELECTION *pcr_selection_in, UINT32 *pcr_update_counter, TPML_PCR_SELECTION **pcr_selection_out, TPML_DIGEST **pcr_values) { TSS2_RC rval = Esys_PCR_Read(esys_context, shandle1, shandle2, shandle3, pcr_selection_in, pcr_update_counter, pcr_selection_out, pcr_values); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PCR_Read, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_authorize(ESYS_CONTEXT *esys_context, ESYS_TR policy_session, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3, const TPM2B_DIGEST *approved_policy, const TPM2B_NONCE *policy_ref, const TPM2B_NAME *key_sign, const TPMT_TK_VERIFIED *check_ticket) { TSS2_RC rval = Esys_PolicyAuthorize(esys_context, policy_session, shandle1, shandle2, shandle3, approved_policy, policy_ref, key_sign, check_ticket); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyAuthorize, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_or(ESYS_CONTEXT *esys_context, ESYS_TR policy_session, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3, const TPML_DIGEST *p_hash_list) { TSS2_RC rval = Esys_PolicyOR(esys_context, policy_session, shandle1, shandle2, shandle3, p_hash_list); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyAuthorize, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_namehash(ESYS_CONTEXT *esys_context, ESYS_TR policy_session, const TPM2B_DIGEST *name_hash) { TSS2_RC rval = Esys_PolicyNameHash(esys_context, policy_session, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, name_hash); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyNameHash, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_template(ESYS_CONTEXT *esys_context, ESYS_TR policy_session, const TPM2B_DIGEST *template_hash) { TSS2_RC rval = Esys_PolicyTemplate(esys_context, policy_session, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, template_hash); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyTemplate, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_cphash(ESYS_CONTEXT *esys_context, ESYS_TR policy_session, const TPM2B_DIGEST *cphash) { TSS2_RC rval = Esys_PolicyCpHash(esys_context, policy_session, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, cphash); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyCpHash, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_pcr(ESYS_CONTEXT *esys_context, ESYS_TR policy_session, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3, const TPM2B_DIGEST *pcr_digest, const TPML_PCR_SELECTION *pcrs) { TSS2_RC rval = Esys_PolicyPCR(esys_context, policy_session, shandle1, shandle2, shandle3, pcr_digest, pcrs); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyPCR, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_password(ESYS_CONTEXT *esys_context, ESYS_TR policy_session, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3) { TSS2_RC rval = Esys_PolicyPassword(esys_context, policy_session, shandle1, shandle2, shandle3); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyPassword, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_signed(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_entity_obj, ESYS_TR policy_session, const TPMT_SIGNATURE *signature, INT32 expiration, TPM2B_TIMEOUT **timeout, TPMT_TK_AUTH **policy_ticket, TPM2B_NONCE *policy_qualifier, TPM2B_NONCE *nonce_tpm, TPM2B_DIGEST *cphash) { TSS2_RC rval = Esys_PolicySigned(esys_context, auth_entity_obj->tr_handle, policy_session, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, nonce_tpm, cphash, policy_qualifier, expiration, signature, timeout, policy_ticket); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicySigned, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_ticket(ESYS_CONTEXT *esys_context, ESYS_TR policy_session, const TPM2B_TIMEOUT *timeout, const TPM2B_NONCE *policyref, const TPM2B_NAME *authname, const TPMT_TK_AUTH *ticket) { TSS2_RC rval = Esys_PolicyTicket(esys_context, policy_session, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, timeout, NULL, policyref, authname, ticket); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicySigned, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_authvalue(ESYS_CONTEXT *esys_context, ESYS_TR policy_session, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3) { TSS2_RC rval = Esys_PolicyAuthValue(esys_context, policy_session, shandle1, shandle2, shandle3); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyAuthValue, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_authorize_nv(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy_obj, TPM2_HANDLE nv_index, ESYS_TR policy_session, TPM2B_DIGEST *cp_hash) { ESYS_TR esys_tr_nv_index; TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, nv_index, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &esys_tr_nv_index); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_TR_FromTPMPublic, rval); return tool_rc_from_tpm(rval); } ESYS_TR auth_hierarchy_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy_obj->tr_handle, auth_hierarchy_obj->session, &auth_hierarchy_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get auth entity obj session"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } rval = Tss2_Sys_PolicyAuthorizeNV_Prepare(sys_context, auth_hierarchy_obj->handle, nv_index, policy_session); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_PolicyAuthorizeNV_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_policyauthorizenv_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, esys_tr_nv_index, &name2); if (rc != tool_rc_success) { goto tpm2_policyauthorizenv_free_name1_name2; } TPM2B_NAME *name3 = NULL; rc = tpm2_tr_get_name(esys_context, policy_session, &name3); if (rc != tool_rc_success) { goto tpm2_policyauthorizenv_free_name1_name2_name3; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, name2, name3, tpm2_session_get_authhash(auth_hierarchy_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_policyauthorizenv_free_name1_name2_name3: Esys_Free(name3); tpm2_policyauthorizenv_free_name1_name2: Esys_Free(name2); tpm2_policyauthorizenv_free_name1: Esys_Free(name1); goto tpm2_policyauthorizenv_skip_esapi_call; } rval = Esys_PolicyAuthorizeNV(esys_context, auth_hierarchy_obj->tr_handle, esys_tr_nv_index, policy_session, auth_hierarchy_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyAuthorizeNV, rval); return tool_rc_from_tpm(rval); } tpm2_policyauthorizenv_skip_esapi_call: return rc; } tool_rc tpm2_policy_nv(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy_obj, TPM2_HANDLE nv_index, ESYS_TR policy_session, const TPM2B_OPERAND *operand_b, UINT16 offset, TPM2_EO operation, TPM2B_DIGEST *cp_hash) { ESYS_TR esys_tr_nv_index; TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, nv_index, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &esys_tr_nv_index); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_TR_FromTPMPublic, rval); return tool_rc_from_tpm(rval); } ESYS_TR auth_entity_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy_obj->tr_handle, auth_hierarchy_obj->session, &auth_entity_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get auth entity obj session"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } rval = Tss2_Sys_PolicyNV_Prepare(sys_context, auth_hierarchy_obj->handle, nv_index, policy_session, operand_b, offset, operation); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_PolicyNV_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_policynv_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, esys_tr_nv_index, &name2); if (rc != tool_rc_success) { goto tpm2_policynv_free_name1_name2; } TPM2B_NAME *name3 = NULL; rc = tpm2_tr_get_name(esys_context, policy_session, &name3); if (rc != tool_rc_success) { goto tpm2_policynv_free_name1_name2_name3; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, name2, name3, tpm2_session_get_authhash(auth_hierarchy_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_policynv_free_name1_name2_name3: Esys_Free(name3); tpm2_policynv_free_name1_name2: Esys_Free(name2); tpm2_policynv_free_name1: Esys_Free(name1); goto tpm2_policynv_skip_esapi_out; } rval = Esys_PolicyNV(esys_context, auth_hierarchy_obj->tr_handle, esys_tr_nv_index, policy_session, auth_entity_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, operand_b, offset, operation); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyNV, rval); return tool_rc_from_tpm(rval); } tpm2_policynv_skip_esapi_out: return rc; } tool_rc tpm2_policy_countertimer(ESYS_CONTEXT *esys_context, ESYS_TR policy_session, const TPM2B_OPERAND *operand_b, UINT16 offset, TPM2_EO operation) { TSS2_RC rval = Esys_PolicyCounterTimer(esys_context, policy_session, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, operand_b, offset, operation); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyCounterTimer, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_secret(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_entity_obj, ESYS_TR policy_session, INT32 expiration, TPMT_TK_AUTH **policy_ticket, TPM2B_TIMEOUT **timeout, TPM2B_NONCE *nonce_tpm, TPM2B_NONCE *policy_qualifier, TPM2B_DIGEST *cp_hash) { const TPM2B_DIGEST *cphash = NULL; ESYS_TR auth_entity_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_entity_obj->tr_handle, auth_entity_obj->session, &auth_entity_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get auth entity obj session"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_PolicySecret_Prepare(sys_context, auth_entity_obj->handle, policy_session, nonce_tpm, cphash, policy_qualifier, expiration); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_PolicySecret_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_entity_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_policysecret_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, policy_session, &name2); if (rc != tool_rc_success) { goto tpm2_policysecret_free_name1_name2; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_entity_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, tpm2_session_get_authhash(auth_entity_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_policysecret_free_name1_name2: Esys_Free(name2); tpm2_policysecret_free_name1: Esys_Free(name1); goto tpm2_policysecret_skip_esapi_call; } TSS2_RC rval = Esys_PolicySecret(esys_context, auth_entity_obj->tr_handle, policy_session, auth_entity_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, nonce_tpm, cphash, policy_qualifier, expiration, timeout, policy_ticket); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicySecret, rval); return tool_rc_from_tpm(rval); } tpm2_policysecret_skip_esapi_call: return rc; } tool_rc tpm2_policy_getdigest(ESYS_CONTEXT *esys_context, ESYS_TR policy_session, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3, TPM2B_DIGEST **policy_digest) { TSS2_RC rval = Esys_PolicyGetDigest(esys_context, policy_session, shandle1, shandle2, shandle3, policy_digest); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyGetDigest, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_command_code(ESYS_CONTEXT *esys_context, ESYS_TR policy_session, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3, TPM2_CC code) { TSS2_RC rval = Esys_PolicyCommandCode(esys_context, policy_session, shandle1, shandle2, shandle3, code); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyCommandCode, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_setcommandcodeaudit(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_entity_obj, TPMI_ALG_HASH hash_algorithm, const TPML_CC *setlist, const TPML_CC *clearlist) { ESYS_TR auth_entity_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_entity_obj->tr_handle, auth_entity_obj->session, &auth_entity_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get auth entity obj session"); return rc; } TSS2_RC rval = Esys_SetCommandCodeAuditStatus(esys_context, auth_entity_obj->tr_handle, auth_entity_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, hash_algorithm, setlist, clearlist); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_SetCommandCodeAuditStatus, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_getcommandauditdigest(ESYS_CONTEXT *esys_context, tpm2_loaded_object *privacy_object, tpm2_loaded_object *sign_object, TPMT_SIG_SCHEME *in_scheme, TPM2B_DATA *qualifying_data, TPM2B_ATTEST **audit_info, TPMT_SIGNATURE **signature) { ESYS_TR privacy_object_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, privacy_object->tr_handle, privacy_object->session, &privacy_object_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get auth entity obj session"); return rc; } ESYS_TR sign_object_session_handle = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(esys_context, sign_object->tr_handle, sign_object->session, &sign_object_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get auth entity obj session"); return rc; } TSS2_RC rval = Esys_GetCommandAuditDigest(esys_context, privacy_object->tr_handle, sign_object->tr_handle, privacy_object_session_handle, sign_object_session_handle, ESYS_TR_NONE, qualifying_data, in_scheme, audit_info, signature); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_GetCommandAuditDigest, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } static tool_rc evaluate_sessions_for_audit(ESYS_CONTEXT *ectx, ESYS_TR audit_session_handle) { //Check if session is an audit session from the attributes TPMA_SESSION attrs; tool_rc rc = tpm2_sess_get_attributes(ectx, audit_session_handle, &attrs); if (rc != tool_rc_success) { return rc; } if (!(attrs & TPMA_SESSION_AUDIT)) { LOG_ERR("Session does not have audit attributes setup."); return tool_rc_general_error; } return tool_rc_success; } tool_rc tpm2_getsessionauditdigest(ESYS_CONTEXT *esys_context, tpm2_loaded_object *privacy_object, tpm2_loaded_object *sign_object, TPMT_SIG_SCHEME *in_scheme, TPM2B_DATA *qualifying_data, TPM2B_ATTEST **audit_info, TPMT_SIGNATURE **signature, ESYS_TR audit_session_handle) { tool_rc rc = audit_session_handle == ESYS_TR_NONE ? tool_rc_general_error : evaluate_sessions_for_audit(esys_context, audit_session_handle); if (rc != tool_rc_success) { return rc; } ESYS_TR privacy_object_session_handle = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(esys_context, privacy_object->tr_handle, privacy_object->session, &privacy_object_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get auth entity obj session"); return rc; } ESYS_TR sign_object_session_handle = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(esys_context, sign_object->tr_handle, sign_object->session, &sign_object_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get auth entity obj session"); return rc; } TSS2_RC rval = Esys_GetSessionAuditDigest(esys_context, privacy_object->tr_handle, sign_object->tr_handle, audit_session_handle, privacy_object_session_handle, sign_object_session_handle, ESYS_TR_NONE, qualifying_data, in_scheme, audit_info, signature); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_GetCommandAuditDigest, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_nv_written(ESYS_CONTEXT *esys_context, ESYS_TR policy_session, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3, TPMI_YES_NO written_set) { TSS2_RC rval = Esys_PolicyNvWritten(esys_context, policy_session, shandle1, shandle2, shandle3, written_set); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyNVWritten, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_locality(ESYS_CONTEXT *esys_context, ESYS_TR policy_session, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3, TPMA_LOCALITY locality) { TSS2_RC rval = Esys_PolicyLocality(esys_context, policy_session, shandle1, shandle2, shandle3, locality); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyLocality, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_policy_duplication_select(ESYS_CONTEXT *esys_context, ESYS_TR policy_session, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3, const TPM2B_NAME *object_name, const TPM2B_NAME *new_parent_name, TPMI_YES_NO include_object) { TSS2_RC rval = Esys_PolicyDuplicationSelect(esys_context, policy_session, shandle1, shandle2, shandle3, object_name, new_parent_name, include_object); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PolicyDuplicationSelect, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_mu_tpm2_handle_unmarshal(uint8_t const buffer[], size_t size, size_t *offset, TPM2_HANDLE *out) { TSS2_RC rval = Tss2_MU_TPM2_HANDLE_Unmarshal(buffer, size, offset, out); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Tss2_MU_TPM2_HANDLE_Unmarshal, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_mu_tpmt_public_marshal(TPMT_PUBLIC const *src, uint8_t buffer[], size_t buffer_size, size_t *offset) { TSS2_RC rval = Tss2_MU_TPMT_PUBLIC_Marshal(src, buffer, buffer_size, offset); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Tss2_MU_TPMT_PUBLIC_Marshal, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_evictcontrol(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy_obj, tpm2_loaded_object *to_persist_key_obj, TPMI_DH_PERSISTENT persistent_handle, ESYS_TR *new_object_handle, TPM2B_DIGEST *cp_hash) { ESYS_TR shandle1 = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy_obj->tr_handle, auth_hierarchy_obj->session, &shandle1); if (rc != tool_rc_success) { return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_EvictControl_Prepare(sys_context, auth_hierarchy_obj->handle, to_persist_key_obj->handle, persistent_handle); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_EvictControl_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_evictcontrol_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, to_persist_key_obj->tr_handle, &name2); if (rc != tool_rc_success) { goto tpm2_evictcontrol_free_name1_name2; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, tpm2_session_get_authhash(auth_hierarchy_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_evictcontrol_free_name1_name2: Esys_Free(name2); tpm2_evictcontrol_free_name1: Esys_Free(name1); goto tpm2_evictcontrol_skip_esapi_call; } TSS2_RC rval = Esys_EvictControl(esys_context, auth_hierarchy_obj->tr_handle, to_persist_key_obj->tr_handle, shandle1, ESYS_TR_NONE, ESYS_TR_NONE, persistent_handle, new_object_handle); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_EvictControl, rval); return tool_rc_from_tpm(rval); } tpm2_evictcontrol_skip_esapi_call: return rc; } /* This function addresses ESAPI change that changes parameter type from * Esys_TR to TPMI_RH_HIERARCHY or TPMI_RH_ENABLES and breaks backwards * compatibility. * To keep the tools parameters consistent after v4.0 release we need to * map the values to appropriate type based on the version of the ESYS API. * Note: the mapping is based on the ESYS version recognized at compile time. * The TSS change can be found here: * https://github.com/tpm2-software/tpm2-tss/pull/1531 */ TSS2_RC fix_esys_hierarchy(uint32_t in, uint32_t *out) { #if defined(ESYS_3_0) switch (in) { case ESYS_TR_RH_NULL: /* FALLTHRU */ case ESYS_TR_RH_OWNER: /* FALLTHRU */ case ESYS_TR_RH_ENDORSEMENT: /* FALLTHRU */ case ESYS_TR_RH_PLATFORM: /* FALLTHRU */ case ESYS_TR_RH_PLATFORM_NV: *out = in; return TSS2_RC_SUCCESS; case TPM2_RH_NULL: *out = ESYS_TR_RH_NULL; return TSS2_RC_SUCCESS; case TPM2_RH_OWNER: *out = ESYS_TR_RH_OWNER; return TSS2_RC_SUCCESS; case TPM2_RH_ENDORSEMENT: *out = ESYS_TR_RH_ENDORSEMENT; return TSS2_RC_SUCCESS; case TPM2_RH_PLATFORM: *out = ESYS_TR_RH_PLATFORM; return TSS2_RC_SUCCESS; case TPM2_RH_PLATFORM_NV: *out = ESYS_TR_RH_PLATFORM_NV; return TSS2_RC_SUCCESS; default: LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", in); return TSS2_ESYS_RC_BAD_VALUE; } #elif defined(ESYS_2_3) *out = in; return TSS2_RC_SUCCESS; #else #error "Need to define either ESYS_3_0 or ESYS_2_3" #endif } tool_rc tpm2_hash(ESYS_CONTEXT *esys_context, ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3, const TPM2B_MAX_BUFFER *data, TPMI_ALG_HASH hash_alg, TPMI_RH_HIERARCHY hierarchy, TPM2B_DIGEST **out_hash, TPMT_TK_HASHCHECK **validation) { TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy); if (rval != TSS2_RC_SUCCESS) { LOG_ERR("Unknown hierarchy"); return tool_rc_from_tpm(rval); } rval = Esys_Hash(esys_context, shandle1, shandle2, shandle3, data, hash_alg, hierarchy, out_hash, validation); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_Hash, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_hash_sequence_start(ESYS_CONTEXT *esys_context, const TPM2B_AUTH *auth, TPMI_ALG_HASH hash_alg, ESYS_TR *sequence_handle) { TSS2_RC rval = Esys_HashSequenceStart(esys_context, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, auth, hash_alg, sequence_handle); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_HashSequenceStart, rval); return tool_rc_from_tpm(rval); } return tpm2_tr_set_auth(esys_context, *sequence_handle, auth); } tool_rc tpm2_sequence_update(ESYS_CONTEXT *esys_context, ESYS_TR sequence_handle, const TPM2B_MAX_BUFFER *buffer) { TSS2_RC rval = Esys_SequenceUpdate(esys_context, sequence_handle, ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, buffer); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_SequenceUpdate, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_sequence_complete(ESYS_CONTEXT *esys_context, ESYS_TR sequence_handle, const TPM2B_MAX_BUFFER *buffer, TPMI_RH_HIERARCHY hierarchy, TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) { TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy); if (rval != TSS2_RC_SUCCESS) { LOG_ERR("Unknown hierarchy"); return tool_rc_from_tpm(rval); } rval = Esys_SequenceComplete(esys_context, sequence_handle, ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, buffer, hierarchy, result, validation); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_SequenceComplete, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_event_sequence_complete(ESYS_CONTEXT *ectx, ESYS_TR pcr, ESYS_TR sequence_handle, tpm2_session *session, const TPM2B_MAX_BUFFER *buffer, TPML_DIGEST_VALUES **results) { ESYS_TR shandle1 = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(ectx, pcr, session, &shandle1); if (rc != tool_rc_success) { return rc; } TSS2_RC rval = Esys_EventSequenceComplete(ectx, pcr, sequence_handle, shandle1, ESYS_TR_PASSWORD, ESYS_TR_NONE, buffer, results); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_EventSequenceComplete, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_tr_set_auth(ESYS_CONTEXT *esys_context, ESYS_TR handle, TPM2B_AUTH const *auth_value) { TSS2_RC rval = Esys_TR_SetAuth(esys_context, handle, auth_value); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_SequenceComplete, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_activatecredential(ESYS_CONTEXT *esys_context, tpm2_loaded_object *activatehandleobj, tpm2_loaded_object *keyhandleobj, const TPM2B_ID_OBJECT *credential_blob, const TPM2B_ENCRYPTED_SECRET *secret, TPM2B_DIGEST **cert_info, TPM2B_DIGEST *cp_hash, TPM2B_DIGEST *rp_hash, TPMI_ALG_HASH parameter_hash_algorithm, ESYS_TR shandle3) { TSS2_SYS_CONTEXT *sys_context = NULL; tool_rc rc = tool_rc_success; if (cp_hash->size || rp_hash->size) { rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } } if (cp_hash->size) { TSS2_RC rval = Tss2_Sys_ActivateCredential_Prepare(sys_context, activatehandleobj->handle, keyhandleobj->handle, credential_blob, secret); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_ActivateCredential_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, activatehandleobj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_activatecredential_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, keyhandleobj->tr_handle, &name2); if (rc != tool_rc_success) { goto tpm2_activatecredential_free_name1_name2; } rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, parameter_hash_algorithm, cp_hash); tpm2_activatecredential_free_name1_name2: Esys_Free(name2); tpm2_activatecredential_free_name1: Esys_Free(name1); /* * Exit here without making the ESYS call since we just need the cpHash */ if (!rp_hash->size) { goto tpm2_activatecredential_skip_esapi_call; } } ESYS_TR keyobj_session_handle = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(esys_context, keyhandleobj->tr_handle, keyhandleobj->session, &keyobj_session_handle); //shandle1 if (rc != tool_rc_success) { return rc; } ESYS_TR activateobj_session_handle = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(esys_context, activatehandleobj->tr_handle, activatehandleobj->session, &activateobj_session_handle); if (rc != tool_rc_success) { return rc; } TSS2_RC rval = Esys_ActivateCredential(esys_context, activatehandleobj->tr_handle, keyhandleobj->tr_handle, activateobj_session_handle, keyobj_session_handle, shandle3, credential_blob, secret, cert_info); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_ActivateCredential, rval); rc = tool_rc_from_tpm(rval); return rc; } if (rp_hash->size) { rc = tpm2_sapi_getrphash(sys_context, rval, rp_hash, parameter_hash_algorithm); } tpm2_activatecredential_skip_esapi_call: return rc; } tool_rc tpm2_create(ESYS_CONTEXT *esys_context, tpm2_loaded_object *parent_obj, const TPM2B_SENSITIVE_CREATE *in_sensitive, const TPM2B_PUBLIC *in_public, const TPM2B_DATA *outside_info, const TPML_PCR_SELECTION *creation_pcr, TPM2B_PRIVATE **out_private, TPM2B_PUBLIC **out_public, TPM2B_CREATION_DATA **creation_data, TPM2B_DIGEST **creation_hash, TPMT_TK_CREATION **creation_ticket, TPM2B_DIGEST *cp_hash, TPM2B_DIGEST *rp_hash, TPMI_ALG_HASH parameter_hash_algorithm, ESYS_TR shandle2, ESYS_TR shandle3) { TSS2_SYS_CONTEXT *sys_context = NULL; tool_rc rc = tool_rc_success; if (cp_hash->size || rp_hash->size) { rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } } if (cp_hash->size) { TSS2_RC rval = Tss2_Sys_Create_Prepare(sys_context, parent_obj->handle, in_sensitive, in_public, outside_info, creation_pcr); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_Create_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, parent_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_create_free_name1; } rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, parameter_hash_algorithm, cp_hash); tpm2_create_free_name1: Esys_Free(name1); if (rc != tool_rc_success) { return rc; } /* * Exit here without making the ESYS call since we just need the cpHash */ if (!rp_hash->size) { goto tpm2_create_skip_esapi_call; } } ESYS_TR shandle1 = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(esys_context, parent_obj->tr_handle, parent_obj->session, &shandle1); if (rc != tool_rc_success) { return rc; } TSS2_RC rval = Esys_Create(esys_context, parent_obj->tr_handle, shandle1, shandle2, shandle3, in_sensitive, in_public, outside_info, creation_pcr, out_private, out_public, creation_data, creation_hash, creation_ticket); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_Create, rval); return tool_rc_from_tpm(rval); } if (rp_hash->size) { rc = tpm2_sapi_getrphash(sys_context, rval, rp_hash, parameter_hash_algorithm); } tpm2_create_skip_esapi_call: return rc; } tool_rc tpm2_create_loaded(ESYS_CONTEXT *esys_context, tpm2_loaded_object *parent_obj, const TPM2B_SENSITIVE_CREATE *in_sensitive, const TPM2B_TEMPLATE *in_public, ESYS_TR *object_handle, TPM2B_PRIVATE **out_private, TPM2B_PUBLIC **out_public, TPM2B_DIGEST *cp_hash, TPM2B_DIGEST *rp_hash, TPMI_ALG_HASH parameter_hash_algorithm, ESYS_TR shandle2, ESYS_TR shandle3) { TSS2_SYS_CONTEXT *sys_context = NULL; tool_rc rc = tool_rc_success; if (cp_hash->size || rp_hash->size) { rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } } if (cp_hash->size) { TSS2_RC rval = Tss2_Sys_CreateLoaded_Prepare(sys_context, parent_obj->handle, in_sensitive, in_public); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_CreateLoaded_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, parent_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_createloaded_free_name1; } rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, parameter_hash_algorithm, cp_hash); tpm2_createloaded_free_name1: Esys_Free(name1); if (rc != tool_rc_success) { return rc; } /* * Exit here without making the ESYS call since we just need the cpHash */ if (!rp_hash->size) { goto tpm2_createloaded_skip_esapi_call; } } ESYS_TR shandle1 = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(esys_context, parent_obj->tr_handle, parent_obj->session, &shandle1); if (rc != tool_rc_success) { return rc; } TSS2_RC rval = Esys_CreateLoaded(esys_context, parent_obj->tr_handle, shandle1, shandle2, shandle3, in_sensitive, in_public, object_handle, out_private, out_public); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_CreateLoaded, rval); return tool_rc_from_tpm(rval); } if (rp_hash->size) { rc = tpm2_sapi_getrphash(sys_context, rval, rp_hash, parameter_hash_algorithm); } tpm2_createloaded_skip_esapi_call: return rc; } tool_rc tpm2_object_change_auth(ESYS_CONTEXT *esys_context, tpm2_loaded_object *parent_object, tpm2_loaded_object *object, const TPM2B_AUTH *new_auth, TPM2B_PRIVATE **out_private, TPM2B_DIGEST *cp_hash, TPM2B_DIGEST *rp_hash, TPMI_ALG_HASH parameter_hash_algorithm, ESYS_TR shandle2, ESYS_TR shandle3) { TSS2_SYS_CONTEXT *sys_context = NULL; tool_rc rc = tool_rc_success; if (cp_hash->size || rp_hash->size) { rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } } if (cp_hash->size) { TSS2_RC rval = Tss2_Sys_ObjectChangeAuth_Prepare(sys_context, object->handle, parent_object->handle, new_auth); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_ObjectChangeAuth_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, object->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_objectchangeauth_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, parent_object->tr_handle, &name2); if (rc != tool_rc_success) { goto tpm2_objectchangeauth_free_name1_name2; } rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, parameter_hash_algorithm, cp_hash); tpm2_objectchangeauth_free_name1_name2: Esys_Free(name2); tpm2_objectchangeauth_free_name1: Esys_Free(name1); /* * Exit here without making the ESYS call since we just need the cpHash */ if (!rp_hash->size || rc != tool_rc_success) { goto tpm2_objectchangeauth_skip_esapi_call; } } ESYS_TR shandle1 = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(esys_context, object->tr_handle, object->session, &shandle1); if (rc != tool_rc_success) { return rc; } TSS2_RC rval = Esys_ObjectChangeAuth(esys_context, object->tr_handle, parent_object->tr_handle, shandle1, shandle2, shandle3, new_auth, out_private); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_ObjectChangeAuth, rval); return tool_rc_from_tpm(rval); } if (rp_hash->size) { rc = tpm2_sapi_getrphash(sys_context, rval, rp_hash, parameter_hash_algorithm); } tpm2_objectchangeauth_skip_esapi_call: return rc; } tool_rc tpm2_nv_change_auth(ESYS_CONTEXT *esys_context, tpm2_loaded_object *nv, const TPM2B_AUTH *new_auth, TPM2B_DIGEST *cp_hash, TPM2B_DIGEST *rp_hash, TPMI_ALG_HASH parameter_hash_algorithm, ESYS_TR shandle2, ESYS_TR shandle3) { TSS2_SYS_CONTEXT *sys_context = NULL; tool_rc rc = (cp_hash->size || rp_hash->size) ? tpm2_getsapicontext(esys_context, &sys_context) : tool_rc_success; if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } if (cp_hash->size) { TSS2_RC rval = Tss2_Sys_NV_ChangeAuth_Prepare(sys_context, nv->handle, new_auth); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_NV_ChangeAuth_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, nv->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_nvchangeauth_free_name1; } rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, parameter_hash_algorithm, cp_hash); tpm2_nvchangeauth_free_name1: Esys_Free(name1); /* * Exit here without making the ESYS call since we just need the cpHash */ if (!rp_hash->size || rc != tool_rc_success) { goto tpm2_nvchangeauth_skip_esapi_call; } } ESYS_TR shandle1 = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(esys_context, nv->tr_handle, nv->session, &shandle1); if (rc != tool_rc_success) { return rc; } TSS2_RC rval = Esys_NV_ChangeAuth(esys_context, nv->tr_handle, shandle1, shandle2, shandle3, new_auth); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_NV_ChangeAuth, rval); return tool_rc_from_tpm(rval); } if (rp_hash->size) { rc = tpm2_sapi_getrphash(sys_context, rval, rp_hash, parameter_hash_algorithm); } tpm2_nvchangeauth_skip_esapi_call: return rc; } tool_rc tpm2_hierarchy_change_auth(ESYS_CONTEXT *esys_context, tpm2_loaded_object *hierarchy, const TPM2B_AUTH *new_auth, TPM2B_DIGEST *cp_hash, TPM2B_DIGEST *rp_hash, TPMI_ALG_HASH parameter_hash_algorithm, ESYS_TR shandle2, ESYS_TR shandle3) { TSS2_SYS_CONTEXT *sys_context = NULL; tool_rc rc = (cp_hash->size || rp_hash->size) ? tpm2_getsapicontext(esys_context, &sys_context) : tool_rc_success; if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } if (cp_hash->size) { TSS2_RC rval = Tss2_Sys_HierarchyChangeAuth_Prepare(sys_context, hierarchy->handle, new_auth); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_HierarchyChangeAuth_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, hierarchy->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_hierarchychangeauth_free_name1; } rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, parameter_hash_algorithm, cp_hash); tpm2_hierarchychangeauth_free_name1: Esys_Free(name1); /* * Exit here without making the ESYS call since we just need the cpHash */ if (!rp_hash->size || rc != tool_rc_success) { goto tpm2_hierarchychangeauth_skip_esapi_call; } } ESYS_TR shandle1 = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(esys_context, hierarchy->tr_handle, hierarchy->session, &shandle1); if (rc != tool_rc_success) { return rc; } TSS2_RC rval = Esys_HierarchyChangeAuth(esys_context, hierarchy->tr_handle, shandle1, shandle2, shandle3, new_auth); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_HierarchyChangeAuth, rval); return tool_rc_from_tpm(rval); } if (rp_hash->size) { rc = tpm2_sapi_getrphash(sys_context, rval, rp_hash, parameter_hash_algorithm); } tpm2_hierarchychangeauth_skip_esapi_call: return rc; } tool_rc tpm2_certify(ESYS_CONTEXT *ectx, tpm2_loaded_object *certifiedkey_obj, tpm2_loaded_object *signingkey_obj, TPM2B_DATA *qualifying_data, TPMT_SIG_SCHEME *scheme, TPM2B_ATTEST **certify_info, TPMT_SIGNATURE **signature, TPM2B_DIGEST *cp_hash, TPM2B_DIGEST *rp_hash, TPMI_ALG_HASH parameter_hash_algorithm, ESYS_TR shandle3) { TSS2_SYS_CONTEXT *sys_context = NULL; tool_rc rc = tool_rc_success; if (cp_hash->size || rp_hash->size) { rc = tpm2_getsapicontext(ectx, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } } if (cp_hash->size) { TSS2_RC rval = Tss2_Sys_Certify_Prepare(sys_context, certifiedkey_obj->handle, signingkey_obj->handle, qualifying_data, scheme); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_Certify_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(ectx, certifiedkey_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_certify_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(ectx, signingkey_obj->tr_handle, &name2); if (rc != tool_rc_success) { goto tpm2_certify_free_name1_name2; } rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, parameter_hash_algorithm, cp_hash); tpm2_certify_free_name1_name2: Esys_Free(name2); tpm2_certify_free_name1: Esys_Free(name1); /* * Exit here without making the ESYS call since we just need the cpHash */ if (!rp_hash->size || rc != tool_rc_success) { goto tpm2_certify_skip_esapi_call; } } ESYS_TR certifiedkey_session_handle = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(ectx, certifiedkey_obj->tr_handle, certifiedkey_obj->session, &certifiedkey_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get session handle for TPM object"); return rc; } ESYS_TR signingkey_session_handle = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(ectx, signingkey_obj->tr_handle, signingkey_obj->session, &signingkey_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get session handle for key"); return rc; } TSS2_RC rval = Esys_Certify(ectx, certifiedkey_obj->tr_handle, signingkey_obj->tr_handle, certifiedkey_session_handle, signingkey_session_handle, shandle3, qualifying_data, scheme, certify_info, signature); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Eys_Certify, rval); rc = tool_rc_from_tpm(rval); return rc; } if (rp_hash->size) { rc = tpm2_sapi_getrphash(sys_context, rval, rp_hash, parameter_hash_algorithm); } tpm2_certify_skip_esapi_call: return rc; } tool_rc tpm2_rsa_decrypt(ESYS_CONTEXT *ectx, tpm2_loaded_object *keyobj, const TPM2B_PUBLIC_KEY_RSA *cipher_text, const TPMT_RSA_DECRYPT *scheme, const TPM2B_DATA *label, TPM2B_PUBLIC_KEY_RSA **message, TPM2B_DIGEST *cp_hash) { ESYS_TR keyobj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(ectx, keyobj->tr_handle, keyobj->session, &keyobj_session_handle); if (rc != tool_rc_success) { return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(ectx, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_RSA_Decrypt_Prepare(sys_context, keyobj->handle, cipher_text, scheme, label); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_RSA_Decrypt_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(ectx, keyobj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_rsadecrypt_free_name1; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(keyobj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, tpm2_session_get_authhash(keyobj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_rsadecrypt_free_name1: Esys_Free(name1); goto tpm2_rsadecrypt_skip_esapi_call; } TSS2_RC rval = Esys_RSA_Decrypt(ectx, keyobj->tr_handle, keyobj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, cipher_text, scheme, label, message); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_RSA_Decrypt, rval); return tool_rc_from_tpm(rval); } tpm2_rsadecrypt_skip_esapi_call: return rc; } tool_rc tpm2_rsa_encrypt(ESYS_CONTEXT *ectx, tpm2_loaded_object *keyobj, const TPM2B_PUBLIC_KEY_RSA *message, const TPMT_RSA_DECRYPT *scheme, const TPM2B_DATA *label, TPM2B_PUBLIC_KEY_RSA **cipher_text) { TSS2_RC rval = Esys_RSA_Encrypt(ectx, keyobj->tr_handle, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, message, scheme, label, cipher_text); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_RSA_Encrypt, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_load(ESYS_CONTEXT *esys_context, tpm2_loaded_object *parentobj, const TPM2B_PRIVATE *in_private, const TPM2B_PUBLIC *in_public, ESYS_TR *object_handle, TPM2B_DIGEST *cp_hash) { ESYS_TR parent_object_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, parentobj->tr_handle, parentobj->session, &parent_object_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get parent object session handle"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_Load_Prepare(sys_context, parentobj->handle, in_private, in_public); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_Load_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, parentobj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_load_free_name1; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(parentobj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, tpm2_session_get_authhash(parentobj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_load_free_name1: Esys_Free(name1); goto tpm2_load_skip_esapi_call; } TSS2_RC rval = Esys_Load(esys_context, parentobj->tr_handle, parent_object_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, in_private, in_public, object_handle); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Eys_Load, rval); return tool_rc_from_tpm(rval); } tpm2_load_skip_esapi_call: return rc; } tool_rc tpm2_clear(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy, TPM2B_DIGEST *cp_hash) { ESYS_TR shandle1 = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy->tr_handle, auth_hierarchy->session, &shandle1); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle for hierarchy"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_Clear_Prepare(sys_context, auth_hierarchy->handle); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_Clear_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_clear_free_name1; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy->session)); rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, tpm2_session_get_authhash(auth_hierarchy->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_clear_free_name1: Esys_Free(name1); goto tpm2_clear_skip_esapi_call; } TSS2_RC rval = Esys_Clear(esys_context, auth_hierarchy->tr_handle, shandle1, ESYS_TR_NONE, ESYS_TR_NONE); if (rval != TPM2_RC_SUCCESS && rval != TPM2_RC_INITIALIZE) { LOG_PERR(Esys_Clear, rval); return tool_rc_from_tpm(rval); } tpm2_clear_skip_esapi_call: return rc; } tool_rc tpm2_clearcontrol(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy, TPMI_YES_NO disable_clear, TPM2B_DIGEST *cp_hash) { ESYS_TR shandle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy->tr_handle, auth_hierarchy->session, &shandle); if (rc != tool_rc_success) { return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_ClearControl_Prepare(sys_context, auth_hierarchy->handle, disable_clear); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_ClearControl_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_clearcontrol_free_name1; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy->session)); rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, tpm2_session_get_authhash(auth_hierarchy->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_clearcontrol_free_name1: Esys_Free(name1); goto tpm2_clearcontrol_skip_esapi_call; } TSS2_RC rval = Esys_ClearControl(esys_context, auth_hierarchy->tr_handle, shandle, ESYS_TR_NONE, ESYS_TR_NONE, disable_clear); if (rval != TPM2_RC_SUCCESS && rval != TPM2_RC_INITIALIZE) { LOG_PERR(Esys_ClearControl, rval); return tool_rc_from_tpm(rval); } tpm2_clearcontrol_skip_esapi_call: return rc; } tool_rc tpm2_dictionarylockout_setup(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy, UINT32 max_tries, UINT32 recovery_time, UINT32 lockout_recovery_time, TPM2B_DIGEST *cp_hash) { ESYS_TR shandle1 = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy->tr_handle, auth_hierarchy->session, &shandle1); if (rc != tool_rc_success) { LOG_ERR("Couldn't get shandle for lockout hierarchy"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_DictionaryAttackParameters_Prepare(sys_context, auth_hierarchy->handle, max_tries, recovery_time, lockout_recovery_time); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_DictionaryAttackParameters_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_dictionary_parameters_free_name1; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy->session)); rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, tpm2_session_get_authhash(auth_hierarchy->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_dictionary_parameters_free_name1: Esys_Free(name1); goto tpm2_dictionary_parameters_skip_esapi_call; } LOG_INFO("Setting up Dictionary Lockout parameters."); TPM2_RC rval = Esys_DictionaryAttackParameters(esys_context, auth_hierarchy->tr_handle, shandle1, ESYS_TR_NONE, ESYS_TR_NONE, max_tries, recovery_time, lockout_recovery_time); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_DictionaryAttackParameters, rval); return tool_rc_from_tpm(rval); } tpm2_dictionary_parameters_skip_esapi_call: return rc; } tool_rc tpm2_dictionarylockout_reset(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy, TPM2B_DIGEST *cp_hash) { ESYS_TR shandle1 = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy->tr_handle, auth_hierarchy->session, &shandle1); if (rc != tool_rc_success) { LOG_ERR("Couldn't get shandle for lockout hierarchy"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_DictionaryAttackLockReset_Prepare(sys_context, auth_hierarchy->handle); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_DictionaryAttackLockReset_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_dictionary_attack_reset_free_name1; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy->session)); rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, tpm2_session_get_authhash(auth_hierarchy->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_dictionary_attack_reset_free_name1: Esys_Free(name1); goto tpm2_dictionary_attack_reset_skip_esapi_call; } LOG_INFO("Resetting dictionary lockout state."); TPM2_RC rval = Esys_DictionaryAttackLockReset(esys_context, auth_hierarchy->tr_handle, shandle1, ESYS_TR_NONE, ESYS_TR_NONE); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_DictionaryAttackLockReset, rval); return tool_rc_from_tpm(rval); } tpm2_dictionary_attack_reset_skip_esapi_call: return rc; } tool_rc tpm2_duplicate(ESYS_CONTEXT *esys_context, tpm2_loaded_object *duplicable_key, tpm2_loaded_object *new_parent, const TPM2B_DATA *in_key, const TPMT_SYM_DEF_OBJECT *sym_alg, TPM2B_DATA **out_key, TPM2B_PRIVATE **duplicate, TPM2B_ENCRYPTED_SECRET **encrypted_seed, TPM2B_DIGEST *cp_hash) { ESYS_TR shandle1 = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, duplicable_key->tr_handle, duplicable_key->session, &shandle1); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_Duplicate_Prepare(sys_context, duplicable_key->handle, new_parent->handle, in_key, sym_alg); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_Duplicate_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, duplicable_key->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_duplicate_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, new_parent->tr_handle, &name2); if (rc != tool_rc_success) { goto tpm2_duplicate_free_name1_name2; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(duplicable_key->session)); rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, tpm2_session_get_authhash(duplicable_key->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_duplicate_free_name1_name2: Esys_Free(name2); tpm2_duplicate_free_name1: Esys_Free(name1); goto tpm2_duplicate_skip_esapi_call; } TSS2_RC rval = Esys_Duplicate(esys_context, duplicable_key->tr_handle, new_parent->tr_handle, shandle1, ESYS_TR_NONE, ESYS_TR_NONE, in_key, sym_alg, out_key, duplicate, encrypted_seed); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_Duplicate, rval); return tool_rc_from_tpm(rval); } tpm2_duplicate_skip_esapi_call: return rc; } tool_rc tpm2_encryptdecrypt(ESYS_CONTEXT *esys_context, tpm2_loaded_object *encryption_key_obj, TPMI_YES_NO decrypt, TPMI_ALG_SYM_MODE mode, const TPM2B_IV *iv_in, const TPM2B_MAX_BUFFER *input_data, TPM2B_MAX_BUFFER **output_data, TPM2B_IV **iv_out, TPM2B_DIGEST *cp_hash) { ESYS_TR shandle1 = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, encryption_key_obj->tr_handle, encryption_key_obj->session, &shandle1); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle"); return rc; } /* Keep track of which version you ran for error reporting.*/ unsigned version = 2; if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_EncryptDecrypt2_Prepare(sys_context, encryption_key_obj->handle, input_data, decrypt, mode, iv_in); if (tpm2_error_get(rval) == TPM2_RC_COMMAND_CODE) { version = 1; rval = Tss2_Sys_EncryptDecrypt_Prepare(sys_context, encryption_key_obj->handle, decrypt, mode, iv_in, input_data); } if (rval != TPM2_RC_SUCCESS) { if (version == 2) { LOG_PERR(Tss2_Sys_EncryptDecrypt2_Prepare, rval); } else { LOG_PERR(Tss2_Sys_EncryptDecrypt_Prepare, rval); } return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, encryption_key_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_encryptdecrypt_free_name1; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(encryption_key_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, tpm2_session_get_authhash(encryption_key_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_encryptdecrypt_free_name1: Esys_Free(name1); goto tpm2_encryptdecrypt_skip_esapi_call; } TSS2_RC rval = Esys_EncryptDecrypt2(esys_context, encryption_key_obj->tr_handle, shandle1, ESYS_TR_NONE, ESYS_TR_NONE, input_data, decrypt, mode, iv_in, output_data, iv_out); if (tpm2_error_get(rval) == TPM2_RC_COMMAND_CODE) { version = 1; rval = Esys_EncryptDecrypt(esys_context, encryption_key_obj->tr_handle, shandle1, ESYS_TR_NONE, ESYS_TR_NONE, decrypt, mode, iv_in, input_data, output_data, iv_out); } if (rval != TPM2_RC_SUCCESS) { if (version == 2) { LOG_PERR(Esys_EncryptDecrypt2, rval); } else { LOG_PERR(Esys_EncryptDecrypt, rval); } return tool_rc_from_tpm(rval); } tpm2_encryptdecrypt_skip_esapi_call: return rc; } tool_rc tpm2_hierarchycontrol(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy, TPMI_RH_ENABLES enable, TPMI_YES_NO state, TPM2B_DIGEST *cp_hash) { ESYS_TR shandle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy->tr_handle, auth_hierarchy->session, &shandle); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle for hierarchy"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_HierarchyControl_Prepare(sys_context, auth_hierarchy->handle, enable, state); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_HierarchyControl_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_hierarchycontrol_free_name1; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy->session)); rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, tpm2_session_get_authhash(auth_hierarchy->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_hierarchycontrol_free_name1: Esys_Free(name1); goto tpm2_hierarchycontrol_skip_esapi_call; } TSS2_RC rval = fix_esys_hierarchy(enable, &enable); if (rval != TSS2_RC_SUCCESS) { LOG_ERR("Unknown hierarchy"); return tool_rc_from_tpm(rval); } rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle, shandle, ESYS_TR_NONE, ESYS_TR_NONE, enable, state); if (rval != TPM2_RC_SUCCESS && rval != TPM2_RC_INITIALIZE) { LOG_PERR(Esys_HierarchyControl, rval); return tool_rc_from_tpm(rval); } tpm2_hierarchycontrol_skip_esapi_call: return rc; } tool_rc tpm2_hmac(ESYS_CONTEXT *esys_context, tpm2_loaded_object *hmac_key_obj, TPMI_ALG_HASH halg, const TPM2B_MAX_BUFFER *input_buffer, TPM2B_DIGEST **out_hmac, TPM2B_DIGEST *cp_hash) { ESYS_TR hmac_key_obj_shandle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, hmac_key_obj->tr_handle, hmac_key_obj->session, &hmac_key_obj_shandle); if (rc != tool_rc_success) { LOG_ERR("Failed to get hmac_key_obj_shandle"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_HMAC_Prepare(sys_context, hmac_key_obj->handle, input_buffer, halg); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_HMAC_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, hmac_key_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_hmac_free_name1; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(hmac_key_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, tpm2_session_get_authhash(hmac_key_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_hmac_free_name1: Esys_Free(name1); goto tpm2_hmac_skip_esapi_call; } TPM2_RC rval = Esys_HMAC(esys_context, hmac_key_obj->tr_handle, hmac_key_obj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, input_buffer, halg, out_hmac); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_HMAC, rval); return tool_rc_from_tpm(rval); } tpm2_hmac_skip_esapi_call: return rc; } tool_rc tpm2_hmac_start(ESYS_CONTEXT *esys_context, tpm2_loaded_object *hmac_key_obj, TPMI_ALG_HASH halg, ESYS_TR *sequence_handle) { ESYS_TR hmac_key_obj_shandle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, hmac_key_obj->tr_handle, hmac_key_obj->session, &hmac_key_obj_shandle); if (rc != tool_rc_success) { LOG_ERR("Failed to get hmac_key_obj_shandle"); return rc; } TPM2B_AUTH null_auth = { .size = 0 }; TPM2_RC rval = Esys_HMAC_Start(esys_context, hmac_key_obj->tr_handle, hmac_key_obj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, &null_auth, halg, sequence_handle); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_HMAC, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_hmac_sequenceupdate(ESYS_CONTEXT *esys_context, ESYS_TR sequence_handle, tpm2_loaded_object *hmac_key_obj, const TPM2B_MAX_BUFFER *input_buffer) { ESYS_TR hmac_key_obj_shandle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, hmac_key_obj->tr_handle, hmac_key_obj->session, &hmac_key_obj_shandle); if (rc != tool_rc_success) { LOG_ERR("Failed to get hmac_key_obj_shandle"); return rc; } TPM2_RC rval = Esys_SequenceUpdate(esys_context, sequence_handle, hmac_key_obj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, input_buffer); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_HMAC, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_hmac_sequencecomplete(ESYS_CONTEXT *esys_context, ESYS_TR sequence_handle, tpm2_loaded_object *hmac_key_obj, const TPM2B_MAX_BUFFER *input_buffer, TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) { ESYS_TR hmac_key_obj_shandle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, hmac_key_obj->tr_handle, hmac_key_obj->session, &hmac_key_obj_shandle); if (rc != tool_rc_success) { LOG_ERR("Failed to get hmac_key_obj_shandle"); return rc; } uint32_t hierarchy; TSS2_RC rval = fix_esys_hierarchy(TPM2_RH_NULL, &hierarchy); if (rval != TSS2_RC_SUCCESS) { LOG_ERR("Unknown hierarchy"); return tool_rc_from_tpm(rval); } rval = Esys_SequenceComplete(esys_context, sequence_handle, hmac_key_obj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, input_buffer, hierarchy, result, validation); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_HMAC, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_import(ESYS_CONTEXT *esys_context, tpm2_loaded_object *parent_obj, const TPM2B_DATA *encryption_key, const TPM2B_PUBLIC *object_public, const TPM2B_PRIVATE *duplicate, const TPM2B_ENCRYPTED_SECRET *in_sym_seed, const TPMT_SYM_DEF_OBJECT *symmetric_alg, TPM2B_PRIVATE **out_private, TPM2B_DIGEST *cp_hash) { ESYS_TR parentobj_shandle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, parent_obj->tr_handle, parent_obj->session, &parentobj_shandle); if (rc != tool_rc_success) { LOG_ERR("Couldn't get shandle for phandle"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_Import_Prepare(sys_context, parent_obj->handle, encryption_key, object_public, duplicate, in_sym_seed, symmetric_alg); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_Import_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, parent_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_import_free_name1; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(parent_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, tpm2_session_get_authhash(parent_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_import_free_name1: Esys_Free(name1); goto tpm2_import_skip_esapi_call; } TPM2_RC rval = Esys_Import(esys_context, parent_obj->tr_handle, parentobj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, encryption_key, object_public, duplicate, in_sym_seed, symmetric_alg, out_private); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_HMAC, rval); return tool_rc_from_tpm(rval); } tpm2_import_skip_esapi_call: return rc; } tool_rc tpm2_nv_definespace(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy_obj, const TPM2B_AUTH *auth, const TPM2B_NV_PUBLIC *public_info, TPM2B_DIGEST *cp_hash, TPM2B_DIGEST *rp_hash, TPMI_ALG_HASH parameter_hash_algorithm, ESYS_TR shandle2, ESYS_TR shandle3) { TSS2_SYS_CONTEXT *sys_context = NULL; tool_rc rc = tool_rc_success; if (cp_hash->size || rp_hash->size) { rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } } if (cp_hash->size) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_NV_DefineSpace_Prepare(sys_context, auth_hierarchy_obj->handle, auth, public_info); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_NV_DefineSpace_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_nvdefinespace_free_name1; } rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, parameter_hash_algorithm, cp_hash); tpm2_nvdefinespace_free_name1: Esys_Free(name1); /* * Exit here without making the ESYS call since we just need the cpHash */ if (!rp_hash->size) { goto tpm2_nvdefinespace_skip_esapi_call; } } ESYS_TR shandle1 = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy_obj->tr_handle, auth_hierarchy_obj->session, &shandle1); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle"); return rc; } ESYS_TR nvHandle; TSS2_RC rval = Esys_NV_DefineSpace(esys_context, auth_hierarchy_obj->tr_handle, shandle1, shandle2, shandle3, auth, public_info, &nvHandle); if (rval != TPM2_RC_SUCCESS) { LOG_ERR("Failed to define NV area at index 0x%X", public_info->nvPublic.nvIndex); LOG_PERR(Esys_NV_DefineSpace, rval); return tool_rc_from_tpm(rval); } if (rp_hash->size) { rc = tpm2_sapi_getrphash(sys_context, rval, rp_hash, parameter_hash_algorithm); } tpm2_nvdefinespace_skip_esapi_call: return rc; } tool_rc tpm2_nv_increment(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy_obj, TPM2_HANDLE nv_index, TPM2B_DIGEST *cp_hash) { ESYS_TR auth_hierarchy_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy_obj->tr_handle, auth_hierarchy_obj->session, &auth_hierarchy_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle"); return rc; } // Convert TPM2_HANDLE ctx.nv_index to an ESYS_TR ESYS_TR esys_tr_nv_index; TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, nv_index, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &esys_tr_nv_index); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_TR_FromTPMPublic, rval); return tool_rc_from_tpm(rval); } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } rval = Tss2_Sys_NV_Increment_Prepare(sys_context, auth_hierarchy_obj->handle, nv_index); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_NV_Increment_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_nvincrement_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, esys_tr_nv_index, &name2); if (rc != tool_rc_success) { goto tpm2_nvincrement_free_name1_name2; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, tpm2_session_get_authhash(auth_hierarchy_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_nvincrement_free_name1_name2: Esys_Free(name2); tpm2_nvincrement_free_name1: Esys_Free(name1); goto tpm2_nvincrement_skip_esapi_call; } rval = Esys_NV_Increment(esys_context, auth_hierarchy_obj->tr_handle, esys_tr_nv_index, auth_hierarchy_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE); if (rval != TPM2_RC_SUCCESS) { return tool_rc_from_tpm(rval); } tpm2_nvincrement_skip_esapi_call: return rc; } tool_rc tpm2_nvreadlock(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy_obj, TPM2_HANDLE nv_index, TPM2B_DIGEST *cp_hash) { ESYS_TR esys_tr_nv_handle; TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, nv_index, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &esys_tr_nv_handle); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_TR_FromTPMPublic, rval); return tool_rc_from_tpm(rval); } ESYS_TR auth_hierarchy_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy_obj->tr_handle, auth_hierarchy_obj->session, &auth_hierarchy_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } rval = Tss2_Sys_NV_ReadLock_Prepare(sys_context, auth_hierarchy_obj->handle, nv_index); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_NV_ReadLock_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_readlock_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, esys_tr_nv_handle, &name2); if (rc != tool_rc_success) { goto tpm2_nvreadlock_free_name1_name2; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, tpm2_session_get_authhash(auth_hierarchy_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_nvreadlock_free_name1_name2: Esys_Free(name2); tpm2_readlock_free_name1: Esys_Free(name1); goto tpm2_nvreadlock_skip_esapi_call; } rval = Esys_NV_ReadLock(esys_context, auth_hierarchy_obj->tr_handle, esys_tr_nv_handle, auth_hierarchy_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_NV_ReadLock, rval); return tool_rc_from_tpm(rval); } tpm2_nvreadlock_skip_esapi_call: return rc; } tool_rc tpm2_nvwritelock(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy_obj, TPM2_HANDLE nv_index, TPM2B_DIGEST *cp_hash) { ESYS_TR esys_tr_nv_handle; TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, nv_index, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &esys_tr_nv_handle); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_TR_FromTPMPublic, rval); return tool_rc_from_tpm(rval); } ESYS_TR auth_hierarchy_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy_obj->tr_handle, auth_hierarchy_obj->session, &auth_hierarchy_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } rval = Tss2_Sys_NV_WriteLock_Prepare(sys_context, auth_hierarchy_obj->handle, nv_index); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_NV_WriteLock_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_nvwritelock_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, esys_tr_nv_handle, &name2); if (rc != tool_rc_success) { goto tpm2_nvwritelock_free_name1_name2; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, tpm2_session_get_authhash(auth_hierarchy_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_nvwritelock_free_name1_name2: Esys_Free(name2); tpm2_nvwritelock_free_name1: Esys_Free(name1); goto tpm2_nvwritelock_skip_esapi_call; } rval = Esys_NV_WriteLock(esys_context, auth_hierarchy_obj->tr_handle, esys_tr_nv_handle, auth_hierarchy_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_NV_WriteLock, rval); return tool_rc_from_tpm(rval); } tpm2_nvwritelock_skip_esapi_call: return rc; } tool_rc tpm2_nvglobalwritelock(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy_obj, TPM2B_DIGEST *cp_hash) { ESYS_TR auth_hierarchy_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy_obj->tr_handle, auth_hierarchy_obj->session, &auth_hierarchy_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_NV_GlobalWriteLock_Prepare(sys_context, auth_hierarchy_obj->handle); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_NV_GlobalWriteLock_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_globalnvwritelock_free_name1; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, tpm2_session_get_authhash(auth_hierarchy_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_globalnvwritelock_free_name1: Esys_Free(name1); goto tpm2_globalnvwritelock_skip_esapi_call; } TSS2_RC rval = Esys_NV_GlobalWriteLock(esys_context, auth_hierarchy_obj->tr_handle, auth_hierarchy_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_NV_GlobalWriteLock, rval); return tool_rc_from_tpm(rval); } tpm2_globalnvwritelock_skip_esapi_call: return rc; } tool_rc tpm2_tr_from_tpm_public(ESYS_CONTEXT *esys_context, TPM2_HANDLE handle, ESYS_TR *tr_handle) { TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, handle, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, tr_handle); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_TR_FromTPMPublic, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_nvsetbits(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy_obj, TPM2_HANDLE nv_index, UINT64 bits, TPM2B_DIGEST *cp_hash) { ESYS_TR esys_tr_nv_handle; TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, nv_index, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &esys_tr_nv_handle); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_TR_FromTPMPublic, rval); return tool_rc_from_tpm(rval); } ESYS_TR auth_hierarchy_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy_obj->tr_handle, auth_hierarchy_obj->session, &auth_hierarchy_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } rval = Tss2_Sys_NV_SetBits_Prepare(sys_context, auth_hierarchy_obj->handle, nv_index, bits); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_NV_SetBits_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_nvsetbits_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, esys_tr_nv_handle, &name2); if (rc != tool_rc_success) { goto tpm2_nvsetbits_free_name1_name2; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, tpm2_session_get_authhash(auth_hierarchy_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_nvsetbits_free_name1_name2: Esys_Free(name2); tpm2_nvsetbits_free_name1: Esys_Free(name1); goto tpm2_nvsetbits_skip_esapi_call; } rval = Esys_NV_SetBits(esys_context, auth_hierarchy_obj->tr_handle, esys_tr_nv_handle, auth_hierarchy_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, bits); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_NV_SetBits, rval); return tool_rc_from_tpm(rval); } tpm2_nvsetbits_skip_esapi_call: return rc; } tool_rc tpm2_nvextend(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy_obj, TPM2_HANDLE nv_index, TPM2B_MAX_NV_BUFFER *data, TPM2B_DIGEST *cp_hash, TPM2B_DIGEST *rp_hash, TPMI_ALG_HASH parameter_hash_algorithm, ESYS_TR shandle2, ESYS_TR shandle3) { ESYS_TR esys_tr_nv_handle; TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, nv_index, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &esys_tr_nv_handle); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_TR_FromTPMPublic, rval); return tool_rc_from_tpm(rval); } TSS2_SYS_CONTEXT *sys_context = NULL; tool_rc rc = tool_rc_success; if (cp_hash->size || rp_hash->size) { rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } } if (cp_hash->size) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } rval = Tss2_Sys_NV_Extend_Prepare(sys_context, auth_hierarchy_obj->handle, nv_index, data); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_NV_Extend_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_nvextend_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, esys_tr_nv_handle, &name2); if (rc != tool_rc_success) { goto tpm2_nvextend_free_name1_name2; } rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, parameter_hash_algorithm, cp_hash); tpm2_nvextend_free_name1_name2: Esys_Free(name2); tpm2_nvextend_free_name1: Esys_Free(name1); /* * Exit here without making the ESYS call since we just need the cpHash */ if (!rp_hash->size) { goto tpm2_nvextend_skip_esapi_call; } } ESYS_TR auth_hierarchy_obj_session_handle = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy_obj->tr_handle, auth_hierarchy_obj->session, &auth_hierarchy_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle"); return rc; } rval = Esys_NV_Extend(esys_context, auth_hierarchy_obj->tr_handle, esys_tr_nv_handle, auth_hierarchy_obj_session_handle, shandle2, shandle3, data); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_NV_Extend, rval); return tool_rc_from_tpm(rval); } if (rp_hash->size) { rc = tpm2_sapi_getrphash(sys_context, rval, rp_hash, parameter_hash_algorithm); } tpm2_nvextend_skip_esapi_call: return rc; } tool_rc tpm2_nvundefine(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy_obj, TPM2_HANDLE nv_index, TPM2B_DIGEST *cp_hash) { ESYS_TR esys_tr_nv_handle; TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, nv_index, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &esys_tr_nv_handle); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_TR_FromTPMPublic, rval); return tool_rc_from_tpm(rval); } ESYS_TR auth_hierarchy_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy_obj->tr_handle, auth_hierarchy_obj->session, &auth_hierarchy_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Couldn't get shandle"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } rval = Tss2_Sys_NV_UndefineSpace_Prepare(sys_context, auth_hierarchy_obj->handle, nv_index); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_NV_UndefineSpace_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_nvundefine_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, esys_tr_nv_handle, &name2); if (rc != tool_rc_success) { goto tpm2_nvundefine_free_name1_name2; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, tpm2_session_get_authhash(auth_hierarchy_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_nvundefine_free_name1_name2: Esys_Free(name2); tpm2_nvundefine_free_name1: Esys_Free(name1); goto tpm2_nvundefine_skip_esapi_call; } rval = Esys_NV_UndefineSpace(esys_context, auth_hierarchy_obj->tr_handle, esys_tr_nv_handle, auth_hierarchy_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE); if (rval != TPM2_RC_SUCCESS) { LOG_ERR("Failed to release NV area at index 0x%X", nv_index); LOG_PERR(Esys_NV_UndefineSpace, rval); return tool_rc_from_tpm(rval); } LOG_INFO("Success to release NV area at index 0x%x.", nv_index); tpm2_nvundefine_skip_esapi_call: return rc; } tool_rc tpm2_nvundefinespecial(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy_obj, TPM2_HANDLE nv_index, tpm2_session *policy_session, TPM2B_DIGEST *cp_hash) { ESYS_TR esys_tr_nv_handle; TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, nv_index, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &esys_tr_nv_handle); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_TR_FromTPMPublic, rval); return tool_rc_from_tpm(rval); } ESYS_TR auth_hierarchy_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy_obj->tr_handle, auth_hierarchy_obj->session, &auth_hierarchy_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Couldn't get shandle"); return rc; } ESYS_TR policy_session_handle = tpm2_session_get_handle(policy_session); if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } rval = Tss2_Sys_NV_UndefineSpaceSpecial_Prepare(sys_context, nv_index, auth_hierarchy_obj->handle); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_NV_UndefineSpaceSpecial_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, esys_tr_nv_handle, &name1); if (rc != tool_rc_success) { goto tpm2_nvundefinespecial_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy_obj->tr_handle, &name2); if (rc != tool_rc_success) { goto tpm2_nvundefinespecial_free_name1_name2; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, tpm2_session_get_authhash(auth_hierarchy_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_nvundefinespecial_free_name1_name2: Esys_Free(name2); tpm2_nvundefinespecial_free_name1: Esys_Free(name1); goto tpm2_nvundefinespecial_skip_esapi_call; } rval = Esys_NV_UndefineSpaceSpecial(esys_context, esys_tr_nv_handle, auth_hierarchy_obj->tr_handle, policy_session_handle, // policy session auth_hierarchy_obj_session_handle, // auth session for hierarchy ESYS_TR_NONE); if (rval != TPM2_RC_SUCCESS) { LOG_ERR("Failed to release NV area at index 0x%X", nv_index); LOG_PERR(Esys_NV_UndefineSpaceSpecial, rval); return tool_rc_from_tpm(rval); } LOG_INFO("Success to release NV area at index 0x%x.", nv_index); tpm2_nvundefinespecial_skip_esapi_call: return rc; } tool_rc tpm2_nvwrite(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy_obj, TPM2_HANDLE nvindex, const TPM2B_MAX_NV_BUFFER *data, UINT16 offset, TPM2B_DIGEST *cp_hash) { // Convert TPM2_HANDLE ctx.nv_index to an ESYS_TR ESYS_TR esys_tr_nv_index; TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, nvindex, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &esys_tr_nv_index); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_TR_FromTPMPublic, rval); return tool_rc_from_tpm(rval); } ESYS_TR auth_hierarchy_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, auth_hierarchy_obj->tr_handle, auth_hierarchy_obj->session, &auth_hierarchy_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } rval = Tss2_Sys_NV_Write_Prepare(sys_context, auth_hierarchy_obj->handle, nvindex, data, offset); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_NV_Write_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, auth_hierarchy_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_nvwrite_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, esys_tr_nv_index, &name2); if (rc != tool_rc_success) { goto tpm2_nvwrite_free_name1_name2; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(auth_hierarchy_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, tpm2_session_get_authhash(auth_hierarchy_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_nvwrite_free_name1_name2: Esys_Free(name2); tpm2_nvwrite_free_name1: Esys_Free(name1); goto tpm2_nvwrite_skip_esapi_call; } rval = Esys_NV_Write(esys_context, auth_hierarchy_obj->tr_handle, esys_tr_nv_index, auth_hierarchy_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, data, offset); if (rval != TPM2_RC_SUCCESS) { LOG_ERR("Failed to write NV area at index 0x%X", nvindex); LOG_PERR(Tss2_Sys_NV_Write, rval); return tool_rc_from_tpm(rval); } LOG_INFO("Success to write NV area at index 0x%x offset 0x%x.", nvindex, offset); tpm2_nvwrite_skip_esapi_call: return rc; } tool_rc tpm2_pcr_allocate(ESYS_CONTEXT *esys_context, tpm2_loaded_object *auth_hierarchy_obj, const TPML_PCR_SELECTION *pcr_allocation) { TSS2_RC rval; TPMI_YES_NO allocation_success; UINT32 max_pcr; UINT32 size_needed; UINT32 size_available; ESYS_TR auth_hierarchy_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, ESYS_TR_RH_PLATFORM, auth_hierarchy_obj->session, &auth_hierarchy_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Couldn't get shandle for lockout hierarchy"); return rc; } rval = Esys_PCR_Allocate(esys_context, ESYS_TR_RH_PLATFORM, auth_hierarchy_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, pcr_allocation, &allocation_success, &max_pcr, &size_needed, &size_available); if (rval != TSS2_RC_SUCCESS) { LOG_ERR("Could not allocate PCRs."); LOG_PERR(Esys_PCR_Allocate, rval); return tool_rc_from_tpm(rval); } if (!allocation_success) { LOG_ERR("Allocation failed. " "MaxPCR: %i, Size Needed: %i, Size available: %i", max_pcr, size_needed, size_available); return tool_rc_general_error; } return tool_rc_success; } tool_rc tpm2_sign(ESYS_CONTEXT *esys_context, tpm2_loaded_object *signingkey_obj, TPM2B_DIGEST *digest, TPMT_SIG_SCHEME *in_scheme, TPMT_TK_HASHCHECK *validation, TPMT_SIGNATURE **signature, TPM2B_DIGEST *cp_hash) { ESYS_TR signingkey_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, signingkey_obj->tr_handle, signingkey_obj->session, &signingkey_obj_session_handle); if (rc != tool_rc_success) { return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_Sign_Prepare(sys_context, signingkey_obj->handle, digest, in_scheme, validation); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_Sign_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, signingkey_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_sign_free_name1; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(signingkey_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, tpm2_session_get_authhash(signingkey_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_sign_free_name1: Esys_Free(name1); goto tpm2_sign_skip_esapi_call; } TSS2_RC rval = Esys_Sign(esys_context, signingkey_obj->tr_handle, signingkey_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, digest, in_scheme, validation, signature); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Eys_Sign, rval); rc = tool_rc_from_tpm(rval); return rc; } tpm2_sign_skip_esapi_call: return rc; } tool_rc tpm2_nvcertify(ESYS_CONTEXT *esys_context, tpm2_loaded_object *signingkey_obj, tpm2_loaded_object *nvindex_authobj, TPM2_HANDLE nv_index, UINT16 offset, UINT16 size, TPMT_SIG_SCHEME *in_scheme, TPM2B_ATTEST **certify_info, TPMT_SIGNATURE **signature, TPM2B_DATA *policy_qualifier, TPM2B_DIGEST *cp_hash) { ESYS_TR signingkey_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, signingkey_obj->tr_handle, signingkey_obj->session, &signingkey_obj_session_handle); if (rc != tool_rc_success) { return rc; } ESYS_TR nvindex_authobj_session_handle = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(esys_context, nvindex_authobj->tr_handle, nvindex_authobj->session, &nvindex_authobj_session_handle); if (rc != tool_rc_success) { return rc; } ESYS_TR esys_tr_nv_index; TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, nv_index, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &esys_tr_nv_index); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_TR_FromTPMPublic, rval); return tool_rc_from_tpm(rval); } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } rval = Tss2_Sys_NV_Certify_Prepare(sys_context, signingkey_obj->handle, nvindex_authobj->handle, nv_index, policy_qualifier, in_scheme, size, offset); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_NV_Certify_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, signingkey_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_nvcertify_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, nvindex_authobj->tr_handle, &name2); if (rc != tool_rc_success) { goto tpm2_nvcertify_free_name1_name2; } TPM2B_NAME *name3 = NULL; rc = tpm2_tr_get_name(esys_context, esys_tr_nv_index, &name3); if (rc != tool_rc_success) { goto tpm2_nvcertify_free_name1_name2_name3; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(signingkey_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, name2, name3, tpm2_session_get_authhash(signingkey_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_nvcertify_free_name1_name2_name3: Esys_Free(name3); tpm2_nvcertify_free_name1_name2: Esys_Free(name2); tpm2_nvcertify_free_name1: Esys_Free(name1); goto tpm2_nvcertify_skip_esapi_call; } rval = Esys_NV_Certify(esys_context, signingkey_obj->tr_handle, nvindex_authobj->tr_handle, esys_tr_nv_index, signingkey_obj_session_handle, nvindex_authobj_session_handle, ESYS_TR_NONE, policy_qualifier, in_scheme, size, offset, certify_info, signature); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_NV_Certify, rval); return tool_rc_from_tpm(rval); } tpm2_nvcertify_skip_esapi_call: return rc; } tool_rc tpm2_certifycreation(ESYS_CONTEXT *esys_context, tpm2_loaded_object *signingkey_obj, tpm2_loaded_object *certifiedkey_obj, TPM2B_DIGEST *creation_hash, TPMT_SIG_SCHEME *in_scheme, TPMT_TK_CREATION *creation_ticket, TPM2B_ATTEST **certify_info, TPMT_SIGNATURE **signature, TPM2B_DATA *policy_qualifier, TPM2B_DIGEST *cp_hash, TPM2B_DIGEST *rp_hash, TPMI_ALG_HASH parameter_hash_algorithm, ESYS_TR shandle2, ESYS_TR shandle3) { TSS2_SYS_CONTEXT *sys_context = NULL; tool_rc rc = tool_rc_success; if (cp_hash->size || rp_hash->size) { rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } } if (cp_hash->size) { TSS2_RC rval = Tss2_Sys_CertifyCreation_Prepare(sys_context, signingkey_obj->handle, certifiedkey_obj->handle, policy_qualifier, creation_hash, in_scheme, creation_ticket); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_CertifyCreation_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, signingkey_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_certifycreation_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(esys_context, certifiedkey_obj->tr_handle, &name2); if (rc != tool_rc_success) { goto tpm2_certifycreation_free_name1_name2; } rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, parameter_hash_algorithm, cp_hash); tpm2_certifycreation_free_name1_name2: Esys_Free(name2); tpm2_certifycreation_free_name1: Esys_Free(name1); /* * Exit here without making the ESYS call since we just need the cpHash */ if (!rp_hash->size || rc != tool_rc_success) { goto tpm2_certifycreation_skip_esapi_call; } } ESYS_TR signingkey_obj_session_handle = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(esys_context, signingkey_obj->tr_handle, signingkey_obj->session, &signingkey_obj_session_handle); if (rc != tool_rc_success) { return rc; } TSS2_RC rval = Esys_CertifyCreation(esys_context, signingkey_obj->tr_handle, certifiedkey_obj->tr_handle, signingkey_obj_session_handle, shandle2, shandle3, policy_qualifier, creation_hash, in_scheme, creation_ticket, certify_info, signature); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_CertifyCreation, rval); return tool_rc_from_tpm(rval); } if (rp_hash->size) { rc = tpm2_sapi_getrphash(sys_context, rval, rp_hash, parameter_hash_algorithm); } tpm2_certifycreation_skip_esapi_call: return rc; } tool_rc tpm2_setprimarypolicy(ESYS_CONTEXT *esys_context, tpm2_loaded_object *hierarchy_object, TPM2B_DIGEST *auth_policy, TPMI_ALG_HASH hash_algorithm, TPM2B_DIGEST *cp_hash) { ESYS_TR hierarchy_object_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, hierarchy_object->tr_handle, hierarchy_object->session, &hierarchy_object_session_handle); if (rc != tool_rc_success) { return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_SetPrimaryPolicy_Prepare(sys_context, hierarchy_object->handle, auth_policy, hash_algorithm); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_SetPrimaryPolicy_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, hierarchy_object->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_setprimarypolicy_free_name1; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(hierarchy_object->session)); rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, tpm2_session_get_authhash(hierarchy_object->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_setprimarypolicy_free_name1: Esys_Free(name1); goto tpm2_setprimarypolicy_skip_esapi_call; } TSS2_RC rval = Esys_SetPrimaryPolicy(esys_context, hierarchy_object->tr_handle, hierarchy_object_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, auth_policy, hash_algorithm); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_SetPrimaryPolicy, rval); return tool_rc_from_tpm(rval); } tpm2_setprimarypolicy_skip_esapi_call: return rc; } tool_rc tpm2_quote(ESYS_CONTEXT *esys_context, tpm2_loaded_object *quote_obj, TPMT_SIG_SCHEME *in_scheme, TPM2B_DATA *qualifying_data, TPML_PCR_SELECTION *pcr_select, TPM2B_ATTEST **quoted, TPMT_SIGNATURE **signature, TPM2B_DIGEST *cp_hash) { ESYS_TR quote_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, quote_obj->tr_handle, quote_obj->session, "e_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_Quote_Prepare(sys_context, quote_obj->handle, qualifying_data, in_scheme, pcr_select); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_Quote_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, quote_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_quote_free_name1; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(quote_obj->session)); rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, tpm2_session_get_authhash(quote_obj->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_quote_free_name1: Esys_Free(name1); goto tpm2_quote_skip_esapi_call; } TSS2_RC rval = Esys_Quote(esys_context, quote_obj->tr_handle, quote_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, qualifying_data, in_scheme, pcr_select, quoted, signature); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_Quote, rval); return tool_rc_from_tpm(rval); } tpm2_quote_skip_esapi_call: return rc; } tool_rc tpm2_changeeps(ESYS_CONTEXT *ectx, tpm2_session *platform_hierarchy_session, TPM2B_DIGEST *cp_hash, TPM2B_DIGEST *rp_hash, TPMI_ALG_HASH parameter_hash_algorithm, ESYS_TR shandle2, ESYS_TR shandle3) { TSS2_SYS_CONTEXT *sys_context = NULL; tool_rc rc = tool_rc_success; if (cp_hash->size || rp_hash->size) { rc = tpm2_getsapicontext(ectx, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } } if (cp_hash->size) { TSS2_RC rval = Tss2_Sys_ChangeEPS_Prepare(sys_context, TPM2_RH_PLATFORM); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_ObjectChangeAuth_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(ectx, ESYS_TR_RH_PLATFORM ,&name1); if (rc != tool_rc_success) { goto tpm2_changeeps_free_name1; } rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, parameter_hash_algorithm, cp_hash); tpm2_changeeps_free_name1: Esys_Free(name1); /* * Exit here without making the ESYS call since we just need the cpHash */ if (!rp_hash->size || rc != tool_rc_success) { goto tpm2_changeeps_skip_esapi_call; } } ESYS_TR platform_hierarchy_session_handle = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(ectx, ESYS_TR_RH_PLATFORM, platform_hierarchy_session, &platform_hierarchy_session_handle); if (rc != tool_rc_success) { return rc; } TSS2_RC rval = Esys_ChangeEPS(ectx, ESYS_TR_RH_PLATFORM, platform_hierarchy_session_handle, shandle2, shandle3); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_ChangeEPS, rval); return tool_rc_from_tpm(rval); } if (rp_hash->size) { rc = tpm2_sapi_getrphash(sys_context, rval, rp_hash, parameter_hash_algorithm); } tpm2_changeeps_skip_esapi_call: return rc; } tool_rc tpm2_changepps(ESYS_CONTEXT *ectx, tpm2_session *platform_hierarchy_session, TPM2B_DIGEST *cp_hash, TPM2B_DIGEST *rp_hash, TPMI_ALG_HASH parameter_hash_algorithm, ESYS_TR shandle2, ESYS_TR shandle3) { TSS2_SYS_CONTEXT *sys_context = NULL; tool_rc rc = (cp_hash->size || rp_hash->size) ? tpm2_getsapicontext(ectx, &sys_context) : tool_rc_success; if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } if (cp_hash->size) { TSS2_RC rval = Tss2_Sys_ChangePPS_Prepare(sys_context, TPM2_RH_PLATFORM); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_ObjectChangeAuth_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(ectx, ESYS_TR_RH_PLATFORM ,&name1); if (rc != tool_rc_success) { goto tpm2_changepps_free_name1; } rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, parameter_hash_algorithm, cp_hash); tpm2_changepps_free_name1: Esys_Free(name1); /* * Exit here without making the ESYS call since we just need the cpHash */ if (!rp_hash->size || rc != tool_rc_success) { goto tpm2_changepps_skip_esapi_call; } } ESYS_TR platform_hierarchy_session_handle = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(ectx, ESYS_TR_RH_PLATFORM, platform_hierarchy_session, &platform_hierarchy_session_handle); if (rc != tool_rc_success) { return rc; } TSS2_RC rval = Esys_ChangePPS(ectx, ESYS_TR_RH_PLATFORM, platform_hierarchy_session_handle, shandle2, shandle3); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_ChangePPS, rval); return tool_rc_from_tpm(rval); } if (rp_hash->size) { rc = tpm2_sapi_getrphash(sys_context, rval, rp_hash, parameter_hash_algorithm); } tpm2_changepps_skip_esapi_call: return rc; } tool_rc tpm2_unseal(ESYS_CONTEXT *esys_context, tpm2_loaded_object *sealkey_obj, TPM2B_SENSITIVE_DATA **out_data, TPM2B_DIGEST *cp_hash, TPM2B_DIGEST *rp_hash, TPMI_ALG_HASH parameter_hash_algorithm, ESYS_TR shandle2, ESYS_TR shandle3) { TSS2_SYS_CONTEXT *sys_context = NULL; tool_rc rc = tool_rc_success; if (cp_hash->size || rp_hash->size) { rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } } if (cp_hash->size) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(esys_context, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_Unseal_Prepare(sys_context, sealkey_obj->handle); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_Unseal_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(esys_context, sealkey_obj->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_unseal_free_name1; } rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, parameter_hash_algorithm, cp_hash); tpm2_unseal_free_name1: Esys_Free(name1); /* * Exit here without making the ESYS call since we just need the cpHash */ if (!rp_hash->size) { goto tpm2_unseal_skip_esapi_call; } } ESYS_TR sealkey_obj_session_handle = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(esys_context, sealkey_obj->tr_handle, sealkey_obj->session, &sealkey_obj_session_handle); if (rc != tool_rc_success) { return rc; } TSS2_RC rval = Esys_Unseal(esys_context, sealkey_obj->tr_handle, sealkey_obj_session_handle, shandle2, shandle3, out_data); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_Unseal, rval); return tool_rc_from_tpm(rval); } if (rp_hash->size) { rc = tpm2_sapi_getrphash(sys_context, rval, rp_hash, parameter_hash_algorithm); } tpm2_unseal_skip_esapi_call: return rc; } tool_rc tpm2_incrementalselftest(ESYS_CONTEXT *ectx, const TPML_ALG *to_test, TPML_ALG **to_do_list) { TSS2_RC rval = Esys_IncrementalSelfTest(ectx, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, to_test, to_do_list); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_IncrementalSelfTest, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_stirrandom(ESYS_CONTEXT *ectx, const TPM2B_SENSITIVE_DATA *data) { TSS2_RC rval = Esys_StirRandom(ectx, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, data); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_StirRandom, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_selftest(ESYS_CONTEXT *ectx, TPMI_YES_NO full_test) { TSS2_RC rval = Esys_SelfTest(ectx, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, full_test); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_SelfTest, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_gettestresult(ESYS_CONTEXT *ectx, TPM2B_MAX_BUFFER **out_data, TPM2_RC *test_result) { TSS2_RC rval = Esys_GetTestResult(ectx, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, out_data, test_result); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_GetTestResult, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_loadexternal(ESYS_CONTEXT *ectx, const TPM2B_SENSITIVE *private, const TPM2B_PUBLIC *public, TPMI_RH_HIERARCHY hierarchy, ESYS_TR *object_handle) { TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy); if (rval != TSS2_RC_SUCCESS) { LOG_ERR("Unknown hierarchy"); return tool_rc_from_tpm(rval); } rval = Esys_LoadExternal(ectx, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, private, public, hierarchy, object_handle); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_LoadExternal, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_pcr_event(ESYS_CONTEXT *ectx, ESYS_TR pcr, tpm2_session *session, const TPM2B_EVENT *event_data, TPML_DIGEST_VALUES **digests) { ESYS_TR shandle1 = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(ectx, pcr, session, &shandle1); if (rc != tool_rc_success) { return rc; } TSS2_RC rval = Esys_PCR_Event(ectx, pcr, shandle1, ESYS_TR_NONE, ESYS_TR_NONE, event_data, digests); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PCR_Event, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_getrandom(ESYS_CONTEXT *ectx, UINT16 count, TPM2B_DIGEST **random, TPM2B_DIGEST *cp_hash, TPM2B_DIGEST *rp_hash, ESYS_TR session_handle_1, ESYS_TR session_handle_2, ESYS_TR session_handle_3, TPMI_ALG_HASH parameter_hash_algorithm) { TSS2_SYS_CONTEXT *sys_context = NULL; tool_rc rc = tool_rc_success; if (cp_hash->size || rp_hash->size) { rc = tpm2_getsapicontext(ectx, &sys_context); if (rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } } if (cp_hash->size) { TSS2_RC rval = Tss2_Sys_GetRandom_Prepare(sys_context, count); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_GetRandom_Prepare, rval); return tool_rc_general_error; } rc = tpm2_sapi_getcphash(sys_context, NULL, NULL, NULL, parameter_hash_algorithm, cp_hash); if (rc != tool_rc_success) { return rc; } /* * Exit here without making the ESYS call since if we only need cpHash */ if (!rp_hash->size || rc != tool_rc_success) { goto tpm2_getrandom_skip_esapi_call; } } TSS2_RC rval = Esys_GetRandom(ectx, session_handle_1, session_handle_2, session_handle_3, count, random); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_GetRandom, rval); return tool_rc_from_tpm(rval); } if (rp_hash->size) { rc = tpm2_sapi_getrphash(sys_context, rval, rp_hash, parameter_hash_algorithm); } tpm2_getrandom_skip_esapi_call: return rc; } tool_rc tpm2_startup(ESYS_CONTEXT *ectx, TPM2_SU startup_type) { TSS2_RC rval = Esys_Startup(ectx, startup_type); if (rval != TPM2_RC_SUCCESS && rval != TPM2_RC_INITIALIZE) { LOG_PERR(Esys_Startup, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_pcr_reset(ESYS_CONTEXT *ectx, ESYS_TR pcr_handle) { TSS2_RC rval = Esys_PCR_Reset(ectx, pcr_handle, ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_PCR_Reset, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_makecredential(ESYS_CONTEXT *ectx, ESYS_TR handle, const TPM2B_DIGEST *credential, const TPM2B_NAME *object_name, TPM2B_ID_OBJECT **credential_blob, TPM2B_ENCRYPTED_SECRET **secret) { TSS2_RC rval = Esys_MakeCredential(ectx, handle, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, credential, object_name, credential_blob, secret); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_MakeCredential, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_verifysignature(ESYS_CONTEXT *ectx, ESYS_TR key_handle, const TPM2B_DIGEST *digest, const TPMT_SIGNATURE *signature, TPMT_TK_VERIFIED **validation) { TSS2_RC rval = Esys_VerifySignature(ectx, key_handle, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, digest, signature, validation); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_VerifySignature, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_readclock(ESYS_CONTEXT *ectx, TPMS_TIME_INFO **current_time) { TSS2_RC rval = Esys_ReadClock(ectx, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, current_time); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_ReadClock, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_setclock(ESYS_CONTEXT *ectx, tpm2_loaded_object *object, UINT64 new_time, TPM2B_DIGEST *cp_hash) { ESYS_TR shandle1 = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(ectx, object->tr_handle, object->session, &shandle1); if (rc != tool_rc_success) { LOG_ERR("Couldn't get shandle for lockout hierarchy"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(ectx, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_ClockSet_Prepare(sys_context, object->handle, new_time); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_ClockSet_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(ectx, object->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_setclock_free_name1; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(object->session)); rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, tpm2_session_get_authhash(object->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_setclock_free_name1: Esys_Free(name1); goto tpm2_setclock_skip_esapi_call; } TSS2_RC rval = Esys_ClockSet(ectx, object->tr_handle, shandle1, ESYS_TR_NONE, ESYS_TR_NONE, new_time); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_ClockSet, rval); return tool_rc_from_tpm(rval); } tpm2_setclock_skip_esapi_call: return rc; } tool_rc tpm2_clockrateadjust(ESYS_CONTEXT *ectx, tpm2_loaded_object *object, TPM2_CLOCK_ADJUST rate_adjust, TPM2B_DIGEST *cp_hash) { ESYS_TR shandle1 = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(ectx, object->tr_handle, object->session, &shandle1); if (rc != tool_rc_success) { LOG_ERR("Couldn't get shandle for lockout hierarchy"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(ectx, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_ClockRateAdjust_Prepare(sys_context, object->handle, rate_adjust); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_ClockRateAdjust_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(ectx, object->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_clockrateadjust_free_name1; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(object->session)); rc = tpm2_sapi_getcphash(sys_context, name1, NULL, NULL, tpm2_session_get_authhash(object->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_clockrateadjust_free_name1: Esys_Free(name1); goto tpm2_clockrateadjust_skip_esapi_call; } TSS2_RC rval = Esys_ClockRateAdjust(ectx, object->tr_handle, shandle1, ESYS_TR_NONE, ESYS_TR_NONE, rate_adjust); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_ClockRateAdjust, rval); return tool_rc_from_tpm(rval); } tpm2_clockrateadjust_skip_esapi_call: return rc; } tool_rc tpm2_shutdown(ESYS_CONTEXT *ectx, TPM2_SU shutdown_type) { TSS2_RC rval = Esys_Shutdown(ectx, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, shutdown_type); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_Shutdown, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_gettime(ESYS_CONTEXT *ectx, tpm2_loaded_object *privacy_admin, tpm2_loaded_object *signing_object, const TPM2B_DATA *qualifying_data, const TPMT_SIG_SCHEME *scheme, TPM2B_ATTEST **time_info, TPMT_SIGNATURE **signature, TPM2B_DIGEST *cp_hash) { ESYS_TR privacy_admin_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(ectx, privacy_admin->tr_handle, privacy_admin->session, &privacy_admin_session_handle); if (rc != tool_rc_success) { LOG_ERR("Couldn't get shandle for privacy admin"); return rc; } ESYS_TR sign_session_handle = ESYS_TR_NONE; rc = tpm2_auth_util_get_shandle(ectx, signing_object->tr_handle, signing_object->session, &sign_session_handle); if (rc != tool_rc_success) { LOG_ERR("Couldn't get shandle for signing key"); return rc; } if (cp_hash) { /* * Need sys_context to be able to calculate CpHash */ TSS2_SYS_CONTEXT *sys_context = NULL; rc = tpm2_getsapicontext(ectx, &sys_context); if(rc != tool_rc_success) { LOG_ERR("Failed to acquire SAPI context."); return rc; } TSS2_RC rval = Tss2_Sys_GetTime_Prepare(sys_context, privacy_admin->handle, signing_object->handle, qualifying_data, scheme); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_GetTime_Prepare, rval); return tool_rc_general_error; } TPM2B_NAME *name1 = NULL; rc = tpm2_tr_get_name(ectx, privacy_admin->tr_handle, &name1); if (rc != tool_rc_success) { goto tpm2_gettime_free_name1; } TPM2B_NAME *name2 = NULL; rc = tpm2_tr_get_name(ectx, signing_object->tr_handle, &name2); if (rc != tool_rc_success) { goto tpm2_gettime_free_name1_name2; } cp_hash->size = tpm2_alg_util_get_hash_size( tpm2_session_get_authhash(signing_object->session)); rc = tpm2_sapi_getcphash(sys_context, name1, name2, NULL, tpm2_session_get_authhash(signing_object->session), cp_hash); /* * Exit here without making the ESYS call since we just need the cpHash */ tpm2_gettime_free_name1_name2: Esys_Free(name2); tpm2_gettime_free_name1: Esys_Free(name1); goto tpm2_gettime_skip_esapi_call; } TSS2_RC rval = Esys_GetTime( ectx, privacy_admin->tr_handle, signing_object->tr_handle, privacy_admin_session_handle, sign_session_handle, ESYS_TR_NONE, qualifying_data, scheme, time_info, signature); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_GetTime, rval); return tool_rc_from_tpm(rval); } tpm2_gettime_skip_esapi_call: return rc; } tool_rc tpm2_geteccparameters(ESYS_CONTEXT *esys_context, TPMI_ECC_CURVE curve_id, TPMS_ALGORITHM_DETAIL_ECC **parameters) { TSS2_RC rval = Esys_ECC_Parameters(esys_context, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, curve_id, parameters); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_ECC_Parameters, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_ecephemeral(ESYS_CONTEXT *esys_context, TPMI_ECC_CURVE curve_id, TPM2B_ECC_POINT **Q, uint16_t *counter) { TSS2_RC rval = Esys_EC_Ephemeral(esys_context, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, curve_id, Q, counter); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_EC_Ephemeral, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_commit(ESYS_CONTEXT *esys_context, tpm2_loaded_object *signing_key_object, TPM2B_ECC_POINT *P1, TPM2B_SENSITIVE_DATA *s2, TPM2B_ECC_PARAMETER *y2, TPM2B_ECC_POINT **K, TPM2B_ECC_POINT **L, TPM2B_ECC_POINT **E, uint16_t *counter) { ESYS_TR signing_key_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, signing_key_object->tr_handle, signing_key_object->session, &signing_key_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle"); return rc; } TSS2_RC rval = Esys_Commit(esys_context, signing_key_object->tr_handle, signing_key_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, P1, s2, y2, K, L, E, counter); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_Commit, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_ecdhkeygen(ESYS_CONTEXT *esys_context, tpm2_loaded_object *ecc_public_key, TPM2B_ECC_POINT **Z, TPM2B_ECC_POINT **Q) { TSS2_RC rval = Esys_ECDH_KeyGen(esys_context, ecc_public_key->tr_handle, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, Z, Q); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_ECDH_KeyGen, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_ecdhzgen(ESYS_CONTEXT *esys_context, tpm2_loaded_object *ecc_key_object, TPM2B_ECC_POINT **Z, TPM2B_ECC_POINT *Q) { ESYS_TR ecc_key_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, ecc_key_object->tr_handle, ecc_key_object->session, &ecc_key_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle"); return rc; } TSS2_RC rval = Esys_ECDH_ZGen(esys_context, ecc_key_object->tr_handle, ecc_key_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, Q, Z); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_ECDH_ZGen, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_zgen2phase(ESYS_CONTEXT *esys_context, tpm2_loaded_object *ecc_key_object, TPM2B_ECC_POINT *Q1, TPM2B_ECC_POINT *Q2, TPM2B_ECC_POINT **Z1, TPM2B_ECC_POINT **Z2, TPMI_ECC_KEY_EXCHANGE keyexchange_scheme, UINT16 commit_counter) { ESYS_TR ecc_key_obj_session_handle = ESYS_TR_NONE; tool_rc rc = tpm2_auth_util_get_shandle(esys_context, ecc_key_object->tr_handle, ecc_key_object->session, &ecc_key_obj_session_handle); if (rc != tool_rc_success) { LOG_ERR("Failed to get shandle"); return rc; } TSS2_RC rval = Esys_ZGen_2Phase(esys_context, ecc_key_object->tr_handle, ecc_key_obj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, Q1, Q2, keyexchange_scheme, commit_counter, Z1, Z2); if (rval != TSS2_RC_SUCCESS) { LOG_PERR(Esys_ZGen_2Phase, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_getsapicontext(ESYS_CONTEXT *esys_context, TSS2_SYS_CONTEXT **sys_context) { TSS2_RC rval = Esys_GetSysContext(esys_context, sys_context); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Esys_GetSysContext, rval); return tool_rc_from_tpm(rval); } return tool_rc_success; } tool_rc tpm2_sapi_getrphash(TSS2_SYS_CONTEXT *sys_context, TSS2_RC response_code, TPM2B_DIGEST *rp_hash, TPMI_ALG_HASH halg) { uint8_t command_code[4]; TSS2_RC rval = Tss2_Sys_GetCommandCode(sys_context, &command_code[0]); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_GetCommandCode, rval); return tool_rc_general_error; } const uint8_t *response_parameters; size_t response_parameters_size; rval = Tss2_Sys_GetRpBuffer(sys_context, &response_parameters_size, &response_parameters); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_GetRpBuffer, rval); return tool_rc_general_error; } uint16_t to_hash_len = sizeof(response_code) + sizeof(command_code) + response_parameters_size; uint8_t *to_hash = malloc(to_hash_len); if (!to_hash) { LOG_ERR("oom"); return tool_rc_general_error; } //Response-Code memcpy(to_hash, (uint8_t *)&response_code, sizeof(response_code)); uint16_t offset = sizeof(response_code); //Command-Code memcpy(to_hash + offset, command_code, sizeof(command_code)); offset += sizeof(command_code); //RpBuffer memcpy(to_hash + offset, response_parameters, response_parameters_size); //rpHash tool_rc rc = tool_rc_success; bool result = tpm2_openssl_hash_compute_data(halg, to_hash, to_hash_len, rp_hash); free(to_hash); if (!result) { LOG_ERR("Failed rpHash digest calculation."); rc = tool_rc_general_error; } return rc; } tool_rc tpm2_sapi_getcphash(TSS2_SYS_CONTEXT *sys_context, const TPM2B_NAME *name1, const TPM2B_NAME *name2, const TPM2B_NAME *name3, TPMI_ALG_HASH halg, TPM2B_DIGEST *cp_hash) { uint8_t command_code[4]; TSS2_RC rval = Tss2_Sys_GetCommandCode(sys_context, &command_code[0]); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_GetCommandCode, rval); return tool_rc_general_error; } const uint8_t *command_parameters; size_t command_parameters_size; rval = Tss2_Sys_GetCpBuffer(sys_context, &command_parameters_size, &command_parameters); if (rval != TPM2_RC_SUCCESS) { LOG_PERR(Tss2_Sys_GetCpBuffer, rval); return tool_rc_general_error; } uint16_t to_hash_len = sizeof(command_code) + command_parameters_size; to_hash_len += name1 ? name1->size : 0; to_hash_len += name2 ? name2->size : 0; to_hash_len += name3 ? name3->size : 0; uint8_t *to_hash = malloc(to_hash_len); if (!to_hash) { LOG_ERR("oom"); return tool_rc_general_error; } //Command-Code memcpy(to_hash, command_code, sizeof(command_code)); uint16_t offset = sizeof(command_code); //Names if (name1) { memcpy(to_hash + offset, name1->name, name1->size); offset += name1->size; } if (name2) { memcpy(to_hash + offset, name2->name, name2->size); offset += name2->size; } if (name3) { memcpy(to_hash + offset, name3->name, name3->size); offset += name3->size; } //CpBuffer memcpy(to_hash + offset, command_parameters, command_parameters_size); //cpHash tool_rc rc = tool_rc_success; bool result = tpm2_openssl_hash_compute_data(halg, to_hash, to_hash_len, cp_hash); free(to_hash); if (!result) { LOG_ERR("Failed cpHash digest calculation."); rc = tool_rc_general_error; } return rc; }