/* SPDX-License-Identifier: BSD-3-Clause */ #include #include "files.h" #include "log.h" #include "tpm2.h" #include "tpm2_tool.h" typedef struct tpm_unseal_ctx tpm_unseal_ctx; #define MAX_SESSIONS 3 #define MAX_AUX_SESSIONS 2 struct tpm_unseal_ctx { /* * Inputs */ struct { const char *ctx_path; const char *auth_str; tpm2_loaded_object object; } sealkey; /* * Outputs */ char *output_file_path; TPM2B_SENSITIVE_DATA *output_data; /* * Parameter hashes */ const char *cp_hash_path; TPM2B_DIGEST cp_hash; const char *rp_hash_path; TPM2B_DIGEST rp_hash; bool is_command_dispatch; TPMI_ALG_HASH parameter_hash_algorithm; /* * Aux sessions */ uint8_t aux_session_cnt; tpm2_session *aux_session[MAX_AUX_SESSIONS]; const char *aux_session_path[MAX_AUX_SESSIONS]; ESYS_TR aux_session_handle[MAX_AUX_SESSIONS]; }; static tpm_unseal_ctx ctx = { .aux_session_handle[0] = ESYS_TR_NONE, .aux_session_handle[1] = ESYS_TR_NONE, .parameter_hash_algorithm = TPM2_ALG_ERROR, }; tool_rc unseal(ESYS_CONTEXT *ectx) { /* * 1. TPM2_CC_ OR Retrieve cpHash */ return tpm2_unseal(ectx, &ctx.sealkey.object, &ctx.output_data, &ctx.cp_hash, &ctx.rp_hash, ctx.parameter_hash_algorithm, ctx.aux_session_handle[0], ctx.aux_session_handle[1]); } static tool_rc process_output(ESYS_CONTEXT *ectx) { UNUSED(ectx); /* * 1. Outputs that do not require TPM2_CC_ dispatch */ bool is_file_op_success = true; if (ctx.cp_hash_path) { is_file_op_success = files_save_digest(&ctx.cp_hash, ctx.cp_hash_path); if (!is_file_op_success) { return tool_rc_general_error; } } if (!ctx.is_command_dispatch) { return tool_rc_success; } /* * 2. Outputs generated after TPM2_CC_ dispatch */ if (ctx.output_file_path) { is_file_op_success = files_save_bytes_to_file(ctx.output_file_path, ctx.output_data->buffer, ctx.output_data->size); if (!is_file_op_success) { return tool_rc_general_error; } } if (!ctx.output_file_path) { is_file_op_success = files_write_bytes(stdout, ctx.output_data->buffer, ctx.output_data->size); if (!is_file_op_success) { return tool_rc_general_error; } } if (ctx.rp_hash_path) { is_file_op_success = files_save_digest(&ctx.rp_hash, ctx.rp_hash_path); } return is_file_op_success ? tool_rc_success : tool_rc_general_error; } static tool_rc process_inputs(ESYS_CONTEXT *ectx) { /* * 1. Object and auth initializations */ /* * 1.a Add the new-auth values to be set for the object. */ /* * 1.b Add object names and their auth sessions */ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.sealkey.ctx_path, ctx.sealkey.auth_str, &ctx.sealkey.object, false, TPM2_HANDLES_FLAGS_TRANSIENT | TPM2_HANDLES_FLAGS_PERSISTENT); if (rc != tool_rc_success) { LOG_ERR("Invalid item handle authorization"); return rc; } /* * 2. Restore auxiliary sessions */ rc = tpm2_util_aux_sessions_setup(ectx, ctx.aux_session_cnt, ctx.aux_session_path, ctx.aux_session_handle, ctx.aux_session); if (rc != tool_rc_success) { return rc; } /* * 3. Command specific initializations dependent on loaded objects */ /* * 4. Configuration for calculating the pHash */ /* 4.a Determine pHash length and alg */ tpm2_session *all_sessions[MAX_SESSIONS] = { ctx.sealkey.object.session, ctx.aux_session[0], ctx.aux_session[1] }; const char **cphash_path = ctx.cp_hash_path ? &ctx.cp_hash_path : 0; const char **rphash_path = ctx.rp_hash_path ? &ctx.rp_hash_path : 0; ctx.parameter_hash_algorithm = tpm2_util_calculate_phash_algorithm(ectx, cphash_path, &ctx.cp_hash, rphash_path, &ctx.rp_hash, all_sessions); /* * 4.b Determine if TPM2_CC_ is to be dispatched * !rphash && !cphash [Y] * !rphash && cphash [N] * rphash && !cphash [Y] * rphash && cphash [Y] */ ctx.is_command_dispatch = (ctx.cp_hash_path && !ctx.rp_hash_path) ? false : true; return rc; } static tool_rc check_options(void) { if (!ctx.sealkey.ctx_path) { LOG_ERR("Expected option c"); return tool_rc_option_error; } return tool_rc_success; } static bool on_option(char key, char *value) { switch (key) { case 'c': ctx.sealkey.ctx_path = value; break; case 'p': { ctx.sealkey.auth_str = value; } break; case 'o': ctx.output_file_path = value; break; case 0: ctx.cp_hash_path = value; break; case 1: ctx.rp_hash_path = value; break; case 'S': ctx.aux_session_path[ctx.aux_session_cnt] = value; if (ctx.aux_session_cnt < MAX_AUX_SESSIONS) { ctx.aux_session_cnt++; } else { return false; } break; } return true; } static bool tpm2_tool_onstart(tpm2_options **opts) { static const struct option topts[] = { { "auth", required_argument, NULL, 'p' }, { "output", required_argument, NULL, 'o' }, { "object-context", required_argument, NULL, 'c' }, { "cphash", required_argument, NULL, 0 }, { "rphash", required_argument, NULL, 1 }, { "session", required_argument, NULL, 'S' }, }; *opts = tpm2_options_new("S:p:o:c:", ARRAY_LEN(topts), topts, on_option, NULL, 0); return *opts != NULL; } static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { UNUSED(flags); /* * 1. Process options */ tool_rc rc = check_options(); if (rc != tool_rc_success) { return rc; } /* * 2. Process inputs */ rc = process_inputs(ectx); if (rc != tool_rc_success) { return rc; } /* * 3. TPM2_CC_ call */ rc = unseal(ectx); if (rc != tool_rc_success) { return rc; } /* * 4. Process outputs */ return process_output(ectx); } static tool_rc tpm2_tool_onstop(ESYS_CONTEXT *ectx) { UNUSED(ectx); /* * 1. Free objects */ free(ctx.output_data); /* * 2. Close authorization sessions */ tool_rc rc = tool_rc_success; tool_rc tmp_rc = tool_rc_success; if (!ctx.cp_hash_path) { tmp_rc = tpm2_session_close(&ctx.sealkey.object.session); if (tmp_rc != tool_rc_success) { rc = tmp_rc; } } /* * 3. Close auxiliary sessions */ uint8_t i = 0; for(i = 0; i < ctx.aux_session_cnt; i++) { if (ctx.aux_session_path[i]) { tmp_rc = tpm2_session_close(&ctx.aux_session[i]); } if (tmp_rc != tool_rc_success) { rc = tmp_rc; } } return rc; } // Register this tool with tpm2_tool.c TPM2_TOOL_REGISTER("unseal", tpm2_tool_onstart, tpm2_tool_onrun, tpm2_tool_onstop, NULL)