Startseite Erkunden Hilfe
Anmelden
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Branch: master
Branches Tags
csu3_am335x
/
EVSE
/
GPL
/
tpm2-tools-5.1
/
test
/
integration
/
tests
/
duplicate.sh

duplicate.sh 4.5 KB
Permalink Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161 
  1. # SPDX-License-Identifier: BSD-3-Clause
    2. 

  2. 

  3. source helpers.sh
    4. 

  4. 

  5. cleanup() {
    6. 

  6.     rm -f primary.ctx new_parent.prv new_parent.pub new_parent.ctx policy.dat \
    7. 

  7.     session.dat key.prv key.pub key.ctx duppriv.bin dupseed.dat key2.prv \
    8. 

  8.     key2.pub key2.ctx sym_key_in.bin \
    9. 

  9.     primary.pub rsa-priv.pem rsa.pub rsa.priv rsa.dpriv rsa.seed rsa-pub.pem rsa.sig
    10. 

  10. 

  11.     if [ "$1" != "no-shut-down" ]; then
    12. 

  12.           shut_down
    13. 

  13.     fi
    14. 

  14. }
    15. 

  15. trap cleanup EXIT
    16. 

  16. 

  17. start_up
    18. 

  18. 

  19. create_duplication_policy() {
    20. 

  20.     tpm2 startauthsession -Q -S session.dat
    21. 

  21.     tpm2 policycommandcode -Q -S session.dat -L policy.dat TPM2_CC_Duplicate
    22. 

  22.     tpm2 flushcontext -Q session.dat
    23. 

  23.     rm session.dat
    24. 

  24. }
    25. 

  25. 

  26. start_duplication_session() {
    27. 

  27.     tpm2 startauthsession -Q --policy-session -S session.dat
    28. 

  28.     tpm2 policycommandcode -Q -S session.dat -L policy.dat TPM2_CC_Duplicate
    29. 

  29. }
    30. 

  30. 

  31. end_duplication_session() {
    32. 

  32.     tpm2 flushcontext -Q session.dat
    33. 

  33.     rm session.dat
    34. 

  34. }
    35. 

  35. 

  36. dump_duplication_session() {
    37. 

  37.     rm session.dat
    38. 

  38. }
    39. 

  39. 

  40. dd if=/dev/urandom of=sym_key_in.bin bs=1 count=16 status=none
    41. 

  41. 

  42. tpm2 createprimary -Q -C o -g sha256 -G rsa -c primary.ctx
    43. 

  43. 

  44. # Create a new parent, we will only use the public portion
    45. 

  45. tpm2 create -Q -C primary.ctx -g sha256 -G rsa -r new_parent.prv \
    46. 

  46. -u new_parent.pub -a "decrypt|fixedparent|fixedtpm|restricted|\
    47. 

  47. sensitivedataorigin"
    48. 

  48. 

  49. # Create the key we want to duplicate
    50. 

  50. create_duplication_policy
    51. 

  51. tpm2 create -Q -C primary.ctx -g sha256 -G rsa -r key.prv -u key.pub \
    52. 

  52. -L policy.dat -a "sensitivedataorigin|sign|decrypt"
    53. 

  53. tpm2 load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx
    54. 

  54. 

  55. tpm2 loadexternal -Q -C o -u new_parent.pub -c new_parent.ctx
    56. 

  56. 

  57. ## Null parent, Null Sym Alg
    58. 

  58. start_duplication_session
    59. 

  59. tpm2 duplicate -Q -C null -c key.ctx -G null -p "session:session.dat" \
    60. 

  60. -r dupprv.bin -s dupseed.dat
    61. 

  61. end_duplication_session
    62. 

  62. 

  63. ## Null Sym Alg
    64. 

  64. start_duplication_session
    65. 

  65. tpm2 duplicate -Q -C new_parent.ctx -c key.ctx -G null \
    66. 

  66. -p "session:session.dat" -r dupprv.bin -s dupseed.dat
    67. 

  67. end_duplication_session
    68. 

  68. 

  69. ## Null parent
    70. 

  70. start_duplication_session
    71. 

  71. tpm2 duplicate -Q -C null -c key.ctx -G aes -i sym_key_in.bin \
    72. 

  72. -p "session:session.dat" -r dupprv.bin -s dupseed.dat
    73. 

  73. end_duplication_session
    74. 

  74. 

  75. ## AES Sym Alg, user supplied key
    76. 

  76. start_duplication_session
    77. 

  77. tpm2 duplicate -Q -C new_parent.ctx -c key.ctx -G aes -i sym_key_in.bin \
    78. 

  78. -p "session:session.dat" -r dupprv.bin -s dupseed.dat
    79. 

  79. end_duplication_session
    80. 

  80. 

  81. ## AES Sym Alg, no user supplied key
    82. 

  82. start_duplication_session
    83. 

  83. tpm2 duplicate -Q -C new_parent.ctx -c key.ctx -G aes -o sym_key_out.bin \
    84. 

  84. -p "session:session.dat" -r dupprv.bin -s dupseed.dat
    85. 

  85. end_duplication_session
    86. 

  86. 

  87. ## Repeat the tests with a key that requires encrypted duplication
    88. 

  88. tpm2 create -Q -C primary.ctx -g sha256 -G rsa -r key2.prv -u key2.pub \
    89. 

  89. -L policy.dat -a "sensitivedataorigin|sign|decrypt|encryptedduplication"
    90. 

  90. tpm2 load -Q -C primary.ctx -r key2.prv -u key2.pub -c key2.ctx
    91. 

  91. 

  92. ## AES Sym Alg, user supplied key
    93. 

  93. start_duplication_session
    94. 

  94. tpm2 duplicate -Q -C new_parent.ctx -c key2.ctx -G aes -i sym_key_in.bin \
    95. 

  95. -p "session:session.dat" -r dupprv.bin -s dupseed.dat
    96. 

  96. end_duplication_session
    97. 

  97. 

  98. ## AES Sym Alg, no user supplied key
    99. 

  99. start_duplication_session
    100. 

  100. tpm2 duplicate -Q -C new_parent.ctx -c key2.ctx -G aes -o sym_key_out.bin \
    101. 

  101. -p "session:session.dat" -r dupprv.bin -s dupseed.dat
    102. 

  102. end_duplication_session
    103. 

  103. 

  104. ## External RSA key, wrapped for the primary key
    105. 

  105. tpm2 readpublic -c primary.ctx -o primary.pub
    106. 

  106. openssl genrsa -out rsa-priv.pem
    107. 

  107. openssl rsa -in rsa-priv.pem -pubout > rsa-pub.pem
    108. 

  108. tpm2 duplicate \
    109. 

  109. 	-U primary.pub \
    110. 

  110. 	-G rsa \
    111. 

  111. 	-k rsa-priv.pem \
    112. 

  112. 	-u rsa.pub \
    113. 

  113. 	-r rsa.dpriv \
    114. 

  114. 	-s rsa.seed
    115. 

  115. tpm2 import \
    116. 

  116. 	-C primary.ctx \
    117. 

  117. 	-G rsa \
    118. 

  118. 	-i rsa.dpriv \
    119. 

  119. 	-s rsa.seed \
    120. 

  120. 	-u rsa.pub \
    121. 

  121. 	-r rsa.priv
    122. 

  122. 

  123. # validate that TPM signatures with this imported key are acceptable to OpenSSL
    124. 

  124. tpm2 load \
    125. 

  125. 	-C primary.ctx \
    126. 

  126. 	-c rsa.ctx \
    127. 

  127. 	-u rsa.pub \
    128. 

  128. 	-r rsa.priv
    129. 

  129. echo foo | tpm2 sign \
    130. 

  130. 	-c rsa.ctx \
    131. 

  131. 	-o rsa.sig \
    132. 

  132. 	-f plain
    133. 

  133. echo foo | openssl dgst \
    134. 

  134. 	-sha256 \
    135. 

  135. 	-verify rsa-pub.pem \
    136. 

  136. 	-signature rsa.sig
    137. 

  137. 

  138. 

  139. trap - ERR
    140. 

  140. 

  141. ## Null parent - should fail (TPM_RC_HIERARCHY)
    142. 

  142. start_duplication_session
    143. 

  143. tpm2 duplicate -Q -C null -c key2.ctx -G aes -i sym_key_in.bin \
    144. 

  144. -p "session:session.dat" -r dupprv.bin -s dupseed.dat
    145. 

  145. if [ $? -eq 0 ]; then
    146. 

  146.   echo "Expected \"tpm2 duplicate -C null \" to fail."
    147. 

  147.   exit 1
    148. 

  148. fi
    149. 

  149. dump_duplication_session
    150. 

  150. 

  151. ## Null Sym Alg - should fail (TPM_RC_SYMMETRIC)
    152. 

  152. start_duplication_session
    153. 

  153. tpm2 duplicate -Q -C new_parent.ctx -c key2.ctx -G null \
    154. 

  154. -p "session:session.dat" -r dupprv.bin -s dupseed.dat
    155. 

  155. if [ $? -eq 0 ]; then
    156. 

  156.   echo "Expected \"tpm2 duplicate -G null \" to fail."
    157. 

  157.   exit 1
    158. 

  158. fi
    159. 

  159. dump_duplication_session
    160. 

  160. 

  161. exit 0
    162.