Home Explore Help
Sign In
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
csu3_am335x
/
EVSE
/
GPL
/
tpm2-tools-5.1
/
tools
/
tpm2_getekcertificate.c

tpm2_getekcertificate.c 23 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816 
  1. /* SPDX-License-Identifier: BSD-3-Clause */
    2. 

  2. 

  3. #include <stdbool.h>
    4. 

  4. #include <stdio.h>
    5. 

  5. #include <stdlib.h>
    6. 

  6. #include <string.h>
    7. 

  7. 

  8. #include <curl/curl.h>
    9. 

  9. #include <openssl/buffer.h>
    10. 

  10. #include <openssl/evp.h>
    11. 

  11. #include <openssl/sha.h>
    12. 

  12. 

  13. #include "files.h"
    14. 

  14. #include "log.h"
    15. 

  15. #include "object.h"
    16. 

  16. #include "tpm2.h"
    17. 

  17. #include "tpm2_alg_util.h"
    18. 

  18. #include "tpm2_auth_util.h"
    19. 

  19. #include "tpm2_capability.h"
    20. 

  20. #include "tpm2_nv_util.h"
    21. 

  21. #include "tpm2_tool.h"
    22. 

  22. 

  23. typedef struct tpm_getekcertificate_ctx tpm_getekcertificate_ctx;
    24. 

  24. struct tpm_getekcertificate_ctx {
    25. 

  25.     // TPM Device properties
    26. 

  26.     bool is_tpm2_device_active;
    27. 

  27.     bool is_cert_on_nv;
    28. 

  28.     bool is_intc_cert;
    29. 

  29.     bool is_rsa_ek_cert_nv_location_defined;
    30. 

  30.     bool is_ecc_ek_cert_nv_location_defined;
    31. 

  31.     bool is_tpmgeneratedeps;
    32. 

  32.     // Certficate data handling
    33. 

  33.     uint8_t cert_count;
    34. 

  34.     char *ec_cert_path_1;
    35. 

  35.     FILE *ec_cert_file_handle_1;
    36. 

  36.     char *ec_cert_path_2;
    37. 

  37.     FILE *ec_cert_file_handle_2;
    38. 

  38.     unsigned char *rsa_cert_buffer;
    39. 

  39.     uint16_t rsa_cert_buffer_size;
    40. 

  40.     unsigned char *ecc_cert_buffer;
    41. 

  41.     uint16_t ecc_cert_buffer_size;
    42. 

  42.     bool is_cert_raw;
    43. 

  43.     // EK certificate hosting particulars
    44. 

  44.     char *ek_server_addr;
    45. 

  45.     unsigned int SSL_NO_VERIFY;
    46. 

  46.     char *ek_path;
    47. 

  47.     bool verbose;
    48. 

  48.     TPM2B_PUBLIC *out_public;
    49. 

  49. };
    50. 

  50. 

  51. static tpm_getekcertificate_ctx ctx = {
    52. 

  52.     .is_tpm2_device_active = true,
    53. 

  53.     .ek_server_addr = "https://ekop.intel.com/ekcertservice/",
    54. 

  54.     .is_cert_on_nv = true,
    55. 

  55.     .cert_count = 0,
    56. 

  56. };
    57. 

  57. 

  58. static unsigned char *hash_ek_public(void) {
    59. 

  59. 

  60.     unsigned char *hash = (unsigned char*) malloc(SHA256_DIGEST_LENGTH);
    61. 

  61.     if (!hash) {
    62. 

  62.         LOG_ERR("OOM");
    63. 

  63.         return NULL;
    64. 

  64.     }
    65. 

  65. 

  66.     SHA256_CTX sha256;
    67. 

  67.     int is_success = SHA256_Init(&sha256);
    68. 

  68.     if (!is_success) {
    69. 

  69.         LOG_ERR("SHA256_Init failed");
    70. 

  70.         goto err;
    71. 

  71.     }
    72. 

  72. 

  73.     switch (ctx.out_public->publicArea.type) {
    74. 

  74.     case TPM2_ALG_RSA:
    75. 

  75.         is_success = SHA256_Update(&sha256,
    76. 

  76.                 ctx.out_public->publicArea.unique.rsa.buffer,
    77. 

  77.                 ctx.out_public->publicArea.unique.rsa.size);
    78. 

  78.         if (!is_success) {
    79. 

  79.             LOG_ERR("SHA256_Update failed");
    80. 

  80.             goto err;
    81. 

  81.         }
    82. 

  82. 

  83.         if (ctx.out_public->publicArea.parameters.rsaDetail.exponent != 0) {
    84. 

  84.             LOG_ERR("non-default exponents unsupported");
    85. 

  85.             goto err;
    86. 

  86.         }
    87. 

  87.         BYTE buf[3] = { 0x1, 0x00, 0x01 }; // Exponent
    88. 

  88.         is_success = SHA256_Update(&sha256, buf, sizeof(buf));
    89. 

  89.         if (!is_success) {
    90. 

  90.             LOG_ERR("SHA256_Update failed");
    91. 

  91.             goto err;
    92. 

  92.         }
    93. 

  93.         break;
    94. 

  94. 

  95.     case TPM2_ALG_ECC:
    96. 

  96.         is_success = SHA256_Update(&sha256,
    97. 

  97.                 ctx.out_public->publicArea.unique.ecc.x.buffer,
    98. 

  98.                 ctx.out_public->publicArea.unique.ecc.x.size);
    99. 

  99.         if (!is_success) {
    100. 

  100.             LOG_ERR("SHA256_Update failed");
    101. 

  101.             goto err;
    102. 

  102.         }
    103. 

  103. 

  104.         is_success = SHA256_Update(&sha256,
    105. 

  105.                 ctx.out_public->publicArea.unique.ecc.y.buffer,
    106. 

  106.                 ctx.out_public->publicArea.unique.ecc.y.size);
    107. 

  107.         if (!is_success) {
    108. 

  108.             LOG_ERR("SHA256_Update failed");
    109. 

  109.             goto err;
    110. 

  110.         }
    111. 

  111.         break;
    112. 

  112. 

  113.     default:
    114. 

  114.         LOG_ERR("unsupported EK algorithm");
    115. 

  115.         goto err;
    116. 

  116.     }
    117. 

  117. 

  118.     is_success = SHA256_Final(hash, &sha256);
    119. 

  119.     if (!is_success) {
    120. 

  120.         LOG_ERR("SHA256_Final failed");
    121. 

  121.         goto err;
    122. 

  122.     }
    123. 

  123. 

  124.     if (ctx.verbose) {
    125. 

  125.         tpm2_tool_output("public-key-hash:\n");
    126. 

  126.         tpm2_tool_output("  sha256: ");
    127. 

  127.         unsigned i;
    128. 

  128.         for (i = 0; i < SHA256_DIGEST_LENGTH; i++) {
    129. 

  129.             tpm2_tool_output("%02X", hash[i]);
    130. 

  130.         }
    131. 

  131.         tpm2_tool_output("\n");
    132. 

  132.     }
    133. 

  133. 

  134.     return hash;
    135. 

  135. err:
    136. 

  136.     free(hash);
    137. 

  137.     return NULL;
    138. 

  138. }
    139. 

  139. 

  140. static char *base64_encode(const unsigned char* buffer)
    141. 

  141. {
    142. 

  142.     BIO *bio, *b64;
    143. 

  143.     BUF_MEM *buffer_pointer;
    144. 

  144. 

  145.     LOG_INFO("Calculating the base64_encode of the hash of the Endorsement"
    146. 

  146.              "Public Key:");
    147. 

  147. 

  148.     if (buffer == NULL) {
    149. 

  149.         LOG_ERR("hash_ek_public returned null");
    150. 

  150.         return NULL;
    151. 

  151.     }
    152. 

  152. 

  153.     b64 = BIO_new(BIO_f_base64());
    154. 

  154.     bio = BIO_new(BIO_s_mem());
    155. 

  155.     bio = BIO_push(b64, bio);
    156. 

  156.     BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL);
    157. 

  157.     BIO_write(bio, buffer, SHA256_DIGEST_LENGTH);
    158. 

  158.     UNUSED(BIO_flush(bio));
    159. 

  159.     BIO_get_mem_ptr(bio, &buffer_pointer);
    160. 

  160. 

  161.     /* these are not NULL terminated */
    162. 

  162.     char *b64text = buffer_pointer->data;
    163. 

  163.     size_t len = buffer_pointer->length;
    164. 

  164. 

  165.     size_t i;
    166. 

  166.     for (i = 0; i < len; i++) {
    167. 

  167.         if (b64text[i] == '+') {
    168. 

  168.             b64text[i] = '-';
    169. 

  169.         }
    170. 

  170.         if (b64text[i] == '/') {
    171. 

  171.             b64text[i] = '_';
    172. 

  172.         }
    173. 

  173.     }
    174. 

  174. 

  175.     char *final_string = NULL;
    176. 

  176. 

  177.     CURL *curl = curl_easy_init();
    178. 

  178.     if (curl) {
    179. 

  179.         char *output = curl_easy_escape(curl, b64text, len);
    180. 

  180.         if (output) {
    181. 

  181.             final_string = strdup(output);
    182. 

  182.             curl_free(output);
    183. 

  183.         }
    184. 

  184.     }
    185. 

  185.     curl_easy_cleanup(curl);
    186. 

  186.     curl_global_cleanup();
    187. 

  187.     BIO_free_all(bio);
    188. 

  188. 

  189.     /* format to a proper NULL terminated string */
    190. 

  190.     return final_string;
    191. 

  191. }
    192. 

  192. 

  193. static size_t writecallback(char *contents, size_t size, size_t nitems,
    194. 

  194.     void *CERT_BUFFER) {
    195. 

  195. 

  196.     strncpy(CERT_BUFFER, (const char *)contents, nitems * size);
    197. 

  197.     ctx.rsa_cert_buffer_size = nitems * size;
    198. 

  198. 

  199.     return ctx.rsa_cert_buffer_size;
    200. 

  200. }
    201. 

  201. 

  202. static bool retrieve_web_endorsement_certificate(char *b64h) {
    203. 

  203. 

  204.     #define NULL_TERM_LEN 1                 // '\0'
    205. 

  205.     #define PATH_JOIN_CHAR_LEN 1            // '/'
    206. 

  206.     size_t len = strlen(ctx.ek_server_addr) + strlen(b64h) + NULL_TERM_LEN +
    207. 

  207.         PATH_JOIN_CHAR_LEN;
    208. 

  208.     char *weblink = (char *) malloc(len);
    209. 

  209.     if (!weblink) {
    210. 

  210.         LOG_ERR("oom");
    211. 

  211.         return false;
    212. 

  212.     }
    213. 

  213. 

  214.     bool ret = true;
    215. 

  215.     CURLcode rc = curl_global_init(CURL_GLOBAL_DEFAULT);
    216. 

  216.     if (rc != CURLE_OK) {
    217. 

  217.         LOG_ERR("curl_global_init failed: %s", curl_easy_strerror(rc));
    218. 

  218.         ret = false;
    219. 

  219.         goto out_memory;
    220. 

  220.     }
    221. 

  221. 

  222.     CURL *curl = curl_easy_init();
    223. 

  223.     if (!curl) {
    224. 

  224.         LOG_ERR("curl_easy_init failed");
    225. 

  225.         ret = false;
    226. 

  226.         goto out_global_cleanup;
    227. 

  227.     }
    228. 

  228. 

  229.     /*
    230. 

  230.      * should not be used - Used only on platforms with older CA certificates.
    231. 

  231.      */
    232. 

  232.     if (ctx.SSL_NO_VERIFY) {
    233. 

  233.         rc = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
    234. 

  234.         if (rc != CURLE_OK) {
    235. 

  235.             LOG_ERR("curl_easy_setopt for CURLOPT_SSL_VERIFYPEER failed: %s",
    236. 

  236.                     curl_easy_strerror(rc));
    237. 

  237.             ret = false;
    238. 

  238.             goto out_easy_cleanup;
    239. 

  239.         }
    240. 

  240.     }
    241. 

  241. 

  242.     snprintf(weblink, len, "%s%s%s", ctx.ek_server_addr, "/", b64h);
    243. 

  243.     rc = curl_easy_setopt(curl, CURLOPT_URL, weblink);
    244. 

  244.     if (rc != CURLE_OK) {
    245. 

  245.         LOG_ERR("curl_easy_setopt for CURLOPT_URL failed: %s",
    246. 

  246.                 curl_easy_strerror(rc));
    247. 

  247.         ret = false;
    248. 

  248.         goto out_easy_cleanup;
    249. 

  249.     }
    250. 

  250. 

  251.     /*
    252. 

  252.      * If verbose is set, add in diagnostic information for debugging connections.
    253. 

  253.      * https://curl.haxx.se/libcurl/c/CURLOPT_VERBOSE.html
    254. 

  254.      */
    255. 

  255.     rc = curl_easy_setopt(curl, CURLOPT_VERBOSE, (long )ctx.verbose);
    256. 

  256.     if (rc != CURLE_OK) {
    257. 

  257.         LOG_ERR("curl_easy_setopt for CURLOPT_VERBOSE failed: %s",
    258. 

  258.                 curl_easy_strerror(rc));
    259. 

  259.         ret = false;
    260. 

  260.         goto out_easy_cleanup;
    261. 

  261.     }
    262. 

  262. 

  263.     rc = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writecallback);
    264. 

  264.     if (rc != CURLE_OK) {
    265. 

  265.         LOG_ERR("curl_easy_setopt for CURLOPT_WRITEFUNCTION failed: %s",
    266. 

  266.                 curl_easy_strerror(rc));
    267. 

  267.         ret = false;
    268. 

  268.         goto out_easy_cleanup;
    269. 

  269.     }
    270. 

  270.     /*
    271. 

  271.      * As only one cert is downloaded at a time, we can simply use
    272. 

  272.      * rsa_cert_buffer for either RSA EK cert or ECC EK cert.
    273. 

  273.      */
    274. 

  274.     ctx.rsa_cert_buffer = malloc(CURL_MAX_WRITE_SIZE);
    275. 

  275.     rc = curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)ctx.rsa_cert_buffer);
    276. 

  276.     if (rc != CURLE_OK) {
    277. 

  277.         LOG_ERR("curl_easy_setopt for CURLOPT_WRITEDATA failed: %s",
    278. 

  278.                 curl_easy_strerror(rc));
    279. 

  279.         ret = false;
    280. 

  280.         goto out_easy_cleanup;
    281. 

  281.     }
    282. 

  282. 

  283.     rc = curl_easy_setopt(curl, CURLOPT_FAILONERROR, true);
    284. 

  284.     if (rc != CURLE_OK) {
    285. 

  285.         LOG_ERR("curl_easy_setopt for CURLOPT_FAILONERROR failed: %s",
    286. 

  286.                 curl_easy_strerror(rc));
    287. 

  287.         goto out_easy_cleanup;
    288. 

  288.     }
    289. 

  289. 

  290.     rc = curl_easy_perform(curl);
    291. 

  291.     if (rc != CURLE_OK) {
    292. 

  292.         LOG_ERR("curl_easy_perform() failed: %s", curl_easy_strerror(rc));
    293. 

  293.         ret = false;
    294. 

  294.         goto out_easy_cleanup;
    295. 

  295.     }
    296. 

  296. 

  297. out_easy_cleanup:
    298. 

  298.     curl_easy_cleanup(curl);
    299. 

  299. out_global_cleanup:
    300. 

  300.     curl_global_cleanup();
    301. 

  301. out_memory:
    302. 

  302.     free(weblink);
    303. 

  303. 

  304.     return ret;
    305. 

  305. }
    306. 

  306. 

  307. static bool get_web_ek_certificate(void) {
    308. 

  308. 

  309.     if (ctx.SSL_NO_VERIFY) {
    310. 

  310.         LOG_WARN("TLS communication with the said TPM manufacturer server setup"
    311. 

  311.                  " with SSL_NO_VERIFY!");
    312. 

  312.     }
    313. 

  313. 

  314.     bool ret = true;
    315. 

  315.     unsigned char *hash = hash_ek_public();
    316. 

  316.     char *b64 = base64_encode(hash);
    317. 

  317.     if (!b64) {
    318. 

  318.         LOG_ERR("base64_encode returned null");
    319. 

  319.         ret = false;
    320. 

  320.         goto out;
    321. 

  321.     }
    322. 

  322. 

  323.     LOG_INFO("%s", b64);
    324. 

  324. 

  325.     ret = retrieve_web_endorsement_certificate(b64);
    326. 

  326. 

  327.     free(b64);
    328. 

  328. out:
    329. 

  329.     free(hash);
    330. 

  330.     return ret;
    331. 

  331. }
    332. 

  332. 

  333. #define INTC 0x494E5443
    334. 

  334. #define IBM  0x49424D20
    335. 

  335. #define RSA_EK_CERT_NV_INDEX 0x01C00002
    336. 

  336. #define ECC_EK_CERT_NV_INDEX 0x01C0000A
    337. 

  337. tool_rc get_tpm_properties(ESYS_CONTEXT *ectx) {
    338. 

  338. 

  339.     TPMI_YES_NO more_data;
    340. 

  340.     TPMS_CAPABILITY_DATA *capability_data;
    341. 

  341.     tool_rc rc = tool_rc_success;
    342. 

  342.     rc = tpm2_getcap(ectx, TPM2_CAP_TPM_PROPERTIES, TPM2_PT_MANUFACTURER,
    343. 

  343.             1, &more_data, &capability_data);
    344. 

  344.     if (rc != tool_rc_success) {
    345. 

  345.         LOG_ERR("TPM property read failure.");
    346. 

  346.         goto get_tpm_properties_out;
    347. 

  347.     }
    348. 

  348. 

  349.     if (capability_data->data.tpmProperties.tpmProperty[0].value == IBM) {
    350. 

  350.         LOG_WARN("The TPM device is a simulator —— Inspect the certficate chain and root certificate");
    351. 

  351.     }
    352. 

  352. 

  353.     if (capability_data->data.tpmProperties.tpmProperty[0].value == INTC) {
    354. 

  354.         ctx.is_intc_cert = true;
    355. 

  355.     }
    356. 

  356. 

  357.     free(capability_data);
    358. 

  358.     rc = tpm2_getcap(ectx, TPM2_CAP_TPM_PROPERTIES, TPM2_PT_PERMANENT,
    359. 

  359.             1, &more_data, &capability_data);
    360. 

  360.     if (rc != tool_rc_success) {
    361. 

  361.         LOG_ERR("TPM property read failure.");
    362. 

  362.         goto get_tpm_properties_out;
    363. 

  363.     }
    364. 

  364. 

  365.     if (capability_data->data.tpmProperties.tpmProperty[0].value &
    366. 

  366.         TPMA_PERMANENT_TPMGENERATEDEPS) {
    367. 

  367.             ctx.is_tpmgeneratedeps = true;
    368. 

  368.     }
    369. 

  369. 

  370.     free(capability_data);
    371. 

  371.     rc = tpm2_getcap(ectx, TPM2_CAP_HANDLES,
    372. 

  372.         tpm2_util_hton_32(TPM2_HT_NV_INDEX), TPM2_PT_NV_INDEX_MAX, NULL,
    373. 

  373.         &capability_data);
    374. 

  374.     if (rc != tool_rc_success) {
    375. 

  375.         LOG_ERR("Failed to read capability data for NV indices.");
    376. 

  376.         ctx.is_cert_on_nv = false;
    377. 

  377.         goto get_tpm_properties_out;
    378. 

  378.     }
    379. 

  379. 

  380.     if (capability_data->data.handles.count == 0) {
    381. 

  381.         ctx.is_cert_on_nv = false;
    382. 

  382.         goto get_tpm_properties_out;
    383. 

  383.     }
    384. 

  384. 

  385.     UINT32 i;
    386. 

  386.     for (i = 0; i < capability_data->data.handles.count; i++) {
    387. 

  387.         TPMI_RH_NV_INDEX index = capability_data->data.handles.handle[i];
    388. 

  388.         if (index == RSA_EK_CERT_NV_INDEX) {
    389. 

  389.             ctx.is_rsa_ek_cert_nv_location_defined = true;
    390. 

  390.         }
    391. 

  391.         if (index == ECC_EK_CERT_NV_INDEX) {
    392. 

  392.             ctx.is_ecc_ek_cert_nv_location_defined = true;
    393. 

  393.         }
    394. 

  394.     }
    395. 

  395. 

  396.     if (!ctx.is_rsa_ek_cert_nv_location_defined &&
    397. 

  397.     !ctx.is_ecc_ek_cert_nv_location_defined) {
    398. 

  398.         ctx.is_cert_on_nv = false;
    399. 

  399.     }
    400. 

  400. 

  401. get_tpm_properties_out:
    402. 

  402.     free(capability_data);
    403. 

  403.     return rc;
    404. 

  404. }
    405. 

  405. 

  406. static tool_rc nv_read(ESYS_CONTEXT *ectx, TPMI_RH_NV_INDEX nv_index) {
    407. 

  407. 

  408.     /*
    409. 

  409.      * Typical NV Index holding EK certificate has an empty auth
    410. 

  410.      * with attributes:
    411. 

  411.      * ppwrite|ppread|ownerread|authread|no_da|written|platformcreate
    412. 

  412.      */
    413. 

  413.     char index_string[11];
    414. 

  414.     if (nv_index == RSA_EK_CERT_NV_INDEX) {
    415. 

  415.         strcpy(index_string, "0x01C00002");
    416. 

  416.     } else {
    417. 

  417.         strcpy(index_string, "0x01C0000A");
    418. 

  418.     }
    419. 

  419.     tpm2_loaded_object object;
    420. 

  420.     tool_rc tmp_rc = tool_rc_success;
    421. 

  421.     tool_rc rc = tpm2_util_object_load_auth(ectx, index_string, NULL, &object,
    422. 

  422.         false, TPM2_HANDLE_FLAGS_NV);
    423. 

  423.     if (rc != tool_rc_success) {
    424. 

  424.         goto nv_read_out;
    425. 

  425.     }
    426. 

  426. 

  427.     rc = nv_index == RSA_EK_CERT_NV_INDEX ?
    428. 

  428.          tpm2_util_nv_read(ectx, nv_index, 0, 0, &object, &ctx.rsa_cert_buffer,
    429. 

  429.          &ctx.rsa_cert_buffer_size, 0) :
    430. 

  430.          tpm2_util_nv_read(ectx, nv_index, 0, 0, &object, &ctx.ecc_cert_buffer,
    431. 

  431.          &ctx.ecc_cert_buffer_size, 0);
    432. 

  432. 

  433. nv_read_out:
    434. 

  434.     tmp_rc = tpm2_session_close(&object.session);
    435. 

  435.     if (rc != tool_rc_success) {
    436. 

  436.         return tmp_rc;
    437. 

  437.     }
    438. 

  438. 

  439.     return rc;
    440. 

  440. }
    441. 

  441. 

  442. static tool_rc get_nv_ek_certificate(ESYS_CONTEXT *ectx) {
    443. 

  443. 

  444.     if (!ctx.is_cert_on_nv) {
    445. 

  445.         LOG_ERR("TCG specified location for EK certs aren't defined.");
    446. 

  446.         return tool_rc_general_error;
    447. 

  447.     }
    448. 

  448. 

  449.     if (ctx.SSL_NO_VERIFY) {
    450. 

  450.         LOG_WARN("Ignoring -X or --allow-unverified if EK certificate found on NV");
    451. 

  451.     }
    452. 

  452. 

  453.     if (ctx.ek_path) {
    454. 

  454.         LOG_WARN("Ignoring -u or --ek-public option if EK certificate found on NV");
    455. 

  455.         return tool_rc_option_error;
    456. 

  456.     }
    457. 

  457. 

  458.     if (ctx.is_rsa_ek_cert_nv_location_defined &&
    459. 

  459.     ctx.is_ecc_ek_cert_nv_location_defined && ctx.cert_count == 1) {
    460. 

  460.         LOG_WARN("Found 2 certficates on NV. Add another -o to save the ECC cert");
    461. 

  461.     }
    462. 

  462. 

  463.     if ((!ctx.is_rsa_ek_cert_nv_location_defined ||
    464. 

  464.     !ctx.is_ecc_ek_cert_nv_location_defined) && ctx.cert_count == 2) {
    465. 

  465.         LOG_WARN("Ignoring the additional output file since only 1 cert found on NV");
    466. 

  466.     }
    467. 

  467. 

  468.     tool_rc rc = tool_rc_success;
    469. 

  469.     if (ctx.is_rsa_ek_cert_nv_location_defined) {
    470. 

  470.         rc = nv_read(ectx, RSA_EK_CERT_NV_INDEX);
    471. 

  471.         if (rc != tool_rc_success) {
    472. 

  472.             return rc;
    473. 

  473.         }
    474. 

  474.     }
    475. 

  475. 

  476.     if (ctx.is_ecc_ek_cert_nv_location_defined) {
    477. 

  477.         rc = nv_read(ectx, ECC_EK_CERT_NV_INDEX);
    478. 

  478.     }
    479. 

  479. 

  480.     return rc;
    481. 

  481. }
    482. 

  482. 

  483. static tool_rc print_intel_ek_certificate_warning(void) {
    484. 

  484. 

  485.     if (ctx.is_intc_cert && ctx.is_tpmgeneratedeps && !ctx.is_cert_on_nv) {
    486. 

  486. 

  487.         LOG_ERR("Cannot proceed. For further information please refer to: "
    488. 

  488.                 "https://www.intel.com/content/www/us/en/security-center/"
    489. 

  489.                 "advisory/intel-sa-00086.html. Recovery tools are located here:"
    490. 

  490.                 "https://github.com/intel/INTEL-SA-00086-Linux-Recovery-Tools");
    491. 

  491. 

  492.         return tool_rc_general_error;
    493. 

  493.     }
    494. 

  494. 

  495.     return tool_rc_success;
    496. 

  496. }
    497. 

  497. 

  498. static tool_rc get_ek_certificates(ESYS_CONTEXT *ectx) {
    499. 

  499. 

  500.     tool_rc rc = tool_rc_success;
    501. 

  501.     if (ctx.is_cert_on_nv) {
    502. 

  502.         rc = get_nv_ek_certificate(ectx);
    503. 

  503.         if (rc == tool_rc_success) {
    504. 

  504.             return rc;
    505. 

  505.         } else {
    506. 

  506.             LOG_WARN("EK certificate not found on NV");
    507. 

  507.             ctx.is_cert_on_nv = false;
    508. 

  508.         }
    509. 

  509.     }
    510. 

  510. 

  511.     /*
    512. 

  512.      * Following is everything applicable to ctx.is_cert_on_nv = false.
    513. 

  513.      */
    514. 

  514. 

  515.     rc = print_intel_ek_certificate_warning();
    516. 

  516.     if (rc != tool_rc_success) {
    517. 

  517.         return rc;
    518. 

  518.     }
    519. 

  519. 

  520.     if (!ctx.ek_path) {
    521. 

  521.         LOG_ERR("Must specify the EK public key path");
    522. 

  522.         return tool_rc_option_error;
    523. 

  523.     }
    524. 

  524. 

  525.     if (ctx.cert_count > 1) {
    526. 

  526.         LOG_ERR("Specify one output path for EK cert file per EK public key");
    527. 

  527.         return tool_rc_option_error;
    528. 

  528.     }
    529. 

  529. 

  530.     bool retval = get_web_ek_certificate();
    531. 

  531.     if (!retval) {
    532. 

  532.         return tool_rc_general_error;
    533. 

  533.     }
    534. 

  534. 

  535.     return tool_rc_success;
    536. 

  536. }
    537. 

  537. 

  538. static tool_rc process_input(ESYS_CONTEXT *ectx) {
    539. 

  539. 

  540.     if (ctx.ek_path) {
    541. 

  541.         ctx.out_public = malloc(sizeof(*ctx.out_public));
    542. 

  542.         ctx.out_public->size = 0;
    543. 

  543.         bool res = files_load_public(ctx.ek_path, ctx.out_public);
    544. 

  544.         if (!res) {
    545. 

  545.             LOG_ERR("Could not load EK public from file");
    546. 

  546.             return tool_rc_general_error;
    547. 

  547.         }
    548. 

  548.     }
    549. 

  549. 

  550.     tool_rc rc = tool_rc_success;
    551. 

  551.     if (ctx.is_tpm2_device_active) {
    552. 

  552.         rc = get_tpm_properties(ectx);
    553. 

  553.         if (rc != tool_rc_success) {
    554. 

  554.             return rc;
    555. 

  555.         }
    556. 

  556.     }
    557. 

  557. 

  558.     return print_intel_ek_certificate_warning();
    559. 

  559. }
    560. 

  560. 

  561. static char *base64_decode(char **split, unsigned int cert_length) {
    562. 

  562. 

  563.     *split += strlen("certficate\" : ");
    564. 

  564.     char *final_string = NULL;
    565. 

  565.     int outlen;
    566. 

  566.     CURL *curl = curl_easy_init();
    567. 

  567.     if (curl) {
    568. 

  568.         char *output = curl_easy_unescape(curl, *split, cert_length, &outlen);
    569. 

  569.         if (output) {
    570. 

  570.             final_string = strdup(output);
    571. 

  571.             curl_free(output);
    572. 

  572.         }
    573. 

  573.     }
    574. 

  574.     curl_easy_cleanup(curl);
    575. 

  575.     curl_global_cleanup();
    576. 

  576. 

  577.     if(final_string) {
    578. 

  578.         size_t i;
    579. 

  579.         for (i = 0; i < strlen(final_string); i++) {
    580. 

  580.             final_string[i] = final_string[i] == '-' ? '+'  : final_string[i];
    581. 

  581.             final_string[i] = final_string[i] == '_' ? '/'  : final_string[i];
    582. 

  582.             final_string[i] = final_string[i] == '"' ? '\0' : final_string[i];
    583. 

  583.             final_string[i] = final_string[i] == '}' ? '\0' : final_string[i];
    584. 

  584.         }
    585. 

  585.     }
    586. 

  586. 

  587.     return final_string;
    588. 

  588. }
    589. 

  589. 

  590. #define PEM_BEGIN_CERT_LINE "\n-----BEGIN CERTIFICATE-----\n"
    591. 

  591. #define PEM_END_CERT_LINE "\n-----END CERTIFICATE-----\n"
    592. 

  592. static tool_rc process_output(void) {
    593. 

  593. 

  594.     /*
    595. 

  595.      * Check if the cert is from INTC based on certificated data containing
    596. 

  596.      * the EK public hash in addition to the certificate data.
    597. 

  597.      * If so set the flag.
    598. 

  598.      */
    599. 

  599.     if (ctx.rsa_cert_buffer) {
    600. 

  600.         ctx.is_intc_cert = ctx.is_intc_cert ? ctx.is_intc_cert :
    601. 

  601.         !(strncmp((const char *)ctx.rsa_cert_buffer,
    602. 

  602.             "{\"pubhash", strlen("{\"pubhash")));
    603. 

  603.     }
    604. 

  604. 

  605.     if (ctx.ecc_cert_buffer) {
    606. 

  606.         ctx.is_intc_cert = ctx.is_intc_cert ? ctx.is_intc_cert :
    607. 

  607.         !(strncmp((const char *)ctx.ecc_cert_buffer,
    608. 

  608.             "{\"pubhash", strlen("{\"pubhash")));
    609. 

  609.     }
    610. 

  610. 

  611.     /*
    612. 

  612.      *  Convert Intel EK certificates as received in the URL safe variant of
    613. 

  613.      *  Base 64: https://tools.ietf.org/html/rfc4648#section-5 to PEM
    614. 

  614.      */
    615. 

  615.     if (ctx.rsa_cert_buffer && ctx.is_intc_cert && !ctx.is_cert_raw) {
    616. 

  616.         char *split = strstr((const char *)ctx.rsa_cert_buffer, "certificate");
    617. 

  617.         char *copy_buffer = base64_decode(&split, ctx.rsa_cert_buffer_size);
    618. 

  618.         ctx.rsa_cert_buffer_size = strlen(PEM_BEGIN_CERT_LINE) +
    619. 

  619.             strlen(copy_buffer) + strlen(PEM_END_CERT_LINE);
    620. 

  620.         strcpy((char *)ctx.rsa_cert_buffer, PEM_BEGIN_CERT_LINE);
    621. 

  621.         strcpy((char *)ctx.rsa_cert_buffer + strlen(PEM_BEGIN_CERT_LINE),
    622. 

  622.             copy_buffer);
    623. 

  623.         strcpy((char *)ctx.rsa_cert_buffer + strlen(PEM_BEGIN_CERT_LINE) +
    624. 

  624.             strlen(copy_buffer), PEM_END_CERT_LINE);
    625. 

  625.         free(copy_buffer);
    626. 

  626.     }
    627. 

  627. 

  628.     if (ctx.ecc_cert_buffer && ctx.is_intc_cert && !ctx.is_cert_raw) {
    629. 

  629.         char *split = strstr((const char *)ctx.ecc_cert_buffer, "certificate");
    630. 

  630.         char *copy_buffer = base64_decode(&split, ctx.ecc_cert_buffer_size);
    631. 

  631.         ctx.ecc_cert_buffer_size = strlen(PEM_BEGIN_CERT_LINE) +
    632. 

  632.             strlen(copy_buffer) + strlen(PEM_END_CERT_LINE);
    633. 

  633.         strcpy((char *)ctx.ecc_cert_buffer, PEM_BEGIN_CERT_LINE);
    634. 

  634.         strcpy((char *)ctx.ecc_cert_buffer + strlen(PEM_BEGIN_CERT_LINE),
    635. 

  635.             copy_buffer);
    636. 

  636.         strcpy((char *)ctx.ecc_cert_buffer + strlen(PEM_BEGIN_CERT_LINE) +
    637. 

  637.             strlen(copy_buffer), PEM_END_CERT_LINE);
    638. 

  638.         free(copy_buffer);
    639. 

  639.     }
    640. 

  640. 

  641.     bool retval = true;
    642. 

  642.     if (ctx.rsa_cert_buffer) {
    643. 

  643.         retval = files_write_bytes(
    644. 

  644.             ctx.ec_cert_file_handle_1 ? ctx.ec_cert_file_handle_1 : stdout,
    645. 

  645.             ctx.rsa_cert_buffer, ctx.rsa_cert_buffer_size);
    646. 

  646.         if (!retval) {
    647. 

  647.             return tool_rc_general_error;
    648. 

  648.         }
    649. 

  649.     }
    650. 

  650. 

  651.     if (ctx.ecc_cert_buffer) {
    652. 

  652.         retval = files_write_bytes(
    653. 

  653.             ctx.ec_cert_file_handle_2 ? ctx.ec_cert_file_handle_2 :
    654. 

  654.             ctx.rsa_cert_buffer ? stdout : ctx.ec_cert_file_handle_1,
    655. 

  655.             ctx.ecc_cert_buffer, ctx.ecc_cert_buffer_size);
    656. 

  656.         if (!retval) {
    657. 

  657.             return tool_rc_general_error;
    658. 

  658.         }
    659. 

  659.     }
    660. 

  660. 

  661.     return tool_rc_success;
    662. 

  662. }
    663. 

  663. 

  664. static tool_rc check_input_options(void) {
    665. 

  665. 

  666.     if (!ctx.ek_path && !ctx.is_cert_on_nv) {
    667. 

  667.         LOG_ERR("Must specify the EK public key path");
    668. 

  668.         return tool_rc_option_error;
    669. 

  669.     }
    670. 

  670. 

  671.     if (!ctx.ek_server_addr && !ctx.is_cert_on_nv) {
    672. 

  672.         LOG_ERR("Must specify a valid remote server url!");
    673. 

  673.         return tool_rc_option_error;
    674. 

  674.     }
    675. 

  675. 

  676.     if (ctx.ec_cert_path_1) {
    677. 

  677.         ctx.ec_cert_file_handle_1 = fopen(ctx.ec_cert_path_1, "wb");
    678. 

  678.         if (!ctx.ec_cert_file_handle_1) {
    679. 

  679.             LOG_ERR("Could not open file for writing: \"%s\"",
    680. 

  680.                 ctx.ec_cert_path_1);
    681. 

  681.             return tool_rc_general_error;
    682. 

  682.         }
    683. 

  683.     }
    684. 

  684. 

  685.     if (ctx.ec_cert_path_2) {
    686. 

  686.         ctx.ec_cert_file_handle_2 = fopen(ctx.ec_cert_path_2, "wb");
    687. 

  687.         if (!ctx.ec_cert_file_handle_2) {
    688. 

  688.             LOG_ERR("Could not open file for writing: \"%s\"",
    689. 

  689.                 ctx.ec_cert_path_2);
    690. 

  690.             return tool_rc_general_error;
    691. 

  691.         }
    692. 

  692.     }
    693. 

  693. 

  694.     return tool_rc_success;
    695. 

  695. }
    696. 

  696. 

  697. static bool on_args(int argc, char **argv) {
    698. 

  698. 

  699.     if (argc > 1) {
    700. 

  700.         LOG_ERR("Only supports one remote server url, got: %d", argc);
    701. 

  701.         return false;
    702. 

  702.     }
    703. 

  703. 

  704.     ctx.ek_server_addr = argv[0];
    705. 

  705.     ctx.is_cert_on_nv = false;
    706. 

  706. 

  707.     return true;
    708. 

  708. }
    709. 

  709. 

  710. static bool on_option(char key, char *value) {
    711. 

  711. 

  712.     switch (key) {
    713. 

  713.     case 'o':
    714. 

  714.         if (ctx.cert_count < 2) {
    715. 

  715.             ctx.cert_count++;
    716. 

  716.         } else {
    717. 

  717.             LOG_ERR("Specify only 2 outputs for RSA/ ECC certificates");
    718. 

  718.             return false;
    719. 

  719.         }
    720. 

  720.         if (ctx.cert_count == 1) {
    721. 

  721.             ctx.ec_cert_path_1 = value;
    722. 

  722.         }
    723. 

  723.         if (ctx.cert_count == 2) {
    724. 

  724.             ctx.ec_cert_path_2 = value;
    725. 

  725.         }
    726. 

  726.         break;
    727. 

  727.     case 'X':
    728. 

  728.         ctx.SSL_NO_VERIFY = 1;
    729. 

  729.         break;
    730. 

  730.     case 'u':
    731. 

  731.         ctx.ek_path = value;
    732. 

  732.         break;
    733. 

  733.     case 'x':
    734. 

  734.         ctx.is_tpm2_device_active = false;
    735. 

  735.         ctx.is_cert_on_nv = false;
    736. 

  736.         break;
    737. 

  737.     case 0:
    738. 

  738.         ctx.is_cert_raw = true;
    739. 

  739.         break;
    740. 

  740.     }
    741. 

  741.     return true;
    742. 

  742. }
    743. 

  743. 

  744. static bool tpm2_tool_onstart(tpm2_options **opts) {
    745. 

  745. 

  746.     const struct option topts[] =
    747. 

  747.     {
    748. 

  748.         { "ek-certificate",   required_argument, NULL, 'o' },
    749. 

  749.         { "allow-unverified", no_argument,       NULL, 'X' },
    750. 

  750.         { "ek-public",        required_argument, NULL, 'u' },
    751. 

  751.         { "offline",          no_argument,       NULL, 'x' },
    752. 

  752.         { "raw",              no_argument,       NULL,  0  },
    753. 

  753.     };
    754. 

  754. 

  755.     *opts = tpm2_options_new("o:u:Xx", ARRAY_LEN(topts), topts, on_option,
    756. 

  756.             on_args, 0);
    757. 

  757. 

  758.     return *opts != NULL;
    759. 

  759. }
    760. 

  760. 

  761. static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
    762. 

  762. 

  763.     UNUSED(ectx);
    764. 

  764. 

  765.     tool_rc rc = check_input_options();
    766. 

  766.     if (rc != tool_rc_success) {
    767. 

  767.         return rc;
    768. 

  768.     }
    769. 

  769. 

  770.     rc = process_input(ectx);
    771. 

  771.     if (rc != tool_rc_success) {
    772. 

  772.         return rc;
    773. 

  773.     }
    774. 

  774. 

  775.     ctx.verbose = flags.verbose;
    776. 

  776. 

  777.     rc = get_ek_certificates(ectx);
    778. 

  778.     if (rc != tool_rc_success) {
    779. 

  779.         return rc;
    780. 

  780.     }
    781. 

  781. 

  782.     return process_output();
    783. 

  783. }
    784. 

  784. 

  785. static tool_rc tpm2_tool_onstop(ESYS_CONTEXT *ectx) {
    786. 

  786. 

  787.     UNUSED(ectx);
    788. 

  788. 

  789.     if (ctx.ec_cert_file_handle_1) {
    790. 

  790.         fclose(ctx.ec_cert_file_handle_1);
    791. 

  791.     }
    792. 

  792. 

  793.     if (ctx.ec_cert_file_handle_2) {
    794. 

  794.         fclose(ctx.ec_cert_file_handle_2);
    795. 

  795.     }
    796. 

  796. 

  797.     if (ctx.rsa_cert_buffer) {
    798. 

  798.         free(ctx.rsa_cert_buffer);
    799. 

  799.     }
    800. 

  800. 

  801.     if (ctx.ecc_cert_buffer) {
    802. 

  802.         free(ctx.ecc_cert_buffer);
    803. 

  803.     }
    804. 

  804. 

  805.     return tool_rc_success;
    806. 

  806. }
    807. 

  807. 

  808. static void tpm2_tool_onexit(void) {
    809. 

  809. 

  810.     if (ctx.out_public) {
    811. 

  811.         free(ctx.out_public);
    812. 

  812.     }
    813. 

  813. }
    814. 

  814. 

  815. // Register this tool with tpm2_tool.c
    816. 

  816. TPM2_TOOL_REGISTER("getekcertificate", tpm2_tool_onstart, tpm2_tool_onrun, tpm2_tool_onstop, tpm2_tool_onexit)
    817.