/* SPDX-License-Identifier: BSD-2-Clause */ /******************************************************************************* * Copyright 2018-2019, Fraunhofer SIT sponsored by Infineon Technologies AG * All rights reserved. ******************************************************************************/ #ifdef HAVE_CONFIG_H #include #endif #include #include #include #include #include #include "tss2_fapi.h" #include "fapi_int.h" #include "fapi_util.h" #include "fapi_policy.h" #include "tss2_esys.h" #define LOGMODULE fapi #include "util/log.h" #include "util/aux_util.h" /** One-Call function for Fapi_CreateSeal * * Creates a sealed object and stores it in the FAPI metadata store. If no data * is provided, the TPM generates random data to fill the sealed object. * * @param[in,out] context The FAPI_CONTEXT * @param[in] path The path to the new sealed object * @param[in] type The type of the new sealed object. May be NULL * @param[in] size The size of the new sealed object. Must not be 0 * @param[in] policyPath The path to the policy that is associated with the new * sealed object. May be NULL * @param[in] authValue The authorization value for the new sealed object. May * be NULL * @param[in] data The data that is to be sealed within the new object. May be * NULL * * @retval TSS2_RC_SUCCESS: if the function call was a success. * @retval TSS2_FAPI_RC_BAD_REFERENCE: if context, or path is NULL. * @retval TSS2_FAPI_RC_BAD_CONTEXT: if context corruption is detected. * @retval TSS2_FAPI_RC_KEY_NOT_FOUND: if the parent key does not map to a * FAPI key. * @retval TSS2_FAPI_RC_BAD_PATH: if policyPath is non-NULL and does not map to * a FAPI key. * @retval TSS2_FAPI_RC_PATH_ALREADY_EXISTS: if a sealed object already exists * at path. * @retval TSS2_FAPI_RC_BAD_VALUE: if the keyType is invalid. * @retval TSS2_FAPI_RC_BAD_SEQUENCE: if the context has an asynchronous * operation already pending. * @retval TSS2_FAPI_RC_IO_ERROR: if the data cannot be saved. * @retval TSS2_FAPI_RC_MEMORY: if the FAPI cannot allocate enough memory for * internal operations or return parameters. * @retval TSS2_FAPI_RC_NO_TPM if FAPI was initialized in no-TPM-mode via its * config file. * @retval TSS2_FAPI_RC_TRY_AGAIN if an I/O operation is not finished yet and * this function needs to be called again. * @retval TSS2_FAPI_RC_AUTHORIZATION_UNKNOWN if a required authorization callback * is not set. * @retval TSS2_ESYS_RC_* possible error codes of ESAPI. */ TSS2_RC Fapi_CreateSeal( FAPI_CONTEXT *context, char const *path, char const *type, size_t size, char const *policyPath, char const *authValue, uint8_t const *data) { LOG_TRACE("called for context:%p", context); TSS2_RC r, r2; /* Check for NULL parameters */ check_not_null(context); check_not_null(path); /* Check whether TCTI and ESYS are initialized */ return_if_null(context->esys, "Command can't be executed in none TPM mode.", TSS2_FAPI_RC_NO_TPM); /* If the async state automata of FAPI shall be tested, then we must not set the timeouts of ESYS to blocking mode. During testing, the mssim tcti will ensure multiple re-invocations. Usually however the synchronous invocations of FAPI shall instruct ESYS to block until a result is available. */ #ifndef TEST_FAPI_ASYNC r = Esys_SetTimeout(context->esys, TSS2_TCTI_TIMEOUT_BLOCK); return_if_error_reset_state(r, "Set Timeout to blocking"); #endif /* TEST_FAPI_ASYNC */ r = Fapi_CreateSeal_Async(context, path, type, size, policyPath, authValue, data); return_if_error_reset_state(r, "CreateSeal"); do { /* We wait for file I/O to be ready if the FAPI state automata are in a file I/O state. */ r = ifapi_io_poll(&context->io); return_if_error(r, "Something went wrong with IO polling"); /* Repeatedly call the finish function, until FAPI has transitioned through all execution stages / states of this invocation. */ r = Fapi_CreateSeal_Finish(context); } while ((r & ~TSS2_RC_LAYER_MASK) == TSS2_BASE_RC_TRY_AGAIN); /* Reset the ESYS timeout to non-blocking, immediate response. */ r2 = Esys_SetTimeout(context->esys, 0); return_if_error(r2, "Set Timeout to non-blocking"); return_if_error_reset_state(r, "CreateSeal"); LOG_TRACE("finished"); return TSS2_RC_SUCCESS; } /** Asynchronous function for Fapi_CreateSeal * * Creates a sealed object and stores it in the FAPI metadata store. If no data * is provided, the TPM generates random data to fill the sealed object. * * Call Fapi_CreateSeal_Finish to finish the execution of this command. * * @param[in,out] context The FAPI_CONTEXT * @param[in] path The path to the new sealed object * @param[in] type The type of the new sealed object. May be NULL * @param[in] size The size of the new sealed object. Must not be 0 * @param[in] policyPath The path to the policy that is associated with the new * sealed object. May be NULL * @param[in] authValue The authorization value for the new sealed object. May * be NULL * @param[in] data The data that is to be sealed within the new object. May be * NULL * * @retval TSS2_RC_SUCCESS: if the function call was a success. * @retval TSS2_FAPI_RC_BAD_REFERENCE: if context, or path is NULL. * @retval TSS2_FAPI_RC_BAD_CONTEXT: if context corruption is detected. * @retval TSS2_FAPI_RC_KEY_NOT_FOUND: if the parent key does not map to a * FAPI key. * @retval TSS2_FAPI_RC_BAD_PATH: if policyPath is non-NULL and does not map to * a FAPI key. * @retval TSS2_FAPI_RC_PATH_ALREADY_EXISTS: if a sealed object already exists * at path. * @retval TSS2_FAPI_RC_BAD_VALUE: if the keyType is invalid. * @retval TSS2_FAPI_RC_BAD_SEQUENCE: if the context has an asynchronous * operation already pending. * @retval TSS2_FAPI_RC_IO_ERROR: if the data cannot be saved. * @retval TSS2_FAPI_RC_MEMORY: if the FAPI cannot allocate enough memory for * internal operations or return parameters. * @retval TSS2_FAPI_RC_NO_TPM if FAPI was initialized in no-TPM-mode via its * config file. */ TSS2_RC Fapi_CreateSeal_Async( FAPI_CONTEXT *context, char const *path, char const *type, size_t size, char const *policyPath, char const *authValue, uint8_t const *data) { LOG_TRACE("called for context:%p", context); LOG_TRACE("path: %s", path); LOG_TRACE("type: %s", type); LOG_TRACE("size: %zi", size); LOG_TRACE("policyPath: %s", policyPath); LOG_TRACE("authValue: %s", authValue); TSS2_RC r; /* Check for NULL parameters */ check_not_null(context); check_not_null(path); /* Reset all context-internal session state information. */ r = ifapi_session_init(context); return_if_error(r, "Initialize CreateSeal"); /* Copy parameters to context for use during _Finish. */ memset(&context->cmd.Key_Create.public_templ, 0, sizeof(IFAPI_KEY_TEMPLATE)); r = ifapi_key_create_prepare_sensitive(context, path, policyPath, size, authValue, data); return_if_error(r, "Key create."); /* Set the flags of the NV index to be created. If no type is given the empty-string default type flags are set. */ r = ifapi_set_key_flags(type ? type : "", (policyPath && strcmp(policyPath, "") != 0) ? true : false, &context->cmd.Key_Create.public_templ); return_if_error(r, "Set key flags for key"); context->cmd.Key_Create.public_templ.public.publicArea.objectAttributes &= ~TPMA_OBJECT_SENSITIVEDATAORIGIN; /* Initialize the context state for this operation. */ context->state = CREATE_SEAL; LOG_TRACE("finished"); return TSS2_RC_SUCCESS; } /** Asynchronous finish function for Fapi_CreateSeal * * This function should be called after a previous Fapi_CreateSeal. * * @param[in,out] context The FAPI_CONTEXT * * @retval TSS2_RC_SUCCESS: if the function call was a success. * @retval TSS2_FAPI_RC_BAD_REFERENCE: if context is NULL. * @retval TSS2_FAPI_RC_BAD_CONTEXT: if context corruption is detected. * @retval TSS2_FAPI_RC_BAD_SEQUENCE: if the context has an asynchronous * operation already pending. * @retval TSS2_FAPI_RC_IO_ERROR: if the data cannot be saved. * @retval TSS2_FAPI_RC_MEMORY: if the FAPI cannot allocate enough memory for * internal operations or return parameters. * @retval TSS2_FAPI_RC_TRY_AGAIN: if the asynchronous operation is not yet * complete. Call this function again later. * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into * the function. * @retval TSS2_FAPI_RC_AUTHORIZATION_UNKNOWN if a required authorization callback * is not set. * @retval TSS2_ESYS_RC_* possible error codes of ESAPI. */ TSS2_RC Fapi_CreateSeal_Finish( FAPI_CONTEXT *context) { LOG_TRACE("called for context:%p", context); TSS2_RC r; /* Check for NULL parameters */ check_not_null(context); switch (context->state) { statecase(context->state, CREATE_SEAL); /* Create the seal object. A seal object internally is a so-called KEYED_HASH object and created in the same way as a regular key. Thus the function name ifapi_key_create(). */ r = ifapi_key_create(context, &context->cmd.Key_Create.public_templ); return_try_again(r); goto_if_error(r, "Key create", error_cleanup); break; statecasedefault(context->state); } error_cleanup: /* Cleanup any intermediate results and state stored in the context. */ ifapi_cleanup_ifapi_object(&context->createPrimary.pkey_object); ifapi_cleanup_ifapi_object(context->loadKey.key_object); ifapi_cleanup_ifapi_object(&context->loadKey.auth_object); context->state = _FAPI_STATE_INIT; LOG_TRACE("finished"); return r; }