1*758e9fbaSOystein Eftevaag /* SPDX-License-Identifier: BSD-2-Clause */
2*758e9fbaSOystein Eftevaag /*******************************************************************************
3*758e9fbaSOystein Eftevaag * Copyright 2018-2019, Fraunhofer SIT sponsored by Infineon Technologies AG
4*758e9fbaSOystein Eftevaag * All rights reserved.
5*758e9fbaSOystein Eftevaag *******************************************************************************/
6*758e9fbaSOystein Eftevaag
7*758e9fbaSOystein Eftevaag #ifdef HAVE_CONFIG_H
8*758e9fbaSOystein Eftevaag #include <config.h>
9*758e9fbaSOystein Eftevaag #endif
10*758e9fbaSOystein Eftevaag
11*758e9fbaSOystein Eftevaag #include <string.h>
12*758e9fbaSOystein Eftevaag #include <stdlib.h>
13*758e9fbaSOystein Eftevaag
14*758e9fbaSOystein Eftevaag #include "tss2_mu.h"
15*758e9fbaSOystein Eftevaag #include "fapi_util.h"
16*758e9fbaSOystein Eftevaag #include "fapi_crypto.h"
17*758e9fbaSOystein Eftevaag #include "fapi_policy.h"
18*758e9fbaSOystein Eftevaag #include "ifapi_helpers.h"
19*758e9fbaSOystein Eftevaag #include "ifapi_json_deserialize.h"
20*758e9fbaSOystein Eftevaag #include "tpm_json_deserialize.h"
21*758e9fbaSOystein Eftevaag #define LOGMODULE fapi
22*758e9fbaSOystein Eftevaag #include "util/log.h"
23*758e9fbaSOystein Eftevaag #include "util/aux_util.h"
24*758e9fbaSOystein Eftevaag
25*758e9fbaSOystein Eftevaag /** Copy policy digest.
26*758e9fbaSOystein Eftevaag *
27*758e9fbaSOystein Eftevaag * One digest is copied from certain position in a policy list to the
28*758e9fbaSOystein Eftevaag * same position in a second list.
29*758e9fbaSOystein Eftevaag *
30*758e9fbaSOystein Eftevaag * @param[out] dest The digest list to which the new value is added.
31*758e9fbaSOystein Eftevaag * @param[in] src The digest list with the value to be copied.
32*758e9fbaSOystein Eftevaag * @param[in] digest_idx The index of the digest to be copied.
33*758e9fbaSOystein Eftevaag * @param[in] hash_size The number of bytes to be copied.
34*758e9fbaSOystein Eftevaag * @param[in] txt Text which will be used for additional logging information..
35*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
36*758e9fbaSOystein Eftevaag */
37*758e9fbaSOystein Eftevaag static void
copy_policy_digest(TPML_DIGEST_VALUES * dest,TPML_DIGEST_VALUES * src,size_t digest_idx,size_t hash_size,char * txt)38*758e9fbaSOystein Eftevaag copy_policy_digest(TPML_DIGEST_VALUES *dest, TPML_DIGEST_VALUES *src,
39*758e9fbaSOystein Eftevaag size_t digest_idx, size_t hash_size, char *txt)
40*758e9fbaSOystein Eftevaag {
41*758e9fbaSOystein Eftevaag memcpy(&dest->digests[digest_idx].digest, &src->digests[digest_idx].digest,
42*758e9fbaSOystein Eftevaag hash_size);
43*758e9fbaSOystein Eftevaag dest->digests[digest_idx].hashAlg = src->digests[digest_idx].hashAlg;
44*758e9fbaSOystein Eftevaag LOGBLOB_DEBUG((uint8_t *)&dest->digests[digest_idx].digest, hash_size,
45*758e9fbaSOystein Eftevaag "%s : Copy digest size: %zu", txt, hash_size);
46*758e9fbaSOystein Eftevaag dest->count = src->count;
47*758e9fbaSOystein Eftevaag }
48*758e9fbaSOystein Eftevaag
49*758e9fbaSOystein Eftevaag /** Logdefault policy digest.
50*758e9fbaSOystein Eftevaag *
51*758e9fbaSOystein Eftevaag * @param[in] dest The digest to be logged.
52*758e9fbaSOystein Eftevaag * @param[in] digest_idx The index of the digest to be logged
53*758e9fbaSOystein Eftevaag * @param[in] hash_size The number of bytes to be logged
54*758e9fbaSOystein Eftevaag * @param[in] txt Text which will be used for additional logging information.
55*758e9fbaSOystein Eftevaag */
56*758e9fbaSOystein Eftevaag static void
log_policy_digest(TPML_DIGEST_VALUES * dest,size_t digest_idx,size_t hash_size,char * txt)57*758e9fbaSOystein Eftevaag log_policy_digest(TPML_DIGEST_VALUES *dest, size_t digest_idx, size_t hash_size,
58*758e9fbaSOystein Eftevaag char *txt)
59*758e9fbaSOystein Eftevaag {
60*758e9fbaSOystein Eftevaag LOGBLOB_DEBUG((uint8_t *)&dest->digests[digest_idx].digest, hash_size,
61*758e9fbaSOystein Eftevaag "Digest %s", txt);
62*758e9fbaSOystein Eftevaag }
63*758e9fbaSOystein Eftevaag
64*758e9fbaSOystein Eftevaag /** Calculate a policy digest for a certain PCR selection.
65*758e9fbaSOystein Eftevaag *
66*758e9fbaSOystein Eftevaag * From a PCR list the list of PCR values and the corresponding PCR digest
67*758e9fbaSOystein Eftevaag * is computed. The passed policy digest will be extended with this data
68*758e9fbaSOystein Eftevaag * and also with the policy command code.
69*758e9fbaSOystein Eftevaag *
70*758e9fbaSOystein Eftevaag * @param[in] policy The policy with the list of selected PCRs.
71*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
72*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
73*758e9fbaSOystein Eftevaag *
74*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
75*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
76*758e9fbaSOystein Eftevaag * the function.
77*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
78*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
79*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
80*758e9fbaSOystein Eftevaag */
81*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_compute_policy_pcr(TPMS_POLICYPCR * policy,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)82*758e9fbaSOystein Eftevaag ifapi_compute_policy_pcr(
83*758e9fbaSOystein Eftevaag TPMS_POLICYPCR *policy,
84*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
85*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
86*758e9fbaSOystein Eftevaag {
87*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
88*758e9fbaSOystein Eftevaag IFAPI_CRYPTO_CONTEXT_BLOB *cryptoContext = NULL;
89*758e9fbaSOystein Eftevaag TPML_PCR_SELECTION pcr_selection;
90*758e9fbaSOystein Eftevaag size_t digest_idx;
91*758e9fbaSOystein Eftevaag TPM2B_DIGEST pcr_digest;
92*758e9fbaSOystein Eftevaag size_t hash_size;
93*758e9fbaSOystein Eftevaag
94*758e9fbaSOystein Eftevaag LOG_TRACE("call");
95*758e9fbaSOystein Eftevaag
96*758e9fbaSOystein Eftevaag if (!(hash_size = ifapi_hash_get_digest_size(current_hash_alg))) {
97*758e9fbaSOystein Eftevaag goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
98*758e9fbaSOystein Eftevaag "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
99*758e9fbaSOystein Eftevaag current_hash_alg);
100*758e9fbaSOystein Eftevaag }
101*758e9fbaSOystein Eftevaag
102*758e9fbaSOystein Eftevaag /* Compute of the index of the current policy in the passed digest list */
103*758e9fbaSOystein Eftevaag r = get_policy_digest_idx(current_digest, current_hash_alg, &digest_idx);
104*758e9fbaSOystein Eftevaag return_if_error(r, "Get hash alg for digest.");
105*758e9fbaSOystein Eftevaag
106*758e9fbaSOystein Eftevaag /* Compute PCR selection and pcr digest */
107*758e9fbaSOystein Eftevaag r = ifapi_compute_policy_digest(policy->pcrs, &pcr_selection,
108*758e9fbaSOystein Eftevaag current_hash_alg, &pcr_digest);
109*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy digest and selection.");
110*758e9fbaSOystein Eftevaag
111*758e9fbaSOystein Eftevaag LOG_TRACE("Compute policy pcr");
112*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg);
113*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash start");
114*758e9fbaSOystein Eftevaag
115*758e9fbaSOystein Eftevaag /* Update the passed policy. */
116*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext,
117*758e9fbaSOystein Eftevaag ¤t_digest->digests[digest_idx].digest, hash_size,
118*758e9fbaSOystein Eftevaag r, cleanup);
119*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, TPM2_CC, TPM2_CC_PolicyPCR, r, cleanup);
120*758e9fbaSOystein Eftevaag /* The marshaled version of the digest list will be added. */
121*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, TPML_PCR_SELECTION, &pcr_selection, r, cleanup);
122*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext, &pcr_digest.buffer[0], hash_size, r,
123*758e9fbaSOystein Eftevaag cleanup);
124*758e9fbaSOystein Eftevaag
125*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_finish(&cryptoContext,
126*758e9fbaSOystein Eftevaag (uint8_t *) & current_digest->
127*758e9fbaSOystein Eftevaag digests[digest_idx].digest, &hash_size);
128*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash finish");
129*758e9fbaSOystein Eftevaag
130*758e9fbaSOystein Eftevaag cleanup:
131*758e9fbaSOystein Eftevaag if (cryptoContext)
132*758e9fbaSOystein Eftevaag ifapi_crypto_hash_abort(&cryptoContext);
133*758e9fbaSOystein Eftevaag return r;
134*758e9fbaSOystein Eftevaag }
135*758e9fbaSOystein Eftevaag
136*758e9fbaSOystein Eftevaag /** Calculate a policy digest for a TPM2B object name, and a policy reference.
137*758e9fbaSOystein Eftevaag *
138*758e9fbaSOystein Eftevaag * A policy hash based on a passed policy digest, the policy command code,
139*758e9fbaSOystein Eftevaag * optionally the name, and the policy reference will be computed.
140*758e9fbaSOystein Eftevaag * The calculation is carried out in two steps. First a hash with the
141*758e9fbaSOystein Eftevaag * command code and the passed digest, and optionaly the name is computed.
142*758e9fbaSOystein Eftevaag * This digest, together with the other parameters is used to compute
143*758e9fbaSOystein Eftevaag * the final policy digest.
144*758e9fbaSOystein Eftevaag *
145*758e9fbaSOystein Eftevaag * @param[in] command_code The TPM command code of the policy command.
146*758e9fbaSOystein Eftevaag * @param[in] name The name of a key or a NV object.
147*758e9fbaSOystein Eftevaag * @param[in] policyRef The policy reference value.
148*758e9fbaSOystein Eftevaag * @param[in] hash_size The digest size of the used hash algorithm.
149*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The used has algorithm.
150*758e9fbaSOystein Eftevaag * @param[in,out] digest The policy digest which will be extended.
151*758e9fbaSOystein Eftevaag *
152*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
153*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
154*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
155*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
156*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
157*758e9fbaSOystein Eftevaag * the function.
158*758e9fbaSOystein Eftevaag */
159*758e9fbaSOystein Eftevaag static TSS2_RC
calculate_policy_key_param(TPM2_CC command_code,TPM2B_NAME * name,TPM2B_NONCE * policyRef,size_t hash_size,TPMI_ALG_HASH current_hash_alg,TPMU_HA * digest)160*758e9fbaSOystein Eftevaag calculate_policy_key_param(
161*758e9fbaSOystein Eftevaag TPM2_CC command_code,
162*758e9fbaSOystein Eftevaag TPM2B_NAME *name,
163*758e9fbaSOystein Eftevaag TPM2B_NONCE *policyRef,
164*758e9fbaSOystein Eftevaag size_t hash_size,
165*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg,
166*758e9fbaSOystein Eftevaag TPMU_HA *digest)
167*758e9fbaSOystein Eftevaag {
168*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
169*758e9fbaSOystein Eftevaag IFAPI_CRYPTO_CONTEXT_BLOB *cryptoContext = NULL;
170*758e9fbaSOystein Eftevaag
171*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg);
172*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash start");
173*758e9fbaSOystein Eftevaag
174*758e9fbaSOystein Eftevaag LOGBLOB_DEBUG((uint8_t *) digest, hash_size, "Digest Start");
175*758e9fbaSOystein Eftevaag
176*758e9fbaSOystein Eftevaag /* First compute hash from passed policy digest and command code
177*758e9fbaSOystein Eftevaag and optionally the object name */
178*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext, digest, hash_size, r, cleanup);
179*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, TPM2_CC, command_code, r, cleanup);
180*758e9fbaSOystein Eftevaag if (name && name->size > 0) {
181*758e9fbaSOystein Eftevaag LOGBLOB_DEBUG(&name->name[0], name->size, "Key name");
182*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext, &name->name[0],
183*758e9fbaSOystein Eftevaag name->size, r, cleanup);
184*758e9fbaSOystein Eftevaag }
185*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_finish(&cryptoContext,
186*758e9fbaSOystein Eftevaag (uint8_t *) digest, &hash_size);
187*758e9fbaSOystein Eftevaag LOGBLOB_DEBUG((uint8_t *) digest, hash_size, "Digest Finish");
188*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash finish");
189*758e9fbaSOystein Eftevaag
190*758e9fbaSOystein Eftevaag /* Use policyRef for second hash computation */
191*758e9fbaSOystein Eftevaag if (policyRef) {
192*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg);
193*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash start");
194*758e9fbaSOystein Eftevaag
195*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext, digest, hash_size, r, cleanup);
196*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext, &policyRef->buffer[0],
197*758e9fbaSOystein Eftevaag policyRef->size, r, cleanup);
198*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_finish(&cryptoContext,
199*758e9fbaSOystein Eftevaag (uint8_t *) digest, &hash_size);
200*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash finish");
201*758e9fbaSOystein Eftevaag }
202*758e9fbaSOystein Eftevaag
203*758e9fbaSOystein Eftevaag cleanup:
204*758e9fbaSOystein Eftevaag if (cryptoContext)
205*758e9fbaSOystein Eftevaag ifapi_crypto_hash_abort(&cryptoContext);
206*758e9fbaSOystein Eftevaag return r;
207*758e9fbaSOystein Eftevaag }
208*758e9fbaSOystein Eftevaag
209*758e9fbaSOystein Eftevaag /** Calculate a policy digest for a signed policy.
210*758e9fbaSOystein Eftevaag *
211*758e9fbaSOystein Eftevaag * Based on the command code, the public key, and the policy reference
212*758e9fbaSOystein Eftevaag * stored in the policy the new policy digest is computed by the function
213*758e9fbaSOystein Eftevaag * calculate_policy_key_param().
214*758e9fbaSOystein Eftevaag *
215*758e9fbaSOystein Eftevaag * @param[in] policy The policy with the public key and the policy reference.
216*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
217*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
218*758e9fbaSOystein Eftevaag *
219*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
220*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
221*758e9fbaSOystein Eftevaag * the function.
222*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
223*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
224*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
225*758e9fbaSOystein Eftevaag */
226*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_signed(TPMS_POLICYSIGNED * policy,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)227*758e9fbaSOystein Eftevaag ifapi_calculate_policy_signed(
228*758e9fbaSOystein Eftevaag TPMS_POLICYSIGNED *policy,
229*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
230*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
231*758e9fbaSOystein Eftevaag {
232*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
233*758e9fbaSOystein Eftevaag size_t digest_idx;
234*758e9fbaSOystein Eftevaag size_t hash_size;
235*758e9fbaSOystein Eftevaag
236*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
237*758e9fbaSOystein Eftevaag
238*758e9fbaSOystein Eftevaag if (!(hash_size = ifapi_hash_get_digest_size(current_hash_alg))) {
239*758e9fbaSOystein Eftevaag goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
240*758e9fbaSOystein Eftevaag "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
241*758e9fbaSOystein Eftevaag current_hash_alg);
242*758e9fbaSOystein Eftevaag }
243*758e9fbaSOystein Eftevaag
244*758e9fbaSOystein Eftevaag /* Compute of the index of the current policy in the passed digest list */
245*758e9fbaSOystein Eftevaag r = get_policy_digest_idx(current_digest, current_hash_alg, &digest_idx);
246*758e9fbaSOystein Eftevaag return_if_error(r, "Get hash alg for digest.");
247*758e9fbaSOystein Eftevaag
248*758e9fbaSOystein Eftevaag r = calculate_policy_key_param(TPM2_CC_PolicySigned,
249*758e9fbaSOystein Eftevaag &policy->publicKey,
250*758e9fbaSOystein Eftevaag &policy->policyRef, hash_size,
251*758e9fbaSOystein Eftevaag current_hash_alg,
252*758e9fbaSOystein Eftevaag ¤t_digest->digests[digest_idx].digest);
253*758e9fbaSOystein Eftevaag goto_if_error(r, "crypto hash start", cleanup);
254*758e9fbaSOystein Eftevaag
255*758e9fbaSOystein Eftevaag cleanup:
256*758e9fbaSOystein Eftevaag return r;
257*758e9fbaSOystein Eftevaag }
258*758e9fbaSOystein Eftevaag
259*758e9fbaSOystein Eftevaag /** Calculate a policy digest for a policy stored in an approved NV index.
260*758e9fbaSOystein Eftevaag *
261*758e9fbaSOystein Eftevaag * Based on the command code, and the computed NV name the new policy digest
262*758e9fbaSOystein Eftevaag * is computed by the function calculate_policy_key_param().
263*758e9fbaSOystein Eftevaag *
264*758e9fbaSOystein Eftevaag * @param[in] policy The policy with the public information of the NV index.
265*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
266*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
267*758e9fbaSOystein Eftevaag *
268*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
269*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
270*758e9fbaSOystein Eftevaag * the function.
271*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
272*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
273*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
274*758e9fbaSOystein Eftevaag */
275*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_authorize_nv(TPMS_POLICYAUTHORIZENV * policy,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)276*758e9fbaSOystein Eftevaag ifapi_calculate_policy_authorize_nv(
277*758e9fbaSOystein Eftevaag TPMS_POLICYAUTHORIZENV *policy,
278*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
279*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
280*758e9fbaSOystein Eftevaag {
281*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
282*758e9fbaSOystein Eftevaag size_t digest_idx;
283*758e9fbaSOystein Eftevaag size_t hash_size;
284*758e9fbaSOystein Eftevaag TPM2B_NAME nv_name;
285*758e9fbaSOystein Eftevaag
286*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
287*758e9fbaSOystein Eftevaag
288*758e9fbaSOystein Eftevaag /* Written flag has to be set for policy calculation, because during
289*758e9fbaSOystein Eftevaag policy execution it will be set. */
290*758e9fbaSOystein Eftevaag policy->nvPublic.nvPublic.attributes |= TPMA_NV_WRITTEN;
291*758e9fbaSOystein Eftevaag
292*758e9fbaSOystein Eftevaag r = ifapi_nv_get_name(&policy->nvPublic, &nv_name);
293*758e9fbaSOystein Eftevaag return_if_error(r, "Compute NV name");
294*758e9fbaSOystein Eftevaag
295*758e9fbaSOystein Eftevaag if (!(hash_size = ifapi_hash_get_digest_size(current_hash_alg))) {
296*758e9fbaSOystein Eftevaag goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
297*758e9fbaSOystein Eftevaag "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
298*758e9fbaSOystein Eftevaag current_hash_alg);
299*758e9fbaSOystein Eftevaag }
300*758e9fbaSOystein Eftevaag
301*758e9fbaSOystein Eftevaag /* Compute of the index of the current policy in the passed digest list */
302*758e9fbaSOystein Eftevaag r = get_policy_digest_idx(current_digest, current_hash_alg, &digest_idx);
303*758e9fbaSOystein Eftevaag return_if_error(r, "Get hash alg for digest.");
304*758e9fbaSOystein Eftevaag
305*758e9fbaSOystein Eftevaag r = calculate_policy_key_param(TPM2_CC_PolicyAuthorizeNV,
306*758e9fbaSOystein Eftevaag &nv_name,
307*758e9fbaSOystein Eftevaag NULL, hash_size, current_hash_alg,
308*758e9fbaSOystein Eftevaag ¤t_digest->digests[digest_idx].digest);
309*758e9fbaSOystein Eftevaag goto_if_error(r, "crypto hash start", cleanup);
310*758e9fbaSOystein Eftevaag
311*758e9fbaSOystein Eftevaag cleanup:
312*758e9fbaSOystein Eftevaag return r;
313*758e9fbaSOystein Eftevaag }
314*758e9fbaSOystein Eftevaag
315*758e9fbaSOystein Eftevaag /** Calculate a policy digest to allow duplication force a selected new parent.
316*758e9fbaSOystein Eftevaag *
317*758e9fbaSOystein Eftevaag * Based on the command code, the name of the new parent, and the include object
318*758e9fbaSOystein Eftevaag * switch the new policy digest is computed.
319*758e9fbaSOystein Eftevaag *
320*758e9fbaSOystein Eftevaag * @param[in] policy The policy with the new parent information.
321*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
322*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
323*758e9fbaSOystein Eftevaag *
324*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
325*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
326*758e9fbaSOystein Eftevaag * the function.
327*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
328*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
329*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
330*758e9fbaSOystein Eftevaag */
331*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_duplicate(TPMS_POLICYDUPLICATIONSELECT * policy,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)332*758e9fbaSOystein Eftevaag ifapi_calculate_policy_duplicate(
333*758e9fbaSOystein Eftevaag TPMS_POLICYDUPLICATIONSELECT *policy,
334*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
335*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
336*758e9fbaSOystein Eftevaag {
337*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
338*758e9fbaSOystein Eftevaag IFAPI_CRYPTO_CONTEXT_BLOB *cryptoContext = NULL;
339*758e9fbaSOystein Eftevaag size_t digest_idx;
340*758e9fbaSOystein Eftevaag size_t hash_size;
341*758e9fbaSOystein Eftevaag
342*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
343*758e9fbaSOystein Eftevaag
344*758e9fbaSOystein Eftevaag if (!(hash_size = ifapi_hash_get_digest_size(current_hash_alg))) {
345*758e9fbaSOystein Eftevaag goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
346*758e9fbaSOystein Eftevaag "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
347*758e9fbaSOystein Eftevaag current_hash_alg);
348*758e9fbaSOystein Eftevaag }
349*758e9fbaSOystein Eftevaag
350*758e9fbaSOystein Eftevaag /* Compute of the index of the current policy in the passed digest list */
351*758e9fbaSOystein Eftevaag r = get_policy_digest_idx(current_digest, current_hash_alg, &digest_idx);
352*758e9fbaSOystein Eftevaag return_if_error(r, "Get hash alg for digest.");
353*758e9fbaSOystein Eftevaag
354*758e9fbaSOystein Eftevaag LOG_TRACE("Compute policy");
355*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg);
356*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash start");
357*758e9fbaSOystein Eftevaag
358*758e9fbaSOystein Eftevaag /* Update the policy digest */
359*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext,
360*758e9fbaSOystein Eftevaag ¤t_digest->digests[digest_idx].digest, hash_size,
361*758e9fbaSOystein Eftevaag r, cleanup);
362*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, TPM2_CC, TPM2_CC_PolicyDuplicationSelect, r,
363*758e9fbaSOystein Eftevaag cleanup);
364*758e9fbaSOystein Eftevaag LOGBLOB_DEBUG(&policy->newParentName.name[0], policy->newParentName.size,
365*758e9fbaSOystein Eftevaag "Policy Duplicate Parent Name");
366*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext, &policy->newParentName.name[0],
367*758e9fbaSOystein Eftevaag policy->newParentName.size, r, cleanup);
368*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, BYTE, policy->includeObject, r, cleanup);
369*758e9fbaSOystein Eftevaag
370*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_finish(&cryptoContext,
371*758e9fbaSOystein Eftevaag (uint8_t *) & current_digest->
372*758e9fbaSOystein Eftevaag digests[digest_idx].digest, &hash_size);
373*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash finish");
374*758e9fbaSOystein Eftevaag
375*758e9fbaSOystein Eftevaag LOGBLOB_DEBUG((uint8_t *) & current_digest->digests[digest_idx].digest,
376*758e9fbaSOystein Eftevaag hash_size, "Policy Duplicate digest");
377*758e9fbaSOystein Eftevaag
378*758e9fbaSOystein Eftevaag cleanup:
379*758e9fbaSOystein Eftevaag if (cryptoContext)
380*758e9fbaSOystein Eftevaag ifapi_crypto_hash_abort(&cryptoContext);
381*758e9fbaSOystein Eftevaag return r;
382*758e9fbaSOystein Eftevaag }
383*758e9fbaSOystein Eftevaag
384*758e9fbaSOystein Eftevaag /** Calculate a policy digest for a placeholder policy.
385*758e9fbaSOystein Eftevaag *
386*758e9fbaSOystein Eftevaag * The placeholder policy can be extended during execution by a
387*758e9fbaSOystein Eftevaag * signed policy, which can be verified by using the parameters of
388*758e9fbaSOystein Eftevaag * this placeholder policy.
389*758e9fbaSOystein Eftevaag * Based on the command code, the key name of the signing key and
390*758e9fbaSOystein Eftevaag * a policy reference the new policy digest is computed by the
391*758e9fbaSOystein Eftevaag * function calculate_policy_key_param().
392*758e9fbaSOystein Eftevaag *
393*758e9fbaSOystein Eftevaag * @param[in] policy The policy with the name of the public key and the
394*758e9fbaSOystein Eftevaag * policy reference.
395*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
396*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
397*758e9fbaSOystein Eftevaag *
398*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
399*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
400*758e9fbaSOystein Eftevaag * the function.
401*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
402*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
403*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
404*758e9fbaSOystein Eftevaag */
405*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_authorize(TPMS_POLICYAUTHORIZE * policy,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)406*758e9fbaSOystein Eftevaag ifapi_calculate_policy_authorize(
407*758e9fbaSOystein Eftevaag TPMS_POLICYAUTHORIZE *policy,
408*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
409*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
410*758e9fbaSOystein Eftevaag {
411*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
412*758e9fbaSOystein Eftevaag size_t digest_idx;
413*758e9fbaSOystein Eftevaag size_t hash_size;
414*758e9fbaSOystein Eftevaag
415*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
416*758e9fbaSOystein Eftevaag
417*758e9fbaSOystein Eftevaag if (!(hash_size = ifapi_hash_get_digest_size(current_hash_alg))) {
418*758e9fbaSOystein Eftevaag goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
419*758e9fbaSOystein Eftevaag "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
420*758e9fbaSOystein Eftevaag current_hash_alg);
421*758e9fbaSOystein Eftevaag }
422*758e9fbaSOystein Eftevaag
423*758e9fbaSOystein Eftevaag /* Compute of the index of the current policy in the passed digest list */
424*758e9fbaSOystein Eftevaag r = get_policy_digest_idx(current_digest, current_hash_alg, &digest_idx);
425*758e9fbaSOystein Eftevaag return_if_error(r, "Get hash alg for digest.");
426*758e9fbaSOystein Eftevaag
427*758e9fbaSOystein Eftevaag r = calculate_policy_key_param(TPM2_CC_PolicyAuthorize,
428*758e9fbaSOystein Eftevaag &policy->keyName,
429*758e9fbaSOystein Eftevaag &policy->policyRef, hash_size,
430*758e9fbaSOystein Eftevaag current_hash_alg,
431*758e9fbaSOystein Eftevaag ¤t_digest->digests[digest_idx].digest);
432*758e9fbaSOystein Eftevaag goto_if_error(r, "crypto hash start", cleanup);
433*758e9fbaSOystein Eftevaag
434*758e9fbaSOystein Eftevaag cleanup:
435*758e9fbaSOystein Eftevaag return r;
436*758e9fbaSOystein Eftevaag }
437*758e9fbaSOystein Eftevaag
438*758e9fbaSOystein Eftevaag /** Calculate a policy for adding secret-based authorization.
439*758e9fbaSOystein Eftevaag *
440*758e9fbaSOystein Eftevaag * During execution proving the knowledge of the secrect auth value of a certain
441*758e9fbaSOystein Eftevaag * object is required. The name of this object and a policy reference is used
442*758e9fbaSOystein Eftevaag * for policy calculation.
443*758e9fbaSOystein Eftevaag * Based on the command code, the object name and a policy reference the new
444*758e9fbaSOystein Eftevaag * policy digest is computed by the function calculate_policy_key_param().
445*758e9fbaSOystein Eftevaag *
446*758e9fbaSOystein Eftevaag * @param[in] policy The policy with the object name of the object to be
447*758e9fbaSOystein Eftevaag * authorized and the policy reference.
448*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
449*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
450*758e9fbaSOystein Eftevaag *
451*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
452*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
453*758e9fbaSOystein Eftevaag * the function.
454*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
455*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
456*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
457*758e9fbaSOystein Eftevaag */
458*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_secret(TPMS_POLICYSECRET * policy,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)459*758e9fbaSOystein Eftevaag ifapi_calculate_policy_secret(
460*758e9fbaSOystein Eftevaag TPMS_POLICYSECRET *policy,
461*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
462*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
463*758e9fbaSOystein Eftevaag {
464*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
465*758e9fbaSOystein Eftevaag size_t digest_idx;
466*758e9fbaSOystein Eftevaag size_t hash_size;
467*758e9fbaSOystein Eftevaag
468*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
469*758e9fbaSOystein Eftevaag
470*758e9fbaSOystein Eftevaag if (!(hash_size = ifapi_hash_get_digest_size(current_hash_alg))) {
471*758e9fbaSOystein Eftevaag goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
472*758e9fbaSOystein Eftevaag "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
473*758e9fbaSOystein Eftevaag current_hash_alg);
474*758e9fbaSOystein Eftevaag }
475*758e9fbaSOystein Eftevaag
476*758e9fbaSOystein Eftevaag /* Compute of the index of the current policy in the passed digest list */
477*758e9fbaSOystein Eftevaag r = get_policy_digest_idx(current_digest, current_hash_alg, &digest_idx);
478*758e9fbaSOystein Eftevaag return_if_error(r, "Get hash alg for digest.");
479*758e9fbaSOystein Eftevaag
480*758e9fbaSOystein Eftevaag /* Update the policy */
481*758e9fbaSOystein Eftevaag r = calculate_policy_key_param(TPM2_CC_PolicySecret,
482*758e9fbaSOystein Eftevaag (TPM2B_NAME *)&policy->objectName,
483*758e9fbaSOystein Eftevaag &policy->policyRef, hash_size,
484*758e9fbaSOystein Eftevaag current_hash_alg,
485*758e9fbaSOystein Eftevaag ¤t_digest->digests[digest_idx].digest);
486*758e9fbaSOystein Eftevaag goto_if_error(r, "crypto hash start", cleanup);
487*758e9fbaSOystein Eftevaag
488*758e9fbaSOystein Eftevaag cleanup:
489*758e9fbaSOystein Eftevaag return r;
490*758e9fbaSOystein Eftevaag }
491*758e9fbaSOystein Eftevaag
492*758e9fbaSOystein Eftevaag /** Calculate a policy for for comparing current TPM timers with the policy.
493*758e9fbaSOystein Eftevaag *
494*758e9fbaSOystein Eftevaag * The timer value and the operation for comparison defined in the policy will
495*758e9fbaSOystein Eftevaag * bu used to update the policy digest.
496*758e9fbaSOystein Eftevaag * The offset which is supported by the TPM policy for FAPI will be 0.
497*758e9fbaSOystein Eftevaag *
498*758e9fbaSOystein Eftevaag * @param[in] policy The policy with the timer value and the operation for
499*758e9fbaSOystein Eftevaag * comparison.
500*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
501*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
502*758e9fbaSOystein Eftevaag *
503*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
504*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
505*758e9fbaSOystein Eftevaag * the function.
506*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
507*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
508*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
509*758e9fbaSOystein Eftevaag */
510*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_counter_timer(TPMS_POLICYCOUNTERTIMER * policy,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)511*758e9fbaSOystein Eftevaag ifapi_calculate_policy_counter_timer(
512*758e9fbaSOystein Eftevaag TPMS_POLICYCOUNTERTIMER *policy,
513*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
514*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
515*758e9fbaSOystein Eftevaag {
516*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
517*758e9fbaSOystein Eftevaag IFAPI_CRYPTO_CONTEXT_BLOB *cryptoContext = NULL;
518*758e9fbaSOystein Eftevaag size_t digest_idx;
519*758e9fbaSOystein Eftevaag size_t hash_size;
520*758e9fbaSOystein Eftevaag TPM2B_DIGEST counter_timer_hash;
521*758e9fbaSOystein Eftevaag
522*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
523*758e9fbaSOystein Eftevaag
524*758e9fbaSOystein Eftevaag if (!(hash_size = ifapi_hash_get_digest_size(current_hash_alg))) {
525*758e9fbaSOystein Eftevaag goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
526*758e9fbaSOystein Eftevaag "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
527*758e9fbaSOystein Eftevaag current_hash_alg);
528*758e9fbaSOystein Eftevaag }
529*758e9fbaSOystein Eftevaag
530*758e9fbaSOystein Eftevaag /* Compute of the index of the current policy in the passed digest list */
531*758e9fbaSOystein Eftevaag r = get_policy_digest_idx(current_digest, current_hash_alg, &digest_idx);
532*758e9fbaSOystein Eftevaag return_if_error(r, "Get hash alg for digest.");
533*758e9fbaSOystein Eftevaag
534*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg);
535*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash start");
536*758e9fbaSOystein Eftevaag
537*758e9fbaSOystein Eftevaag /* Compute a has value from the offset, the timer value and the operation. */
538*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext, &policy->operandB.buffer[0],
539*758e9fbaSOystein Eftevaag policy->operandB.size, r, cleanup);
540*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, UINT16, policy->offset, r, cleanup);
541*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, UINT16, policy->operation, r, cleanup);
542*758e9fbaSOystein Eftevaag
543*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_finish(&cryptoContext,
544*758e9fbaSOystein Eftevaag (uint8_t *) &counter_timer_hash.buffer[0], &hash_size);
545*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash finish");
546*758e9fbaSOystein Eftevaag
547*758e9fbaSOystein Eftevaag /* Extend the policy digest from the hash value computed above and the
548*758e9fbaSOystein Eftevaag command code. */
549*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg);
550*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash start");
551*758e9fbaSOystein Eftevaag
552*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext,
553*758e9fbaSOystein Eftevaag ¤t_digest->digests[digest_idx].digest, hash_size,
554*758e9fbaSOystein Eftevaag r, cleanup);
555*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, TPM2_CC, TPM2_CC_PolicyCounterTimer, r, cleanup);
556*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext, &counter_timer_hash.buffer[0],
557*758e9fbaSOystein Eftevaag hash_size, r, cleanup);
558*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_finish(&cryptoContext,
559*758e9fbaSOystein Eftevaag (uint8_t *) ¤t_digest->digests[digest_idx].digest,
560*758e9fbaSOystein Eftevaag &hash_size);
561*758e9fbaSOystein Eftevaag cleanup:
562*758e9fbaSOystein Eftevaag if (cryptoContext)
563*758e9fbaSOystein Eftevaag ifapi_crypto_hash_abort(&cryptoContext);
564*758e9fbaSOystein Eftevaag return r;
565*758e9fbaSOystein Eftevaag }
566*758e9fbaSOystein Eftevaag
567*758e9fbaSOystein Eftevaag /** Update policy if only the command codes are used.
568*758e9fbaSOystein Eftevaag *
569*758e9fbaSOystein Eftevaag * Some simple policies use onle one or two command codes for policy calculation.
570*758e9fbaSOystein Eftevaag *
571*758e9fbaSOystein Eftevaag * @param[in] command_code1 The first command code for policy extension.
572*758e9fbaSOystein Eftevaag * Can be NULL.
573*758e9fbaSOystein Eftevaag * @param[in] command_code2 The second command code for policy extension.
574*758e9fbaSOystein Eftevaag * Can be NULL.
575*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
576*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
577*758e9fbaSOystein Eftevaag *
578*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
579*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
580*758e9fbaSOystein Eftevaag * the function.
581*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
582*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
583*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
584*758e9fbaSOystein Eftevaag */
585*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_simple_policy(TPM2_CC command_code1,TPM2_CC command_code2,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)586*758e9fbaSOystein Eftevaag ifapi_calculate_simple_policy(
587*758e9fbaSOystein Eftevaag TPM2_CC command_code1,
588*758e9fbaSOystein Eftevaag TPM2_CC command_code2,
589*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
590*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
591*758e9fbaSOystein Eftevaag {
592*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
593*758e9fbaSOystein Eftevaag IFAPI_CRYPTO_CONTEXT_BLOB *cryptoContext = NULL;
594*758e9fbaSOystein Eftevaag size_t digest_idx;
595*758e9fbaSOystein Eftevaag size_t hash_size;
596*758e9fbaSOystein Eftevaag
597*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
598*758e9fbaSOystein Eftevaag
599*758e9fbaSOystein Eftevaag if (!(hash_size = ifapi_hash_get_digest_size(current_hash_alg))) {
600*758e9fbaSOystein Eftevaag goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
601*758e9fbaSOystein Eftevaag "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
602*758e9fbaSOystein Eftevaag current_hash_alg);
603*758e9fbaSOystein Eftevaag }
604*758e9fbaSOystein Eftevaag
605*758e9fbaSOystein Eftevaag /* Compute of the index of the current policy in the passed digest list */
606*758e9fbaSOystein Eftevaag r = get_policy_digest_idx(current_digest, current_hash_alg, &digest_idx);
607*758e9fbaSOystein Eftevaag return_if_error(r, "Get hash alg for digest.");
608*758e9fbaSOystein Eftevaag
609*758e9fbaSOystein Eftevaag /* Update the policy */
610*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg);
611*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash start");
612*758e9fbaSOystein Eftevaag
613*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext,
614*758e9fbaSOystein Eftevaag ¤t_digest->digests[digest_idx].digest, hash_size,
615*758e9fbaSOystein Eftevaag r, cleanup);
616*758e9fbaSOystein Eftevaag if (command_code1) {
617*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, TPM2_CC, command_code1, r, cleanup);
618*758e9fbaSOystein Eftevaag }
619*758e9fbaSOystein Eftevaag if (command_code2) {
620*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, TPM2_CC, command_code2, r, cleanup);
621*758e9fbaSOystein Eftevaag }
622*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_finish(&cryptoContext,
623*758e9fbaSOystein Eftevaag (uint8_t *) ¤t_digest->digests[digest_idx].digest,
624*758e9fbaSOystein Eftevaag &hash_size);
625*758e9fbaSOystein Eftevaag
626*758e9fbaSOystein Eftevaag cleanup:
627*758e9fbaSOystein Eftevaag if (cryptoContext)
628*758e9fbaSOystein Eftevaag ifapi_crypto_hash_abort(&cryptoContext);
629*758e9fbaSOystein Eftevaag return r;
630*758e9fbaSOystein Eftevaag }
631*758e9fbaSOystein Eftevaag
632*758e9fbaSOystein Eftevaag /** Update policy with command code policy physical presence.
633*758e9fbaSOystein Eftevaag *
634*758e9fbaSOystein Eftevaag * The policy will be updated with the function ifapi_calculate_simple_policy()
635*758e9fbaSOystein Eftevaag *
636*758e9fbaSOystein Eftevaag * @param[in] policy The policy physical presence.
637*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
638*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
639*758e9fbaSOystein Eftevaag *
640*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
641*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
642*758e9fbaSOystein Eftevaag * the function.
643*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
644*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
645*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
646*758e9fbaSOystein Eftevaag */
647*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_physical_presence(TPMS_POLICYPHYSICALPRESENCE * policy,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)648*758e9fbaSOystein Eftevaag ifapi_calculate_policy_physical_presence(
649*758e9fbaSOystein Eftevaag TPMS_POLICYPHYSICALPRESENCE *policy,
650*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
651*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
652*758e9fbaSOystein Eftevaag {
653*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
654*758e9fbaSOystein Eftevaag (void)policy;
655*758e9fbaSOystein Eftevaag
656*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
657*758e9fbaSOystein Eftevaag
658*758e9fbaSOystein Eftevaag r = ifapi_calculate_simple_policy(TPM2_CC_PolicyPhysicalPresence, 0,
659*758e9fbaSOystein Eftevaag current_digest, current_hash_alg);
660*758e9fbaSOystein Eftevaag return_if_error(r, "Calculate policy for command code.");
661*758e9fbaSOystein Eftevaag
662*758e9fbaSOystein Eftevaag return r;
663*758e9fbaSOystein Eftevaag }
664*758e9fbaSOystein Eftevaag
665*758e9fbaSOystein Eftevaag /** Update policy with command code of policy auth value.
666*758e9fbaSOystein Eftevaag *
667*758e9fbaSOystein Eftevaag * The policy will be updated with the function ifapi_calculate_simple_policy()
668*758e9fbaSOystein Eftevaag *
669*758e9fbaSOystein Eftevaag * @param[in] policy The policy auth value.
670*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
671*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
672*758e9fbaSOystein Eftevaag *
673*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
674*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
675*758e9fbaSOystein Eftevaag * the function.
676*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
677*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
678*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
679*758e9fbaSOystein Eftevaag */
680*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_auth_value(TPMS_POLICYAUTHVALUE * policy,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)681*758e9fbaSOystein Eftevaag ifapi_calculate_policy_auth_value(
682*758e9fbaSOystein Eftevaag TPMS_POLICYAUTHVALUE *policy,
683*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
684*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
685*758e9fbaSOystein Eftevaag {
686*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
687*758e9fbaSOystein Eftevaag (void)policy;
688*758e9fbaSOystein Eftevaag
689*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
690*758e9fbaSOystein Eftevaag
691*758e9fbaSOystein Eftevaag r = ifapi_calculate_simple_policy(TPM2_CC_PolicyAuthValue, 0,
692*758e9fbaSOystein Eftevaag current_digest, current_hash_alg);
693*758e9fbaSOystein Eftevaag return_if_error(r, "Calculate policy auth value.");
694*758e9fbaSOystein Eftevaag
695*758e9fbaSOystein Eftevaag return r;
696*758e9fbaSOystein Eftevaag }
697*758e9fbaSOystein Eftevaag
698*758e9fbaSOystein Eftevaag /** Update policy with the command code of policy password.
699*758e9fbaSOystein Eftevaag *
700*758e9fbaSOystein Eftevaag * The policy will be updated with the function ifapi_calculate_simple_policy()
701*758e9fbaSOystein Eftevaag *
702*758e9fbaSOystein Eftevaag * @param[in] policy The policy password.
703*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
704*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
705*758e9fbaSOystein Eftevaag *
706*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
707*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
708*758e9fbaSOystein Eftevaag * the function.
709*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
710*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
711*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
712*758e9fbaSOystein Eftevaag */
713*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_password(TPMS_POLICYPASSWORD * policy,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)714*758e9fbaSOystein Eftevaag ifapi_calculate_policy_password(
715*758e9fbaSOystein Eftevaag TPMS_POLICYPASSWORD *policy,
716*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
717*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
718*758e9fbaSOystein Eftevaag {
719*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
720*758e9fbaSOystein Eftevaag (void)policy;
721*758e9fbaSOystein Eftevaag
722*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
723*758e9fbaSOystein Eftevaag
724*758e9fbaSOystein Eftevaag r = ifapi_calculate_simple_policy(TPM2_CC_PolicyAuthValue, 0,
725*758e9fbaSOystein Eftevaag current_digest, current_hash_alg);
726*758e9fbaSOystein Eftevaag return_if_error(r, "Calculate policy password.");
727*758e9fbaSOystein Eftevaag
728*758e9fbaSOystein Eftevaag return r;
729*758e9fbaSOystein Eftevaag }
730*758e9fbaSOystein Eftevaag
731*758e9fbaSOystein Eftevaag /** Update policy command code with a command code defined in the policy.
732*758e9fbaSOystein Eftevaag *
733*758e9fbaSOystein Eftevaag * For the update two command codes will be used. The command code of
734*758e9fbaSOystein Eftevaag * policy command code and the passed command code.
735*758e9fbaSOystein Eftevaag * The policy will be updated with the function ifapi_calculate_simple_policy()
736*758e9fbaSOystein Eftevaag *
737*758e9fbaSOystein Eftevaag * @param[in] policy The policy command code with the second command code.
738*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
739*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
740*758e9fbaSOystein Eftevaag *
741*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
742*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
743*758e9fbaSOystein Eftevaag * the function.
744*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
745*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
746*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
747*758e9fbaSOystein Eftevaag */
748*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_command_code(TPMS_POLICYCOMMANDCODE * policy,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)749*758e9fbaSOystein Eftevaag ifapi_calculate_policy_command_code(
750*758e9fbaSOystein Eftevaag TPMS_POLICYCOMMANDCODE *policy,
751*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
752*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
753*758e9fbaSOystein Eftevaag {
754*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
755*758e9fbaSOystein Eftevaag
756*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
757*758e9fbaSOystein Eftevaag
758*758e9fbaSOystein Eftevaag r = ifapi_calculate_simple_policy(TPM2_CC_PolicyCommandCode, policy->code,
759*758e9fbaSOystein Eftevaag current_digest, current_hash_alg);
760*758e9fbaSOystein Eftevaag return_if_error(r, "Calculate policy for command code.");
761*758e9fbaSOystein Eftevaag
762*758e9fbaSOystein Eftevaag return r;
763*758e9fbaSOystein Eftevaag }
764*758e9fbaSOystein Eftevaag
765*758e9fbaSOystein Eftevaag /** Compute policy if only a digest and a command code are needed for extension.
766*758e9fbaSOystein Eftevaag *
767*758e9fbaSOystein Eftevaag * @param[in] digest the digest which will be used for policy extension.
768*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
769*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
770*758e9fbaSOystein Eftevaag * @param[in] command_code The compute of the command which did compute the digest.
771*758e9fbaSOystein Eftevaag *
772*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
773*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
774*758e9fbaSOystein Eftevaag * the function.
775*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
776*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
777*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
778*758e9fbaSOystein Eftevaag */
779*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_digest_hash(TPM2B_DIGEST * digest,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg,TPM2_CC command_code)780*758e9fbaSOystein Eftevaag ifapi_calculate_policy_digest_hash(
781*758e9fbaSOystein Eftevaag TPM2B_DIGEST *digest,
782*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
783*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg,
784*758e9fbaSOystein Eftevaag TPM2_CC command_code)
785*758e9fbaSOystein Eftevaag {
786*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
787*758e9fbaSOystein Eftevaag IFAPI_CRYPTO_CONTEXT_BLOB *cryptoContext = NULL;
788*758e9fbaSOystein Eftevaag size_t digest_idx;
789*758e9fbaSOystein Eftevaag size_t hash_size;
790*758e9fbaSOystein Eftevaag
791*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
792*758e9fbaSOystein Eftevaag
793*758e9fbaSOystein Eftevaag if (!(hash_size = ifapi_hash_get_digest_size(current_hash_alg))) {
794*758e9fbaSOystein Eftevaag goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
795*758e9fbaSOystein Eftevaag "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
796*758e9fbaSOystein Eftevaag current_hash_alg);
797*758e9fbaSOystein Eftevaag }
798*758e9fbaSOystein Eftevaag
799*758e9fbaSOystein Eftevaag /* Compute of the index of the current policy in the passed digest list */
800*758e9fbaSOystein Eftevaag r = get_policy_digest_idx(current_digest, current_hash_alg, &digest_idx);
801*758e9fbaSOystein Eftevaag return_if_error(r, "Get hash alg for digest.");
802*758e9fbaSOystein Eftevaag
803*758e9fbaSOystein Eftevaag /* Update the policy. */
804*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg);
805*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash start");
806*758e9fbaSOystein Eftevaag
807*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext,
808*758e9fbaSOystein Eftevaag ¤t_digest->digests[digest_idx].digest, hash_size,
809*758e9fbaSOystein Eftevaag r, cleanup);
810*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, TPM2_CC, command_code, r, cleanup);
811*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext, &digest->buffer[0],
812*758e9fbaSOystein Eftevaag digest->size, r, cleanup);
813*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_finish(&cryptoContext,
814*758e9fbaSOystein Eftevaag (uint8_t *) ¤t_digest->digests[digest_idx].digest,
815*758e9fbaSOystein Eftevaag &hash_size);
816*758e9fbaSOystein Eftevaag cleanup:
817*758e9fbaSOystein Eftevaag if (cryptoContext)
818*758e9fbaSOystein Eftevaag ifapi_crypto_hash_abort(&cryptoContext);
819*758e9fbaSOystein Eftevaag return r;
820*758e9fbaSOystein Eftevaag }
821*758e9fbaSOystein Eftevaag
822*758e9fbaSOystein Eftevaag /** Compute policy bound to a specific set of TPM entities.
823*758e9fbaSOystein Eftevaag *
824*758e9fbaSOystein Eftevaag * The policy digest will be updated with the function
825*758e9fbaSOystein Eftevaag * ifapi_calculate_policy_digest_hash() which will add the hash of the
826*758e9fbaSOystein Eftevaag * entity name list.
827*758e9fbaSOystein Eftevaag *
828*758e9fbaSOystein Eftevaag * @param[in] policy The policy with the list of entity names.
829*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
830*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
831*758e9fbaSOystein Eftevaag *
832*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
833*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
834*758e9fbaSOystein Eftevaag * the function.
835*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
836*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
837*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
838*758e9fbaSOystein Eftevaag */
839*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_name_hash(TPMS_POLICYNAMEHASH * policy,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)840*758e9fbaSOystein Eftevaag ifapi_calculate_policy_name_hash(
841*758e9fbaSOystein Eftevaag TPMS_POLICYNAMEHASH *policy,
842*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
843*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
844*758e9fbaSOystein Eftevaag {
845*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
846*758e9fbaSOystein Eftevaag IFAPI_CRYPTO_CONTEXT_BLOB *cryptoContext = NULL;
847*758e9fbaSOystein Eftevaag size_t hash_size;
848*758e9fbaSOystein Eftevaag size_t i;
849*758e9fbaSOystein Eftevaag
850*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
851*758e9fbaSOystein Eftevaag
852*758e9fbaSOystein Eftevaag if (!(hash_size = ifapi_hash_get_digest_size(current_hash_alg))) {
853*758e9fbaSOystein Eftevaag goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
854*758e9fbaSOystein Eftevaag "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
855*758e9fbaSOystein Eftevaag current_hash_alg);
856*758e9fbaSOystein Eftevaag }
857*758e9fbaSOystein Eftevaag
858*758e9fbaSOystein Eftevaag /* Compute of the index of the current policy in the passed digest list */
859*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg);
860*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash start");
861*758e9fbaSOystein Eftevaag
862*758e9fbaSOystein Eftevaag /* Compute name hash from the list of object names */
863*758e9fbaSOystein Eftevaag for (i = 0; i <= policy->count; i++) {
864*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext, &policy->objectNames[i].name[0],
865*758e9fbaSOystein Eftevaag policy->objectNames[i].size, r,
866*758e9fbaSOystein Eftevaag cleanup);
867*758e9fbaSOystein Eftevaag }
868*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_finish(&cryptoContext,
869*758e9fbaSOystein Eftevaag (uint8_t *) &policy->nameHash.buffer[0],
870*758e9fbaSOystein Eftevaag &hash_size);
871*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash finish");
872*758e9fbaSOystein Eftevaag
873*758e9fbaSOystein Eftevaag policy->nameHash.size = hash_size;
874*758e9fbaSOystein Eftevaag
875*758e9fbaSOystein Eftevaag /* Update the policy with the computed hash value of the name list and
876*758e9fbaSOystein Eftevaag the command code. */
877*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_digest_hash(&policy->nameHash,
878*758e9fbaSOystein Eftevaag current_digest,
879*758e9fbaSOystein Eftevaag current_hash_alg, TPM2_CC_PolicyNameHash);
880*758e9fbaSOystein Eftevaag return_if_error(r, "Calculate digest hash for policy");
881*758e9fbaSOystein Eftevaag
882*758e9fbaSOystein Eftevaag cleanup:
883*758e9fbaSOystein Eftevaag if (cryptoContext)
884*758e9fbaSOystein Eftevaag ifapi_crypto_hash_abort(&cryptoContext);
885*758e9fbaSOystein Eftevaag return r;
886*758e9fbaSOystein Eftevaag }
887*758e9fbaSOystein Eftevaag
888*758e9fbaSOystein Eftevaag /** Compute policy bound to a specific command and command parameters.
889*758e9fbaSOystein Eftevaag *
890*758e9fbaSOystein Eftevaag * The cp hash value and the command code will be updated by the
891*758e9fbaSOystein Eftevaag * function ifapi_calculate_policy_digest_hash().
892*758e9fbaSOystein Eftevaag *
893*758e9fbaSOystein Eftevaag * @param[in] policy The policy with the cp hash value.
894*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
895*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
896*758e9fbaSOystein Eftevaag *
897*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
898*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
899*758e9fbaSOystein Eftevaag * the function.
900*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
901*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
902*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
903*758e9fbaSOystein Eftevaag */
904*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_cp_hash(TPMS_POLICYCPHASH * policy,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)905*758e9fbaSOystein Eftevaag ifapi_calculate_policy_cp_hash(
906*758e9fbaSOystein Eftevaag TPMS_POLICYCPHASH *policy,
907*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
908*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
909*758e9fbaSOystein Eftevaag {
910*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
911*758e9fbaSOystein Eftevaag
912*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
913*758e9fbaSOystein Eftevaag
914*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_digest_hash(&policy->cpHash,
915*758e9fbaSOystein Eftevaag current_digest, current_hash_alg,
916*758e9fbaSOystein Eftevaag TPM2_CC_PolicyCpHash);
917*758e9fbaSOystein Eftevaag return_if_error(r, "Calculate digest hash for policy");
918*758e9fbaSOystein Eftevaag
919*758e9fbaSOystein Eftevaag return r;
920*758e9fbaSOystein Eftevaag }
921*758e9fbaSOystein Eftevaag
922*758e9fbaSOystein Eftevaag /** Compute policy which limits authorization to a specific locality.
923*758e9fbaSOystein Eftevaag *
924*758e9fbaSOystein Eftevaag * @param[in] policy The policy with the locality.
925*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
926*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
927*758e9fbaSOystein Eftevaag *
928*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
929*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
930*758e9fbaSOystein Eftevaag * the function.
931*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
932*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
933*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
934*758e9fbaSOystein Eftevaag */
935*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_locality(TPMS_POLICYLOCALITY * policy,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)936*758e9fbaSOystein Eftevaag ifapi_calculate_policy_locality(
937*758e9fbaSOystein Eftevaag TPMS_POLICYLOCALITY *policy,
938*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
939*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
940*758e9fbaSOystein Eftevaag {
941*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
942*758e9fbaSOystein Eftevaag IFAPI_CRYPTO_CONTEXT_BLOB *cryptoContext = NULL;
943*758e9fbaSOystein Eftevaag size_t digest_idx;
944*758e9fbaSOystein Eftevaag size_t hash_size;
945*758e9fbaSOystein Eftevaag
946*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
947*758e9fbaSOystein Eftevaag
948*758e9fbaSOystein Eftevaag if (!(hash_size = ifapi_hash_get_digest_size(current_hash_alg))) {
949*758e9fbaSOystein Eftevaag goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
950*758e9fbaSOystein Eftevaag "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
951*758e9fbaSOystein Eftevaag current_hash_alg);
952*758e9fbaSOystein Eftevaag }
953*758e9fbaSOystein Eftevaag
954*758e9fbaSOystein Eftevaag /* Compute of the index of the current policy in the passed digest list */
955*758e9fbaSOystein Eftevaag r = get_policy_digest_idx(current_digest, current_hash_alg, &digest_idx);
956*758e9fbaSOystein Eftevaag return_if_error(r, "Get hash alg for digest.");
957*758e9fbaSOystein Eftevaag
958*758e9fbaSOystein Eftevaag /* Update the policy */
959*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg);
960*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash start");
961*758e9fbaSOystein Eftevaag
962*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext,
963*758e9fbaSOystein Eftevaag ¤t_digest->digests[digest_idx].digest, hash_size,
964*758e9fbaSOystein Eftevaag r, cleanup);
965*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, TPM2_CC, TPM2_CC_PolicyLocality, r, cleanup);
966*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, BYTE, policy->locality, r, cleanup);
967*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_finish(&cryptoContext,
968*758e9fbaSOystein Eftevaag (uint8_t *) & current_digest->
969*758e9fbaSOystein Eftevaag digests[digest_idx].digest, &hash_size);
970*758e9fbaSOystein Eftevaag
971*758e9fbaSOystein Eftevaag cleanup:
972*758e9fbaSOystein Eftevaag if (cryptoContext)
973*758e9fbaSOystein Eftevaag ifapi_crypto_hash_abort(&cryptoContext);
974*758e9fbaSOystein Eftevaag return r;
975*758e9fbaSOystein Eftevaag }
976*758e9fbaSOystein Eftevaag
977*758e9fbaSOystein Eftevaag /** Compute policy bound to bound to the TPMA_NV_WRITTEN attributes.
978*758e9fbaSOystein Eftevaag *
979*758e9fbaSOystein Eftevaag * The expected value of the NV written attribute is part of the policy.
980*758e9fbaSOystein Eftevaag *
981*758e9fbaSOystein Eftevaag * @param[in] policy The policy with the expected attribute value.
982*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
983*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
984*758e9fbaSOystein Eftevaag *
985*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
986*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
987*758e9fbaSOystein Eftevaag * the function.
988*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
989*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
990*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
991*758e9fbaSOystein Eftevaag */
992*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_nv_written(TPMS_POLICYNVWRITTEN * policy,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)993*758e9fbaSOystein Eftevaag ifapi_calculate_policy_nv_written(
994*758e9fbaSOystein Eftevaag TPMS_POLICYNVWRITTEN *policy,
995*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
996*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
997*758e9fbaSOystein Eftevaag {
998*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
999*758e9fbaSOystein Eftevaag IFAPI_CRYPTO_CONTEXT_BLOB *cryptoContext = NULL;
1000*758e9fbaSOystein Eftevaag size_t digest_idx;
1001*758e9fbaSOystein Eftevaag size_t hash_size;
1002*758e9fbaSOystein Eftevaag
1003*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
1004*758e9fbaSOystein Eftevaag
1005*758e9fbaSOystein Eftevaag if (!(hash_size = ifapi_hash_get_digest_size(current_hash_alg))) {
1006*758e9fbaSOystein Eftevaag goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
1007*758e9fbaSOystein Eftevaag "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
1008*758e9fbaSOystein Eftevaag current_hash_alg);
1009*758e9fbaSOystein Eftevaag }
1010*758e9fbaSOystein Eftevaag
1011*758e9fbaSOystein Eftevaag /* Compute of the index of the current policy in the passed digest list */
1012*758e9fbaSOystein Eftevaag r = get_policy_digest_idx(current_digest, current_hash_alg, &digest_idx);
1013*758e9fbaSOystein Eftevaag return_if_error(r, "Get hash alg for digest.");
1014*758e9fbaSOystein Eftevaag
1015*758e9fbaSOystein Eftevaag /* Update the policy */
1016*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg);
1017*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash start");
1018*758e9fbaSOystein Eftevaag
1019*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext,
1020*758e9fbaSOystein Eftevaag ¤t_digest->digests[digest_idx].digest, hash_size,
1021*758e9fbaSOystein Eftevaag r, cleanup);
1022*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, TPM2_CC, TPM2_CC_PolicyNvWritten, r, cleanup);
1023*758e9fbaSOystein Eftevaag /* Update the expected attribute value. */
1024*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, BYTE, policy->writtenSet, r, cleanup);
1025*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_finish(&cryptoContext,
1026*758e9fbaSOystein Eftevaag (uint8_t *) & current_digest->
1027*758e9fbaSOystein Eftevaag digests[digest_idx].digest, &hash_size);
1028*758e9fbaSOystein Eftevaag
1029*758e9fbaSOystein Eftevaag cleanup:
1030*758e9fbaSOystein Eftevaag if (cryptoContext)
1031*758e9fbaSOystein Eftevaag ifapi_crypto_hash_abort(&cryptoContext);
1032*758e9fbaSOystein Eftevaag return r;
1033*758e9fbaSOystein Eftevaag }
1034*758e9fbaSOystein Eftevaag
1035*758e9fbaSOystein Eftevaag /** Compute policy bound to the content of an NV index.
1036*758e9fbaSOystein Eftevaag *
1037*758e9fbaSOystein Eftevaag * The value used for comparison, the compare operation and an
1038*758e9fbaSOystein Eftevaag * offset for the NV index are part of the policy.
1039*758e9fbaSOystein Eftevaag *
1040*758e9fbaSOystein Eftevaag * @param[in] policy The policy with the expected values used for comparison.
1041*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
1042*758e9fbaSOystein Eftevaag * @param[in] current_hash_alg The hash algorithm used for the policy computation.
1043*758e9fbaSOystein Eftevaag *
1044*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
1045*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
1046*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
1047*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
1048*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
1049*758e9fbaSOystein Eftevaag * the function.
1050*758e9fbaSOystein Eftevaag */
1051*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_nv(TPMS_POLICYNV * policy,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH current_hash_alg)1052*758e9fbaSOystein Eftevaag ifapi_calculate_policy_nv(
1053*758e9fbaSOystein Eftevaag TPMS_POLICYNV *policy,
1054*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
1055*758e9fbaSOystein Eftevaag TPMI_ALG_HASH current_hash_alg)
1056*758e9fbaSOystein Eftevaag {
1057*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
1058*758e9fbaSOystein Eftevaag IFAPI_CRYPTO_CONTEXT_BLOB *cryptoContext = NULL;
1059*758e9fbaSOystein Eftevaag TPM2B_NAME nv_name;
1060*758e9fbaSOystein Eftevaag size_t hash_size;
1061*758e9fbaSOystein Eftevaag TPM2B_DIGEST nv_hash;
1062*758e9fbaSOystein Eftevaag size_t digest_idx;
1063*758e9fbaSOystein Eftevaag
1064*758e9fbaSOystein Eftevaag LOG_DEBUG("call");
1065*758e9fbaSOystein Eftevaag
1066*758e9fbaSOystein Eftevaag memset(&nv_name, 0, sizeof(TPM2B_NAME));
1067*758e9fbaSOystein Eftevaag
1068*758e9fbaSOystein Eftevaag /* Compute NV name from public info */
1069*758e9fbaSOystein Eftevaag
1070*758e9fbaSOystein Eftevaag r = ifapi_nv_get_name(&policy->nvPublic, &nv_name);
1071*758e9fbaSOystein Eftevaag return_if_error(r, "Compute NV name");
1072*758e9fbaSOystein Eftevaag
1073*758e9fbaSOystein Eftevaag /* Compute of the index of the current policy in the passed digest list */
1074*758e9fbaSOystein Eftevaag r = get_policy_digest_idx(current_digest, current_hash_alg, &digest_idx);
1075*758e9fbaSOystein Eftevaag return_if_error(r, "Get hash alg for digest.");
1076*758e9fbaSOystein Eftevaag
1077*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg);
1078*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash start");
1079*758e9fbaSOystein Eftevaag
1080*758e9fbaSOystein Eftevaag /* Compute the hash for the compare operation. */
1081*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext, &policy->operandB.buffer[0],
1082*758e9fbaSOystein Eftevaag policy->operandB.size, r, cleanup);
1083*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, UINT16, policy->offset, r, cleanup);
1084*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, UINT16, policy->operation, r, cleanup);
1085*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_finish(&cryptoContext,
1086*758e9fbaSOystein Eftevaag (uint8_t *) &nv_hash.buffer[0], &hash_size);
1087*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash finish");
1088*758e9fbaSOystein Eftevaag
1089*758e9fbaSOystein Eftevaag nv_hash.size = hash_size;
1090*758e9fbaSOystein Eftevaag
1091*758e9fbaSOystein Eftevaag /* Update the policy with the hash of the compare operation and the NV name. */
1092*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg);
1093*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash start");
1094*758e9fbaSOystein Eftevaag
1095*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext,
1096*758e9fbaSOystein Eftevaag ¤t_digest->digests[digest_idx].digest, hash_size,
1097*758e9fbaSOystein Eftevaag r, cleanup);
1098*758e9fbaSOystein Eftevaag HASH_UPDATE(cryptoContext, TPM2_CC, TPM2_CC_PolicyNV, r, cleanup);
1099*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext, &nv_hash.buffer[0], nv_hash.size, r, cleanup)
1100*758e9fbaSOystein Eftevaag HASH_UPDATE_BUFFER(cryptoContext, &nv_name.name[0], nv_name.size, r, cleanup);
1101*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_finish(&cryptoContext,
1102*758e9fbaSOystein Eftevaag (uint8_t *) ¤t_digest->digests[digest_idx].digest,
1103*758e9fbaSOystein Eftevaag &hash_size);
1104*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash finish");
1105*758e9fbaSOystein Eftevaag
1106*758e9fbaSOystein Eftevaag cleanup:
1107*758e9fbaSOystein Eftevaag if (cryptoContext)
1108*758e9fbaSOystein Eftevaag ifapi_crypto_hash_abort(&cryptoContext);
1109*758e9fbaSOystein Eftevaag return r;
1110*758e9fbaSOystein Eftevaag }
1111*758e9fbaSOystein Eftevaag
1112*758e9fbaSOystein Eftevaag /** Compute a list of policies to enable authorization options.
1113*758e9fbaSOystein Eftevaag *
1114*758e9fbaSOystein Eftevaag * First the policy digest will be computed for every branch.
1115*758e9fbaSOystein Eftevaag * After that the policy digest will be reset to zero and extended by the
1116*758e9fbaSOystein Eftevaag * list of computed policy digests of the branches.
1117*758e9fbaSOystein Eftevaag *
1118*758e9fbaSOystein Eftevaag * @param[in] policyOr The policy with the possible policy branches.
1119*758e9fbaSOystein Eftevaag * @param[in,out] current_digest The digest list which has to be updated.
1120*758e9fbaSOystein Eftevaag * @param[in] hash_alg The hash algorithm used for the policy computation.
1121*758e9fbaSOystein Eftevaag * @param[in] hash_size The size of the policy digest.
1122*758e9fbaSOystein Eftevaag * @param[in] digest_idx The index of the current policy in the passed digest list.
1123*758e9fbaSOystein Eftevaag *
1124*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
1125*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
1126*758e9fbaSOystein Eftevaag * the function.
1127*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
1128*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
1129*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
1130*758e9fbaSOystein Eftevaag */
1131*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy_or(TPMS_POLICYOR * policyOr,TPML_DIGEST_VALUES * current_digest,TPMI_ALG_HASH hash_alg,size_t hash_size,size_t digest_idx)1132*758e9fbaSOystein Eftevaag ifapi_calculate_policy_or(
1133*758e9fbaSOystein Eftevaag TPMS_POLICYOR *policyOr,
1134*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *current_digest,
1135*758e9fbaSOystein Eftevaag TPMI_ALG_HASH hash_alg,
1136*758e9fbaSOystein Eftevaag size_t hash_size,
1137*758e9fbaSOystein Eftevaag size_t digest_idx)
1138*758e9fbaSOystein Eftevaag {
1139*758e9fbaSOystein Eftevaag size_t i;
1140*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
1141*758e9fbaSOystein Eftevaag IFAPI_CRYPTO_CONTEXT_BLOB *cryptoContext = NULL;
1142*758e9fbaSOystein Eftevaag
1143*758e9fbaSOystein Eftevaag for (i = 0; i < policyOr->branches->count; i++) {
1144*758e9fbaSOystein Eftevaag /* Compute the policy digest for every branch. */
1145*758e9fbaSOystein Eftevaag copy_policy_digest(&policyOr->branches->authorizations[i].policyDigests,
1146*758e9fbaSOystein Eftevaag current_digest, digest_idx, hash_size,
1147*758e9fbaSOystein Eftevaag "Copy or digest");
1148*758e9fbaSOystein Eftevaag
1149*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy(policyOr->branches->authorizations[i].policy,
1150*758e9fbaSOystein Eftevaag &policyOr->branches->authorizations[i].
1151*758e9fbaSOystein Eftevaag policyDigests, hash_alg, hash_size,
1152*758e9fbaSOystein Eftevaag digest_idx);
1153*758e9fbaSOystein Eftevaag log_policy_digest(&policyOr->branches->authorizations[i].policyDigests,
1154*758e9fbaSOystein Eftevaag digest_idx, hash_size, "Branch digest");
1155*758e9fbaSOystein Eftevaag
1156*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy.");
1157*758e9fbaSOystein Eftevaag }
1158*758e9fbaSOystein Eftevaag /* Reset the or policy digest because the digest is included in all sub policies */
1159*758e9fbaSOystein Eftevaag memset(¤t_digest->digests[digest_idx], 0, hash_size);
1160*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_start(&cryptoContext, hash_alg);
1161*758e9fbaSOystein Eftevaag return_if_error(r, "crypto hash start");
1162*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_update(cryptoContext, (const uint8_t *)
1163*758e9fbaSOystein Eftevaag ¤t_digest->digests[digest_idx].digest,
1164*758e9fbaSOystein Eftevaag hash_size);
1165*758e9fbaSOystein Eftevaag goto_if_error(r, "crypto hash update", cleanup);
1166*758e9fbaSOystein Eftevaag
1167*758e9fbaSOystein Eftevaag /* Start with the update of the reset digest. */
1168*758e9fbaSOystein Eftevaag uint8_t buffer[sizeof(TPM2_CC)];
1169*758e9fbaSOystein Eftevaag size_t offset = 0;
1170*758e9fbaSOystein Eftevaag r = Tss2_MU_TPM2_CC_Marshal(TPM2_CC_PolicyOR,
1171*758e9fbaSOystein Eftevaag &buffer[0], sizeof(TPM2_CC), &offset);
1172*758e9fbaSOystein Eftevaag goto_if_error(r, "Marshal cc", cleanup);
1173*758e9fbaSOystein Eftevaag
1174*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_update(cryptoContext,
1175*758e9fbaSOystein Eftevaag (const uint8_t *)&buffer[0], sizeof(TPM2_CC));
1176*758e9fbaSOystein Eftevaag goto_if_error(r, "crypto hash update", cleanup);
1177*758e9fbaSOystein Eftevaag
1178*758e9fbaSOystein Eftevaag /* Update the digest with the complete list of computed digests of the branches. */
1179*758e9fbaSOystein Eftevaag for (i = 0; i < policyOr->branches->count; i++) {
1180*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_update(cryptoContext, (const uint8_t *)
1181*758e9fbaSOystein Eftevaag &policyOr->branches->authorizations[i]
1182*758e9fbaSOystein Eftevaag .policyDigests.digests[digest_idx].digest,
1183*758e9fbaSOystein Eftevaag hash_size);
1184*758e9fbaSOystein Eftevaag log_policy_digest(&policyOr->branches->authorizations[i].policyDigests,
1185*758e9fbaSOystein Eftevaag digest_idx, hash_size, "Or branch");
1186*758e9fbaSOystein Eftevaag current_digest->count =
1187*758e9fbaSOystein Eftevaag policyOr->branches->authorizations[i].policyDigests.count;
1188*758e9fbaSOystein Eftevaag goto_if_error(r, "crypto hash update", cleanup);
1189*758e9fbaSOystein Eftevaag }
1190*758e9fbaSOystein Eftevaag current_digest->digests[digest_idx].hashAlg = hash_alg;
1191*758e9fbaSOystein Eftevaag r = ifapi_crypto_hash_finish(&cryptoContext,
1192*758e9fbaSOystein Eftevaag (uint8_t *) & current_digest->
1193*758e9fbaSOystein Eftevaag digests[digest_idx].digest, &hash_size);
1194*758e9fbaSOystein Eftevaag log_policy_digest(current_digest, digest_idx, hash_size, "Final or digest");
1195*758e9fbaSOystein Eftevaag goto_if_error(r, "crypto hash finish", cleanup);
1196*758e9fbaSOystein Eftevaag
1197*758e9fbaSOystein Eftevaag cleanup:
1198*758e9fbaSOystein Eftevaag if (cryptoContext)
1199*758e9fbaSOystein Eftevaag ifapi_crypto_hash_abort(&cryptoContext);
1200*758e9fbaSOystein Eftevaag return r;
1201*758e9fbaSOystein Eftevaag }
1202*758e9fbaSOystein Eftevaag
1203*758e9fbaSOystein Eftevaag /** Compute policy digest for a list of policies.
1204*758e9fbaSOystein Eftevaag *
1205*758e9fbaSOystein Eftevaag * Every policy in the list will update the previous policy. Thus the final
1206*758e9fbaSOystein Eftevaag * policy digest will describe the sequential execution of the policy list.
1207*758e9fbaSOystein Eftevaag *
1208*758e9fbaSOystein Eftevaag * @param[in] policy The policy with the policy list.
1209*758e9fbaSOystein Eftevaag * @param[in,out] policyDigests The digest list which has to be updated.
1210*758e9fbaSOystein Eftevaag * @param[in] hash_alg The hash algorithm used for the policy computation.
1211*758e9fbaSOystein Eftevaag * @param[in] hash_size The size of the policy digest.
1212*758e9fbaSOystein Eftevaag * @param[in] digest_idx The index of the current policy in the passed digest list.
1213*758e9fbaSOystein Eftevaag *
1214*758e9fbaSOystein Eftevaag * @retval TSS2_RC_SUCCESS on success.
1215*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_VALUE if an invalid value was passed into
1216*758e9fbaSOystein Eftevaag * the function.
1217*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_GENERAL_FAILURE if an internal error occurred.
1218*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
1219*758e9fbaSOystein Eftevaag * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
1220*758e9fbaSOystein Eftevaag */
1221*758e9fbaSOystein Eftevaag TSS2_RC
ifapi_calculate_policy(TPML_POLICYELEMENTS * policy,TPML_DIGEST_VALUES * policyDigests,TPMI_ALG_HASH hash_alg,size_t hash_size,size_t digest_idx)1222*758e9fbaSOystein Eftevaag ifapi_calculate_policy(
1223*758e9fbaSOystein Eftevaag TPML_POLICYELEMENTS *policy,
1224*758e9fbaSOystein Eftevaag TPML_DIGEST_VALUES *policyDigests,
1225*758e9fbaSOystein Eftevaag TPMI_ALG_HASH hash_alg,
1226*758e9fbaSOystein Eftevaag size_t hash_size,
1227*758e9fbaSOystein Eftevaag size_t digest_idx)
1228*758e9fbaSOystein Eftevaag {
1229*758e9fbaSOystein Eftevaag size_t i;
1230*758e9fbaSOystein Eftevaag TSS2_RC r = TSS2_RC_SUCCESS;
1231*758e9fbaSOystein Eftevaag
1232*758e9fbaSOystein Eftevaag for (i = 0; i < policy->count; i++) {
1233*758e9fbaSOystein Eftevaag
1234*758e9fbaSOystein Eftevaag copy_policy_digest(&policy->elements[i].policyDigests,
1235*758e9fbaSOystein Eftevaag policyDigests, digest_idx, hash_size,
1236*758e9fbaSOystein Eftevaag "Copy policy digest (to)");
1237*758e9fbaSOystein Eftevaag
1238*758e9fbaSOystein Eftevaag switch (policy->elements[i].type) {
1239*758e9fbaSOystein Eftevaag
1240*758e9fbaSOystein Eftevaag case POLICYPCR:
1241*758e9fbaSOystein Eftevaag r = ifapi_compute_policy_pcr(&policy->elements[i].element.PolicyPCR,
1242*758e9fbaSOystein Eftevaag &policy->elements[i].policyDigests,
1243*758e9fbaSOystein Eftevaag hash_alg);
1244*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy pcr");
1245*758e9fbaSOystein Eftevaag break;
1246*758e9fbaSOystein Eftevaag
1247*758e9fbaSOystein Eftevaag case POLICYSIGNED:
1248*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_signed(&policy->elements[i].element.
1249*758e9fbaSOystein Eftevaag PolicySigned,
1250*758e9fbaSOystein Eftevaag &policy->elements[i].
1251*758e9fbaSOystein Eftevaag policyDigests, hash_alg);
1252*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy nv");
1253*758e9fbaSOystein Eftevaag
1254*758e9fbaSOystein Eftevaag break;
1255*758e9fbaSOystein Eftevaag
1256*758e9fbaSOystein Eftevaag case POLICYDUPLICATIONSELECT:
1257*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_duplicate(&policy->elements[i].element.
1258*758e9fbaSOystein Eftevaag PolicyDuplicationSelect,
1259*758e9fbaSOystein Eftevaag &policy->elements[i].
1260*758e9fbaSOystein Eftevaag policyDigests, hash_alg);
1261*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy duplication select");
1262*758e9fbaSOystein Eftevaag
1263*758e9fbaSOystein Eftevaag break;
1264*758e9fbaSOystein Eftevaag
1265*758e9fbaSOystein Eftevaag case POLICYAUTHORIZENV:
1266*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_authorize_nv(&policy->elements[i].
1267*758e9fbaSOystein Eftevaag element.PolicyAuthorizeNv,
1268*758e9fbaSOystein Eftevaag &policy->elements[i].
1269*758e9fbaSOystein Eftevaag policyDigests, hash_alg);
1270*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy authorizeg");
1271*758e9fbaSOystein Eftevaag
1272*758e9fbaSOystein Eftevaag break;
1273*758e9fbaSOystein Eftevaag
1274*758e9fbaSOystein Eftevaag case POLICYAUTHORIZE:
1275*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_authorize(&policy->elements[i].element.
1276*758e9fbaSOystein Eftevaag PolicyAuthorize,
1277*758e9fbaSOystein Eftevaag &policy->elements[i].
1278*758e9fbaSOystein Eftevaag policyDigests, hash_alg);
1279*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy authorizeg");
1280*758e9fbaSOystein Eftevaag
1281*758e9fbaSOystein Eftevaag break;
1282*758e9fbaSOystein Eftevaag
1283*758e9fbaSOystein Eftevaag case POLICYSECRET:
1284*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_secret(&policy->elements[i].element.
1285*758e9fbaSOystein Eftevaag PolicySecret,
1286*758e9fbaSOystein Eftevaag &policy->elements[i].
1287*758e9fbaSOystein Eftevaag policyDigests, hash_alg);
1288*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy nv");
1289*758e9fbaSOystein Eftevaag
1290*758e9fbaSOystein Eftevaag break;
1291*758e9fbaSOystein Eftevaag
1292*758e9fbaSOystein Eftevaag case POLICYOR:
1293*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_or(&policy->elements[i].element.PolicyOr,
1294*758e9fbaSOystein Eftevaag &policy->elements[i].policyDigests,
1295*758e9fbaSOystein Eftevaag hash_alg, hash_size, digest_idx);
1296*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy or");
1297*758e9fbaSOystein Eftevaag
1298*758e9fbaSOystein Eftevaag break;
1299*758e9fbaSOystein Eftevaag
1300*758e9fbaSOystein Eftevaag case POLICYNV:
1301*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_nv(&policy->elements[i].element.PolicyNV,
1302*758e9fbaSOystein Eftevaag &policy->elements[i].policyDigests,
1303*758e9fbaSOystein Eftevaag hash_alg);
1304*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy nv");
1305*758e9fbaSOystein Eftevaag
1306*758e9fbaSOystein Eftevaag break;
1307*758e9fbaSOystein Eftevaag
1308*758e9fbaSOystein Eftevaag case POLICYNVWRITTEN:
1309*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_nv_written(&policy->elements[i].element.
1310*758e9fbaSOystein Eftevaag PolicyNvWritten,
1311*758e9fbaSOystein Eftevaag &policy->elements[i].
1312*758e9fbaSOystein Eftevaag policyDigests, hash_alg);
1313*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy nv written");
1314*758e9fbaSOystein Eftevaag break;
1315*758e9fbaSOystein Eftevaag
1316*758e9fbaSOystein Eftevaag case POLICYCOUNTERTIMER:
1317*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_counter_timer(
1318*758e9fbaSOystein Eftevaag &policy->elements[i].element.PolicyCounterTimer,
1319*758e9fbaSOystein Eftevaag &policy->elements[i].policyDigests, hash_alg);
1320*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy counter timer");
1321*758e9fbaSOystein Eftevaag break;
1322*758e9fbaSOystein Eftevaag
1323*758e9fbaSOystein Eftevaag case POLICYPHYSICALPRESENCE:
1324*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_physical_presence(
1325*758e9fbaSOystein Eftevaag &policy->elements[i].element.PolicyPhysicalPresence,
1326*758e9fbaSOystein Eftevaag &policy->elements[i].policyDigests, hash_alg);
1327*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy physical presence");
1328*758e9fbaSOystein Eftevaag break;
1329*758e9fbaSOystein Eftevaag
1330*758e9fbaSOystein Eftevaag case POLICYAUTHVALUE:
1331*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_auth_value(&policy->elements[i].element.PolicyAuthValue,
1332*758e9fbaSOystein Eftevaag &policy->elements[i].policyDigests, hash_alg);
1333*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy auth value");
1334*758e9fbaSOystein Eftevaag break;
1335*758e9fbaSOystein Eftevaag
1336*758e9fbaSOystein Eftevaag case POLICYPASSWORD:
1337*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_password(&policy->elements[i].element.PolicyPassword,
1338*758e9fbaSOystein Eftevaag &policy->elements[i].policyDigests, hash_alg);
1339*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy password");
1340*758e9fbaSOystein Eftevaag break;
1341*758e9fbaSOystein Eftevaag
1342*758e9fbaSOystein Eftevaag case POLICYCOMMANDCODE:
1343*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_command_code(&policy->elements[i].element.PolicyCommandCode,
1344*758e9fbaSOystein Eftevaag &policy->elements[i].policyDigests, hash_alg);
1345*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy physical presence");
1346*758e9fbaSOystein Eftevaag break;
1347*758e9fbaSOystein Eftevaag
1348*758e9fbaSOystein Eftevaag case POLICYNAMEHASH:
1349*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_name_hash(&policy->elements[i].element.PolicyNameHash,
1350*758e9fbaSOystein Eftevaag &policy->elements[i].policyDigests, hash_alg);
1351*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy name hash");
1352*758e9fbaSOystein Eftevaag break;
1353*758e9fbaSOystein Eftevaag
1354*758e9fbaSOystein Eftevaag case POLICYCPHASH:
1355*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_cp_hash(&policy->elements[i].element.PolicyCpHash,
1356*758e9fbaSOystein Eftevaag &policy->elements[i].policyDigests, hash_alg);
1357*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy cp hash");
1358*758e9fbaSOystein Eftevaag break;
1359*758e9fbaSOystein Eftevaag
1360*758e9fbaSOystein Eftevaag case POLICYLOCALITY:
1361*758e9fbaSOystein Eftevaag r = ifapi_calculate_policy_locality(&policy->elements[i].element.PolicyLocality,
1362*758e9fbaSOystein Eftevaag &policy->elements[i].policyDigests, hash_alg);
1363*758e9fbaSOystein Eftevaag return_if_error(r, "Compute policy locality");
1364*758e9fbaSOystein Eftevaag break;
1365*758e9fbaSOystein Eftevaag
1366*758e9fbaSOystein Eftevaag case POLICYACTION:
1367*758e9fbaSOystein Eftevaag /* This does not alter the policyDigest */
1368*758e9fbaSOystein Eftevaag break;
1369*758e9fbaSOystein Eftevaag
1370*758e9fbaSOystein Eftevaag default:
1371*758e9fbaSOystein Eftevaag return_error(TSS2_FAPI_RC_BAD_VALUE,
1372*758e9fbaSOystein Eftevaag "Policy not implemented");
1373*758e9fbaSOystein Eftevaag }
1374*758e9fbaSOystein Eftevaag
1375*758e9fbaSOystein Eftevaag copy_policy_digest(policyDigests, &policy->elements[i].policyDigests,
1376*758e9fbaSOystein Eftevaag digest_idx, hash_size, "Copy policy digest (from)");
1377*758e9fbaSOystein Eftevaag }
1378*758e9fbaSOystein Eftevaag return r;
1379*758e9fbaSOystein Eftevaag }
1380