authorJames Bottomley <James.Bottomley@HansenPartnership.com>2023-12-15 17:36:38 -0500
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2023-12-17 09:51:44 -0500
commitd5eeceff61adfc529670359808424c7e811865f4 (patch)
tree23229f7db474bfedbe54548923987131f1541bff
parent2b85ef8efa2f6e1d8fb2466b68f66febe4da4d30 (diff)
downloadopenssl_tpm2_engine-d5eeceff61adfc529670359808424c7e811865f4.tar.gz
tss: add tpm2_PolicySecret
Add a cut down version of PolicySecret (with no nonceTPM, cpHashA or expiry and thus no returned timeout or ticket) for use with a PolicySecret statement in the encoded policy statements. For simplicity the authorization string is passed in and the internal routine constructs the necessary HMAC session for encoding it in the command (this saves the calling code from having to worry about multiple sessions). Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r--src/include/ibm-tss.h61
-rw-r--r--src/include/intel-tss.h44
2 files changed, 105 insertions, 0 deletions
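--- a/src/include/ibm-tss.h
+++ b/src/include/ibm-tss.h
@@ -635,6 +635,67 @@ tpm2_PolicyLocality(TSS_CONTEXT *tssContext, TPM_HANDLE policySession,
 }
 static inline TPM_RC
+tpm2_PolicySecret(TSS_CONTEXT *tssContext, TPM_HANDLE authHandle,
+ TPM_HANDLE policySession, DIGEST_2B *policyRef,
+ const char *authVal)
+{
+ PolicySecret_In in;
+ PolicySecret_Out out;
+ TPM_RC rc;
+ TPMT_SYM_DEF symmetric;
+ TPM_HANDLE authSession;
+
+ /*
+ * Simple use case: we take a bound session inside this
+ * function because we know the auth and we have an object
+ * handle. In theory the caller should pass in the session,
+ * but all current callers would flush the handle immediately
+ * after so it simplifies the API to do the session setup and
+ * teardown inside this call.
+ */
+
+ symmetric.algorithm = TPM_ALG_AES;
+ symmetric.keyBits.aes = 128;
+ symmetric.mode.aes = TPM_ALG_CFB;
+
+ /* need public area pulled in for nonce computation */
+ if ((authHandle >> 24) == TPM_HT_NV_INDEX)
+ tpm2_NV_ReadPublic(tssContext, authHandle, NULL);
+ else
+ tpm2_ReadPublic(tssContext, authHandle, NULL, TPM_RH_NULL, NULL);
+
+ rc = tpm2_StartAuthSession(tssContext, TPM_RH_NULL, authHandle,
+ TPM_SE_HMAC, &symmetric, TPM_ALG_SHA256,
+ &authSession, authVal);
+ if (rc)
+ return rc;
+
+ in.authHandle = authHandle;
+ in.policySession = policySession;
+ in.nonceTPM.b.size = 0;
+ in.cpHashA.b.size = 0;
+
+ in.policyRef.t = *policyRef;
+ in.expiration = 0;
+
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicySecret,
+ authSession, authVal, 0,
+ TPM_RH_NULL, NULL, 0);
+
+ if (rc) {
+ tpm2_FlushContext(tssContext, authSession);
+ tpm2_error(rc, "TPM2_PolicySecret");
+ return rc;
+ }
+
+ return rc;
+}
+
+static inline TPM_RC
 tpm2_PolicyGetDigest(TSS_CONTEXT *tssContext, TPM_HANDLE policySession,
 DIGEST_2B *digest)
 {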
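Review bot: `in.policyRef.t = *policyRef;` dereferences policyRef unconditionally, while the intel-tss.h version of this same function in this commit hands the pointer straight to Esys_PolicySecret, so a caller passing NULL for an empty policyRef would crash on one backend and work on the other; `if (policyRef) in.policyRef.t = *policyRef; else in.policyRef.b.size = 0;` keeps the two in step, or else state above the function that policyRef must be non-NULL. The return codes of tpm2_NV_ReadPublic and tpm2_ReadPublic are dropped; if the public area cannot be read, the failure will presumably surface only later from tpm2_StartAuthSession with a less specific code, so returning rc at that point would make the diagnosis clearer. The header comment promises session "setup and teardown inside this call", yet only the error path calls tpm2_FlushContext; since TSS_Execute is invoked with session attributes 0 (no continueSession), the TPM should close the HMAC session itself on success, and a comment such as `/* attributes 0: no continueSession, so the TPM flushes authSession on success */` on the TSS_Execute call would save the next reader from hunting for a leak.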
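--- a/src/include/intel-tss.h
+++ b/src/include/intel-tss.h
@@ -71,6 +71,7 @@
 #define TPM_CC_PolicyCounterTimer TPM2_CC_PolicyCounterTimer
 #define TPM_CC_PolicyAuthorize TPM2_CC_PolicyAuthorize
 #define TPM_CC_PolicyLocality TPM2_CC_PolicyLocality
+#define TPM_CC_PolicySecret TPM2_CC_PolicySecret
 #define TPM_ST_HASHCHECK TPM2_ST_HASHCHECK
@@ -1082,6 +1083,49 @@ tpm2_PolicyLocality(TSS_CONTEXT *tssContext, TPM_HANDLE policySession,
 }
 static inline TPM_RC
+tpm2_PolicySecret(TSS_CONTEXT *tssContext, TPM_HANDLE authHandle,
+ TPM_HANDLE policySession, DIGEST_2B *policyRef,
+ const char *authVal)
+{
+ TPM_RC rc;
+ TPM_HANDLE authSession;
+ TPMT_SYM_DEF symmetric;
+
+ /*
+ * Simple use case: we take a bound session inside this
+ * function because we know the auth and we have an object
+ * handle. In theory the caller should pass in the session,
+ * but all current callers would flush the handle immediately
+ * after so it simplifies the API to do the session setup and
+ * teardown inside this call.
+ */
+
+ symmetric.algorithm = TPM_ALG_AES;
+ symmetric.keyBits.aes = 128;
+ symmetric.mode.aes = TPM_ALG_CFB;
+
+
+ rc = tpm2_StartAuthSession(tssContext, TPM_RH_NULL, authHandle,
+ TPM_SE_HMAC, &symmetric, TPM_ALG_SHA256,
+ &authSession, authVal);
+ if (rc)
+ return rc;
+
+ intel_auth_helper(tssContext, authHandle, authVal);
+ intel_sess_helper(tssContext, authSession, 0);
+
+ rc = Esys_PolicySecret(tssContext, authHandle, policySession,
+ authSession, ESYS_TR_NONE, ESYS_TR_NONE,
+ NULL /* nonceTPM */, NULL /* cpHashA */,
+ policyRef, 0, NULL, NULL);
+
+ if (rc)
+ tpm2_FlushContext(tssContext, authSession);
+
+ return rc;
+}
+
+static inline TPM_RC
 tpm2_PolicyGetDigest(TSS_CONTEXT *tssContext, TPM_HANDLE policySession,
 DIGEST_2B *digest)
 {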
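Review bot: The failure path `if (rc) tpm2_FlushContext(tssContext, authSession);` only discards the session and returns, whereas the ibm-tss.h version of the same function in this commit also reports the failure with `tpm2_error(rc, "TPM2_PolicySecret");`, so a PolicySecret failure on the Intel backend is silent; adding that call inside the `if (rc)` branch (assuming this header has the same tpm2_error helper the other wrappers use — confirm) keeps the two backends' diagnostics consistent. The results of `intel_auth_helper` and `intel_sess_helper` are discarded; their definitions are outside this hunk, so if either can return an error it is lost here. Minor style point: there are two consecutive blank lines after `symmetric.mode.aes = TPM_ALG_CFB;`, where the IBM variant has one.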