Loading...
1# SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
2
3import hashlib
4import os
5import socket
6import struct
7import sys
8import unittest
9import fcntl
10import select
11
12TPM2_ST_NO_SESSIONS = 0x8001
13TPM2_ST_SESSIONS = 0x8002
14
15TPM2_CC_FIRST = 0x01FF
16
17TPM2_CC_CREATE_PRIMARY = 0x0131
18TPM2_CC_DICTIONARY_ATTACK_LOCK_RESET = 0x0139
19TPM2_CC_CREATE = 0x0153
20TPM2_CC_LOAD = 0x0157
21TPM2_CC_UNSEAL = 0x015E
22TPM2_CC_FLUSH_CONTEXT = 0x0165
23TPM2_CC_START_AUTH_SESSION = 0x0176
24TPM2_CC_GET_CAPABILITY = 0x017A
25TPM2_CC_GET_RANDOM = 0x017B
26TPM2_CC_PCR_READ = 0x017E
27TPM2_CC_POLICY_PCR = 0x017F
28TPM2_CC_PCR_EXTEND = 0x0182
29TPM2_CC_POLICY_PASSWORD = 0x018C
30TPM2_CC_POLICY_GET_DIGEST = 0x0189
31
32TPM2_SE_POLICY = 0x01
33TPM2_SE_TRIAL = 0x03
34
35TPM2_ALG_RSA = 0x0001
36TPM2_ALG_SHA1 = 0x0004
37TPM2_ALG_AES = 0x0006
38TPM2_ALG_KEYEDHASH = 0x0008
39TPM2_ALG_SHA256 = 0x000B
40TPM2_ALG_NULL = 0x0010
41TPM2_ALG_CBC = 0x0042
42TPM2_ALG_CFB = 0x0043
43
44TPM2_RH_OWNER = 0x40000001
45TPM2_RH_NULL = 0x40000007
46TPM2_RH_LOCKOUT = 0x4000000A
47TPM2_RS_PW = 0x40000009
48
49TPM2_RC_SIZE = 0x01D5
50TPM2_RC_AUTH_FAIL = 0x098E
51TPM2_RC_POLICY_FAIL = 0x099D
52TPM2_RC_COMMAND_CODE = 0x0143
53
54TSS2_RC_LAYER_SHIFT = 16
55TSS2_RESMGR_TPM_RC_LAYER = (11 << TSS2_RC_LAYER_SHIFT)
56
57TPM2_CAP_HANDLES = 0x00000001
58TPM2_CAP_COMMANDS = 0x00000002
59TPM2_CAP_PCRS = 0x00000005
60TPM2_CAP_TPM_PROPERTIES = 0x00000006
61
62TPM2_PT_FIXED = 0x100
63TPM2_PT_TOTAL_COMMANDS = TPM2_PT_FIXED + 41
64
65HR_SHIFT = 24
66HR_LOADED_SESSION = 0x02000000
67HR_TRANSIENT = 0x80000000
68
69SHA1_DIGEST_SIZE = 20
70SHA256_DIGEST_SIZE = 32
71
72TPM2_VER0_ERRORS = {
73 0x000: "TPM_RC_SUCCESS",
74 0x030: "TPM_RC_BAD_TAG",
75}
76
77TPM2_VER1_ERRORS = {
78 0x000: "TPM_RC_FAILURE",
79 0x001: "TPM_RC_FAILURE",
80 0x003: "TPM_RC_SEQUENCE",
81 0x00B: "TPM_RC_PRIVATE",
82 0x019: "TPM_RC_HMAC",
83 0x020: "TPM_RC_DISABLED",
84 0x021: "TPM_RC_EXCLUSIVE",
85 0x024: "TPM_RC_AUTH_TYPE",
86 0x025: "TPM_RC_AUTH_MISSING",
87 0x026: "TPM_RC_POLICY",
88 0x027: "TPM_RC_PCR",
89 0x028: "TPM_RC_PCR_CHANGED",
90 0x02D: "TPM_RC_UPGRADE",
91 0x02E: "TPM_RC_TOO_MANY_CONTEXTS",
92 0x02F: "TPM_RC_AUTH_UNAVAILABLE",
93 0x030: "TPM_RC_REBOOT",
94 0x031: "TPM_RC_UNBALANCED",
95 0x042: "TPM_RC_COMMAND_SIZE",
96 0x043: "TPM_RC_COMMAND_CODE",
97 0x044: "TPM_RC_AUTHSIZE",
98 0x045: "TPM_RC_AUTH_CONTEXT",
99 0x046: "TPM_RC_NV_RANGE",
100 0x047: "TPM_RC_NV_SIZE",
101 0x048: "TPM_RC_NV_LOCKED",
102 0x049: "TPM_RC_NV_AUTHORIZATION",
103 0x04A: "TPM_RC_NV_UNINITIALIZED",
104 0x04B: "TPM_RC_NV_SPACE",
105 0x04C: "TPM_RC_NV_DEFINED",
106 0x050: "TPM_RC_BAD_CONTEXT",
107 0x051: "TPM_RC_CPHASH",
108 0x052: "TPM_RC_PARENT",
109 0x053: "TPM_RC_NEEDS_TEST",
110 0x054: "TPM_RC_NO_RESULT",
111 0x055: "TPM_RC_SENSITIVE",
112 0x07F: "RC_MAX_FM0",
113}
114
115TPM2_FMT1_ERRORS = {
116 0x001: "TPM_RC_ASYMMETRIC",
117 0x002: "TPM_RC_ATTRIBUTES",
118 0x003: "TPM_RC_HASH",
119 0x004: "TPM_RC_VALUE",
120 0x005: "TPM_RC_HIERARCHY",
121 0x007: "TPM_RC_KEY_SIZE",
122 0x008: "TPM_RC_MGF",
123 0x009: "TPM_RC_MODE",
124 0x00A: "TPM_RC_TYPE",
125 0x00B: "TPM_RC_HANDLE",
126 0x00C: "TPM_RC_KDF",
127 0x00D: "TPM_RC_RANGE",
128 0x00E: "TPM_RC_AUTH_FAIL",
129 0x00F: "TPM_RC_NONCE",
130 0x010: "TPM_RC_PP",
131 0x012: "TPM_RC_SCHEME",
132 0x015: "TPM_RC_SIZE",
133 0x016: "TPM_RC_SYMMETRIC",
134 0x017: "TPM_RC_TAG",
135 0x018: "TPM_RC_SELECTOR",
136 0x01A: "TPM_RC_INSUFFICIENT",
137 0x01B: "TPM_RC_SIGNATURE",
138 0x01C: "TPM_RC_KEY",
139 0x01D: "TPM_RC_POLICY_FAIL",
140 0x01F: "TPM_RC_INTEGRITY",
141 0x020: "TPM_RC_TICKET",
142 0x021: "TPM_RC_RESERVED_BITS",
143 0x022: "TPM_RC_BAD_AUTH",
144 0x023: "TPM_RC_EXPIRED",
145 0x024: "TPM_RC_POLICY_CC",
146 0x025: "TPM_RC_BINDING",
147 0x026: "TPM_RC_CURVE",
148 0x027: "TPM_RC_ECC_POINT",
149}
150
151TPM2_WARN_ERRORS = {
152 0x001: "TPM_RC_CONTEXT_GAP",
153 0x002: "TPM_RC_OBJECT_MEMORY",
154 0x003: "TPM_RC_SESSION_MEMORY",
155 0x004: "TPM_RC_MEMORY",
156 0x005: "TPM_RC_SESSION_HANDLES",
157 0x006: "TPM_RC_OBJECT_HANDLES",
158 0x007: "TPM_RC_LOCALITY",
159 0x008: "TPM_RC_YIELDED",
160 0x009: "TPM_RC_CANCELED",
161 0x00A: "TPM_RC_TESTING",
162 0x010: "TPM_RC_REFERENCE_H0",
163 0x011: "TPM_RC_REFERENCE_H1",
164 0x012: "TPM_RC_REFERENCE_H2",
165 0x013: "TPM_RC_REFERENCE_H3",
166 0x014: "TPM_RC_REFERENCE_H4",
167 0x015: "TPM_RC_REFERENCE_H5",
168 0x016: "TPM_RC_REFERENCE_H6",
169 0x018: "TPM_RC_REFERENCE_S0",
170 0x019: "TPM_RC_REFERENCE_S1",
171 0x01A: "TPM_RC_REFERENCE_S2",
172 0x01B: "TPM_RC_REFERENCE_S3",
173 0x01C: "TPM_RC_REFERENCE_S4",
174 0x01D: "TPM_RC_REFERENCE_S5",
175 0x01E: "TPM_RC_REFERENCE_S6",
176 0x020: "TPM_RC_NV_RATE",
177 0x021: "TPM_RC_LOCKOUT",
178 0x022: "TPM_RC_RETRY",
179 0x023: "TPM_RC_NV_UNAVAILABLE",
180 0x7F: "TPM_RC_NOT_USED",
181}
182
183RC_VER1 = 0x100
184RC_FMT1 = 0x080
185RC_WARN = 0x900
186
187ALG_DIGEST_SIZE_MAP = {
188 TPM2_ALG_SHA1: SHA1_DIGEST_SIZE,
189 TPM2_ALG_SHA256: SHA256_DIGEST_SIZE,
190}
191
192ALG_HASH_FUNCTION_MAP = {
193 TPM2_ALG_SHA1: hashlib.sha1,
194 TPM2_ALG_SHA256: hashlib.sha256
195}
196
197NAME_ALG_MAP = {
198 "sha1": TPM2_ALG_SHA1,
199 "sha256": TPM2_ALG_SHA256,
200}
201
202
203class UnknownAlgorithmIdError(Exception):
204 def __init__(self, alg):
205 self.alg = alg
206
207 def __str__(self):
208 return '0x%0x' % (alg)
209
210
211class UnknownAlgorithmNameError(Exception):
212 def __init__(self, name):
213 self.name = name
214
215 def __str__(self):
216 return name
217
218
219class UnknownPCRBankError(Exception):
220 def __init__(self, alg):
221 self.alg = alg
222
223 def __str__(self):
224 return '0x%0x' % (alg)
225
226
227class ProtocolError(Exception):
228 def __init__(self, cc, rc):
229 self.cc = cc
230 self.rc = rc
231
232 if (rc & RC_FMT1) == RC_FMT1:
233 self.name = TPM2_FMT1_ERRORS.get(rc & 0x3f, "TPM_RC_UNKNOWN")
234 elif (rc & RC_WARN) == RC_WARN:
235 self.name = TPM2_WARN_ERRORS.get(rc & 0x7f, "TPM_RC_UNKNOWN")
236 elif (rc & RC_VER1) == RC_VER1:
237 self.name = TPM2_VER1_ERRORS.get(rc & 0x7f, "TPM_RC_UNKNOWN")
238 else:
239 self.name = TPM2_VER0_ERRORS.get(rc & 0x7f, "TPM_RC_UNKNOWN")
240
241 def __str__(self):
242 if self.cc:
243 return '%s: cc=0x%08x, rc=0x%08x' % (self.name, self.cc, self.rc)
244 else:
245 return '%s: rc=0x%08x' % (self.name, self.rc)
246
247
248class AuthCommand(object):
249 """TPMS_AUTH_COMMAND"""
250
251 def __init__(self, session_handle=TPM2_RS_PW, nonce=bytes(),
252 session_attributes=0, hmac=bytes()):
253 self.session_handle = session_handle
254 self.nonce = nonce
255 self.session_attributes = session_attributes
256 self.hmac = hmac
257
258 def __bytes__(self):
259 fmt = '>I H%us B H%us' % (len(self.nonce), len(self.hmac))
260 return struct.pack(fmt, self.session_handle, len(self.nonce),
261 self.nonce, self.session_attributes, len(self.hmac),
262 self.hmac)
263
264 def __len__(self):
265 fmt = '>I H%us B H%us' % (len(self.nonce), len(self.hmac))
266 return struct.calcsize(fmt)
267
268
269class SensitiveCreate(object):
270 """TPMS_SENSITIVE_CREATE"""
271
272 def __init__(self, user_auth=bytes(), data=bytes()):
273 self.user_auth = user_auth
274 self.data = data
275
276 def __bytes__(self):
277 fmt = '>H%us H%us' % (len(self.user_auth), len(self.data))
278 return struct.pack(fmt, len(self.user_auth), self.user_auth,
279 len(self.data), self.data)
280
281 def __len__(self):
282 fmt = '>H%us H%us' % (len(self.user_auth), len(self.data))
283 return struct.calcsize(fmt)
284
285
286class Public(object):
287 """TPMT_PUBLIC"""
288
289 FIXED_TPM = (1 << 1)
290 FIXED_PARENT = (1 << 4)
291 SENSITIVE_DATA_ORIGIN = (1 << 5)
292 USER_WITH_AUTH = (1 << 6)
293 RESTRICTED = (1 << 16)
294 DECRYPT = (1 << 17)
295
296 def __fmt(self):
297 return '>HHIH%us%usH%us' % \
298 (len(self.auth_policy), len(self.parameters), len(self.unique))
299
300 def __init__(self, object_type, name_alg, object_attributes,
301 auth_policy=bytes(), parameters=bytes(),
302 unique=bytes()):
303 self.object_type = object_type
304 self.name_alg = name_alg
305 self.object_attributes = object_attributes
306 self.auth_policy = auth_policy
307 self.parameters = parameters
308 self.unique = unique
309
310 def __bytes__(self):
311 return struct.pack(self.__fmt(),
312 self.object_type,
313 self.name_alg,
314 self.object_attributes,
315 len(self.auth_policy),
316 self.auth_policy,
317 self.parameters,
318 len(self.unique),
319 self.unique)
320
321 def __len__(self):
322 return struct.calcsize(self.__fmt())
323
324
325def get_digest_size(alg):
326 ds = ALG_DIGEST_SIZE_MAP.get(alg)
327 if not ds:
328 raise UnknownAlgorithmIdError(alg)
329 return ds
330
331
332def get_hash_function(alg):
333 f = ALG_HASH_FUNCTION_MAP.get(alg)
334 if not f:
335 raise UnknownAlgorithmIdError(alg)
336 return f
337
338
339def get_algorithm(name):
340 alg = NAME_ALG_MAP.get(name)
341 if not alg:
342 raise UnknownAlgorithmNameError(name)
343 return alg
344
345
346def hex_dump(d):
347 d = [format(x, '02x') for x in d]
348 d = [d[i: i + 16] for i in range(0, len(d), 16)]
349 d = [' '.join(x) for x in d]
350 d = os.linesep.join(d)
351
352 return d
353
354class Client:
355 FLAG_DEBUG = 0x01
356 FLAG_SPACE = 0x02
357 FLAG_NONBLOCK = 0x04
358 TPM_IOC_NEW_SPACE = 0xa200
359
360 def __init__(self, flags = 0):
361 self.flags = flags
362
363 if (self.flags & Client.FLAG_SPACE) == 0:
364 self.tpm = open('/dev/tpm0', 'r+b', buffering=0)
365 else:
366 self.tpm = open('/dev/tpmrm0', 'r+b', buffering=0)
367
368 if (self.flags & Client.FLAG_NONBLOCK):
369 flags = fcntl.fcntl(self.tpm, fcntl.F_GETFL)
370 flags |= os.O_NONBLOCK
371 fcntl.fcntl(self.tpm, fcntl.F_SETFL, flags)
372 self.tpm_poll = select.poll()
373
374 def __del__(self):
375 if self.tpm:
376 self.tpm.close()
377
378 def close(self):
379 self.tpm.close()
380
381 def send_cmd(self, cmd):
382 self.tpm.write(cmd)
383
384 if (self.flags & Client.FLAG_NONBLOCK):
385 self.tpm_poll.register(self.tpm, select.POLLIN)
386 self.tpm_poll.poll(10000)
387
388 rsp = self.tpm.read()
389
390 if (self.flags & Client.FLAG_NONBLOCK):
391 self.tpm_poll.unregister(self.tpm)
392
393 if (self.flags & Client.FLAG_DEBUG) != 0:
394 sys.stderr.write('cmd' + os.linesep)
395 sys.stderr.write(hex_dump(cmd) + os.linesep)
396 sys.stderr.write('rsp' + os.linesep)
397 sys.stderr.write(hex_dump(rsp) + os.linesep)
398
399 rc = struct.unpack('>I', rsp[6:10])[0]
400 if rc != 0:
401 cc = struct.unpack('>I', cmd[6:10])[0]
402 raise ProtocolError(cc, rc)
403
404 return rsp
405
406 def read_pcr(self, i, bank_alg = TPM2_ALG_SHA1):
407 pcrsel_len = max((i >> 3) + 1, 3)
408 pcrsel = [0] * pcrsel_len
409 pcrsel[i >> 3] = 1 << (i & 7)
410 pcrsel = ''.join(map(chr, pcrsel)).encode()
411
412 fmt = '>HII IHB%us' % (pcrsel_len)
413 cmd = struct.pack(fmt,
414 TPM2_ST_NO_SESSIONS,
415 struct.calcsize(fmt),
416 TPM2_CC_PCR_READ,
417 1,
418 bank_alg,
419 pcrsel_len, pcrsel)
420
421 rsp = self.send_cmd(cmd)
422
423 pcr_update_cnt, pcr_select_cnt = struct.unpack('>II', rsp[10:18])
424 assert pcr_select_cnt == 1
425 rsp = rsp[18:]
426
427 alg2, pcrsel_len2 = struct.unpack('>HB', rsp[:3])
428 assert bank_alg == alg2 and pcrsel_len == pcrsel_len2
429 rsp = rsp[3 + pcrsel_len:]
430
431 digest_cnt = struct.unpack('>I', rsp[:4])[0]
432 if digest_cnt == 0:
433 return None
434 rsp = rsp[6:]
435
436 return rsp
437
438 def extend_pcr(self, i, dig, bank_alg = TPM2_ALG_SHA1):
439 ds = get_digest_size(bank_alg)
440 assert(ds == len(dig))
441
442 auth_cmd = AuthCommand()
443
444 fmt = '>HII I I%us IH%us' % (len(auth_cmd), ds)
445 cmd = struct.pack(
446 fmt,
447 TPM2_ST_SESSIONS,
448 struct.calcsize(fmt),
449 TPM2_CC_PCR_EXTEND,
450 i,
451 len(auth_cmd),
452 bytes(auth_cmd),
453 1, bank_alg, dig)
454
455 self.send_cmd(cmd)
456
457 def start_auth_session(self, session_type, name_alg = TPM2_ALG_SHA1):
458 fmt = '>HII IIH16sHBHH'
459 cmd = struct.pack(fmt,
460 TPM2_ST_NO_SESSIONS,
461 struct.calcsize(fmt),
462 TPM2_CC_START_AUTH_SESSION,
463 TPM2_RH_NULL,
464 TPM2_RH_NULL,
465 16,
466 ('\0' * 16).encode(),
467 0,
468 session_type,
469 TPM2_ALG_NULL,
470 name_alg)
471
472 return struct.unpack('>I', self.send_cmd(cmd)[10:14])[0]
473
474 def __calc_pcr_digest(self, pcrs, bank_alg = TPM2_ALG_SHA1,
475 digest_alg = TPM2_ALG_SHA1):
476 x = []
477 f = get_hash_function(digest_alg)
478
479 for i in pcrs:
480 pcr = self.read_pcr(i, bank_alg)
481 if pcr is None:
482 return None
483 x += pcr
484
485 return f(bytearray(x)).digest()
486
487 def policy_pcr(self, handle, pcrs, bank_alg = TPM2_ALG_SHA1,
488 name_alg = TPM2_ALG_SHA1):
489 ds = get_digest_size(name_alg)
490 dig = self.__calc_pcr_digest(pcrs, bank_alg, name_alg)
491 if not dig:
492 raise UnknownPCRBankError(bank_alg)
493
494 pcrsel_len = max((max(pcrs) >> 3) + 1, 3)
495 pcrsel = [0] * pcrsel_len
496 for i in pcrs:
497 pcrsel[i >> 3] |= 1 << (i & 7)
498 pcrsel = ''.join(map(chr, pcrsel)).encode()
499
500 fmt = '>HII IH%usIHB3s' % ds
501 cmd = struct.pack(fmt,
502 TPM2_ST_NO_SESSIONS,
503 struct.calcsize(fmt),
504 TPM2_CC_POLICY_PCR,
505 handle,
506 len(dig),
507 bytes(dig),
508 1,
509 bank_alg,
510 pcrsel_len, pcrsel)
511
512 self.send_cmd(cmd)
513
514 def policy_password(self, handle):
515 fmt = '>HII I'
516 cmd = struct.pack(fmt,
517 TPM2_ST_NO_SESSIONS,
518 struct.calcsize(fmt),
519 TPM2_CC_POLICY_PASSWORD,
520 handle)
521
522 self.send_cmd(cmd)
523
524 def get_policy_digest(self, handle):
525 fmt = '>HII I'
526 cmd = struct.pack(fmt,
527 TPM2_ST_NO_SESSIONS,
528 struct.calcsize(fmt),
529 TPM2_CC_POLICY_GET_DIGEST,
530 handle)
531
532 return self.send_cmd(cmd)[12:]
533
534 def flush_context(self, handle):
535 fmt = '>HIII'
536 cmd = struct.pack(fmt,
537 TPM2_ST_NO_SESSIONS,
538 struct.calcsize(fmt),
539 TPM2_CC_FLUSH_CONTEXT,
540 handle)
541
542 self.send_cmd(cmd)
543
544 def create_root_key(self, auth_value = bytes()):
545 attributes = \
546 Public.FIXED_TPM | \
547 Public.FIXED_PARENT | \
548 Public.SENSITIVE_DATA_ORIGIN | \
549 Public.USER_WITH_AUTH | \
550 Public.RESTRICTED | \
551 Public.DECRYPT
552
553 auth_cmd = AuthCommand()
554 sensitive = SensitiveCreate(user_auth=auth_value)
555
556 public_parms = struct.pack(
557 '>HHHHHI',
558 TPM2_ALG_AES,
559 128,
560 TPM2_ALG_CFB,
561 TPM2_ALG_NULL,
562 2048,
563 0)
564
565 public = Public(
566 object_type=TPM2_ALG_RSA,
567 name_alg=TPM2_ALG_SHA1,
568 object_attributes=attributes,
569 parameters=public_parms)
570
571 fmt = '>HIII I%us H%us H%us HI' % \
572 (len(auth_cmd), len(sensitive), len(public))
573 cmd = struct.pack(
574 fmt,
575 TPM2_ST_SESSIONS,
576 struct.calcsize(fmt),
577 TPM2_CC_CREATE_PRIMARY,
578 TPM2_RH_OWNER,
579 len(auth_cmd),
580 bytes(auth_cmd),
581 len(sensitive),
582 bytes(sensitive),
583 len(public),
584 bytes(public),
585 0, 0)
586
587 return struct.unpack('>I', self.send_cmd(cmd)[10:14])[0]
588
589 def seal(self, parent_key, data, auth_value, policy_dig,
590 name_alg = TPM2_ALG_SHA1):
591 ds = get_digest_size(name_alg)
592 assert(not policy_dig or ds == len(policy_dig))
593
594 attributes = 0
595 if not policy_dig:
596 attributes |= Public.USER_WITH_AUTH
597 policy_dig = bytes()
598
599 auth_cmd = AuthCommand()
600 sensitive = SensitiveCreate(user_auth=auth_value, data=data)
601
602 public = Public(
603 object_type=TPM2_ALG_KEYEDHASH,
604 name_alg=name_alg,
605 object_attributes=attributes,
606 auth_policy=policy_dig,
607 parameters=struct.pack('>H', TPM2_ALG_NULL))
608
609 fmt = '>HIII I%us H%us H%us HI' % \
610 (len(auth_cmd), len(sensitive), len(public))
611 cmd = struct.pack(
612 fmt,
613 TPM2_ST_SESSIONS,
614 struct.calcsize(fmt),
615 TPM2_CC_CREATE,
616 parent_key,
617 len(auth_cmd),
618 bytes(auth_cmd),
619 len(sensitive),
620 bytes(sensitive),
621 len(public),
622 bytes(public),
623 0, 0)
624
625 rsp = self.send_cmd(cmd)
626
627 return rsp[14:]
628
629 def unseal(self, parent_key, blob, auth_value, policy_handle):
630 private_len = struct.unpack('>H', blob[0:2])[0]
631 public_start = private_len + 2
632 public_len = struct.unpack('>H', blob[public_start:public_start + 2])[0]
633 blob = blob[:private_len + public_len + 4]
634
635 auth_cmd = AuthCommand()
636
637 fmt = '>HII I I%us %us' % (len(auth_cmd), len(blob))
638 cmd = struct.pack(
639 fmt,
640 TPM2_ST_SESSIONS,
641 struct.calcsize(fmt),
642 TPM2_CC_LOAD,
643 parent_key,
644 len(auth_cmd),
645 bytes(auth_cmd),
646 blob)
647
648 data_handle = struct.unpack('>I', self.send_cmd(cmd)[10:14])[0]
649
650 if policy_handle:
651 auth_cmd = AuthCommand(session_handle=policy_handle, hmac=auth_value)
652 else:
653 auth_cmd = AuthCommand(hmac=auth_value)
654
655 fmt = '>HII I I%us' % (len(auth_cmd))
656 cmd = struct.pack(
657 fmt,
658 TPM2_ST_SESSIONS,
659 struct.calcsize(fmt),
660 TPM2_CC_UNSEAL,
661 data_handle,
662 len(auth_cmd),
663 bytes(auth_cmd))
664
665 try:
666 rsp = self.send_cmd(cmd)
667 finally:
668 self.flush_context(data_handle)
669
670 data_len = struct.unpack('>I', rsp[10:14])[0] - 2
671
672 return rsp[16:16 + data_len]
673
674 def reset_da_lock(self):
675 auth_cmd = AuthCommand()
676
677 fmt = '>HII I I%us' % (len(auth_cmd))
678 cmd = struct.pack(
679 fmt,
680 TPM2_ST_SESSIONS,
681 struct.calcsize(fmt),
682 TPM2_CC_DICTIONARY_ATTACK_LOCK_RESET,
683 TPM2_RH_LOCKOUT,
684 len(auth_cmd),
685 bytes(auth_cmd))
686
687 self.send_cmd(cmd)
688
689 def __get_cap_cnt(self, cap, pt, cnt):
690 handles = []
691 fmt = '>HII III'
692
693 cmd = struct.pack(fmt,
694 TPM2_ST_NO_SESSIONS,
695 struct.calcsize(fmt),
696 TPM2_CC_GET_CAPABILITY,
697 cap, pt, cnt)
698
699 rsp = self.send_cmd(cmd)[10:]
700 more_data, cap, cnt = struct.unpack('>BII', rsp[:9])
701 rsp = rsp[9:]
702
703 for i in range(0, cnt):
704 handle = struct.unpack('>I', rsp[:4])[0]
705 handles.append(handle)
706 rsp = rsp[4:]
707
708 return handles, more_data
709
710 def get_cap(self, cap, pt):
711 handles = []
712
713 more_data = True
714 while more_data:
715 next_handles, more_data = self.__get_cap_cnt(cap, pt, 1)
716 handles += next_handles
717 pt += 1
718
719 return handles
720
721 def get_cap_pcrs(self):
722 pcr_banks = {}
723
724 fmt = '>HII III'
725
726 cmd = struct.pack(fmt,
727 TPM2_ST_NO_SESSIONS,
728 struct.calcsize(fmt),
729 TPM2_CC_GET_CAPABILITY,
730 TPM2_CAP_PCRS, 0, 1)
731 rsp = self.send_cmd(cmd)[10:]
732 _, _, cnt = struct.unpack('>BII', rsp[:9])
733 rsp = rsp[9:]
734
735 # items are TPMS_PCR_SELECTION's
736 for i in range(0, cnt):
737 hash, sizeOfSelect = struct.unpack('>HB', rsp[:3])
738 rsp = rsp[3:]
739
740 pcrSelect = 0
741 if sizeOfSelect > 0:
742 pcrSelect, = struct.unpack('%ds' % sizeOfSelect,
743 rsp[:sizeOfSelect])
744 rsp = rsp[sizeOfSelect:]
745 pcrSelect = int.from_bytes(pcrSelect, byteorder='big')
746
747 pcr_banks[hash] = pcrSelect
748
749 return pcr_banks
1# SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
2
3import hashlib
4import os
5import socket
6import struct
7import sys
8import unittest
9import fcntl
10import select
11
12TPM2_ST_NO_SESSIONS = 0x8001
13TPM2_ST_SESSIONS = 0x8002
14
15TPM2_CC_FIRST = 0x01FF
16
17TPM2_CC_CREATE_PRIMARY = 0x0131
18TPM2_CC_DICTIONARY_ATTACK_LOCK_RESET = 0x0139
19TPM2_CC_CREATE = 0x0153
20TPM2_CC_LOAD = 0x0157
21TPM2_CC_UNSEAL = 0x015E
22TPM2_CC_FLUSH_CONTEXT = 0x0165
23TPM2_CC_START_AUTH_SESSION = 0x0176
24TPM2_CC_GET_CAPABILITY = 0x017A
25TPM2_CC_GET_RANDOM = 0x017B
26TPM2_CC_PCR_READ = 0x017E
27TPM2_CC_POLICY_PCR = 0x017F
28TPM2_CC_PCR_EXTEND = 0x0182
29TPM2_CC_POLICY_PASSWORD = 0x018C
30TPM2_CC_POLICY_GET_DIGEST = 0x0189
31
32TPM2_SE_POLICY = 0x01
33TPM2_SE_TRIAL = 0x03
34
35TPM2_ALG_RSA = 0x0001
36TPM2_ALG_SHA1 = 0x0004
37TPM2_ALG_AES = 0x0006
38TPM2_ALG_KEYEDHASH = 0x0008
39TPM2_ALG_SHA256 = 0x000B
40TPM2_ALG_NULL = 0x0010
41TPM2_ALG_CBC = 0x0042
42TPM2_ALG_CFB = 0x0043
43
44TPM2_RH_OWNER = 0x40000001
45TPM2_RH_NULL = 0x40000007
46TPM2_RH_LOCKOUT = 0x4000000A
47TPM2_RS_PW = 0x40000009
48
49TPM2_RC_SIZE = 0x01D5
50TPM2_RC_AUTH_FAIL = 0x098E
51TPM2_RC_POLICY_FAIL = 0x099D
52TPM2_RC_COMMAND_CODE = 0x0143
53
54TSS2_RC_LAYER_SHIFT = 16
55TSS2_RESMGR_TPM_RC_LAYER = (11 << TSS2_RC_LAYER_SHIFT)
56
57TPM2_CAP_HANDLES = 0x00000001
58TPM2_CAP_COMMANDS = 0x00000002
59TPM2_CAP_TPM_PROPERTIES = 0x00000006
60
61TPM2_PT_FIXED = 0x100
62TPM2_PT_TOTAL_COMMANDS = TPM2_PT_FIXED + 41
63
64HR_SHIFT = 24
65HR_LOADED_SESSION = 0x02000000
66HR_TRANSIENT = 0x80000000
67
68SHA1_DIGEST_SIZE = 20
69SHA256_DIGEST_SIZE = 32
70
71TPM2_VER0_ERRORS = {
72 0x000: "TPM_RC_SUCCESS",
73 0x030: "TPM_RC_BAD_TAG",
74}
75
76TPM2_VER1_ERRORS = {
77 0x000: "TPM_RC_FAILURE",
78 0x001: "TPM_RC_FAILURE",
79 0x003: "TPM_RC_SEQUENCE",
80 0x00B: "TPM_RC_PRIVATE",
81 0x019: "TPM_RC_HMAC",
82 0x020: "TPM_RC_DISABLED",
83 0x021: "TPM_RC_EXCLUSIVE",
84 0x024: "TPM_RC_AUTH_TYPE",
85 0x025: "TPM_RC_AUTH_MISSING",
86 0x026: "TPM_RC_POLICY",
87 0x027: "TPM_RC_PCR",
88 0x028: "TPM_RC_PCR_CHANGED",
89 0x02D: "TPM_RC_UPGRADE",
90 0x02E: "TPM_RC_TOO_MANY_CONTEXTS",
91 0x02F: "TPM_RC_AUTH_UNAVAILABLE",
92 0x030: "TPM_RC_REBOOT",
93 0x031: "TPM_RC_UNBALANCED",
94 0x042: "TPM_RC_COMMAND_SIZE",
95 0x043: "TPM_RC_COMMAND_CODE",
96 0x044: "TPM_RC_AUTHSIZE",
97 0x045: "TPM_RC_AUTH_CONTEXT",
98 0x046: "TPM_RC_NV_RANGE",
99 0x047: "TPM_RC_NV_SIZE",
100 0x048: "TPM_RC_NV_LOCKED",
101 0x049: "TPM_RC_NV_AUTHORIZATION",
102 0x04A: "TPM_RC_NV_UNINITIALIZED",
103 0x04B: "TPM_RC_NV_SPACE",
104 0x04C: "TPM_RC_NV_DEFINED",
105 0x050: "TPM_RC_BAD_CONTEXT",
106 0x051: "TPM_RC_CPHASH",
107 0x052: "TPM_RC_PARENT",
108 0x053: "TPM_RC_NEEDS_TEST",
109 0x054: "TPM_RC_NO_RESULT",
110 0x055: "TPM_RC_SENSITIVE",
111 0x07F: "RC_MAX_FM0",
112}
113
114TPM2_FMT1_ERRORS = {
115 0x001: "TPM_RC_ASYMMETRIC",
116 0x002: "TPM_RC_ATTRIBUTES",
117 0x003: "TPM_RC_HASH",
118 0x004: "TPM_RC_VALUE",
119 0x005: "TPM_RC_HIERARCHY",
120 0x007: "TPM_RC_KEY_SIZE",
121 0x008: "TPM_RC_MGF",
122 0x009: "TPM_RC_MODE",
123 0x00A: "TPM_RC_TYPE",
124 0x00B: "TPM_RC_HANDLE",
125 0x00C: "TPM_RC_KDF",
126 0x00D: "TPM_RC_RANGE",
127 0x00E: "TPM_RC_AUTH_FAIL",
128 0x00F: "TPM_RC_NONCE",
129 0x010: "TPM_RC_PP",
130 0x012: "TPM_RC_SCHEME",
131 0x015: "TPM_RC_SIZE",
132 0x016: "TPM_RC_SYMMETRIC",
133 0x017: "TPM_RC_TAG",
134 0x018: "TPM_RC_SELECTOR",
135 0x01A: "TPM_RC_INSUFFICIENT",
136 0x01B: "TPM_RC_SIGNATURE",
137 0x01C: "TPM_RC_KEY",
138 0x01D: "TPM_RC_POLICY_FAIL",
139 0x01F: "TPM_RC_INTEGRITY",
140 0x020: "TPM_RC_TICKET",
141 0x021: "TPM_RC_RESERVED_BITS",
142 0x022: "TPM_RC_BAD_AUTH",
143 0x023: "TPM_RC_EXPIRED",
144 0x024: "TPM_RC_POLICY_CC",
145 0x025: "TPM_RC_BINDING",
146 0x026: "TPM_RC_CURVE",
147 0x027: "TPM_RC_ECC_POINT",
148}
149
150TPM2_WARN_ERRORS = {
151 0x001: "TPM_RC_CONTEXT_GAP",
152 0x002: "TPM_RC_OBJECT_MEMORY",
153 0x003: "TPM_RC_SESSION_MEMORY",
154 0x004: "TPM_RC_MEMORY",
155 0x005: "TPM_RC_SESSION_HANDLES",
156 0x006: "TPM_RC_OBJECT_HANDLES",
157 0x007: "TPM_RC_LOCALITY",
158 0x008: "TPM_RC_YIELDED",
159 0x009: "TPM_RC_CANCELED",
160 0x00A: "TPM_RC_TESTING",
161 0x010: "TPM_RC_REFERENCE_H0",
162 0x011: "TPM_RC_REFERENCE_H1",
163 0x012: "TPM_RC_REFERENCE_H2",
164 0x013: "TPM_RC_REFERENCE_H3",
165 0x014: "TPM_RC_REFERENCE_H4",
166 0x015: "TPM_RC_REFERENCE_H5",
167 0x016: "TPM_RC_REFERENCE_H6",
168 0x018: "TPM_RC_REFERENCE_S0",
169 0x019: "TPM_RC_REFERENCE_S1",
170 0x01A: "TPM_RC_REFERENCE_S2",
171 0x01B: "TPM_RC_REFERENCE_S3",
172 0x01C: "TPM_RC_REFERENCE_S4",
173 0x01D: "TPM_RC_REFERENCE_S5",
174 0x01E: "TPM_RC_REFERENCE_S6",
175 0x020: "TPM_RC_NV_RATE",
176 0x021: "TPM_RC_LOCKOUT",
177 0x022: "TPM_RC_RETRY",
178 0x023: "TPM_RC_NV_UNAVAILABLE",
179 0x7F: "TPM_RC_NOT_USED",
180}
181
182RC_VER1 = 0x100
183RC_FMT1 = 0x080
184RC_WARN = 0x900
185
186ALG_DIGEST_SIZE_MAP = {
187 TPM2_ALG_SHA1: SHA1_DIGEST_SIZE,
188 TPM2_ALG_SHA256: SHA256_DIGEST_SIZE,
189}
190
191ALG_HASH_FUNCTION_MAP = {
192 TPM2_ALG_SHA1: hashlib.sha1,
193 TPM2_ALG_SHA256: hashlib.sha256
194}
195
196NAME_ALG_MAP = {
197 "sha1": TPM2_ALG_SHA1,
198 "sha256": TPM2_ALG_SHA256,
199}
200
201
202class UnknownAlgorithmIdError(Exception):
203 def __init__(self, alg):
204 self.alg = alg
205
206 def __str__(self):
207 return '0x%0x' % (alg)
208
209
210class UnknownAlgorithmNameError(Exception):
211 def __init__(self, name):
212 self.name = name
213
214 def __str__(self):
215 return name
216
217
218class UnknownPCRBankError(Exception):
219 def __init__(self, alg):
220 self.alg = alg
221
222 def __str__(self):
223 return '0x%0x' % (alg)
224
225
226class ProtocolError(Exception):
227 def __init__(self, cc, rc):
228 self.cc = cc
229 self.rc = rc
230
231 if (rc & RC_FMT1) == RC_FMT1:
232 self.name = TPM2_FMT1_ERRORS.get(rc & 0x3f, "TPM_RC_UNKNOWN")
233 elif (rc & RC_WARN) == RC_WARN:
234 self.name = TPM2_WARN_ERRORS.get(rc & 0x7f, "TPM_RC_UNKNOWN")
235 elif (rc & RC_VER1) == RC_VER1:
236 self.name = TPM2_VER1_ERRORS.get(rc & 0x7f, "TPM_RC_UNKNOWN")
237 else:
238 self.name = TPM2_VER0_ERRORS.get(rc & 0x7f, "TPM_RC_UNKNOWN")
239
240 def __str__(self):
241 if self.cc:
242 return '%s: cc=0x%08x, rc=0x%08x' % (self.name, self.cc, self.rc)
243 else:
244 return '%s: rc=0x%08x' % (self.name, self.rc)
245
246
247class AuthCommand(object):
248 """TPMS_AUTH_COMMAND"""
249
250 def __init__(self, session_handle=TPM2_RS_PW, nonce=bytes(),
251 session_attributes=0, hmac=bytes()):
252 self.session_handle = session_handle
253 self.nonce = nonce
254 self.session_attributes = session_attributes
255 self.hmac = hmac
256
257 def __bytes__(self):
258 fmt = '>I H%us B H%us' % (len(self.nonce), len(self.hmac))
259 return struct.pack(fmt, self.session_handle, len(self.nonce),
260 self.nonce, self.session_attributes, len(self.hmac),
261 self.hmac)
262
263 def __len__(self):
264 fmt = '>I H%us B H%us' % (len(self.nonce), len(self.hmac))
265 return struct.calcsize(fmt)
266
267
268class SensitiveCreate(object):
269 """TPMS_SENSITIVE_CREATE"""
270
271 def __init__(self, user_auth=bytes(), data=bytes()):
272 self.user_auth = user_auth
273 self.data = data
274
275 def __bytes__(self):
276 fmt = '>H%us H%us' % (len(self.user_auth), len(self.data))
277 return struct.pack(fmt, len(self.user_auth), self.user_auth,
278 len(self.data), self.data)
279
280 def __len__(self):
281 fmt = '>H%us H%us' % (len(self.user_auth), len(self.data))
282 return struct.calcsize(fmt)
283
284
285class Public(object):
286 """TPMT_PUBLIC"""
287
288 FIXED_TPM = (1 << 1)
289 FIXED_PARENT = (1 << 4)
290 SENSITIVE_DATA_ORIGIN = (1 << 5)
291 USER_WITH_AUTH = (1 << 6)
292 RESTRICTED = (1 << 16)
293 DECRYPT = (1 << 17)
294
295 def __fmt(self):
296 return '>HHIH%us%usH%us' % \
297 (len(self.auth_policy), len(self.parameters), len(self.unique))
298
299 def __init__(self, object_type, name_alg, object_attributes,
300 auth_policy=bytes(), parameters=bytes(),
301 unique=bytes()):
302 self.object_type = object_type
303 self.name_alg = name_alg
304 self.object_attributes = object_attributes
305 self.auth_policy = auth_policy
306 self.parameters = parameters
307 self.unique = unique
308
309 def __bytes__(self):
310 return struct.pack(self.__fmt(),
311 self.object_type,
312 self.name_alg,
313 self.object_attributes,
314 len(self.auth_policy),
315 self.auth_policy,
316 self.parameters,
317 len(self.unique),
318 self.unique)
319
320 def __len__(self):
321 return struct.calcsize(self.__fmt())
322
323
324def get_digest_size(alg):
325 ds = ALG_DIGEST_SIZE_MAP.get(alg)
326 if not ds:
327 raise UnknownAlgorithmIdError(alg)
328 return ds
329
330
331def get_hash_function(alg):
332 f = ALG_HASH_FUNCTION_MAP.get(alg)
333 if not f:
334 raise UnknownAlgorithmIdError(alg)
335 return f
336
337
338def get_algorithm(name):
339 alg = NAME_ALG_MAP.get(name)
340 if not alg:
341 raise UnknownAlgorithmNameError(name)
342 return alg
343
344
345def hex_dump(d):
346 d = [format(ord(x), '02x') for x in d]
347 d = [d[i: i + 16] for i in range(0, len(d), 16)]
348 d = [' '.join(x) for x in d]
349 d = os.linesep.join(d)
350
351 return d
352
353class Client:
354 FLAG_DEBUG = 0x01
355 FLAG_SPACE = 0x02
356 FLAG_NONBLOCK = 0x04
357 TPM_IOC_NEW_SPACE = 0xa200
358
359 def __init__(self, flags = 0):
360 self.flags = flags
361
362 if (self.flags & Client.FLAG_SPACE) == 0:
363 self.tpm = open('/dev/tpm0', 'r+b', buffering=0)
364 else:
365 self.tpm = open('/dev/tpmrm0', 'r+b', buffering=0)
366
367 if (self.flags & Client.FLAG_NONBLOCK):
368 flags = fcntl.fcntl(self.tpm, fcntl.F_GETFL)
369 flags |= os.O_NONBLOCK
370 fcntl.fcntl(self.tpm, fcntl.F_SETFL, flags)
371 self.tpm_poll = select.poll()
372
373 def close(self):
374 self.tpm.close()
375
376 def send_cmd(self, cmd):
377 self.tpm.write(cmd)
378
379 if (self.flags & Client.FLAG_NONBLOCK):
380 self.tpm_poll.register(self.tpm, select.POLLIN)
381 self.tpm_poll.poll(10000)
382
383 rsp = self.tpm.read()
384
385 if (self.flags & Client.FLAG_NONBLOCK):
386 self.tpm_poll.unregister(self.tpm)
387
388 if (self.flags & Client.FLAG_DEBUG) != 0:
389 sys.stderr.write('cmd' + os.linesep)
390 sys.stderr.write(hex_dump(cmd) + os.linesep)
391 sys.stderr.write('rsp' + os.linesep)
392 sys.stderr.write(hex_dump(rsp) + os.linesep)
393
394 rc = struct.unpack('>I', rsp[6:10])[0]
395 if rc != 0:
396 cc = struct.unpack('>I', cmd[6:10])[0]
397 raise ProtocolError(cc, rc)
398
399 return rsp
400
401 def read_pcr(self, i, bank_alg = TPM2_ALG_SHA1):
402 pcrsel_len = max((i >> 3) + 1, 3)
403 pcrsel = [0] * pcrsel_len
404 pcrsel[i >> 3] = 1 << (i & 7)
405 pcrsel = ''.join(map(chr, pcrsel)).encode()
406
407 fmt = '>HII IHB%us' % (pcrsel_len)
408 cmd = struct.pack(fmt,
409 TPM2_ST_NO_SESSIONS,
410 struct.calcsize(fmt),
411 TPM2_CC_PCR_READ,
412 1,
413 bank_alg,
414 pcrsel_len, pcrsel)
415
416 rsp = self.send_cmd(cmd)
417
418 pcr_update_cnt, pcr_select_cnt = struct.unpack('>II', rsp[10:18])
419 assert pcr_select_cnt == 1
420 rsp = rsp[18:]
421
422 alg2, pcrsel_len2 = struct.unpack('>HB', rsp[:3])
423 assert bank_alg == alg2 and pcrsel_len == pcrsel_len2
424 rsp = rsp[3 + pcrsel_len:]
425
426 digest_cnt = struct.unpack('>I', rsp[:4])[0]
427 if digest_cnt == 0:
428 return None
429 rsp = rsp[6:]
430
431 return rsp
432
433 def extend_pcr(self, i, dig, bank_alg = TPM2_ALG_SHA1):
434 ds = get_digest_size(bank_alg)
435 assert(ds == len(dig))
436
437 auth_cmd = AuthCommand()
438
439 fmt = '>HII I I%us IH%us' % (len(auth_cmd), ds)
440 cmd = struct.pack(
441 fmt,
442 TPM2_ST_SESSIONS,
443 struct.calcsize(fmt),
444 TPM2_CC_PCR_EXTEND,
445 i,
446 len(auth_cmd),
447 bytes(auth_cmd),
448 1, bank_alg, dig)
449
450 self.send_cmd(cmd)
451
452 def start_auth_session(self, session_type, name_alg = TPM2_ALG_SHA1):
453 fmt = '>HII IIH16sHBHH'
454 cmd = struct.pack(fmt,
455 TPM2_ST_NO_SESSIONS,
456 struct.calcsize(fmt),
457 TPM2_CC_START_AUTH_SESSION,
458 TPM2_RH_NULL,
459 TPM2_RH_NULL,
460 16,
461 ('\0' * 16).encode(),
462 0,
463 session_type,
464 TPM2_ALG_NULL,
465 name_alg)
466
467 return struct.unpack('>I', self.send_cmd(cmd)[10:14])[0]
468
469 def __calc_pcr_digest(self, pcrs, bank_alg = TPM2_ALG_SHA1,
470 digest_alg = TPM2_ALG_SHA1):
471 x = []
472 f = get_hash_function(digest_alg)
473
474 for i in pcrs:
475 pcr = self.read_pcr(i, bank_alg)
476 if pcr is None:
477 return None
478 x += pcr
479
480 return f(bytearray(x)).digest()
481
482 def policy_pcr(self, handle, pcrs, bank_alg = TPM2_ALG_SHA1,
483 name_alg = TPM2_ALG_SHA1):
484 ds = get_digest_size(name_alg)
485 dig = self.__calc_pcr_digest(pcrs, bank_alg, name_alg)
486 if not dig:
487 raise UnknownPCRBankError(bank_alg)
488
489 pcrsel_len = max((max(pcrs) >> 3) + 1, 3)
490 pcrsel = [0] * pcrsel_len
491 for i in pcrs:
492 pcrsel[i >> 3] |= 1 << (i & 7)
493 pcrsel = ''.join(map(chr, pcrsel)).encode()
494
495 fmt = '>HII IH%usIHB3s' % ds
496 cmd = struct.pack(fmt,
497 TPM2_ST_NO_SESSIONS,
498 struct.calcsize(fmt),
499 TPM2_CC_POLICY_PCR,
500 handle,
501 len(dig),
502 bytes(dig),
503 1,
504 bank_alg,
505 pcrsel_len, pcrsel)
506
507 self.send_cmd(cmd)
508
509 def policy_password(self, handle):
510 fmt = '>HII I'
511 cmd = struct.pack(fmt,
512 TPM2_ST_NO_SESSIONS,
513 struct.calcsize(fmt),
514 TPM2_CC_POLICY_PASSWORD,
515 handle)
516
517 self.send_cmd(cmd)
518
519 def get_policy_digest(self, handle):
520 fmt = '>HII I'
521 cmd = struct.pack(fmt,
522 TPM2_ST_NO_SESSIONS,
523 struct.calcsize(fmt),
524 TPM2_CC_POLICY_GET_DIGEST,
525 handle)
526
527 return self.send_cmd(cmd)[12:]
528
529 def flush_context(self, handle):
530 fmt = '>HIII'
531 cmd = struct.pack(fmt,
532 TPM2_ST_NO_SESSIONS,
533 struct.calcsize(fmt),
534 TPM2_CC_FLUSH_CONTEXT,
535 handle)
536
537 self.send_cmd(cmd)
538
539 def create_root_key(self, auth_value = bytes()):
540 attributes = \
541 Public.FIXED_TPM | \
542 Public.FIXED_PARENT | \
543 Public.SENSITIVE_DATA_ORIGIN | \
544 Public.USER_WITH_AUTH | \
545 Public.RESTRICTED | \
546 Public.DECRYPT
547
548 auth_cmd = AuthCommand()
549 sensitive = SensitiveCreate(user_auth=auth_value)
550
551 public_parms = struct.pack(
552 '>HHHHHI',
553 TPM2_ALG_AES,
554 128,
555 TPM2_ALG_CFB,
556 TPM2_ALG_NULL,
557 2048,
558 0)
559
560 public = Public(
561 object_type=TPM2_ALG_RSA,
562 name_alg=TPM2_ALG_SHA1,
563 object_attributes=attributes,
564 parameters=public_parms)
565
566 fmt = '>HIII I%us H%us H%us HI' % \
567 (len(auth_cmd), len(sensitive), len(public))
568 cmd = struct.pack(
569 fmt,
570 TPM2_ST_SESSIONS,
571 struct.calcsize(fmt),
572 TPM2_CC_CREATE_PRIMARY,
573 TPM2_RH_OWNER,
574 len(auth_cmd),
575 bytes(auth_cmd),
576 len(sensitive),
577 bytes(sensitive),
578 len(public),
579 bytes(public),
580 0, 0)
581
582 return struct.unpack('>I', self.send_cmd(cmd)[10:14])[0]
583
584 def seal(self, parent_key, data, auth_value, policy_dig,
585 name_alg = TPM2_ALG_SHA1):
586 ds = get_digest_size(name_alg)
587 assert(not policy_dig or ds == len(policy_dig))
588
589 attributes = 0
590 if not policy_dig:
591 attributes |= Public.USER_WITH_AUTH
592 policy_dig = bytes()
593
594 auth_cmd = AuthCommand()
595 sensitive = SensitiveCreate(user_auth=auth_value, data=data)
596
597 public = Public(
598 object_type=TPM2_ALG_KEYEDHASH,
599 name_alg=name_alg,
600 object_attributes=attributes,
601 auth_policy=policy_dig,
602 parameters=struct.pack('>H', TPM2_ALG_NULL))
603
604 fmt = '>HIII I%us H%us H%us HI' % \
605 (len(auth_cmd), len(sensitive), len(public))
606 cmd = struct.pack(
607 fmt,
608 TPM2_ST_SESSIONS,
609 struct.calcsize(fmt),
610 TPM2_CC_CREATE,
611 parent_key,
612 len(auth_cmd),
613 bytes(auth_cmd),
614 len(sensitive),
615 bytes(sensitive),
616 len(public),
617 bytes(public),
618 0, 0)
619
620 rsp = self.send_cmd(cmd)
621
622 return rsp[14:]
623
624 def unseal(self, parent_key, blob, auth_value, policy_handle):
625 private_len = struct.unpack('>H', blob[0:2])[0]
626 public_start = private_len + 2
627 public_len = struct.unpack('>H', blob[public_start:public_start + 2])[0]
628 blob = blob[:private_len + public_len + 4]
629
630 auth_cmd = AuthCommand()
631
632 fmt = '>HII I I%us %us' % (len(auth_cmd), len(blob))
633 cmd = struct.pack(
634 fmt,
635 TPM2_ST_SESSIONS,
636 struct.calcsize(fmt),
637 TPM2_CC_LOAD,
638 parent_key,
639 len(auth_cmd),
640 bytes(auth_cmd),
641 blob)
642
643 data_handle = struct.unpack('>I', self.send_cmd(cmd)[10:14])[0]
644
645 if policy_handle:
646 auth_cmd = AuthCommand(session_handle=policy_handle, hmac=auth_value)
647 else:
648 auth_cmd = AuthCommand(hmac=auth_value)
649
650 fmt = '>HII I I%us' % (len(auth_cmd))
651 cmd = struct.pack(
652 fmt,
653 TPM2_ST_SESSIONS,
654 struct.calcsize(fmt),
655 TPM2_CC_UNSEAL,
656 data_handle,
657 len(auth_cmd),
658 bytes(auth_cmd))
659
660 try:
661 rsp = self.send_cmd(cmd)
662 finally:
663 self.flush_context(data_handle)
664
665 data_len = struct.unpack('>I', rsp[10:14])[0] - 2
666
667 return rsp[16:16 + data_len]
668
669 def reset_da_lock(self):
670 auth_cmd = AuthCommand()
671
672 fmt = '>HII I I%us' % (len(auth_cmd))
673 cmd = struct.pack(
674 fmt,
675 TPM2_ST_SESSIONS,
676 struct.calcsize(fmt),
677 TPM2_CC_DICTIONARY_ATTACK_LOCK_RESET,
678 TPM2_RH_LOCKOUT,
679 len(auth_cmd),
680 bytes(auth_cmd))
681
682 self.send_cmd(cmd)
683
684 def __get_cap_cnt(self, cap, pt, cnt):
685 handles = []
686 fmt = '>HII III'
687
688 cmd = struct.pack(fmt,
689 TPM2_ST_NO_SESSIONS,
690 struct.calcsize(fmt),
691 TPM2_CC_GET_CAPABILITY,
692 cap, pt, cnt)
693
694 rsp = self.send_cmd(cmd)[10:]
695 more_data, cap, cnt = struct.unpack('>BII', rsp[:9])
696 rsp = rsp[9:]
697
698 for i in range(0, cnt):
699 handle = struct.unpack('>I', rsp[:4])[0]
700 handles.append(handle)
701 rsp = rsp[4:]
702
703 return handles, more_data
704
705 def get_cap(self, cap, pt):
706 handles = []
707
708 more_data = True
709 while more_data:
710 next_handles, more_data = self.__get_cap_cnt(cap, pt, 1)
711 handles += next_handles
712 pt += 1
713
714 return handles