* [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
@ 2015-01-15 9:21 Quan Xu
2015-01-15 9:21 ` [PATCH v4 01/14] vTPM/TPM2: Add TPM 2.0 data structures and commands definition Quan Xu
` (15 more replies)
0 siblings, 16 replies; 30+ messages in thread
From: Quan Xu @ 2015-01-15 9:21 UTC (permalink / raw)
To: xen-devel, dgdegra
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, Quan Xu, samuel.thibault
This series of patch enable the virtual Trusted Platform Module (vTPM)
subsystem for Xen on TPM 2.0.
Noted, functionality for a virtual guest operating system (a DomU) is still
TPM 1.2. The main modifcation is on vtpmmgr-stubdom. The challenge is that
TPM 2.0 is not backward compatible with TPM 1.2.
------------------------------
DESIGN OVERVIEW
------------------------------
The architecture of vTPM subsystem on TPM 2.0 is described below:
+------------------+
| Linux DomU | ...
| | ^ |
| v | |
| xen-tpmfront |
+------------------+
| ^
v |
+------------------+
| mini-os/tpmback |
| | ^ |
| v | |
| vtpm-stubdom | ...
| | ^ |
| v | |
| mini-os/tpmfront |
+------------------+
| ^
v |
+------------------+
| mini-os/tpmback |
| | ^ |
| v | |
| vtpmmgr-stubdom |
| | ^ |
| v | |
| mini-os/tpm2_tis |
+------------------+
| ^
v |
+------------------+
| Hardware TPM 2.0 |
+------------------+
* Linux DomU: The Linux based guest that wants to use a vTPM. There many be
more than one of these.
* xen-tpmfront.ko: Linux kernel virtual TPM frontend driver. This driver
provides vTPM access to a para-virtualized Linux based DomU.
* mini-os/tpmback: Mini-os TPM backend driver. The Linux frontend driver
connects to this backend driver to facilitate
communications between the Linux DomU and its vTPM. This
driver is also used by vtpmmgr-stubdom to communicate with
vtpm-stubdom.
* vtpm-stubdom: A mini-os stub domain that implements a vTPM. There is a
one to one mapping between running vtpm-stubdom instances and
logical vtpms on the system. The vTPM Platform Configuration
Registers (PCRs) are all initialized to zero.
* mini-os/tpmfront: Mini-os TPM frontend driver. The vTPM mini-os domain
vtpm-stubdom uses this driver to communicate with
vtpmmgr-stubdom. This driver could also be used separately to
implement a mini-os domain that wishes to use a vTPM of
its own.
* vtpmmgr-stubdom: A mini-os domain that implements the vTPM manager.
There is only one vTPM manager and it should be running during
the entire lifetime of the machine. This domain regulates
access to the physical TPM on the system and secures the
persistent state of each vTPM.
* mini-os/tpm2_tis: Mini-os TPM version 2.0 TPM Interface Specification (TIS)
driver. This driver used by vtpmmgr-stubdom to talk directly
to the hardware TPM 2.0. Communication is facilitated by mapping
hardware memory pages into vtpmmgr-stubdom.
* Hardware TPM 2.0: The physical TPM 2.0 that is soldered onto the motherboard.
------------------------------
Key Hierarchy
------------------------------
+------------------+
| vTPM's secrets | ...
+------------------+
| ^
| |(Bind / Unbind)
- - - - - -v |- - - - - - - - TPM 2.0
+------------------+
| SK +
+------------------+
| ^
v |
+------------------+
| SRK |
+------------------+
| ^
v |
+------------------+
| TPM 2.0 Storage |
| Primary Seed |
+------------------+
Now the secrets for the vTPMs are only being bound to the presence of thephysical
TPM 2.0. Since using PCRs to seal the data can be an important security feature
that users of the vtpmmgr rely on. I will replace TPM2_Bind/TPM2_Unbind with
TPM2_Seal/TPM2_Unseal to provide as much security as it did for TPM 1.2 in later
series of patch.
------------------------------
INSTALLATION
------------------------------
Prerequisites:
--------------
You must have an x86 machine with a TPM on the motherboard. The only extra
software requirement for compiling vTPM is cmake. You must use libxl to manage
domains with vTPMs; 'xm' is deprecated and does not support vTPMs.
Compiling the Xen tree:
-----------------------
Compile and install the Xen tree as usual; be sure that the vTPM domains are
enabled when you run configure.
Compiling the LINUX dom0 kernel:
--------------------------------
Because the TPM manager uses direct access to the physical TPM, it may interfere
with access to the TPM by dom0. The simplest solution for this is to prevent
dom0 from accessing the physical TPM by compiling the kernel without a driver or
blacklisting the module.
Compiling the LINUX domU kernel:
--------------------------------
The domU kernel used by domains with vtpms must include the xen-tpmfront.ko
driver. It can be built directly into the kernel or as a module; however, some
features such as IMA require the TPM to be built in to the kernel.
CONFIG_TCG_TPM=y
CONFIG_TCG_XEN=y
------------------------------
VTPM MANAGER SETUP
------------------------------
Manager disk image setup:
-------------------------
The vTPM Manager requires a disk image to store its encrypted data. The image
does not require a filesystem and can live anywhere on the host disk. The image
is not large; the Xen 4.5 vtpmmgr is limited to using the first 2MB of the image
but can support more than 20,000 vTPMs.
dd if=/dev/zero of=/home/vtpm2/vmgr bs=16M count=1
Manager config file:
--------------------
The vTPM Manager domain (vtpmmgr-stubdom) must be started like any other Xen
virtual machine and requires a config file. The manager requires a disk image
for storage and permission to access the hardware memory pages for the TPM. The
disk must be presented as "hda", and the TPM memory pages are passed using the
iomem configuration parameter. The TPM TIS uses 5 pages of IO memory (one per
locality) that start at physical address 0xfed40000. By default, the TPM manager
uses locality 0 (so only the page at 0xfed40 is needed).
Add:
..
extra="tpm2"
..
extra option to launch vtpmmgr-stubdom domain on TPM 2.0, and ignore it on TPM
1.x. for example:
kernel="/usr/lib/xen/boot/vtpmmgr-stubdom.gz"
memory=128
disk=["file:/home/vtpm2/vmgr,hda,w"]
name="vtpmmgr"
iomem=["fed40,5"]
extra="tpm2"
------------------------------
VTPM AND LINUX PVM SETUP
------------------------------
vTPM disk image setup:
----------------------
The vTPM requires a disk image to store its persistent data (RSA keys, NVRAM,
etc). The image does not require a filesystem. The image does not need to be
large; 2 Mb should be sufficient.
dd if=/dev/zero of=/home/vtpm2/vtpm0 bs=2M count=1
vTPM config file:
-----------------
The vTPM domain requires a configuration file like any other domain. The vTPM
requires a disk image for storage and a TPM frontend driver to communicate with
the manager. You are required to generate a uuid for this vtpm, which is
specified on the "vtpm=" line that describes its connection to the vTPM Manager.
for example:
kernel="/usr/lib/xen/boot/vtpm-stubdom.gz"
memory=8
disk=["file:/home/vtpm2/vtpm0,hda,w"]
name="vtpm0"
vtpm=["backend=vtpmmgr,uuid=914fe389-e2c5-44e6-993f-2189637cf1de"]
If you wish to clear the vTPM data you can either recreate the disk image or
change the uuid.
Linux Guest config file:
------------------------
The Linux guest config file needs to be modified to include the Linux tpmfront
driver. Add the following line:
vtpm=["backend=vtpm0"]
Currently only Linux guests are supported (PV or HVM with PV drivers). My series
of patch for HVM virtual mahcine are still being reviewed and modifcated.
Using the vTPM in the guest:
----------------------------
If xen-tpmfront was compiled as a module, it must be loaded it in the guest.
# modprobe xen-tpmfront
After the Linux domain boots and the xen-tpmfront driver is loaded, you should
see the following on the vtpm console:
Info: VTPM attached to Frontend X/Y
You can quickly test the vTPM by using the sysfs interface:
# cat /sys/devices/vtpm-0/pubek
# cat /sys/devices/vtpm-0/pcrs
If you have trousers and tpm_tools installed on the guest, the tpm_version
command should return the following:
The version command should return the following:
TPM 1.2 Version Info:
Chip Version: 1.2.0.7
Spec Level: 2
Errata Revision: 1
TPM Vendor ID: ETHZ
TPM Version: 01010000
Manufacturer Info: 4554485a
You should also see the command being sent to the vtpm console as well as the
vtpm saving its state. You should see the vtpm key being encrypted and stored on
the vtpmmgr console.
You may wish to write a script to start your vtpm and guest together and to
destroy the vtpm when the guest shuts down.
------------------------------
INTEGRATION WITH PV-GRUB
------------------------------
The vTPM currently starts up with all PCRs set to their default values (all
zeros for the lower 16). This means that any decisions about the
trustworthiness of the created domain must be made based on the environment that
created the vTPM and the domU; for example, a system that only constructs images
using a trusted configuration and guest kernel be able to provide guarantees
about the guests and any measurements done that kernel (such as the IMA TCB
log). Guests wishing to use a custom kernel in such a secure environment are
often started using the pv-grub bootloader as the kernel, which then can load
the untrusted kernel without needing to parse an untrusted filesystem and kernel
in dom0. If the pv-grub stub domain succeeds in connecting to a vTPM, it will
extend the hash of the kernel that it boots into PCR #4, and will extend the
command line and initrd into PCR #5 before booting so that a domU booted in this
way can attest to its early boot state.
------------------------------
REFERENCES
------------------------------
Berlios TPM Emulator:
http://tpm-emulator.berlios.de/
Xen docs/misc/vtpm.txt
Xen docs/misc/vtpm-platforms.txt
Xen docs/misc/vtpmmgr.txt
--Changes in V4:
1. Change extra option from 'tpm2' to 'tpm2=1'
2. Remove test code.
3. Make a note of limitation in the documentation for TPM 2.0 in
the 'Key Hierarchy' section of docs/misc/vtpmmgr.txt
--Changes in V3:
1. Add 'olen' parameter in 'stubdom/vtpmmgr/disk_read.c', which is lost in v2.
--Changes in V2:
1. Record some infomation in docs/misc/vtpmmgr.txt.
2. Add TPM 2.0 PCRs read.
3. Bind/Unbind the measurements of the hypervisor and other
TCB components.
4. Change extra option from '--tpm2' to 'tpm2'
Quan Xu (14):
vTPM/TPM2: Add TPM 2.0 data structures and commands definition
vTPM/TPM2: TPM 2.0 data structures marshal
vTPM/TPM2: Add global data in vtpm_globals{}
vTPM/TPM2: Add TPM 2.0 Exposed APIs
vTPM/TPM2: TPM 2.0 takes ownership and create SRK
vTPM/TPM2: Create and load SK on TPM 2.0
vTPM/TPM2: TPM2.0 TIS initialization and self test.
vTPM/TPM2: Add main entrance vtpmmgr2_init()
vTPM/TPM2: Support 'tpm2' extra command line.
vTPM/TPM2: TPM 2.0 PCRs read
vTPM/TPM2: Support TPM 2.0 bind and unbind data
vTPM/TPM2: Bind group keys and sectors data on disk
vTPM/TPM2: Unind group keys and sectors data on disk
vTPM/TPM2: Record some infomation in docs/misc/vtpmmgr.txt about
docs/misc/vtpmmgr.txt | 155 ++++++-
extras/mini-os/include/tpm_tis.h | 1 +
extras/mini-os/tpm_tis.c | 156 +++++++
stubdom/vtpmmgr/Makefile | 2 +-
stubdom/vtpmmgr/disk_read.c | 17 +-
stubdom/vtpmmgr/disk_tpm.c | 42 +-
stubdom/vtpmmgr/disk_tpm.h | 4 +
stubdom/vtpmmgr/disk_write.c | 13 +-
stubdom/vtpmmgr/init.c | 279 +++++++++++
stubdom/vtpmmgr/tpm2.c | 455 ++++++++++++++++++
stubdom/vtpmmgr/tpm2.h | 104 +++++
stubdom/vtpmmgr/tpm2_marshal.h | 673 +++++++++++++++++++++++++++
stubdom/vtpmmgr/tpm2_types.h | 980 +++++++++++++++++++++++++++++++++++++++
stubdom/vtpmmgr/vtpmmgr.c | 46 +-
stubdom/vtpmmgr/vtpmmgr.h | 29 ++
15 files changed, 2942 insertions(+), 14 deletions(-)
create mode 100644 stubdom/vtpmmgr/tpm2.c
create mode 100644 stubdom/vtpmmgr/tpm2.h
create mode 100644 stubdom/vtpmmgr/tpm2_marshal.h
create mode 100644 stubdom/vtpmmgr/tpm2_types.h
--
1.8.3.2
^ permalink raw reply [flat|nested] 30+ messages in thread
* [PATCH v4 01/14] vTPM/TPM2: Add TPM 2.0 data structures and commands definition
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
@ 2015-01-15 9:21 ` Quan Xu
2015-01-15 9:21 ` [PATCH v4 02/14] vTPM/TPM2: TPM 2.0 data structures marshal Quan Xu
` (14 subsequent siblings)
15 siblings, 0 replies; 30+ messages in thread
From: Quan Xu @ 2015-01-15 9:21 UTC (permalink / raw)
To: xen-devel, dgdegra
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, Quan Xu, samuel.thibault
Add TPM 2.0 data structures on Trusted Platform Module Library Part 2:
Structures and Trust Platform Module Library Part 3: Commands.
Signed-off-by: Quan Xu <quan.xu@intel.com>
---
stubdom/vtpmmgr/tpm2_types.h | 978 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 978 insertions(+)
create mode 100644 stubdom/vtpmmgr/tpm2_types.h
diff --git a/stubdom/vtpmmgr/tpm2_types.h b/stubdom/vtpmmgr/tpm2_types.h
new file mode 100644
index 0000000..214335c
--- /dev/null
+++ b/stubdom/vtpmmgr/tpm2_types.h
@@ -0,0 +1,978 @@
+#ifndef __TPM2_TYPES_H__
+#define __TPM2_TYPES_H__
+
+#include <stdlib.h>
+#include <stdint.h>
+
+// "implementation.h"
+// Table 212 -- Logic Values
+#define YES 1
+#define NO 0
+#ifndef TRUE
+#define TRUE 1
+#endif
+#ifndef FALSE
+#define FALSE 0
+#endif
+#ifndef true
+#define true 1
+#endif
+#ifndef false
+#define false 0
+#endif
+#define SET 1
+#define CLEAR 0
+
+
+// Table 214 -- Implemented Algorithms
+#define ALG_RSA YES // 1
+#define ALG_DES NO // 0
+#define ALG__3DES NO // 0
+#define ALG_SHA1 YES // 1
+#define ALG_HMAC YES // 1
+#define ALG_AES YES // 1
+#define ALG_MGF1 YES // 1
+#define ALG_XOR YES // 1
+#define ALG_KEYEDHASH YES // 1
+#define ALG_SHA256 YES // 1
+#define ALG_SHA384 YES // 0
+#define ALG_SHA512 YES // 0
+#define ALG_WHIRLPOOL512 YES // 0
+#define ALG_SM3_256 YES // 1
+#define ALG_SM4 YES // 1
+#define ALG_RSASSA YES // 1
+#define ALG_RSAES YES // 1
+#define ALG_RSAPSS YES // 1
+#define ALG_OAEP YES // 1
+#define ALG_ECC YES // 1
+#define ALG_CFB YES // 1
+#define ALG_ECDH YES // 1
+#define ALG_ECDSA YES // 1
+#define ALG_ECDAA YES // 1
+#define ALG_SM2 YES // 1
+#define ALG_ECSCHNORR YES // 1
+#define ALG_SYMCIPHER YES // 1
+#define ALG_KDF1_SP800_56a YES // 1
+#define ALG_KDF2 NO // 0
+#define ALG_KDF1_SP800_108 YES // 1
+#define ALG_CTR YES // 1
+#define ALG_OFB YES // 1
+#define ALG_CBC YES // 1
+
+#define HASH_COUNT (ALG_SHA1+ALG_SHA256+ALG_SHA384+ALG_SHA512+ALG_WHIRLPOOL512+ALG_SM3_256)
+
+// Table 216 -- RSA Algorithm Constants
+#define RSA_KEY_SIZES_BITS 2048 // {1024,2048}
+#define MAX_RSA_KEY_BITS 2048
+#define MAX_RSA_KEY_BYTES ((MAX_RSA_KEY_BITS + 7) / 8) // 256
+
+// Table 218 -- AES Algorithm Constants
+#define AES_KEY_SIZES_BITS 128
+#define MAX_AES_KEY_BITS 128
+#define MAX_AES_BLOCK_SIZE_BYTES 16
+#define MAX_AES_KEY_BYTES ((MAX_AES_KEY_BITS + 7) / 8) // 16
+
+
+// Table 220 -- Symmetric Algorithm Constants
+#define MAX_SYM_KEY_BITS MAX_AES_KEY_BITS // 128
+#define MAX_SYM_KEY_BYTES MAX_AES_KEY_BYTES // 16
+#define MAX_SYM_BLOCK_SIZE MAX_AES_BLOCK_SIZE_BYTES // 16
+
+#define MAX_SYM_DATA 128
+#define MAX_ECC_KEY_BITS 256
+#define MAX_ECC_KEY_BYTES ((MAX_ECC_KEY_BITS + 7) / 8)
+
+
+typedef unsigned char BYTE;
+typedef unsigned char BOOL;
+typedef uint8_t UINT8;
+typedef uint16_t UINT16;
+typedef uint32_t UINT32;
+typedef uint64_t UINT64;
+
+// TPM2 command code
+
+typedef UINT32 TPM_CC;
+#define TPM_CC_FIRST (TPM_CC)(0x0000011F)
+#define TPM_CC_PP_FIRST (TPM_CC)(0x0000011F)
+#define TPM_CC_NV_UndefineSpaceSpecial (TPM_CC)(0x0000011F)
+#define TPM_CC_EvictControl (TPM_CC)(0x00000120)
+#define TPM_CC_HierarchyControl (TPM_CC)(0x00000121)
+#define TPM_CC_NV_UndefineSpace (TPM_CC)(0x00000122)
+#define TPM_CC_ChangeEPS (TPM_CC)(0x00000124)
+#define TPM_CC_ChangePPS (TPM_CC)(0x00000125)
+#define TPM_CC_Clear (TPM_CC)(0x00000126)
+#define TPM_CC_ClearControl (TPM_CC)(0x00000127)
+#define TPM_CC_ClockSet (TPM_CC)(0x00000128)
+#define TPM_CC_HierarchyChangeAuth (TPM_CC)(0x00000129)
+#define TPM_CC_NV_DefineSpace (TPM_CC)(0x0000012A)
+#define TPM_CC_PCR_Allocate (TPM_CC)(0x0000012B)
+#define TPM_CC_PCR_SetAuthPolicy (TPM_CC)(0x0000012C)
+#define TPM_CC_PP_Commands (TPM_CC)(0x0000012D)
+#define TPM_CC_SetPrimaryPolicy (TPM_CC)(0x0000012E)
+#define TPM_CC_FieldUpgradeStart (TPM_CC)(0x0000012F)
+#define TPM_CC_ClockRateAdjust (TPM_CC)(0x00000130)
+#define TPM_CC_CreatePrimary (TPM_CC)(0x00000131)
+#define TPM_CC_NV_GlobalWriteLock (TPM_CC)(0x00000132)
+#define TPM_CC_PP_LAST (TPM_CC)(0x00000132)
+#define TPM_CC_GetCommandAuditDigest (TPM_CC)(0x00000133)
+#define TPM_CC_NV_Increment (TPM_CC)(0x00000134)
+#define TPM_CC_NV_SetBits (TPM_CC)(0x00000135)
+#define TPM_CC_NV_Extend (TPM_CC)(0x00000136)
+#define TPM_CC_NV_Write (TPM_CC)(0x00000137)
+#define TPM_CC_NV_WriteLock (TPM_CC)(0x00000138)
+#define TPM_CC_DictionaryAttackLockReset (TPM_CC)(0x00000139)
+#define TPM_CC_DictionaryAttackParameters (TPM_CC)(0x0000013A)
+#define TPM_CC_NV_ChangeAuth (TPM_CC)(0x0000013B)
+#define TPM_CC_PCR_Event (TPM_CC)(0x0000013C)
+#define TPM_CC_PCR_Reset (TPM_CC)(0x0000013D)
+#define TPM_CC_SequenceComplete (TPM_CC)(0x0000013E)
+#define TPM_CC_SetAlgorithmSet (TPM_CC)(0x0000013F)
+#define TPM_CC_SetCommandCodeAuditStatus (TPM_CC)(0x00000140)
+#define TPM_CC_FieldUpgradeData (TPM_CC)(0x00000141)
+#define TPM_CC_IncrementalSelfTest (TPM_CC)(0x00000142)
+#define TPM_CC_SelfTest (TPM_CC)(0x00000143)
+#define TPM_CC_Startup (TPM_CC)(0x00000144)
+#define TPM_CC_Shutdown (TPM_CC)(0x00000145)
+#define TPM_CC_StirRandom (TPM_CC)(0x00000146)
+#define TPM_CC_ActivateCredential (TPM_CC)(0x00000147)
+#define TPM_CC_Certify (TPM_CC)(0x00000148)
+#define TPM_CC_PolicyNV (TPM_CC)(0x00000149)
+#define TPM_CC_CertifyCreation (TPM_CC)(0x0000014A)
+#define TPM_CC_Duplicate (TPM_CC)(0x0000014B)
+#define TPM_CC_GetTime (TPM_CC)(0x0000014C)
+#define TPM_CC_GetSessionAuditDigest (TPM_CC)(0x0000014D)
+#define TPM_CC_NV_Read (TPM_CC)(0x0000014E)
+#define TPM_CC_NV_ReadLock (TPM_CC)(0x0000014F)
+#define TPM_CC_ObjectChangeAuth (TPM_CC)(0x00000150)
+#define TPM_CC_PolicySecret (TPM_CC)(0x00000151)
+#define TPM_CC_Rewrap (TPM_CC)(0x00000152)
+#define TPM_CC_Create (TPM_CC)(0x00000153)
+#define TPM_CC_ECDH_ZGen (TPM_CC)(0x00000154)
+#define TPM_CC_HMAC (TPM_CC)(0x00000155)
+#define TPM_CC_Import (TPM_CC)(0x00000156)
+#define TPM_CC_Load (TPM_CC)(0x00000157)
+#define TPM_CC_Quote (TPM_CC)(0x00000158)
+#define TPM_CC_RSA_Decrypt (TPM_CC)(0x00000159)
+#define TPM_CC_HMAC_Start (TPM_CC)(0x0000015B)
+#define TPM_CC_SequenceUpdate (TPM_CC)(0x0000015C)
+#define TPM_CC_Sign (TPM_CC)(0x0000015D)
+#define TPM_CC_Unseal (TPM_CC)(0x0000015E)
+#define TPM_CC_PolicySigned (TPM_CC)(0x00000160)
+#define TPM_CC_ContextLoad (TPM_CC)(0x00000161)
+#define TPM_CC_ContextSave (TPM_CC)(0x00000162)
+#define TPM_CC_ECDH_KeyGen (TPM_CC)(0x00000163)
+#define TPM_CC_EncryptDecrypt (TPM_CC)(0x00000164)
+#define TPM_CC_FlushContext (TPM_CC)(0x00000165)
+#define TPM_CC_LoadExternal (TPM_CC)(0x00000167)
+#define TPM_CC_MakeCredential (TPM_CC)(0x00000168)
+#define TPM_CC_NV_ReadPublic (TPM_CC)(0x00000169)
+#define TPM_CC_PolicyAuthorize (TPM_CC)(0x0000016A)
+#define TPM_CC_PolicyAuthValue (TPM_CC)(0x0000016B)
+#define TPM_CC_PolicyCommandCode (TPM_CC)(0x0000016C)
+#define TPM_CC_PolicyCounterTimer (TPM_CC)(0x0000016D)
+#define TPM_CC_PolicyCpHash (TPM_CC)(0x0000016E)
+#define TPM_CC_PolicyLocality (TPM_CC)(0x0000016F)
+#define TPM_CC_PolicyNameHash (TPM_CC)(0x00000170)
+#define TPM_CC_PolicyOR (TPM_CC)(0x00000171)
+#define TPM_CC_PolicyTicket (TPM_CC)(0x00000172)
+#define TPM_CC_ReadPublic (TPM_CC)(0x00000173)
+#define TPM_CC_RSA_Encrypt (TPM_CC)(0x00000174)
+#define TPM_CC_StartAuthSession (TPM_CC)(0x00000176)
+#define TPM_CC_VerifySignature (TPM_CC)(0x00000177)
+#define TPM_CC_ECC_Parameters (TPM_CC)(0x00000178)
+#define TPM_CC_FirmwareRead (TPM_CC)(0x00000179)
+#define TPM_CC_GetCapability (TPM_CC)(0x0000017A)
+#define TPM_CC_GetRandom (TPM_CC)(0x0000017B)
+#define TPM_CC_GetTestResult (TPM_CC)(0x0000017C)
+#define TPM_CC_Hash (TPM_CC)(0x0000017D)
+#define TPM_CC_PCR_Read (TPM_CC)(0x0000017E)
+#define TPM_CC_PolicyPCR (TPM_CC)(0x0000017F)
+#define TPM_CC_PolicyRestart (TPM_CC)(0x00000180)
+#define TPM_CC_ReadClock (TPM_CC)(0x00000181)
+#define TPM_CC_PCR_Extend (TPM_CC)(0x00000182)
+#define TPM_CC_PCR_SetAuthValue (TPM_CC)(0x00000183)
+#define TPM_CC_NV_Certify (TPM_CC)(0x00000184)
+#define TPM_CC_EventSequenceComplete (TPM_CC)(0x00000185)
+#define TPM_CC_HashSequenceStart (TPM_CC)(0x00000186)
+#define TPM_CC_PolicyPhysicalPresence (TPM_CC)(0x00000187)
+#define TPM_CC_PolicyDuplicationSelect (TPM_CC)(0x00000188)
+#define TPM_CC_PolicyGetDigest (TPM_CC)(0x00000189)
+#define TPM_CC_TestParms (TPM_CC)(0x0000018A)
+#define TPM_CC_Commit (TPM_CC)(0x0000018B)
+#define TPM_CC_PolicyPassword (TPM_CC)(0x0000018C)
+#define TPM_CC_SM2_ZGen (TPM_CC)(0x0000018D)
+#define TPM_CC_LAST (TPM_CC)(0x0000018D)
+
+
+//TPM_RC
+typedef UINT32 TPM_RC;
+
+// TPM_ST Constants
+typedef UINT16 TPM_ST;
+#define TPM_ST_NULL (TPM_ST)(0X8000)
+#define TPM_ST_NO_SESSIONS (TPM_ST)(0x8001)
+#define TPM_ST_SESSIONS (TPM_ST)(0x8002)
+
+
+// TPM Handle types
+typedef UINT32 TPM_HANDLE;
+typedef UINT8 TPM_HT;
+
+
+// TPM_RH Constants
+typedef UINT32 TPM_RH;
+
+#define TPM_RH_FIRST (TPM_RH)(0x40000000)
+#define TPM_RH_SRK (TPM_RH)(0x40000000)
+#define TPM_RH_OWNER (TPM_RH)(0x40000001)
+#define TPM_RS_PW (TPM_RH)(0x40000009)
+#define TPM_RH_LOCKOUT (TPM_RH)(0x4000000A)
+#define TPM_RH_ENDORSEMENT (TPM_RH)(0x4000000B)
+#define TPM_RH_PLATFORM (TPM_RH)(0x4000000C)
+#define TPM_RH_LAST (TPM_RH)(0x4000000C)
+
+// Table 4 -- DocumentationClarity Types <I/O>
+typedef UINT32 TPM_ALGORITHM_ID;
+typedef UINT32 TPM_MODIFIER_INDICATOR;
+typedef UINT32 TPM_SESSION_OFFSET;
+typedef UINT16 TPM_KEY_SIZE;
+typedef UINT16 TPM_KEY_BITS;
+typedef UINT64 TPM_SYSTEM_ADDRESS;
+typedef UINT32 TPM_SPEC;
+
+// Table 29 -- TPMA_ALGORITHM Bits <I/O>
+typedef struct {
+ unsigned int asymmetric:1;
+ unsigned int symmetric:1;
+ unsigned int hash:1;
+ unsigned int object:1;
+ unsigned int reserved5:4;
+ unsigned int signing:1;
+ unsigned int encrypting:1;
+ unsigned int method:1;
+ unsigned int reserved9:21;
+} TPMA_ALGORITHM;
+
+typedef UINT32 TPMA_OBJECT;
+typedef BYTE TPMA_SESSION;
+typedef BYTE TPMA_LOCALITY;
+
+// Table 37 -- TPMI_YES_NO Type <I/O>
+typedef BYTE TPMI_YES_NO;
+
+typedef TPM_HANDLE TPMI_RH_HIERARCHY_AUTH;
+
+// Table 38 -- TPMI_DH_OBJECT Type <I/O>
+typedef TPM_HANDLE TPMI_DH_OBJECT;
+
+// Table 39 -- TPMI_DH_PERSISTENT Type <I/O>
+typedef TPM_HANDLE TPMI_DH_PERSISTENT;
+
+// Table 42 -- TPMI_SH_AUTH_SESSION Type <I/O>
+typedef TPM_HANDLE TPMI_SH_AUTH_SESSION;
+
+// Table 40 -- TPMI_DH_ENTITY Type <I>
+typedef TPM_HANDLE TPMI_DH_ENTITY;
+
+// Table 45 -- TPMI_DH_CONTEXT Type <I/O>
+typedef TPM_HANDLE TPMI_DH_CONTEXT;
+
+// Table 46 -- TPMI_RH_HIERARCHY Type <I/O>
+typedef TPM_HANDLE TPMI_RH_HIERARCHY;
+
+// Table 47 -- TPMI_RH_HIERARCHY_AUTH Type <I>
+typedef TPM_HANDLE TPMI_RH_HIERARCHY_AUTH;
+
+// Table 48 -- TPMI_RH_PLATFORM Type <I>
+typedef TPM_HANDLE TPMI_RH_PLATFORM;
+
+// Table 49 -- TPMI_RH_OWNER Type <I>
+typedef TPM_HANDLE TPMI_RH_OWNER;
+
+// Table 50 -- TPMI_RH_ENDORSEMENT Type <I>
+typedef TPM_HANDLE TPMI_RH_ENDORSEMENT;
+
+// Table 51 -- TPMI_RH_PROVISION Type <I>
+typedef TPM_HANDLE TPMI_RH_PROVISION;
+
+// Table 52 -- TPMI_RH_CLEAR Type <I>
+typedef TPM_HANDLE TPMI_RH_CLEAR;
+
+// Table 54 -- TPMI_RH_LOCKOUT Type <I>
+typedef TPM_HANDLE TPMI_RH_LOCKOUT;
+
+// Table 7 -- TPM_ALG_ID
+typedef UINT16 TPM_ALG_ID;
+typedef UINT16 TPM_ALG_ID;
+
+#define TPM2_ALG_ERROR (TPM_ALG_ID)(0x0000) // a: ; D:
+#define TPM2_ALG_FIRST (TPM_ALG_ID)(0x0001) // a: ; D:
+#if ALG_RSA == YES || ALG_ALL == YES
+#define TPM2_ALG_RSA (TPM_ALG_ID)(0x0001) // a: A O; D:
+#endif
+#if ALG_DES == YES || ALG_ALL == YES
+#define TPM2_ALG_DES (TPM_ALG_ID)(0x0002) // a: S; D:
+#endif
+#define TPM2_ALG_SHA1 (TPM_ALG_ID)(0x0004) // a: H; D:
+#if ALG_HMAC == YES || ALG_ALL == YES
+#define TPM2_ALG_HMAC (TPM_ALG_ID)(0x0005) // a: H X; D:
+#endif
+#if ALG_AES == YES || ALG_ALL == YES
+#define TPM2_ALG_AES (TPM_ALG_ID)(0x0006) // a: S; D:
+#endif
+#if ALG_XOR == YES || ALG_ALL == YES
+#define TPM2_ALG_XOR (TPM_ALG_ID)(0x000A) // a: H S; D:
+#endif
+#if ALG_MGF1 == YES || ALG_ALL == YES
+#define TPM2_ALG_MGF1 (TPM_ALG_ID)(0x0007) // a: H M; D:
+#endif
+#if ALG_KEYEDHASH == YES || ALG_ALL == YES
+#define TPM2_ALG_KEYEDHASH (TPM_ALG_ID)(0x0008) // a: H E X O; D:
+#endif
+#if ALG_SHA256 == YES || ALG_ALL == YES
+#define TPM2_ALG_SHA256 (TPM_ALG_ID)(0x000B) // a: H; D:
+#endif
+#define TPM2_ALG_NULL (TPM_ALG_ID)(0x0010) // a: ; D:
+#if ALG_OAEP == YES || ALG_ALL == YES
+#define TPM2_ALG_OAEP (TPM_ALG_ID)(0x0017) // a: A E; D: RSA
+#endif
+#if ALG_ECC == YES || ALG_ALL == YES
+#define TPM2_ALG_ECC (TPM_ALG_ID)(0x0023) // a: A O; D:
+#endif
+#if ALG_SM4 == YES || ALG_ALL == YES
+#define TPM2_ALG_SM4 (TPM_ALG_ID)(0x0013) // a: S; D:
+#endif
+#if ALG_SYMCIPHER == YES || ALG_ALL == YES
+#define TPM2_ALG_SYMCIPHER (TPM_ALG_ID)(0x0025) // a: O; D:
+#endif
+#if ALG_CFB == YES || ALG_ALL == YES
+#define TPM2_ALG_CFB (TPM_ALG_ID)(0x0043) // a: S E; D:
+#endif
+#define TPM2_ALG_LAST (TPM_ALG_ID)(0x0044)
+
+#define SHA1_DIGEST_SIZE 20
+#define SHA1_BLOCK_SIZE 64
+#define SHA256_DIGEST_SIZE 32
+#define SHA256_BLOCK_SIZE 64
+
+// Table 57 -- TPMI_ALG_ASYM Type <I/O>
+typedef TPM_ALG_ID TPMI_ALG_ASYM;
+
+// Table 56 -- TPMI_ALG_HASH Type <I/O>
+typedef TPM_ALG_ID TPMI_ALG_HASH;
+
+// Table 58 -- TPMI_ALG_SYM Type <I/O>
+typedef TPM_ALG_ID TPMI_ALG_SYM;
+
+// Table 59 -- TPMI_ALG_SYM_OBJECT Type <I/O>
+typedef TPM_ALG_ID TPMI_ALG_SYM_OBJECT;
+
+// Table 60 -- TPMI_ALG_SYM_MODE Type <I/O>
+typedef TPM_ALG_ID TPMI_ALG_SYM_MODE;
+
+// Table 61 -- TPMI_ALG_KDF Type <I/O>
+typedef TPM_ALG_ID TPMI_ALG_KDF;
+
+// Table 62 -- TPMI_ALG_SIG_SCHEME Type <I/O>
+typedef TPM_ALG_ID TPMI_ALG_SIG_SCHEME;
+
+// Table 65 -- TPMU_HA Union <I/O,S>
+typedef union {
+#ifdef TPM2_ALG_SHA1
+ BYTE sha1[SHA1_DIGEST_SIZE];
+#endif
+#ifdef TPM2_ALG_SHA256
+ BYTE sha256[SHA256_DIGEST_SIZE];
+#endif
+#ifdef TPM2_ALG_SM3_256
+ BYTE sm3_256[SM3_256_DIGEST_SIZE];
+#endif
+#ifdef TPM2_ALG_SHA384
+ BYTE sha384[SHA384_DIGEST_SIZE];
+#endif
+#ifdef TPM2_ALG_SHA512
+ BYTE sha512[SHA512_DIGEST_SIZE];
+#endif
+#ifdef TPM2_ALG_WHIRLPOOL512
+ BYTE whirlpool[WHIRLPOOL512_DIGEST_SIZE];
+#endif
+
+} TPMU_HA;
+
+// Table 67 -- TPM2B_DIGEST Structure <I/O>
+typedef struct {
+ UINT16 size;
+ BYTE buffer[sizeof(TPMU_HA)];
+} TPM2B_DIGEST;
+
+// Table 69 -- TPM2B_NONCE Types <I/O>
+typedef TPM2B_DIGEST TPM2B_NONCE;
+
+typedef TPM2B_DIGEST TPM2B_DATA;
+
+// Table 70 -- TPM2B_AUTH Types <I/O>
+typedef TPM2B_DIGEST TPM2B_AUTH;
+
+// Table 71 -- TPM2B_OPERAND Types <I/O>
+typedef TPM2B_DIGEST TPM2B_OPERAND;
+
+// Table 66 -- TPMT_HA Structure <I/O>
+typedef struct {
+ TPMI_ALG_HASH hashAlg;
+ TPMU_HA digest;
+} TPMT_HA;
+
+//Table 80 -- TPM2B_NAME Structure
+typedef struct {
+ UINT16 size;
+ BYTE name[sizeof(TPMT_HA)];
+} TPM2B_NAME;
+
+#define IMPLEMENTATION_PCR 24
+#define PLATFORM_PCR 24
+#define PCR_SELECT_MAX ((IMPLEMENTATION_PCR+7)/8)
+
+//Table 79 -- TPMS_PCR_SELECT Structure <I/O>
+typedef struct {
+ UINT8 sizeofSelect;
+ BYTE pcrSelect[PCR_SELECT_MAX];
+} TPMS_PCR_SELECT;
+
+// Table 80 -- TPMS_PCR_SELECTION Structure <I/O>
+typedef struct {
+ TPMI_ALG_HASH hash;
+ UINT8 sizeofSelect;
+ BYTE pcrSelect[PCR_SELECT_MAX];
+} TPMS_PCR_SELECTION;
+
+// Table 83 -- TPMT_TK_CREATION Structure <I/O>
+typedef struct {
+ TPM_ST tag;
+ TPMI_RH_HIERARCHY hierarchy;
+ TPM2B_DIGEST digest;
+} TPMT_TK_CREATION;
+
+// Table 96 -- Definition of TPML_DIGEST Structure <I/O>
+typedef struct {
+ UINT32 count;
+ TPM2B_DIGEST digests[8];
+}TPML_DIGEST;
+
+// Table 97 -- TPML_PCR_SELECTION Structure <I/O>
+typedef struct {
+ UINT32 count;
+ TPMS_PCR_SELECTION pcrSelections[HASH_COUNT];
+} TPML_PCR_SELECTION;
+
+// Table 119 -- TPMI_AES_KEY_BITS Type <I/O>
+typedef TPM_KEY_BITS TPMI_AES_KEY_BITS;
+
+// Table 120 -- TPMI_SM4_KEY_BITS Type <I/O>
+typedef TPM_KEY_BITS TPMI_SM4_KEY_BITS;
+
+// Table 121 -- TPMU_SYM_KEY_BITS Union <I/O>
+typedef union {
+#ifdef TPM2_ALG_AES
+ TPMI_AES_KEY_BITS aes;
+#endif
+#ifdef TPM2_ALG_SM4
+ TPMI_SM4_KEY_BITS SM4;
+#endif
+ TPM_KEY_BITS sym;
+#ifdef TPM2_ALG_XOR
+ TPMI_ALG_HASH xor;
+#endif
+
+} TPMU_SYM_KEY_BITS;
+
+// Table 122 -- TPMU_SYM_MODE Union <I/O>
+typedef union {
+#ifdef TPM2_ALG_AES
+ TPMI_ALG_SYM_MODE aes;
+#endif
+#ifdef TPM2_ALG_SM4
+ TPMI_ALG_SYM_MODE SM4;
+#endif
+ TPMI_ALG_SYM_MODE sym;
+} TPMU_SYM_MODE ;
+
+// Table 124 -- TPMT_SYM_DEF Structure <I/O>
+typedef struct {
+ TPMI_ALG_SYM algorithm;
+ TPMU_SYM_KEY_BITS keyBits;
+ TPMU_SYM_MODE mode;
+} TPMT_SYM_DEF;
+
+// Table 125 -- TPMT_SYM_DEF_OBJECT Structure <I/O>
+typedef struct {
+ TPMI_ALG_SYM_OBJECT algorithm;
+ TPMU_SYM_KEY_BITS keyBits;
+ TPMU_SYM_MODE mode;
+} TPMT_SYM_DEF_OBJECT;
+
+// Table 126 -- TPM2B_SYM_KEY Structure <I/O>
+typedef struct {
+ UINT16 size;
+ BYTE buffer[MAX_SYM_KEY_BYTES];
+} TPM2B_SYM_KEY;
+
+// Table 127 -- TPMS_SYMCIPHER_PARMS Structure <I/O>
+typedef struct {
+ TPMT_SYM_DEF_OBJECT sym;
+} TPMS_SYMCIPHER_PARMS;
+
+// Table 128 -- TPM2B_SENSITIVE_DATA Structure <I/O>
+typedef struct {
+ UINT16 size;
+ BYTE buffer[MAX_SYM_DATA];
+} TPM2B_SENSITIVE_DATA;
+
+// Table 129 -- TPMS_SENSITIVE_CREATE Structure <I>
+typedef struct {
+ TPM2B_AUTH userAuth;
+ TPM2B_SENSITIVE_DATA data;
+} TPMS_SENSITIVE_CREATE;
+
+// Table 130 -- TPM2B_SENSITIVE_CREATE Structure <I,S>
+typedef struct {
+ UINT16 size;
+ TPMS_SENSITIVE_CREATE sensitive;
+} TPM2B_SENSITIVE_CREATE;
+
+// Table 131 -- TPMS_SCHEME_SIGHASH Structure <I/O>
+typedef struct {
+ TPMI_ALG_HASH hashAlg;
+} TPMS_SCHEME_SIGHASH;
+
+// Table 132 -- TPMI_ALG_KEYEDHASH_SCHEME Type <I/O>
+typedef TPM_ALG_ID TPMI_ALG_KEYEDHASH_SCHEME;
+
+// Table 133 -- HMAC_SIG_SCHEME Types <I/O>
+typedef TPMS_SCHEME_SIGHASH TPMS_SCHEME_HMAC;
+
+// Table 134 -- TPMS_SCHEME_XOR Structure <I/O>
+typedef struct {
+ TPMI_ALG_HASH hashAlg;
+ TPMI_ALG_KDF kdf;
+} TPMS_SCHEME_XOR;
+
+// Table 135 -- TPMU_SCHEME_KEYEDHASH Union <I/O,S>
+typedef union {
+#ifdef TPM2_ALG_HMAC
+ TPMS_SCHEME_HMAC hmac;
+#endif
+#ifdef TPM2_ALG_XOR
+ TPMS_SCHEME_XOR xor;
+#endif
+
+} TPMU_SCHEME_KEYEDHASH ;
+
+// Table 136 -- TPMT_KEYEDHASH_SCHEME Structure <I/O>
+typedef struct {
+ TPMI_ALG_KEYEDHASH_SCHEME scheme;
+ TPMU_SCHEME_KEYEDHASH details;
+} TPMT_KEYEDHASH_SCHEME;
+
+// Table 137 -- RSA_SIG_SCHEMES Types <I/O>
+typedef TPMS_SCHEME_SIGHASH TPMS_SCHEME_RSASSA;
+typedef TPMS_SCHEME_SIGHASH TPMS_SCHEME_RSAPSS;
+
+// Table 138 -- ECC_SIG_SCHEMES Types <I/O>
+typedef TPMS_SCHEME_SIGHASH TPMS_SCHEME_ECDSA;
+typedef TPMS_SCHEME_SIGHASH TPMS_SCHEME_SM2;
+
+// Table 139 -- TPMS_SCHEME_ECDAA Structure <I/O>
+typedef struct {
+ TPMI_ALG_HASH hashAlg;
+ UINT16 count;
+} TPMS_SCHEME_ECDAA;
+
+// Table 140 -- TPMS_SCHEME_ECSCHNORR Structure <I/O>
+typedef struct {
+ TPMI_ALG_HASH hashAlg;
+ UINT16 count;
+} TPMS_SCHEME_ECSCHNORR;
+
+// Table 141 -- TPMU_SIG_SCHEME Union <I/O,S>
+typedef union {
+#ifdef TPM2_ALG_RSASSA
+ TPMS_SCHEME_RSASSA rsassa;
+#endif
+#ifdef TPM2_ALG_RSAPSS
+ TPMS_SCHEME_RSAPSS rsapss;
+#endif
+#ifdef TPM2_ALG_ECDSA
+ TPMS_SCHEME_ECDSA ecdsa;
+#endif
+#ifdef TPM2_ALG_SM2
+ TPMS_SCHEME_SM2 sm2;
+#endif
+#ifdef TPM2_ALG_ECDAA
+ TPMS_SCHEME_ECDAA ecdaa;
+#endif
+#ifdef TPM2_ALG_ECSCHNORR
+ TPMS_SCHEME_ECSCHNORR ecSchnorr;
+#endif
+#ifdef TPM2_ALG_HMAC
+ TPMS_SCHEME_HMAC hmac;
+#endif
+ TPMS_SCHEME_SIGHASH any;
+} TPMU_SIG_SCHEME;
+
+// Table 142 -- TPMT_SIG_SCHEME Structure <I/O>
+typedef struct {
+ TPMI_ALG_SIG_SCHEME scheme;
+ TPMU_SIG_SCHEME details;
+} TPMT_SIG_SCHEME;
+
+// Table 143 -- TPMS_SCHEME_OAEP Structure <I/O>
+typedef struct {
+ TPMI_ALG_HASH hashAlg;
+} TPMS_SCHEME_OAEP;
+
+// Table 144 -- TPMS_SCHEME_ECDH Structure <I/O>
+typedef struct {
+ TPMI_ALG_HASH hashAlg;
+} TPMS_SCHEME_ECDH;
+
+// Table 145 -- TPMS_SCHEME_MGF1 Structure <I/O>
+typedef struct {
+ TPMI_ALG_HASH hashAlg;
+} TPMS_SCHEME_MGF1;
+
+// Table 146 -- TPMS_SCHEME_KDF1_SP800_56a Structure <I/O>
+typedef struct {
+ TPMI_ALG_HASH hashAlg;
+} TPMS_SCHEME_KDF1_SP800_56a;
+
+// Table 147 -- TPMS_SCHEME_KDF2 Structure <I/O>
+typedef struct {
+ TPMI_ALG_HASH hashAlg;
+} TPMS_SCHEME_KDF2;
+
+// Table 148 -- TPMS_SCHEME_KDF1_SP800_108 Structure <I/O>
+typedef struct {
+ TPMI_ALG_HASH hashAlg;
+} TPMS_SCHEME_KDF1_SP800_108;
+
+// Table 149 -- TPMU_KDF_SCHEME Union <I/O,S>
+typedef union {
+#ifdef TPM2_ALG_MGF1
+ TPMS_SCHEME_MGF1 mgf1;
+#endif
+#ifdef TPM2_ALG_KDF1_SP800_56a
+ TPMS_SCHEME_KDF1_SP800_56a kdf1_SP800_56a;
+#endif
+#ifdef TPM2_ALG_KDF2
+ TPMS_SCHEME_KDF2 kdf2;
+#endif
+#ifdef TPM2_ALG_KDF1_SP800_108
+ TPMS_SCHEME_KDF1_SP800_108 kdf1_sp800_108;
+#endif
+
+} TPMU_KDF_SCHEME;
+
+// Table 150 -- TPMT_KDF_SCHEME Structure <I/O>
+typedef struct {
+ TPMI_ALG_KDF scheme;
+ TPMU_KDF_SCHEME details;
+} TPMT_KDF_SCHEME;
+typedef TPM_ALG_ID TPMI_ALG_ASYM_SCHEME;
+
+// Table 152 -- TPMU_ASYM_SCHEME Union <I/O>
+typedef union {
+#ifdef TPM2_ALG_RSASSA
+ TPMS_SCHEME_RSASSA rsassa;
+#endif
+#ifdef TPM2_ALG_RSAPSS
+ TPMS_SCHEME_RSAPSS rsapss;
+#endif
+#ifdef TPM2_ALG_OAEP
+ TPMS_SCHEME_OAEP oaep;
+#endif
+#ifdef TPM2_ALG_ECDSA
+ TPMS_SCHEME_ECDSA ecdsa;
+#endif
+#ifdef TPM2_ALG_SM2
+ TPMS_SCHEME_SM2 sm2;
+#endif
+#ifdef TPM2_ALG_ECDAA
+ TPMS_SCHEME_ECDAA ecdaa;
+#endif
+#ifdef TPM2_ALG_ECSCHNORR
+ TPMS_SCHEME_ECSCHNORR ecSchnorr;
+#endif
+ TPMS_SCHEME_SIGHASH anySig;
+} TPMU_ASYM_SCHEME;
+
+typedef struct {
+ TPMI_ALG_ASYM_SCHEME scheme;
+ TPMU_ASYM_SCHEME details;
+} TPMT_ASYM_SCHEME;
+
+// Table 154 -- TPMI_ALG_RSA_SCHEME Type <I/O>
+typedef TPM_ALG_ID TPMI_ALG_RSA_SCHEME;
+
+// Table 155 -- TPMT_RSA_SCHEME Structure <I/O>
+typedef struct {
+ TPMI_ALG_RSA_SCHEME scheme;
+ TPMU_ASYM_SCHEME details;
+} TPMT_RSA_SCHEME;
+
+// Table 156 -- TPMI_ALG_RSA_DECRYPT Type <I/O>
+typedef TPM_ALG_ID TPMI_ALG_RSA_DECRYPT;
+
+// Table 157 -- TPMT_RSA_DECRYPT Structure <I/O>
+typedef struct {
+ TPMI_ALG_RSA_DECRYPT scheme;
+ TPMU_ASYM_SCHEME details;
+} TPMT_RSA_DECRYPT;
+
+// Table 158 -- TPM2B_PUBLIC_KEY_RSA Structure <I/O>
+typedef struct {
+ UINT16 size;
+ BYTE buffer[MAX_RSA_KEY_BYTES];
+} TPM2B_PUBLIC_KEY_RSA;
+
+// Table 159 -- TPMI_RSA_KEY_BITS Type <I/O>
+typedef TPM_KEY_BITS TPMI_RSA_KEY_BITS;
+
+// Table 160 -- TPM2B_PRIVATE_KEY_RSA Structure <I/O>
+typedef struct {
+ UINT16 size;
+ BYTE buffer[MAX_RSA_KEY_BYTES/2];
+} TPM2B_PRIVATE_KEY_RSA;
+
+// Table 162 -- TPM2B_ECC_PARAMETER
+typedef struct {
+ UINT16 size;
+ BYTE buffer[MAX_ECC_KEY_BYTES];
+} TPM2B_ECC_PARAMETER;
+
+// Table 163 -- TPMS_ECC_POINT Structure <I/O>
+typedef struct {
+ TPM2B_ECC_PARAMETER x;
+ TPM2B_ECC_PARAMETER y;
+} TPMS_ECC_POINT;
+
+// Table 164 -- TPMI_ALG_ECC_SCHEME Type <I/O>
+typedef TPM_ALG_ID TPMI_ALG_ECC_SCHEME;
+
+typedef UINT16 TPM_ECC_CURVE;
+
+// Table 165 -- TPMI_ECC_CURVE Type <I/O>
+typedef TPM_ECC_CURVE TPMI_ECC_CURVE;
+
+// Table 166 -- TPMT_ECC_SCHEME Structure <I/O>
+typedef struct {
+ TPMI_ALG_ECC_SCHEME scheme;
+ TPMU_SIG_SCHEME details;
+} TPMT_ECC_SCHEME;
+
+// Table 175 -- TPMI_ALG_PUBLIC Type <I/O>
+typedef TPM_ALG_ID TPMI_ALG_PUBLIC;
+
+// Table 176 -- TPMU_PUBLIC_ID Union <I/O,S>
+typedef union {
+#ifdef TPM2_ALG_KEYEDHASH
+ TPM2B_DIGEST keyedHash;
+#endif
+#ifdef TPM2_ALG_SYMCIPHER
+ TPM2B_DIGEST sym;
+#endif
+#ifdef TPM2_ALG_RSA
+ TPM2B_PUBLIC_KEY_RSA rsa;
+#endif
+#ifdef TPM2_ALG_ECC
+ TPMS_ECC_POINT ecc;
+#endif
+} TPMU_PUBLIC_ID;
+
+// Table 177 -- TPMS_KEYEDHASH_PARMS Structure <I/O>
+typedef struct {
+ TPMT_KEYEDHASH_SCHEME scheme;
+} TPMS_KEYEDHASH_PARMS;
+typedef struct {
+ TPMT_SYM_DEF_OBJECT symmetric;
+ TPMT_ASYM_SCHEME scheme;
+} TPMS_ASYM_PARMS;
+
+// Table 179 -- TPMS_RSA_PARMS Structure <I/O>
+typedef struct {
+ TPMT_SYM_DEF_OBJECT symmetric;
+ TPMT_RSA_SCHEME scheme;
+ TPMI_RSA_KEY_BITS keyBits;
+ UINT32 exponent;
+} TPMS_RSA_PARMS;
+
+// Table 180 -- TPMS_ECC_PARMS Structure <I/O>
+typedef struct {
+ TPMT_SYM_DEF_OBJECT symmetric;
+ TPMT_ECC_SCHEME scheme;
+ TPMI_ECC_CURVE curveID;
+ TPMT_KDF_SCHEME kdf;
+} TPMS_ECC_PARMS;
+
+// Table 181 -- TPMU_PUBLIC_PARMS Union <I/O,S>
+typedef union {
+#ifdef TPM2_ALG_KEYEDHASH
+ TPMS_KEYEDHASH_PARMS keyedHashDetail;
+#endif
+#ifdef TPM2_ALG_SYMCIPHER
+ TPMT_SYM_DEF_OBJECT symDetail;
+#endif
+#ifdef TPM2_ALG_RSA
+ TPMS_RSA_PARMS rsaDetail;
+#endif
+#ifdef TPM2_ALG_ECC
+ TPMS_ECC_PARMS eccDetail;
+#endif
+ TPMS_ASYM_PARMS asymDetail;
+} TPMU_PUBLIC_PARMS;
+
+// Table 182 -- TPMT_PUBLIC_PARMS Structure <I/O>
+typedef struct {
+ TPMI_ALG_PUBLIC type;
+ TPMU_PUBLIC_PARMS parameters;
+} TPMT_PUBLIC_PARMS;
+
+// Table 183 -- TPMT_PUBLIC Structure <I/O>
+typedef struct {
+ TPMI_ALG_PUBLIC type;
+ TPMI_ALG_HASH nameAlg;
+ TPMA_OBJECT objectAttributes;
+ TPM2B_DIGEST authPolicy;
+ TPMU_PUBLIC_PARMS parameters;
+ TPMU_PUBLIC_ID unique;
+} TPMT_PUBLIC;
+
+// Table 184 -- TPM2B_PUBLIC
+typedef struct {
+ UINT16 size;
+ TPMT_PUBLIC publicArea;
+} TPM2B_PUBLIC;
+
+// Table 185 -- TPMU_SENSITIVE_COMPOSITE Union <I/O,S>
+typedef union {
+#ifdef TPM2_ALG_RSA
+ TPM2B_PRIVATE_KEY_RSA rsa;
+#endif
+#ifdef TPM2_ALG_ECC
+ TPM2B_ECC_PARAMETER ecc;
+#endif
+#ifdef TPM2_ALG_KEYEDHASH
+ TPM2B_SENSITIVE_DATA bits;
+#endif
+#ifdef TPM2_ALG_SYMCIPHER
+ TPM2B_SYM_KEY sym;
+#endif
+ TPM2B_SENSITIVE_DATA any;
+} TPMU_SENSITIVE_COMPOSITE;
+
+// Table 186 -- TPMT_SENSITIVE Structure <I/O>
+typedef struct {
+ TPMI_ALG_PUBLIC sensitiveType;
+ TPM2B_AUTH authValue;
+ TPM2B_DIGEST seedValue;
+ TPMU_SENSITIVE_COMPOSITE sensitive;
+} TPMT_SENSITIVE;
+
+// Table 187 -- TPM2B_SENSITIVE Structure <I/O>
+typedef struct {
+ UINT16 size;
+ TPMT_SENSITIVE sensitiveArea;
+} TPM2B_SENSITIVE;
+
+typedef struct {
+ TPM2B_DIGEST integrityOuter;
+ TPM2B_DIGEST integrityInner;
+ TPMT_SENSITIVE sensitive;
+} _PRIVATE;
+
+// Table 189 -- TPM2B_PRIVATE Structure <I/O,S>
+typedef struct {
+ UINT16 size;
+ BYTE buffer[sizeof(_PRIVATE)];
+} TPM2B_PRIVATE;
+
+// Table 204 -- TPMS_CREATION_DATA <OUT>
+typedef struct {
+ TPML_PCR_SELECTION pcrSelect;
+ TPM2B_DIGEST pcrDigest;
+ TPMA_LOCALITY locality;
+ TPM_ALG_ID parentNameAlg;
+ TPM2B_NAME parentName;
+ TPM2B_NAME parentQualifiedName;
+ TPM2B_DATA outsideInfo;
+} TPMS_CREATION_DATA;
+
+// Table 205 -- TPM2B_CREATION_DATA <OUT>
+typedef struct {
+ UINT16 size;
+ TPMS_CREATION_DATA creationData;
+} TPM2B_CREATION_DATA;
+
+/* the following structs is not part of standard struct defined in TPM2 spec */
+typedef struct {
+ UINT32 size;
+ TPM_RH sessionHandle;
+ TPM2B_NONCE nonce;
+ TPMA_SESSION sessionAttributes;
+ TPM2B_AUTH auth;
+} TPM_AuthArea;
+
+typedef struct {
+ TPM2B_SENSITIVE_CREATE inSensitive;
+ TPM2B_PUBLIC inPublic;
+ TPM2B_DATA outsideInfo;
+ TPML_PCR_SELECTION creationPCR;
+} TPM2_Create_Params_in;
+
+typedef TPM2_Create_Params_in TPM2_CreatePrimary_Params_in;
+
+typedef struct {
+ TPM2B_PUBLIC outPublic;
+ TPM2B_CREATION_DATA creationData;
+ TPM2B_DIGEST creationHash;
+ TPMT_TK_CREATION creationTicket;
+ TPM2B_NAME name;
+} TPM2_CreatePrimary_Params_out;
+
+typedef struct {
+ TPM2B_PRIVATE outPrivate;
+ TPM2B_PUBLIC outPublic;
+ TPM2B_CREATION_DATA creationData;
+ TPM2B_DIGEST creationHash;
+ TPMT_TK_CREATION creationTicket;
+} TPM2_Create_Params_out;
+typedef struct {
+ TPM2B_PRIVATE Private;
+ TPM2B_PUBLIC Public;
+} TPM2_RSA_KEY;
+
+/*
+ * TPM 2.0 Objects
+ */
+
+#define TPM_HT_TRANSIENT 0x80
+#define HR_SHIFT 24
+#define HR_PERMANENT (TPM_HT_TRANSIENT << HR_SHIFT)
+#define TRANSIENT_FIRST (HR_PERMANENT)
+#define MAX_LOADED_OBJECTS 3
+#define TRANSIENT_LAST (TRANSIENT_FIRST+MAX_LOADED_OBJECTS-1)
+/*
+ * TPMA_OBJECT Bits
+ */
+#define fixedTPM ((1 << 1))
+#define stClear ((1 << 2))
+#define fixedParent ((1 << 4))
+#define sensitiveDataOrigin ((1 << 5))
+#define userWithAuth ((1 << 6))
+#define adminWithPolicy ((1 << 7))
+#define noDA ((1 << 10))
+#define encryptedDuplication ((1 << 11))
+#define restricted ((1 << 16))
+#define decrypt ((1 << 17))
+#define sign ((1 << 18))
+#endif
--
1.8.3.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v4 02/14] vTPM/TPM2: TPM 2.0 data structures marshal
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
2015-01-15 9:21 ` [PATCH v4 01/14] vTPM/TPM2: Add TPM 2.0 data structures and commands definition Quan Xu
@ 2015-01-15 9:21 ` Quan Xu
2015-01-15 9:21 ` [PATCH v4 03/14] vTPM/TPM2: Add global data in vtpm_globals{} Quan Xu
` (13 subsequent siblings)
15 siblings, 0 replies; 30+ messages in thread
From: Quan Xu @ 2015-01-15 9:21 UTC (permalink / raw)
To: xen-devel, dgdegra
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, Quan Xu, samuel.thibault
Add TPM 2.0 data structure marshal for packing and unpacking TPM
2.0 data structures.
Signed-off-by: Quan Xu <quan.xu@intel.com>
---
stubdom/vtpmmgr/tpm2_marshal.h | 673 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 673 insertions(+)
create mode 100644 stubdom/vtpmmgr/tpm2_marshal.h
diff --git a/stubdom/vtpmmgr/tpm2_marshal.h b/stubdom/vtpmmgr/tpm2_marshal.h
new file mode 100644
index 0000000..aaa4464
--- /dev/null
+++ b/stubdom/vtpmmgr/tpm2_marshal.h
@@ -0,0 +1,673 @@
+/*
+ * Copyright (c) 2014 Intel Corporation.
+ *
+ * Authors:
+ * Quan Xu <quan.xu@intel.com>
+ *
+ * Copyright (c) 2010-2012 United States Government, as represented by
+ * the Secretary of Defense. All rights reserved.
+ *
+ * based off of the original tools/vtpm_manager code base which is:
+ * Copyright (c) 2005, Intel Corp.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#ifndef TPM2_MARSHAL_H
+#define TPM2_MARSHAL_H
+
+#include <stdlib.h>
+#include <mini-os/byteorder.h>
+#include <mini-os/endian.h>
+#include "tcg.h"
+#include "tpm2_types.h"
+#include <assert.h>
+
+#define pack_TPM_BUFFER(ptr, buf, size) pack_BUFFER(ptr, buf, size)
+#define unpack_TPM_BUFFER(ptr, buf, size) unpack_BUFFER(ptr, buf, size)
+
+inline BYTE* pack_BYTE_ARRAY(BYTE* ptr, const BYTE* array, UINT32 size)
+{
+ int i;
+ for (i = 0; i < size; i++)
+ ptr = pack_BYTE(ptr, array[i]);
+ return ptr;
+}
+
+inline BYTE* pack_TPMA_SESSION(BYTE* ptr, const TPMA_SESSION *attr)
+{
+ return pack_BYTE(ptr, (BYTE)(*attr));
+}
+
+inline BYTE* unpack_TPMA_SESSION(BYTE* ptr, TPMA_SESSION *attr)
+{
+ return unpack_BYTE(ptr, (BYTE *)attr);
+}
+
+inline BYTE* pack_TPMI_ALG_HASH(BYTE* ptr, const TPMI_ALG_HASH *hash)
+{
+ return pack_UINT16(ptr, *hash);
+}
+
+inline BYTE* unpack_TPMI_ALG_HASH(BYTE *ptr, TPMI_ALG_HASH *hash)
+{
+ return unpack_UINT16(ptr, hash);
+}
+
+#define pack_TPMA_OBJECT(ptr, t) pack_UINT32(ptr, (UINT32)(*t))
+#define unpack_TPMA_OBJECT(ptr, t) unpack_UINT32(ptr, (UINT32 *)(t))
+#define pack_TPM_RH(ptr, t) pack_UINT32(ptr, (UINT32)(*t))
+#define unpack_TPM_RH(ptr, t) unpack_UINT32(ptr, (UINT32 *)(t))
+#define pack_TPMA_LOCALITY(ptr, locality) pack_BYTE(ptr, (BYTE)*locality)
+#define unpack_TPMA_LOCALITY(ptr, locality) unpack_BYTE(ptr, (BYTE *)locality)
+#define pack_TPM_ST(ptr, tag) pack_UINT16(ptr, *tag)
+#define unpack_TPM_ST(ptr, tag) unpack_UINT16(ptr, tag)
+#define pack_TPM_KEY_BITS(ptr, t) pack_UINT16(ptr, *t)
+#define unpack_TPM_KEY_BITS(ptr, t) unpack_UINT16(ptr, t)
+#define pack_TPMI_AES_KEY_BITS(ptr, t) pack_TPM_KEY_BITS(ptr, t)
+#define unpack_TPMI_AES_KEY_BITS(ptr, t) unpack_TPM_KEY_BITS(ptr, t)
+#define pack_TPMI_RSA_KEY_BITS(ptr, t) pack_TPM_KEY_BITS(ptr, t)
+#define unpack_TPMI_RSA_KEY_BITS(ptr, t) unpack_TPM_KEY_BITS(ptr, t)
+#define pack_TPM_ALG_ID(ptr, id) pack_UINT16(ptr, *id)
+#define unpack_TPM_ALG_ID(ptr, id) unpack_UINT16(ptr, id)
+#define pack_TPM_ALG_SYM(ptr, t) pack_TPM_ALG_ID(ptr, t)
+#define unpack_TPM_ALG_SYM(ptr, t) unpack_TPM_ALG_ID(ptr, t)
+#define pack_TPMI_ALG_ASYM(ptr, asym) pack_TPM_ALG_ID(ptr, asym)
+#define unpack_TPMI_ALG_ASYM(ptr, asym) unpack_TPM_ALG_ID(ptr, asym)
+#define pack_TPMI_ALG_SYM_OBJECT(ptr, t) pack_TPM_ALG_ID(ptr, t)
+#define unpack_TPMI_ALG_SYM_OBJECT(ptr, t) unpack_TPM_ALG_ID(ptr, t)
+#define pack_TPMI_ALG_SYM_MODE(ptr, t) pack_TPM_ALG_ID(ptr, t)
+#define unpack_TPMI_ALG_SYM_MODE(ptr, t) unpack_TPM_ALG_ID(ptr, t)
+#define pack_TPMI_ALG_KDF(ptr, t) pack_TPM_ALG_ID(ptr, t)
+#define unpack_TPMI_ALG_KDF(ptr, t) unpack_TPM_ALG_ID(ptr, t)
+#define pack_TPMI_ALG_PUBLIC(ptr, t) pack_TPM_ALG_ID(ptr, t)
+#define unpack_TPMI_ALG_PUBLIC(ptr, t) unpack_TPM_ALG_ID(ptr, t)
+#define pack_TPM2_HANDLE(ptr, h) pack_UINT32(ptr, *h)
+#define unpack_TPM2_HANDLE(ptr, h) unpack_UINT32(ptr, h)
+#define pack_TPMI_ALG_RSA_SCHEME(ptr, t) pack_TPM_ALG_ID(ptr, t)
+#define unpack_TPMI_ALG_RSA_SCHEME(ptr, t) unpack_TPM_ALG_ID(ptr, t)
+#define pack_TPMI_DH_OBJECT(ptr, o) pack_TPM2_HANDLE(ptr, o)
+#define unpack_TPMI_DH_OBJECT(PTR, O) unpack_TPM2_HANDLE(ptr, o)
+#define pack_TPMI_RH_HIERACHY(ptr, h) pack_TPM2_HANDLE(ptr, h)
+#define unpack_TPMI_RH_HIERACHY(ptr, h) unpack_TPM2_HANDLE(ptr, h)
+#define pack_TPMI_RH_PLATFORM(ptr, p) pack_TPM2_HANDLE(ptr, p)
+#define unpack_TPMI_RH_PLATFORM(ptr, p) unpack_TPM2_HANDLE(ptr, p)
+#define pack_TPMI_RH_OWNER(ptr, o) pack_TPM2_HANDLE(ptr, o)
+#define unpack_TPMI_RH_OWNER(ptr, o) unpack_TPM2_HANDLE(ptr, o)
+#define pack_TPMI_RH_ENDORSEMENT(ptr, e) pack_TPM2_HANDLE(ptr, e)
+#define unpack_TPMI_RH_ENDORSEMENT(ptr, e) unpack_TPM2_HANDLE(ptr, e)
+#define pack_TPMI_RH_LOCKOUT(ptr, l) pack_TPM2_HANDLE(ptr, l)
+#define unpack_TPMI_RH_LOCKOUT(ptr, l) unpack_TPM2_HANDLE(ptr, l)
+
+inline BYTE* pack_TPM2B_DIGEST(BYTE* ptr, const TPM2B_DIGEST *digest)
+{
+ ptr = pack_UINT16(ptr, digest->size);
+ ptr = pack_BUFFER(ptr, digest->buffer, digest->size);
+ return ptr;
+}
+
+inline BYTE* unpack_TPM2B_DIGEST(BYTE* ptr, TPM2B_DIGEST *digest)
+{
+ ptr = unpack_UINT16(ptr, &digest->size);
+ ptr = unpack_BUFFER(ptr, digest->buffer, digest->size);
+ return ptr;
+}
+
+inline BYTE* pack_TPMT_TK_CREATION(BYTE* ptr,const TPMT_TK_CREATION *ticket )
+{
+ ptr = pack_TPM_ST(ptr , &ticket->tag);
+ ptr = pack_TPMI_RH_HIERACHY(ptr , &ticket->hierarchy);
+ ptr = pack_TPM2B_DIGEST(ptr, &ticket->digest);
+ return ptr;
+}
+
+inline BYTE* unpack_TPMT_TK_CREATION(BYTE* ptr, TPMT_TK_CREATION *ticket )
+{
+ ptr = unpack_TPM_ST(ptr, &ticket->tag);
+ ptr = unpack_TPMI_RH_HIERACHY(ptr, &ticket->hierarchy);
+ ptr = unpack_TPM2B_DIGEST(ptr, &ticket->digest);
+ return ptr;
+}
+
+inline BYTE* pack_TPM2B_NAME(BYTE* ptr,const TPM2B_NAME *name )
+{
+ ptr = pack_UINT16(ptr, name->size);
+ ptr = pack_TPM_BUFFER(ptr, name->name, name->size);
+ return ptr;
+}
+
+inline BYTE* unpack_TPM2B_NAME(BYTE* ptr, TPM2B_NAME *name)
+{
+ ptr = unpack_UINT16(ptr, &name->size);
+ ptr = unpack_TPM_BUFFER(ptr, name->name, name->size);
+ return ptr;
+}
+
+inline BYTE* pack_TPM2B_NONCE(BYTE* ptr, const TPM2B_NONCE *nonce)
+{
+ return pack_TPM2B_DIGEST(ptr, (const TPM2B_DIGEST*)nonce);
+}
+
+#define unpack_TPM2B_NONCE(ptr, nonce) unpack_TPM2B_DIGEST(ptr, (TPM2B_DIGEST*)nonce)
+
+inline BYTE* pack_TPM2B_AUTH(BYTE* ptr, const TPM2B_AUTH *auth)
+{
+ return pack_TPM2B_DIGEST(ptr, (const TPM2B_DIGEST*)auth);
+}
+
+#define unpack_TPM2B_AUTH(ptr, auth) unpack_TPM2B_DIGEST(ptr, (TPM2B_DIGEST*)auth)
+
+inline BYTE* pack_TPM2B_DATA(BYTE* ptr, const TPM2B_DATA *data)
+{
+ return pack_TPM2B_DIGEST(ptr, (const TPM2B_DIGEST*)data);
+}
+
+#define unpack_TPM2B_DATA(ptr, data) unpack_TPM2B_DIGEST(ptr, (TPM2B_DIGEST*)data)
+
+inline BYTE* pack_TPM2B_SENSITIVE_DATA(BYTE* ptr, const TPM2B_SENSITIVE_DATA *data)
+{
+ return pack_TPM2B_DIGEST(ptr, (const TPM2B_DIGEST*)data);
+}
+
+#define unpack_TPM2B_SENSITIVE_DATA(ptr, data) unpack_TPM2B_DIGEST(ptr, (TPM2B_DIGEST*)data)
+
+inline BYTE* pack_TPM2B_PUBLIC_KEY_RSA(BYTE* ptr, const TPM2B_PUBLIC_KEY_RSA *rsa)
+{
+ return pack_TPM2B_DIGEST(ptr, (const TPM2B_DIGEST*)rsa);
+}
+
+#define unpack_TPM2B_PUBLIC_KEY_RSA(ptr, rsa) unpack_TPM2B_DIGEST(ptr, (TPM2B_DIGEST*)rsa)
+
+inline BYTE* pack_TPM2B_PRIVATE(BYTE* ptr, const TPM2B_PRIVATE *Private)
+{
+ ptr = pack_UINT16(ptr, Private->size);
+ ptr = pack_TPM_BUFFER(ptr, Private->buffer, Private->size);
+ return ptr;
+}
+
+inline BYTE* unpack_TPM2B_PRIVATE(BYTE* ptr, TPM2B_PRIVATE *Private)
+{
+ ptr = unpack_UINT16(ptr, &Private->size);
+ ptr = unpack_BUFFER(ptr, Private->buffer, Private->size);
+ return ptr;
+}
+
+inline BYTE* pack_TPMS_PCR_SELECTION_ARRAY(BYTE* ptr, const TPMS_PCR_SELECTION *sel, UINT32 count)
+{
+ int i;
+ for (i = 0; i < count; i++) {
+ ptr = pack_TPMI_ALG_HASH(ptr, &sel[i].hash);
+ ptr = pack_BYTE(ptr, sel[i].sizeofSelect);
+ ptr = pack_BUFFER(ptr, sel[i].pcrSelect, sel[i].sizeofSelect);
+ }
+ return ptr;
+}
+
+inline BYTE* unpack_TPMS_PCR_SELECTION_ARRAY(BYTE* ptr, TPMS_PCR_SELECTION *sel, UINT32 count)
+{
+ int i;
+ for (i = 0; i < count; i++) {
+ ptr = unpack_TPMI_ALG_HASH(ptr, &sel[i].hash);
+ ptr = unpack_BYTE(ptr, &sel[i].sizeofSelect);
+ ptr = unpack_BUFFER(ptr, sel[i].pcrSelect, sel[i].sizeofSelect);
+ }
+ return ptr;
+}
+
+inline BYTE* pack_TPML_PCR_SELECTION(BYTE* ptr, const TPML_PCR_SELECTION *sel)
+{
+ ptr = pack_UINT32(ptr, sel->count);
+ ptr = pack_TPMS_PCR_SELECTION_ARRAY(ptr, sel->pcrSelections, sel->count);
+ return ptr;
+}
+
+inline BYTE* unpack_TPML_PCR_SELECTION(BYTE* ptr, TPML_PCR_SELECTION *sel)
+{
+ ptr = unpack_UINT32(ptr, &sel->count);
+ ptr = unpack_TPMS_PCR_SELECTION_ARRAY(ptr, sel->pcrSelections, sel->count);
+ return ptr;
+}
+
+inline BYTE* unpack_TPML_DIGEST(BYTE* ptr,TPML_DIGEST *digest)
+{
+ int i;
+ ptr = unpack_UINT32(ptr, &digest->count);
+ for (i=0;i<digest->count;i++)
+ {
+ ptr = unpack_TPM2B_DIGEST(ptr, &digest->digests[i]);
+ }
+ return ptr;
+}
+
+inline BYTE* pack_TPMS_CREATION_DATA(BYTE* ptr,const TPMS_CREATION_DATA *data)
+{
+ ptr = pack_TPML_PCR_SELECTION(ptr, &data->pcrSelect);
+ ptr = pack_TPM2B_DIGEST(ptr, &data->pcrDigest);
+ ptr = pack_TPMA_LOCALITY(ptr, &data->locality);
+ ptr = pack_TPM_ALG_ID(ptr, &data->parentNameAlg);
+ ptr = pack_TPM2B_NAME(ptr, &data->parentQualifiedName);
+ ptr = pack_TPM2B_DATA(ptr, &data->outsideInfo);
+ return ptr;
+}
+
+inline BYTE* unpack_TPMS_CREATION_DATA(BYTE* ptr, TPMS_CREATION_DATA *data)
+{
+ ptr = unpack_TPML_PCR_SELECTION(ptr, &data->pcrSelect);
+ ptr = unpack_TPM2B_DIGEST(ptr, &data->pcrDigest);
+ ptr = unpack_TPMA_LOCALITY(ptr, &data->locality);
+ ptr = unpack_TPM_ALG_ID(ptr, &data->parentNameAlg);
+ ptr = unpack_TPM2B_NAME(ptr, &data->parentName);
+ ptr = unpack_TPM2B_NAME(ptr, &data->parentQualifiedName);
+ ptr = unpack_TPM2B_DATA(ptr, &data->outsideInfo);
+ return ptr;
+}
+
+inline BYTE* pack_TPM2B_CREATION_DATA(BYTE* ptr, const TPM2B_CREATION_DATA *data )
+{
+ ptr = pack_UINT16(ptr, data->size);
+ ptr = pack_TPMS_CREATION_DATA(ptr, &data->creationData);
+ return ptr;
+}
+
+inline BYTE* unpack_TPM2B_CREATION_DATA(BYTE* ptr, TPM2B_CREATION_DATA * data)
+{
+ ptr = unpack_UINT16(ptr, &data->size);
+ ptr = unpack_TPMS_CREATION_DATA(ptr, &data->creationData);
+ return ptr;
+}
+
+inline BYTE* pack_TPMS_SENSITIVE_CREATE(BYTE* ptr, const TPMS_SENSITIVE_CREATE *create)
+{
+ ptr = pack_TPM2B_AUTH(ptr, &create->userAuth);
+ ptr = pack_TPM2B_SENSITIVE_DATA(ptr, &create->data);
+ return ptr;
+}
+
+inline BYTE* pack_TPM2B_SENSITIVE_CREATE(BYTE* ptr, const TPM2B_SENSITIVE_CREATE *create)
+{
+ BYTE* sizePtr = ptr;
+ ptr += 2;
+ ptr = pack_TPMS_SENSITIVE_CREATE(ptr, &create->sensitive);
+ pack_UINT16(sizePtr, (UINT16)(ptr - sizePtr - 2));
+ return ptr;
+}
+
+inline BYTE* pack_TPMU_SYM_MODE(BYTE* ptr, const TPMU_SYM_MODE *p,
+ const TPMI_ALG_SYM_OBJECT *sel)
+{
+ switch(*sel) {
+ case TPM2_ALG_AES:
+ ptr = pack_TPMI_ALG_SYM_MODE(ptr, &p->aes);
+ break;
+ case TPM2_ALG_SM4:
+ assert(false);
+ break;
+ case TPM2_ALG_NULL:
+ case TPM2_ALG_XOR:
+ break;
+ default:
+ ptr = pack_TPMI_ALG_SYM_MODE(ptr, &p->sym);
+ }
+ return ptr;
+}
+inline BYTE* unpack_TPMU_SYM_MODE(BYTE* ptr, TPMU_SYM_MODE *p,
+ const TPMI_ALG_SYM_OBJECT *sel)
+{
+ switch(*sel) {
+ case TPM2_ALG_AES:
+ ptr = unpack_TPMI_ALG_SYM_MODE(ptr, &p->aes);
+ break;
+ case TPM2_ALG_SM4:
+ assert(false);
+ break;
+ case TPM2_ALG_NULL:
+ case TPM2_ALG_XOR:
+ break;
+ default:
+ ptr = unpack_TPMI_ALG_SYM_MODE(ptr, &p->sym);
+ }
+ return ptr;
+}
+
+inline BYTE* pack_TPMU_SYM_KEY_BITS(BYTE* ptr, const TPMU_SYM_KEY_BITS *p,
+ const TPMI_ALG_SYM_OBJECT *sel)
+{
+ switch(*sel) {
+ case TPM2_ALG_AES:
+ ptr = pack_TPMI_AES_KEY_BITS(ptr, &p->aes);
+ break;
+ case TPM2_ALG_SM4:
+ assert(false);
+ break;
+ case TPM2_ALG_XOR:
+ assert(false);
+ break;
+ case TPM2_ALG_NULL:
+ break;
+ default:
+ ptr = pack_TPM_KEY_BITS(ptr, &p->sym);
+ }
+ return ptr;
+}
+
+inline BYTE* unpack_TPMU_SYM_KEY_BITS(BYTE* ptr, TPMU_SYM_KEY_BITS *p,
+ const TPMI_ALG_SYM_OBJECT *sel)
+{
+ switch(*sel) {
+ case TPM2_ALG_AES:
+ ptr = unpack_TPMI_AES_KEY_BITS(ptr, &p->aes);
+ break;
+ case TPM2_ALG_SM4:
+ assert(false);
+ break;
+ case TPM2_ALG_XOR:
+ assert(false);
+ break;
+ case TPM2_ALG_NULL:
+ break;
+ default:
+ ptr = unpack_TPM_KEY_BITS(ptr, &p->sym);
+ }
+ return ptr;
+}
+
+inline BYTE* pack_TPMT_SYM_DEF_OBJECT(BYTE* ptr, const TPMT_SYM_DEF_OBJECT *p)
+{
+ ptr = pack_TPMI_ALG_SYM_OBJECT(ptr, &p->algorithm);
+ ptr = pack_TPMU_SYM_KEY_BITS(ptr, &p->keyBits, &p->algorithm);
+ ptr = pack_TPMU_SYM_MODE(ptr, &p->mode, &p->algorithm);
+ return ptr;
+}
+
+inline BYTE* unpack_TPMT_SYM_DEF_OBJECT(BYTE *ptr, TPMT_SYM_DEF_OBJECT *p)
+{
+ ptr = unpack_TPMI_ALG_SYM_OBJECT(ptr, &p->algorithm);
+ ptr = unpack_TPMU_SYM_KEY_BITS(ptr, &p->keyBits, &p->algorithm);
+ ptr = unpack_TPMU_SYM_MODE(ptr, &p->mode, &p->algorithm);
+ return ptr;
+}
+
+#define pack_TPMS_SCHEME_OAEP(p, t) pack_TPMI_ALG_HASH(p, &((t)->hashAlg))
+#define unpack_TPMS_SCHEME_OAEP(p, t) unpack_TPMI_ALG_HASH(p, &((t)->hashAlg))
+
+inline BYTE* pack_TPMU_ASYM_SCHEME(BYTE *ptr, const TPMU_ASYM_SCHEME *p,
+ const TPMI_ALG_RSA_SCHEME *s)
+{
+ switch(*s) {
+#ifdef TPM2_ALG_RSASSA
+ case TPM2_ALG_RSASSA:
+ assert(false || "TPM2_ALG_RSASSA");
+ break;
+#endif
+#ifdef TPM2_ALG_OAEP
+ case TPM2_ALG_OAEP:
+ ptr = pack_TPMS_SCHEME_OAEP(ptr, &p->oaep);
+ break;
+#endif
+ case TPM2_ALG_NULL:
+ break;
+ default:
+ assert(false || "DEFAULT");
+ }
+ return ptr;
+}
+
+inline BYTE* unpack_TPMU_ASYM_SCHEME(BYTE *ptr, TPMU_ASYM_SCHEME *p,
+ const TPMI_ALG_RSA_SCHEME *s)
+{
+ switch(*s) {
+ #ifdef TPM2_ALG_RSASSA
+ case TPM2_ALG_RSASSA:
+ printf("not support TPM_ALG_RSASSA\n");
+ assert(false);
+ break;
+ #endif
+ #ifdef TPM2_ALG_OAEP
+ case TPM2_ALG_OAEP:
+ ptr = unpack_TPMS_SCHEME_OAEP(ptr, &p->oaep);
+ break;
+ #endif
+ case TPM2_ALG_NULL:
+ break;
+ default:
+ printf("default TPMI_ALG_RSA_SCHEME 0x%X\n", (UINT32)*s);
+ ptr = unpack_TPMI_ALG_HASH(ptr, &p->anySig.hashAlg);
+ }
+ return ptr;
+}
+
+inline BYTE* pack_TPMT_RSA_SCHEME(BYTE* ptr, const TPMT_RSA_SCHEME *p)
+{
+ ptr = pack_TPMI_ALG_RSA_SCHEME(ptr, &p->scheme);
+ ptr = pack_TPMU_ASYM_SCHEME(ptr, &p->details, &p->scheme);
+ return ptr;
+}
+
+inline BYTE* unpack_TPMT_RSA_SCHEME(BYTE* ptr, TPMT_RSA_SCHEME *p)
+{
+ ptr = unpack_TPMI_ALG_RSA_SCHEME(ptr, &p->scheme);
+ ptr = unpack_TPMU_ASYM_SCHEME(ptr, &p->details, &p->scheme);
+ return ptr;
+}
+
+inline BYTE* pack_TPMT_RSA_DECRYPT(BYTE* ptr, const TPMT_RSA_DECRYPT *p)
+{
+ ptr = pack_TPMI_ALG_RSA_SCHEME(ptr, &p->scheme);
+ ptr = pack_TPMU_ASYM_SCHEME(ptr, &p->details, &p->scheme);
+ return ptr;
+}
+
+inline BYTE* pack_TPMS_RSA_PARMS(BYTE* ptr, const TPMS_RSA_PARMS *p)
+{
+ ptr = pack_TPMT_SYM_DEF_OBJECT(ptr, &p->symmetric);
+ ptr = pack_TPMT_RSA_SCHEME(ptr, &p->scheme);
+ ptr = pack_TPMI_RSA_KEY_BITS(ptr, &p->keyBits);
+ ptr = pack_UINT32(ptr, p->exponent);
+ return ptr;
+}
+
+inline BYTE* unpack_TPMS_RSA_PARMS(BYTE *ptr, TPMS_RSA_PARMS *p)
+{
+ ptr = unpack_TPMT_SYM_DEF_OBJECT(ptr, &p->symmetric);
+ ptr = unpack_TPMT_RSA_SCHEME(ptr, &p->scheme);
+ ptr = unpack_TPMI_RSA_KEY_BITS(ptr, &p->keyBits);
+ ptr = unpack_UINT32(ptr, &p->exponent);
+ return ptr;
+}
+
+inline BYTE* pack_TPMU_PUBLIC_PARMS(BYTE* ptr, const TPMU_PUBLIC_PARMS *param,
+ const TPMI_ALG_PUBLIC *selector)
+{
+ switch(*selector) {
+ case TPM2_ALG_KEYEDHASH:
+ assert(false);
+ case TPM2_ALG_SYMCIPHER:
+ assert(false);
+ case TPM2_ALG_RSA:
+ return pack_TPMS_RSA_PARMS(ptr, ¶m->rsaDetail);
+ case TPM2_ALG_ECC:
+ assert(false);
+ }
+ assert(false);
+ return NULL;
+}
+
+inline BYTE* unpack_TPMU_PUBLIC_PARMS(BYTE* ptr, TPMU_PUBLIC_PARMS *param,
+ const TPMI_ALG_PUBLIC *selector)
+{
+ switch(*selector) {
+ case TPM2_ALG_KEYEDHASH:
+ assert(false);
+ case TPM2_ALG_SYMCIPHER:
+ assert(false);
+ case TPM2_ALG_RSA:
+ return unpack_TPMS_RSA_PARMS(ptr, ¶m->rsaDetail);
+ case TPM2_ALG_ECC:
+ assert(false);
+ }
+ assert(false);
+ return NULL;
+}
+
+inline BYTE* pack_TPMS_ECC_POINT(BYTE* ptr, const TPMS_ECC_POINT *point)
+{
+ assert(false);
+ return ptr;
+}
+
+inline BYTE* unpack_TPMS_ECC_POINT(BYTE* ptr, TPMS_ECC_POINT *point)
+{
+ assert(false);
+ return ptr;
+}
+
+inline BYTE* pack_TPMU_PUBLIC_ID(BYTE* ptr, const TPMU_PUBLIC_ID *id,
+ const TPMI_ALG_PUBLIC *selector)
+{
+ switch (*selector) {
+ case TPM2_ALG_KEYEDHASH:
+ return pack_TPM2B_DIGEST(ptr, &id->keyedHash);
+ case TPM2_ALG_SYMCIPHER:
+ return pack_TPM2B_DIGEST(ptr, &id->sym);
+ case TPM2_ALG_RSA:
+ return pack_TPM2B_PUBLIC_KEY_RSA(ptr, &id->rsa);
+ case TPM2_ALG_ECC:
+ return pack_TPMS_ECC_POINT(ptr, &id->ecc);
+ }
+ assert(false);
+ return NULL;
+}
+
+inline BYTE* unpack_TPMU_PUBLIC_ID(BYTE* ptr, TPMU_PUBLIC_ID *id, TPMI_ALG_PUBLIC *selector)
+{
+ switch (*selector) {
+ case TPM2_ALG_KEYEDHASH:
+ return unpack_TPM2B_DIGEST(ptr, &id->keyedHash);
+ case TPM2_ALG_SYMCIPHER:
+ return unpack_TPM2B_DIGEST(ptr, &id->sym);
+ case TPM2_ALG_RSA:
+ return unpack_TPM2B_PUBLIC_KEY_RSA(ptr, &id->rsa);
+ case TPM2_ALG_ECC:
+ return unpack_TPMS_ECC_POINT(ptr, &id->ecc);
+ }
+ assert(false);
+ return NULL;
+}
+
+inline BYTE* pack_TPMT_PUBLIC(BYTE* ptr, const TPMT_PUBLIC *public)
+{
+ ptr = pack_TPMI_ALG_PUBLIC(ptr, &public->type);
+ ptr = pack_TPMI_ALG_HASH(ptr, &public->nameAlg);
+ ptr = pack_TPMA_OBJECT(ptr, &public->objectAttributes);
+ ptr = pack_TPM2B_DIGEST(ptr, &public->authPolicy);
+ ptr = pack_TPMU_PUBLIC_PARMS(ptr, &public->parameters, &public->type);
+ ptr = pack_TPMU_PUBLIC_ID(ptr, &public->unique, &public->type);
+ return ptr;
+}
+
+inline BYTE* unpack_TPMT_PUBLIC(BYTE* ptr, TPMT_PUBLIC *public)
+{
+ ptr = unpack_TPMI_ALG_PUBLIC(ptr, &public->type);
+ ptr = unpack_TPMI_ALG_HASH(ptr, &public->nameAlg);
+ ptr = unpack_TPMA_OBJECT(ptr, &public->objectAttributes);
+ ptr = unpack_TPM2B_DIGEST(ptr, &public->authPolicy);
+ ptr = unpack_TPMU_PUBLIC_PARMS(ptr, &public->parameters, &public->type);
+ ptr = unpack_TPMU_PUBLIC_ID(ptr, &public->unique, &public->type);
+ return ptr;
+}
+
+inline BYTE* pack_TPM2B_PUBLIC(BYTE* ptr, const TPM2B_PUBLIC *public)
+{
+ BYTE *sizePtr = ptr;
+ ptr += 2;
+ ptr = pack_TPMT_PUBLIC(ptr, &public->publicArea);
+ pack_UINT16(sizePtr, (UINT16)(ptr - sizePtr - 2));
+ return ptr;
+}
+
+inline BYTE* unpack_TPM2B_PUBLIC(BYTE* ptr, TPM2B_PUBLIC *public)
+{
+ ptr = unpack_UINT16(ptr, &public->size);
+ ptr = unpack_TPMT_PUBLIC(ptr, &public->publicArea);
+ return ptr;
+}
+
+inline BYTE* pack_TPMS_PCR_SELECTION(BYTE* ptr, const TPMS_PCR_SELECTION *selection)
+{
+ ptr = pack_TPMI_ALG_HASH(ptr, &selection->hash);
+ ptr = pack_BYTE(ptr, selection->sizeofSelect);
+ ptr = pack_BYTE_ARRAY(ptr, selection->pcrSelect, selection->sizeofSelect);
+ return ptr;
+}
+
+inline BYTE* pack_TPMS_PCR_SELECTION_Array(BYTE* ptr, const TPMS_PCR_SELECTION *selections,
+ const UINT32 cnt)
+{
+ int i;
+ for (i = 0; i < cnt; i++)
+ ptr = pack_TPMS_PCR_SELECTION(ptr, selections + i);
+ return ptr;
+}
+
+inline BYTE* pack_TPM_AuthArea(BYTE* ptr, const TPM_AuthArea *auth)
+{
+ BYTE* sizePtr = ptr;
+ ptr += sizeof(UINT32);
+ ptr = pack_TPM_RH(ptr, &auth->sessionHandle);
+ ptr = pack_TPM2B_NONCE(ptr, &auth->nonce);
+ ptr = pack_TPMA_SESSION(ptr, &auth->sessionAttributes);
+ ptr = pack_TPM2B_AUTH(ptr, &auth->auth);
+ pack_UINT32(sizePtr, ptr - sizePtr - sizeof(UINT32));
+ return ptr;
+}
+
+inline BYTE* unpack_TPM_AuthArea(BYTE* ptr, TPM_AuthArea *auth)
+{
+ ptr = unpack_UINT32(ptr, &auth->size);
+ ptr = unpack_TPM_RH(ptr, &auth->sessionHandle);
+ ptr = unpack_TPM2B_NONCE(ptr, &auth->nonce);
+ ptr = unpack_TPMA_SESSION(ptr, &auth->sessionAttributes);
+ ptr = unpack_TPM2B_AUTH(ptr, &auth->auth);
+ return ptr;
+}
+
+inline BYTE* pack_TPM2_RSA_KEY(BYTE* ptr, const TPM2_RSA_KEY *key)
+{
+ ptr = pack_TPM2B_PRIVATE(ptr, &key->Private);
+ ptr = pack_TPM2B_PUBLIC(ptr, &key->Public);
+ return ptr;
+}
+
+inline BYTE* unpack_TPM2_RSA_KEY(BYTE* ptr, TPM2_RSA_KEY *key)
+{
+ ptr = unpack_TPM2B_PRIVATE(ptr, &key->Private);
+ ptr = unpack_TPM2B_PUBLIC(ptr, &key->Public);
+ return ptr;
+}
+#endif
--
1.8.3.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v4 03/14] vTPM/TPM2: Add global data in vtpm_globals{}
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
2015-01-15 9:21 ` [PATCH v4 01/14] vTPM/TPM2: Add TPM 2.0 data structures and commands definition Quan Xu
2015-01-15 9:21 ` [PATCH v4 02/14] vTPM/TPM2: TPM 2.0 data structures marshal Quan Xu
@ 2015-01-15 9:21 ` Quan Xu
2015-01-15 9:21 ` [PATCH v4 04/14] vTPM/TPM2: Add TPM 2.0 Exposed APIs Quan Xu
` (12 subsequent siblings)
15 siblings, 0 replies; 30+ messages in thread
From: Quan Xu @ 2015-01-15 9:21 UTC (permalink / raw)
To: xen-devel, dgdegra
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, Quan Xu, samuel.thibault
These data is for the Mini-os to access TPM 2.0 hardware.
Signed-off-by: Quan Xu <quan.xu@intel.com>
---
stubdom/vtpmmgr/vtpmmgr.h | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/stubdom/vtpmmgr/vtpmmgr.h b/stubdom/vtpmmgr/vtpmmgr.h
index 2d9d153..0d0c604 100644
--- a/stubdom/vtpmmgr/vtpmmgr.h
+++ b/stubdom/vtpmmgr/vtpmmgr.h
@@ -44,6 +44,7 @@
#include "uuid.h"
#include "tcg.h"
#include "vtpm_manager.h"
+#include "tpm2_types.h"
#define RSA_KEY_SIZE 0x0800
#define RSA_CIPHER_SIZE (RSA_KEY_SIZE / 8)
@@ -59,6 +60,14 @@ struct vtpm_globals {
ctr_drbg_context ctr_drbg;
int hw_locality;
+
+ /* TPM 2.0 */
+ TPM_AuthArea pw_auth;
+ TPM_AuthArea srk_auth_area;
+ TPM_HANDLE srk_handle;
+ TPM_HANDLE sk_handle;
+ TPM2B_NAME sk_name;
+ TPM2_RSA_KEY tpm2_storage_key;
};
struct tpm_opaque {
--
1.8.3.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v4 04/14] vTPM/TPM2: Add TPM 2.0 Exposed APIs
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
` (2 preceding siblings ...)
2015-01-15 9:21 ` [PATCH v4 03/14] vTPM/TPM2: Add global data in vtpm_globals{} Quan Xu
@ 2015-01-15 9:21 ` Quan Xu
2015-01-15 9:21 ` [PATCH v4 05/14] vTPM/TPM2: TPM 2.0 takes ownership and create SRK Quan Xu
` (11 subsequent siblings)
15 siblings, 0 replies; 30+ messages in thread
From: Quan Xu @ 2015-01-15 9:21 UTC (permalink / raw)
To: xen-devel, dgdegra
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, Quan Xu, samuel.thibault
These TPM 2.0 Exposed APIs for the Mini-os to access TPM 2.0
hardware.
Signed-off-by: Quan Xu <quan.xu@intel.com>
---
stubdom/vtpmmgr/Makefile | 2 +-
stubdom/vtpmmgr/tpm2.c | 455 +++++++++++++++++++++++++++++++++++++++++++++++
stubdom/vtpmmgr/tpm2.h | 104 +++++++++++
3 files changed, 560 insertions(+), 1 deletion(-)
create mode 100644 stubdom/vtpmmgr/tpm2.c
create mode 100644 stubdom/vtpmmgr/tpm2.h
diff --git a/stubdom/vtpmmgr/Makefile b/stubdom/vtpmmgr/Makefile
index c5e17c5..6dae034 100644
--- a/stubdom/vtpmmgr/Makefile
+++ b/stubdom/vtpmmgr/Makefile
@@ -12,7 +12,7 @@
XEN_ROOT=../..
TARGET=vtpmmgr.a
-OBJS=vtpmmgr.o vtpm_cmd_handler.o init.o tpmrsa.o tpm.o log.o
+OBJS=vtpmmgr.o vtpm_cmd_handler.o init.o tpmrsa.o tpm.o tpm2.o log.o
OBJS += vtpm_disk.o disk_tpm.o disk_io.o disk_crypto.o disk_read.o disk_write.o
OBJS += mgmt_authority.o
diff --git a/stubdom/vtpmmgr/tpm2.c b/stubdom/vtpmmgr/tpm2.c
new file mode 100644
index 0000000..1903e27
--- /dev/null
+++ b/stubdom/vtpmmgr/tpm2.c
@@ -0,0 +1,455 @@
+/*
+ * Copyright (c) 2014 Intel Corporation.
+ *
+ * Authors:
+ * Quan Xu <quan.xu@intel.com>
+ *
+ * Copyright (c) 2010-2012 United States Government, as represented by
+ * the Secretary of Defense. All rights reserved.
+ *
+ * based off of the original tools/vtpm_manager code base which is:
+ * Copyright (c) 2005/2006, Intel Corp.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#include <stdio.h>
+#include <string.h>
+#include <malloc.h>
+#include <unistd.h>
+#include <errno.h>
+#include <polarssl/sha1.h>
+
+#include "tcg.h"
+#include "tpm.h"
+#include "tpm2.h"
+#include "log.h"
+#include "marshal.h"
+#include "tpm2_marshal.h"
+#include "tpmrsa.h"
+#include "vtpmmgr.h"
+
+#define TCPA_MAX_BUFFER_LENGTH 0x2000
+#define TPM_BEGIN(TAG, ORD) \
+ const TPM_TAG intag = TAG;\
+ TPM_TAG tag = intag;\
+ UINT32 paramSize;\
+ const TPM_COMMAND_CODE ordinal = ORD;\
+ TPM_RESULT status = TPM_SUCCESS;\
+ BYTE in_buf[TCPA_MAX_BUFFER_LENGTH];\
+ BYTE out_buf[TCPA_MAX_BUFFER_LENGTH];\
+ UINT32 out_len = sizeof(out_buf);\
+ BYTE* ptr = in_buf;\
+ /*Print a log message */\
+ vtpmloginfo(VTPM_LOG_TPM, "%s\n", __func__);\
+ /* Pack the header*/\
+ ptr = pack_TPM_TAG(ptr, tag);\
+ ptr += sizeof(UINT32);\
+ ptr = pack_TPM_COMMAND_CODE(ptr, ordinal)\
+
+#define TPM_AUTH_BEGIN() \
+ sha1_context sha1_ctx;\
+ BYTE* authbase = ptr - sizeof(TPM_COMMAND_CODE);\
+ TPM_DIGEST paramDigest;\
+ sha1_starts(&sha1_ctx)
+
+#define TPM_AUTH1_GEN(HMACkey, auth) do {\
+ sha1_finish(&sha1_ctx, paramDigest.digest);\
+ generateAuth(¶mDigest, HMACkey, auth);\
+ ptr = pack_TPM_AUTH_SESSION(ptr, auth);\
+} while(0)
+
+#define TPM_AUTH2_GEN(HMACkey, auth) do {\
+ generateAuth(¶mDigest, HMACkey, auth);\
+ ptr = pack_TPM_AUTH_SESSION(ptr, auth);\
+} while(0)
+
+#define TPM_TRANSMIT() do {\
+ /* Pack the command size */\
+ paramSize = ptr - in_buf;\
+ pack_UINT32(in_buf + sizeof(TPM_TAG), paramSize);\
+ if ((status = TPM_TransmitData(in_buf, paramSize, out_buf, &out_len)) != TPM_SUCCESS) {\
+ goto abort_egress;\
+ }\
+} while(0)
+
+#define TPM_AUTH_VERIFY_BEGIN() do {\
+ UINT32 buf[2] = { cpu_to_be32(status), cpu_to_be32(ordinal) };\
+ sha1_starts(&sha1_ctx);\
+ sha1_update(&sha1_ctx, (unsigned char*)buf, sizeof(buf));\
+ authbase = ptr;\
+} while(0)
+
+#define TPM_AUTH1_VERIFY(HMACkey, auth) do {\
+ sha1_finish(&sha1_ctx, paramDigest.digest);\
+ ptr = unpack_TPM_AUTH_SESSION(ptr, auth);\
+ if ((status = verifyAuth(¶mDigest, HMACkey, auth)) != TPM_SUCCESS) {\
+ goto abort_egress;\
+ }\
+} while(0)
+
+#define TPM_AUTH2_VERIFY(HMACkey, auth) do {\
+ ptr = unpack_TPM_AUTH_SESSION(ptr, auth);\
+ if ((status = verifyAuth(¶mDigest, HMACkey, auth)) != TPM_SUCCESS) {\
+ goto abort_egress;\
+ }\
+} while(0)
+
+#define TPM_UNPACK_VERIFY() do { \
+ ptr = out_buf;\
+ ptr = unpack_TPM_RSP_HEADER(ptr, \
+ &(tag), &(paramSize), &(status));\
+ if ((status) != TPM_SUCCESS){ \
+ vtpmlogerror(VTPM_LOG_TPM, "Failed with return code %s\n", tpm_get_error_name(status));\
+ goto abort_egress;\
+ }\
+} while(0)
+
+#define TPM_AUTH_HASH() do {\
+ sha1_update(&sha1_ctx, authbase, ptr - authbase);\
+ authbase = ptr;\
+} while(0)
+
+#define TPM_AUTH_SKIP() do {\
+ authbase = ptr;\
+} while(0)
+
+TPM_RC TPM2_PCR_Read(TPML_PCR_SELECTION pcrSelectionIn,
+ UINT32 *pcrUpdateCounter,
+ TPML_PCR_SELECTION *pcrSelectionOut,
+ TPML_DIGEST *pcrValues)
+{
+ TPM_BEGIN(TPM_ST_NO_SESSIONS,TPM_CC_PCR_Read);
+
+ /*pack in*/
+ ptr = pack_TPML_PCR_SELECTION(ptr, &pcrSelectionIn);
+
+ TPM_TRANSMIT();
+ TPM_UNPACK_VERIFY();
+
+ /*unpack out*/
+ ptr = unpack_UINT32(ptr, pcrUpdateCounter);
+ ptr = unpack_TPML_PCR_SELECTION(ptr, pcrSelectionOut);
+ ptr = unpack_TPML_DIGEST(ptr, pcrValues);
+
+ goto egress;
+abort_egress:
+egress:
+ return status;
+}
+
+TPM_RC TPM2_Load(TPMI_DH_OBJECT parentHandle,
+ TPM2B_PRIVATE *inPrivate, /* in */
+ TPM2B_PUBLIC *inPublic, /* in */
+ TPM_HANDLE *objectHandle, /* out */
+ TPM2B_NAME *name /* out */)
+{
+ TPM_BEGIN(TPM_ST_SESSIONS, TPM_CC_Load);
+
+ /* pack handle of parent for new object */
+ ptr = pack_UINT32(ptr, parentHandle);
+
+ ptr = pack_TPM_AuthArea(ptr, &vtpm_globals.srk_auth_area);
+ ptr = pack_TPM2B_PRIVATE(ptr, inPrivate);
+ ptr = pack_TPM2B_PUBLIC(ptr, inPublic);
+
+ TPM_TRANSMIT();
+ TPM_UNPACK_VERIFY();
+
+ if (objectHandle != NULL) {
+ ptr = unpack_TPM_HANDLE(ptr, objectHandle);
+ } else {
+ TPM_HANDLE tmp;
+ ptr = unpack_TPM_HANDLE(ptr, &tmp);
+ }
+
+ if (name != NULL)
+ ptr = unpack_TPM2B_NAME(ptr, name);
+ goto egress;
+
+abort_egress:
+egress:
+ return status;
+}
+
+TPM_RC TPM2_Create(TPMI_DH_OBJECT parentHandle,
+ TPM2_Create_Params_in *in,
+ TPM2_Create_Params_out *out)
+{
+ UINT32 param_size;
+ TPM_BEGIN(TPM_ST_SESSIONS, TPM_CC_Create);
+
+ /* pack handle of parent for new object */
+ ptr = pack_UINT32(ptr, parentHandle);
+
+ /* pack Auth Area */
+ ptr = pack_TPM_AuthArea(ptr, &vtpm_globals.srk_auth_area);
+
+ /* pack inSensitive */
+ ptr = pack_TPM2B_SENSITIVE_CREATE(ptr, &in->inSensitive);
+
+ /* pack inPublic */
+ ptr = pack_TPM2B_PUBLIC(ptr, &in->inPublic);
+
+ /* pack outside Info */
+ ptr = pack_TPM2B_DATA(ptr, &in->outsideInfo);
+
+ /* pack createPCR */
+ ptr = pack_TPML_PCR_SELECTION(ptr, &in->creationPCR);
+
+ /* Send the command to the tpm */
+ TPM_TRANSMIT();
+
+ /* Unpack and validate the header */
+ TPM_UNPACK_VERIFY();
+
+ ptr = unpack_UINT32(ptr, ¶m_size);
+ if (out != NULL) {
+ ptr = unpack_TPM2B_PRIVATE(ptr, &vtpm_globals.tpm2_storage_key.Private);
+ ptr = unpack_TPM2B_PUBLIC(ptr, &vtpm_globals.tpm2_storage_key.Public);
+ ptr = unpack_TPM2B_CREATION_DATA(ptr, &out->creationData);
+ ptr = unpack_TPM2B_DIGEST(ptr, &out->creationHash);
+ ptr = unpack_TPMT_TK_CREATION(ptr, &out->creationTicket);
+ } else {
+ ptr += param_size;
+ }
+ goto egress;
+
+abort_egress:
+egress:
+ return status;
+}
+
+TPM_RC TPM2_CreatePrimary(TPMI_RH_HIERARCHY primaryHandle,
+ TPM2_Create_Params_in *in,
+ TPM_HANDLE *objHandle,
+ TPM2_Create_Params_out *out)
+{
+ UINT32 param_size;
+ TPM_BEGIN(TPM_ST_SESSIONS, TPM_CC_CreatePrimary);
+
+ /* pack primary handle */
+ ptr = pack_UINT32(ptr, primaryHandle);
+
+ /* pack Auth Area */
+ ptr = pack_TPM_AuthArea(ptr, &vtpm_globals.pw_auth);
+
+ /* pack inSenstive */
+ ptr = pack_TPM2B_SENSITIVE_CREATE(ptr, &in->inSensitive);
+
+ /* pack inPublic */
+ ptr = pack_TPM2B_PUBLIC(ptr, &in->inPublic);
+
+ /* pack outsideInfo */
+ ptr = pack_TPM2B_DATA(ptr, &in->outsideInfo);
+
+ /* pack creationPCR */
+ ptr = pack_TPML_PCR_SELECTION(ptr, &in->creationPCR);
+
+ /* Send the command to the tpm */
+ TPM_TRANSMIT();
+
+ /* Unpack and validate the header */
+ TPM_UNPACK_VERIFY();
+
+ if (objHandle != NULL)
+ ptr = unpack_TPM_HANDLE(ptr, objHandle);
+ else {
+ TPM_HANDLE handle;
+ ptr = unpack_TPM_HANDLE(ptr, &handle);
+ }
+ ptr = unpack_UINT32(ptr, ¶m_size);
+
+ if (out != NULL) {
+ ptr = unpack_TPM2B_PUBLIC(ptr, &out->outPublic);
+ ptr = unpack_TPM2B_CREATION_DATA(ptr, &out->creationData);
+ ptr = unpack_TPM2B_DIGEST(ptr, &out->creationHash);
+ ptr = unpack_TPMT_TK_CREATION(ptr, &out->creationTicket);
+ } else {
+ ptr += param_size;
+ }
+
+goto egress;
+
+abort_egress:
+egress:
+ return status;
+}
+
+TPM_RC TPM2_HierachyChangeAuth(TPMI_RH_HIERARCHY_AUTH authHandle, TPM2B_AUTH *newAuth)
+{
+ TPM_BEGIN(TPM_ST_SESSIONS, TPM_CC_HierarchyChangeAuth);
+ ptr = pack_UINT32(ptr, authHandle);
+ ptr = pack_TPM_AuthArea(ptr, &vtpm_globals.pw_auth);
+ ptr = pack_TPM2B_AUTH(ptr, newAuth);
+ TPM_TRANSMIT();
+ TPM_UNPACK_VERIFY();
+
+abort_egress:
+ return status;
+}
+
+TPM_RC TPM2_RSA_ENCRYPT(TPMI_DH_OBJECT keyHandle,
+ TPM2B_PUBLIC_KEY_RSA *message,
+ TPMT_RSA_DECRYPT *inScheme,
+ TPM2B_DATA *label,
+ TPM2B_PUBLIC_KEY_RSA *outData)
+{
+ TPM_BEGIN(TPM_ST_NO_SESSIONS, TPM_CC_RSA_Encrypt);
+
+ ptr = pack_UINT32(ptr, keyHandle);
+ ptr = pack_TPM2B_PUBLIC_KEY_RSA(ptr, message);
+ ptr = pack_TPMT_RSA_DECRYPT(ptr, inScheme);
+ ptr = pack_TPM2B_DATA(ptr, label);
+
+ TPM_TRANSMIT();
+ TPM_UNPACK_VERIFY();
+
+ if (outData != NULL)
+ unpack_TPM2B_PUBLIC_KEY_RSA(ptr, outData);
+abort_egress:
+ return status;
+}
+
+TPM_RC TPM2_Bind(TPMI_DH_OBJECT keyHandle,
+ void *buf,
+ UINT32 len,
+ void *out)
+{
+ TPM_RC status = TPM_SUCCESS;
+ TPM2B_PUBLIC_KEY_RSA message;
+ TPMT_RSA_DECRYPT inScheme;
+ TPM2B_DATA label;
+ TPM2B_PUBLIC_KEY_RSA outData;
+
+ message.size = len;
+ memcpy(message.buffer, buf, len);
+ inScheme.scheme = TPM2_ALG_NULL;
+ label.size = 0;
+ TPMTRYRETURN(TPM2_RSA_ENCRYPT(keyHandle, &message, &inScheme, &label, &outData));
+ memcpy(out, outData.buffer, outData.size);
+
+abort_egress:
+ return status;
+}
+
+TPM_RC TPM2_RSA_Decrypt(TPMI_DH_OBJECT keyHandle,
+ TPM2B_PUBLIC_KEY_RSA *cipherText,
+ TPMT_RSA_DECRYPT *inScheme,
+ TPM2B_DATA *label,
+ TPM2B_PUBLIC_KEY_RSA *message)
+{
+ UINT32 param_size;
+
+ TPM_BEGIN(TPM_ST_SESSIONS, TPM_CC_RSA_Decrypt);
+ ptr = pack_UINT32(ptr, keyHandle);
+ ptr = pack_TPM_AuthArea(ptr, &vtpm_globals.srk_auth_area);
+ ptr = pack_TPM2B_PUBLIC_KEY_RSA(ptr, cipherText);
+ ptr = pack_TPMT_RSA_DECRYPT(ptr, inScheme);
+ ptr = pack_TPM2B_DATA(ptr, label);
+
+ TPM_TRANSMIT();
+ TPM_UNPACK_VERIFY();
+
+ ptr = unpack_UINT32(ptr, ¶m_size);
+
+ if (message)
+ ptr = unpack_TPM2B_PUBLIC_KEY_RSA(ptr, message);
+
+abort_egress:
+ return status;
+}
+
+TPM_RC TPM2_UnBind(TPMI_DH_OBJECT keyHandle,
+ UINT32 ilen,
+ void *in,
+ UINT32 *olen,
+ void *out)
+{
+ UINT32 status;
+ TPM2B_PUBLIC_KEY_RSA cipher, message;
+ TPMT_RSA_DECRYPT inScheme;
+ TPM2B_DATA label;
+
+ cipher.size = ilen;
+ memcpy(cipher.buffer, in, ilen);
+ inScheme.scheme = TPM2_ALG_NULL;
+ label.size = 0;
+
+ TPMTRYRETURN(TPM2_RSA_Decrypt(keyHandle, &cipher, &inScheme, &label, &message));
+
+ *olen = message.size;
+ memcpy(out, message.buffer, *olen);
+
+abort_egress:
+ return status;
+}
+
+TPM_RC TPM2_CLEAR(void)
+{
+ TPM_BEGIN(TPM_ST_SESSIONS, TPM_CC_Clear);
+
+ ptr = pack_UINT32(ptr, TPM_RH_PLATFORM);
+ ptr = pack_TPM_AuthArea(ptr, &vtpm_globals.pw_auth);
+
+ TPM_TRANSMIT();
+ TPM_UNPACK_VERIFY();
+
+abort_egress:
+ return status;
+}
+
+TPM_RC TPM2_GetRandom(UINT32 * bytesRequested, BYTE * randomBytes)
+{
+ TPM_BEGIN(TPM_ST_NO_SESSIONS, TPM_CC_GetRandom);
+
+ ptr = pack_UINT16(ptr, (UINT16)*bytesRequested);
+
+ TPM_TRANSMIT();
+ TPM_UNPACK_VERIFY();
+
+ ptr = unpack_UINT16(ptr, (UINT16 *)bytesRequested);
+ ptr = unpack_TPM_BUFFER(ptr, randomBytes, *bytesRequested);
+
+abort_egress:
+ return status;
+}
+
+TPM_RC TPM2_FlushContext(TPMI_DH_CONTEXT flushHandle)
+{
+ TPM_BEGIN(TPM_ST_NO_SESSIONS, TPM_CC_FlushContext);
+
+ ptr = pack_UINT32(ptr, flushHandle);
+
+ TPM_TRANSMIT();
+ TPM_UNPACK_VERIFY();
+
+abort_egress:
+ return status;
+}
diff --git a/stubdom/vtpmmgr/tpm2.h b/stubdom/vtpmmgr/tpm2.h
new file mode 100644
index 0000000..9f597ee
--- /dev/null
+++ b/stubdom/vtpmmgr/tpm2.h
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 2014 Intel Corporation.
+ *
+ * Authors:
+ * Quan Xu <quan.xu@intel.com>
+ *
+ * Copyright (c) 2010-2012 United States Government, as represented by
+ * the Secretary of Defense. All rights reserved.
+ *
+ * based off of the original tools/vtpm_manager code base which is:
+ * Copyright (c) 2005/2006, Intel Corp.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#ifndef __TPM2_H__
+#define __TPM2_H__
+
+#include "tcg.h"
+#include "tpm2_types.h"
+
+// ------------------------------------------------------------------
+// TPM 2.0 Exposed API
+// ------------------------------------------------------------------
+
+TPM_RC TPM2_PCR_Read(TPML_PCR_SELECTION pcrSelectionIn,
+ UINT32 *pcrUpdateCounter,
+ TPML_PCR_SELECTION *pcrSelectionOut,
+ TPML_DIGEST *pcrValues);
+
+TPM_RC TPM2_Load(TPMI_DH_OBJECT parentHandle,
+ TPM2B_PRIVATE *inPrivate,
+ TPM2B_PUBLIC *inPublic,
+ TPM_HANDLE *objectHandle,
+ TPM2B_NAME *name);
+
+TPM_RC TPM2_Create(TPMI_DH_OBJECT parentHandle,
+ TPM2_Create_Params_in *in,
+ TPM2_Create_Params_out *out);
+
+TPM_RC TPM2_CreatePrimary(TPMI_RH_HIERARCHY primaryHandle,
+ TPM2_Create_Params_in *objHandle,
+ TPM_HANDLE *in,
+ TPM2_Create_Params_out *out);
+
+TPM_RC TPM2_HierachyChangeAuth(TPMI_RH_HIERARCHY_AUTH authHandle,
+ TPM2B_AUTH *newAuth);
+
+TPM_RC TPM2_RSA_ENCRYPT(TPMI_DH_OBJECT keyHandle,
+ TPM2B_PUBLIC_KEY_RSA *message,
+ TPMT_RSA_DECRYPT *inScheme,
+ TPM2B_DATA *label,
+ TPM2B_PUBLIC_KEY_RSA *outData);
+
+TPM_RC TPM2_Bind(TPMI_DH_OBJECT keyHandle,
+ void *buf,
+ UINT32 len,
+ void *out);
+
+TPM_RC TPM2_RSA_Decrypt(TPMI_DH_OBJECT keyHandle,
+ TPM2B_PUBLIC_KEY_RSA *cipherText,
+ TPMT_RSA_DECRYPT *inScheme,
+ TPM2B_DATA *label,
+ TPM2B_PUBLIC_KEY_RSA *message);
+
+TPM_RC TPM2_UnBind(TPMI_DH_OBJECT keyHandle,
+ UINT32 ilen,
+ void *in,
+ UINT32 *olen,
+ void *out);
+
+TPM_RESULT TPM2_GetRandom(UINT32* bytesRequested,
+ BYTE* randomBytes);
+
+TPM_RC TPM2_CLEAR(void);
+
+TPM_RC TPM2_FlushContext(TPMI_DH_CONTEXT);
+#endif //TPM2_H
--
1.8.3.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v4 05/14] vTPM/TPM2: TPM 2.0 takes ownership and create SRK
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
` (3 preceding siblings ...)
2015-01-15 9:21 ` [PATCH v4 04/14] vTPM/TPM2: Add TPM 2.0 Exposed APIs Quan Xu
@ 2015-01-15 9:21 ` Quan Xu
2015-01-15 9:21 ` [PATCH v4 06/14] vTPM/TPM2: Create and load SK on TPM 2.0 Quan Xu
` (10 subsequent siblings)
15 siblings, 0 replies; 30+ messages in thread
From: Quan Xu @ 2015-01-15 9:21 UTC (permalink / raw)
To: xen-devel, dgdegra
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, Quan Xu, samuel.thibault
TPM2_CreatePrimary is used to create a Primary Object under one of
the Primary Seeds or a Temporary Object under TPM_RH_NULL. The command
uses a TPM2B_PUBLIC as a template for the object to be created. The
command will create and load a Primary Object. The sensitive area is
not returned. Any type of object and attributes combination that is
allowed by TPM2_Create() may be created by this command. The constraints
on templates and parameters are the same as TPM2_Create() except that a
Primary Storage Key and a Temporary Storage Key are not constrained to
use the algorithms of their parents.
Signed-off-by: Quan Xu <quan.xu@intel.com>
---
stubdom/vtpmmgr/init.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++
stubdom/vtpmmgr/vtpmmgr.h | 3 ++
2 files changed, 74 insertions(+)
diff --git a/stubdom/vtpmmgr/init.c b/stubdom/vtpmmgr/init.c
index f3aa02f..c654071 100644
--- a/stubdom/vtpmmgr/init.c
+++ b/stubdom/vtpmmgr/init.c
@@ -51,6 +51,7 @@
#include "vtpm_disk.h"
#include "tpm.h"
#include "marshal.h"
+#include "tpm2.h"
struct Opts {
enum {
@@ -509,3 +510,73 @@ void vtpmmgr_shutdown(void)
vtpmloginfo(VTPM_LOG_VTPM, "VTPM Manager stopped.\n");
}
+
+/* TPM 2.0 */
+
+static void tpm2_AuthArea_ctor(const char *authValue, UINT32 authLen,
+ TPM_AuthArea *auth)
+{
+ auth->sessionHandle = TPM_RS_PW;
+ auth->nonce.size = 0;
+ auth->sessionAttributes = 1;
+ auth->auth.size = authLen;
+ memcpy(auth->auth.buffer, authValue, authLen);
+ auth->size = 9 + authLen;
+}
+
+TPM_RC tpm2_take_ownership(void)
+{
+ TPM_RC status = TPM_SUCCESS;
+
+ tpm2_AuthArea_ctor(NULL, 0, &vtpm_globals.pw_auth);
+
+ /* create SRK */
+ TPM2_CreatePrimary_Params_in in = {
+ .inSensitive = {
+ .size = 4,
+ .sensitive = {
+ .userAuth.size = 0,
+ .userAuth.buffer = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 },
+ .data.size = 0,
+ },
+ },
+ .inPublic = {
+ .size = 60,
+ .publicArea = {
+ .type = TPM2_ALG_RSA,
+ .nameAlg = TPM2_ALG_SHA256,
+#define SRK_OBJ_ATTR (fixedTPM | fixedParent | userWithAuth | \
+ sensitiveDataOrigin | restricted | decrypt)
+ .objectAttributes = SRK_OBJ_ATTR,
+ .authPolicy.size = 0,
+ .parameters.rsaDetail = {
+ .symmetric = {
+ .algorithm = TPM2_ALG_AES,
+ .keyBits.aes = AES_KEY_SIZES_BITS,
+ .mode.aes = TPM2_ALG_CFB,
+ },
+ .scheme = { TPM2_ALG_NULL },
+ .keyBits = RSA_KEY_SIZES_BITS,
+ .exponent = 0,
+ },
+ .unique.rsa.size = 0,
+ },
+ },
+ .outsideInfo.size = 0,
+ .creationPCR.count = 0,
+ };
+
+ TPMTRYRETURN(TPM2_CreatePrimary(TPM_RH_OWNER,&in,
+ &vtpm_globals.srk_handle, NULL));
+ vtpmloginfo(VTPM_LOG_VTPM, "SRK handle: 0x%X\n", vtpm_globals.srk_handle);
+ {
+ const char data[20] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
+ tpm2_AuthArea_ctor(data, 20, &vtpm_globals.srk_auth_area);
+ }
+ /*end create SRK*/
+
+abort_egress:
+ return status;
+}
diff --git a/stubdom/vtpmmgr/vtpmmgr.h b/stubdom/vtpmmgr/vtpmmgr.h
index 0d0c604..95519ba 100644
--- a/stubdom/vtpmmgr/vtpmmgr.h
+++ b/stubdom/vtpmmgr/vtpmmgr.h
@@ -93,4 +93,7 @@ inline TPM_RESULT vtpmmgr_rand(unsigned char* bytes, size_t num_bytes) {
return ctr_drbg_random(&vtpm_globals.ctr_drbg, bytes, num_bytes) == 0 ? 0 : TPM_FAIL;
}
+/* TPM 2.0 */
+TPM_RC tpm2_take_ownership(void);
+
#endif
--
1.8.3.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v4 06/14] vTPM/TPM2: Create and load SK on TPM 2.0
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
` (4 preceding siblings ...)
2015-01-15 9:21 ` [PATCH v4 05/14] vTPM/TPM2: TPM 2.0 takes ownership and create SRK Quan Xu
@ 2015-01-15 9:21 ` Quan Xu
2015-01-15 9:21 ` [PATCH v4 07/14] vTPM/TPM2: TPM2.0 TIS initialization and self test Quan Xu
` (9 subsequent siblings)
15 siblings, 0 replies; 30+ messages in thread
From: Quan Xu @ 2015-01-15 9:21 UTC (permalink / raw)
To: xen-devel, dgdegra
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, Quan Xu, samuel.thibault
TPM2_Create is used to create an object that can be loaded into a
TPM using TPM2_Load(). If the command completes successfully, the
TPM will create the new object and return the object’s creation.
data (creationData), its public area (outPublic), and its encrypted
sensitive area (outPrivate). Preservation of the returned data is
the responsibility of the caller. The object will need to be loaded
(TPM2_Load()).
TPM2_Load is used to load objects into the TPM. This command is used
when both a TPM2B_PUBLIC and TPM2B_PRIVATE are to be loaded. If only
a TPM2B_PUBLIC is to be loaded, the TPM2_LoadExternal command is used.
Signed-off-by: Quan Xu <quan.xu@intel.com>
---
stubdom/vtpmmgr/init.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++
stubdom/vtpmmgr/vtpmmgr.h | 1 +
2 files changed, 66 insertions(+)
diff --git a/stubdom/vtpmmgr/init.c b/stubdom/vtpmmgr/init.c
index c654071..43ba693 100644
--- a/stubdom/vtpmmgr/init.c
+++ b/stubdom/vtpmmgr/init.c
@@ -580,3 +580,68 @@ TPM_RC tpm2_take_ownership(void)
abort_egress:
return status;
}
+
+TPM_RESULT vtpmmgr2_create(void)
+{
+ TPM_RESULT status = TPM_SUCCESS;
+
+ TPMTRYRETURN(tpm2_take_ownership());
+
+ /* create SK */
+ TPM2_Create_Params_out out;
+ TPM2_Create_Params_in in = {
+ .inSensitive = {
+ .size = 4 + 20,
+ .sensitive = {
+ .userAuth.size = 20,
+ .userAuth.buffer = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 },
+ .data.size = 0,
+ },
+ },
+ .inPublic = {
+ .size = (60),
+ .publicArea = {
+ .type = TPM2_ALG_RSA,
+ .nameAlg = TPM2_ALG_SHA256,
+#define SK_OBJ_ATTR (fixedTPM | fixedParent | userWithAuth |\
+ sensitiveDataOrigin |decrypt)
+ .objectAttributes = SK_OBJ_ATTR,
+ .authPolicy.size = 0,
+ .parameters.rsaDetail = {
+ .symmetric = {
+ .algorithm = TPM2_ALG_NULL,
+ },
+ .scheme = {
+ TPM2_ALG_OAEP,
+ .details.oaep.hashAlg = TPM2_ALG_SHA256,
+ },
+ .keyBits = RSA_KEY_SIZES_BITS,
+ .exponent = 0,
+ },
+ .unique.rsa.size = 0,
+ },
+ },
+ .outsideInfo.size = 0,
+ .creationPCR.count = 0,
+ };/*end in */
+
+ TPMTRYRETURN(TPM2_Create(vtpm_globals.srk_handle, &in, &out));
+ TPMTRYRETURN(TPM2_Load(vtpm_globals.srk_handle,
+ &vtpm_globals.tpm2_storage_key.Private,
+ &vtpm_globals.tpm2_storage_key.Public,
+ &vtpm_globals.sk_handle,
+ &vtpm_globals.sk_name));
+
+ vtpmloginfo(VTPM_LOG_VTPM, "SK HANDLE: 0x%X\n", vtpm_globals.sk_handle);
+
+ /*Create new disk image*/
+ TPMTRYRETURN(vtpm_new_disk());
+
+ goto egress;
+
+abort_egress:
+egress:
+ vtpmloginfo(VTPM_LOG_VTPM, "Finished initialized new VTPM manager\n");
+ return status;
+}
diff --git a/stubdom/vtpmmgr/vtpmmgr.h b/stubdom/vtpmmgr/vtpmmgr.h
index 95519ba..9889feb 100644
--- a/stubdom/vtpmmgr/vtpmmgr.h
+++ b/stubdom/vtpmmgr/vtpmmgr.h
@@ -95,5 +95,6 @@ inline TPM_RESULT vtpmmgr_rand(unsigned char* bytes, size_t num_bytes) {
/* TPM 2.0 */
TPM_RC tpm2_take_ownership(void);
+TPM_RESULT vtpmmgr2_create(void);
#endif
--
1.8.3.2
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v4 07/14] vTPM/TPM2: TPM2.0 TIS initialization and self test.
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
` (5 preceding siblings ...)
2015-01-15 9:21 ` [PATCH v4 06/14] vTPM/TPM2: Create and load SK on TPM 2.0 Quan Xu
@ 2015-01-15 9:21 ` Quan Xu
2015-01-15 9:21 ` [PATCH v4 08/14] vTPM/TPM2: Add main entrance vtpmmgr2_init() Quan Xu
` (8 subsequent siblings)
15 siblings, 0 replies; 30+ messages in thread
From: Quan Xu @ 2015-01-15 9:21 UTC (permalink / raw)
To: xen-devel, dgdegra
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, Quan Xu, samuel.thibault
call the TPM 2.0 various registers that allow communication between
the TPM 2.0 and platform hardware and software. TPM2_SelfTest causes
the TPM 2.0 to perform a test of its capabilities.
Signed-off-by: Quan Xu <quan.xu@intel.com>
---
| 1 +
| 156 +++++++++++++++++++++++++++++++++++++++
2 files changed, 157 insertions(+)
--git a/extras/mini-os/include/tpm_tis.h b/extras/mini-os/include/tpm_tis.h
index 1faca0d..86e83f1 100644
--- a/extras/mini-os/include/tpm_tis.h
+++ b/extras/mini-os/include/tpm_tis.h
@@ -36,6 +36,7 @@
struct tpm_chip;
struct tpm_chip* init_tpm_tis(unsigned long baseaddr, int localities, unsigned int irq);
+struct tpm_chip* init_tpm2_tis(unsigned long baseaddr, int localities, unsigned int irq);
void shutdown_tpm_tis(struct tpm_chip* tpm);
int tpm_tis_request_locality(struct tpm_chip* tpm, int locality);
--git a/extras/mini-os/tpm_tis.c b/extras/mini-os/tpm_tis.c
index d78c465..debcc43 100644
--- a/extras/mini-os/tpm_tis.c
+++ b/extras/mini-os/tpm_tis.c
@@ -1363,5 +1363,161 @@ int tpm_tis_posix_fstat(int fd, struct stat* buf)
return 0;
}
+/* TPM 2.0 */
+/*TPM2.0 Selftest*/
+static void tpm2_selftest(struct tpm_chip* chip)
+{
+ uint8_t data[] = {
+ 0x80, 0x1,
+ 0x0, 0x0, 0x0, 0xb,
+ 0x0, 0x0, 0x1, 0x43,
+ 0x1,
+ };
+
+ tpm_transmit(chip, data, sizeof(data));
+}
+
+struct tpm_chip* init_tpm2_tis(unsigned long baseaddr, int localities, unsigned int irq)
+{
+ int i;
+ unsigned long addr;
+ struct tpm_chip* tpm = NULL;
+ uint32_t didvid;
+ uint32_t intfcaps;
+ uint32_t intmask;
+
+ printk("============= Init TPM2 TIS Driver ==============\n");
+
+ /*Sanity check the localities input */
+ if (localities & ~TPM_TIS_EN_LOCLALL) {
+ printk("init_tpm2_tis Invalid locality specification! %X\n", localities);
+ goto abort_egress;
+ }
+
+ printk("IOMEM Machine Base Address: %lX\n", baseaddr);
+
+ /* Create the tpm data structure */
+ tpm = malloc(sizeof(struct tpm_chip));
+ __init_tpm_chip(tpm);
+
+ /* Set the enabled localities - if 0 we leave default as all enabled */
+ if (localities != 0) {
+ tpm->enabled_localities = localities;
+ }
+ printk("Enabled Localities: ");
+ for (i = 0; i < 5; ++i) {
+ if (locality_enabled(tpm, i)) {
+ printk("%d ", i);
+ }
+ }
+ printk("\n");
+
+ /* Set the base machine address */
+ tpm->baseaddr = baseaddr;
+
+ /* Set default timeouts */
+ tpm->timeout_a = MILLISECS(TIS_SHORT_TIMEOUT);
+ tpm->timeout_b = MILLISECS(TIS_LONG_TIMEOUT);
+ tpm->timeout_c = MILLISECS(TIS_SHORT_TIMEOUT);
+ tpm->timeout_d = MILLISECS(TIS_SHORT_TIMEOUT);
+
+ /*Map the mmio pages */
+ addr = tpm->baseaddr;
+ for (i = 0; i < 5; ++i) {
+ if (locality_enabled(tpm, i)) {
+
+ /* Map the page in now */
+ if ((tpm->pages[i] = ioremap_nocache(addr, PAGE_SIZE)) == NULL) {
+ printk("Unable to map iomem page a address %p\n", addr);
+ goto abort_egress;
+ }
+
+ /* Set default locality to the first enabled one */
+ if (tpm->locality < 0) {
+ if (tpm_tis_request_locality(tpm, i) < 0) {
+ printk("Unable to request locality %d??\n", i);
+ goto abort_egress;
+ }
+ }
+ }
+ addr += PAGE_SIZE;
+ }
+
+ /* Get the vendor and device ids */
+ didvid = ioread32(TPM_DID_VID(tpm, tpm->locality));
+ tpm->did = didvid >> 16;
+ tpm->vid = didvid & 0xFFFF;
+
+ /* Get the revision id */
+ tpm->rid = ioread8(TPM_RID(tpm, tpm->locality));
+ printk("2.0 TPM (device-id=0x%X vendor-id = %X rev-id = %X)\n",
+ tpm->did, tpm->vid, tpm->rid);
+
+ intfcaps = ioread32(TPM_INTF_CAPS(tpm, tpm->locality));
+ printk("TPM interface capabilities (0x%x):\n", intfcaps);
+ if (intfcaps & TPM_INTF_BURST_COUNT_STATIC)
+ printk("\tBurst Count Static\n");
+ if (intfcaps & TPM_INTF_CMD_READY_INT)
+ printk("\tCommand Ready Int Support\n");
+ if (intfcaps & TPM_INTF_INT_EDGE_FALLING)
+ printk("\tInterrupt Edge Falling\n");
+ if (intfcaps & TPM_INTF_INT_EDGE_RISING)
+ printk("\tInterrupt Edge Rising\n");
+ if (intfcaps & TPM_INTF_INT_LEVEL_LOW)
+ printk("\tInterrupt Level Low\n");
+ if (intfcaps & TPM_INTF_INT_LEVEL_HIGH)
+ printk("\tInterrupt Level High\n");
+ if (intfcaps & TPM_INTF_LOCALITY_CHANGE_INT)
+ printk("\tLocality Change Int Support\n");
+ if (intfcaps & TPM_INTF_STS_VALID_INT)
+ printk("\tSts Valid Int Support\n");
+ if (intfcaps & TPM_INTF_DATA_AVAIL_INT)
+ printk("\tData Avail Int Support\n");
+
+ /*Interupt setup */
+ intmask = ioread32(TPM_INT_ENABLE(tpm, tpm->locality));
+
+ intmask |= TPM_INTF_CMD_READY_INT | TPM_INTF_LOCALITY_CHANGE_INT |
+ TPM_INTF_DATA_AVAIL_INT | TPM_INTF_STS_VALID_INT;
+
+ iowrite32(TPM_INT_ENABLE(tpm, tpm->locality), intmask);
+
+ /*If interupts are enabled, handle it */
+ if (irq) {
+ if (irq != TPM_PROBE_IRQ) {
+ tpm->irq = irq;
+ } else {
+ /*FIXME add irq probing feature later */
+ printk("IRQ probing not implemented\n");
+ }
+ }
+
+ if (tpm->irq) {
+ iowrite8(TPM_INT_VECTOR(tpm, tpm->locality), tpm->irq);
+ if (bind_pirq(tpm->irq, 1, tpm_tis_irq_handler, tpm) != 0) {
+ printk("Unabled to request irq: %u for use\n", tpm->irq);
+ printk("Will use polling mode\n");
+ tpm->irq = 0;
+ } else {
+
+ /* Clear all existing */
+ iowrite32(TPM_INT_STATUS(tpm, tpm->locality),
+ ioread32(TPM_INT_STATUS(tpm, tpm->locality)));
+
+ /* Turn on interrupts */
+ iowrite32(TPM_INT_ENABLE(tpm, tpm->locality),
+ intmask | TPM_GLOBAL_INT_ENABLE);
+ }
+ }
+
+ tpm2_selftest(tpm);
+ return tpm;
+
+abort_egress:
+ if (tpm != NULL) {
+ shutdown_tpm_tis(tpm);
+ }
+ return NULL;
+}
#endif
--
1.8.3.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v4 08/14] vTPM/TPM2: Add main entrance vtpmmgr2_init()
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
` (6 preceding siblings ...)
2015-01-15 9:21 ` [PATCH v4 07/14] vTPM/TPM2: TPM2.0 TIS initialization and self test Quan Xu
@ 2015-01-15 9:21 ` Quan Xu
2015-01-15 9:21 ` [PATCH v4 09/14] vTPM/TPM2: Support 'tpm2' extra command line Quan Xu
` (7 subsequent siblings)
15 siblings, 0 replies; 30+ messages in thread
From: Quan Xu @ 2015-01-15 9:21 UTC (permalink / raw)
To: xen-devel, dgdegra
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, Quan Xu, samuel.thibault
Accept commands from the vtpm-stubdom domains via the mini-os TPM
backend driver. The vTPM manager communicates directly with hardware
TPM 2.0 using the mini-os tpm2_tis driver.
Signed-off-by: Quan Xu <quan.xu@intel.com>
---
stubdom/vtpmmgr/init.c | 109 ++++++++++++++++++++++++++++++++++++++++++++++
stubdom/vtpmmgr/vtpmmgr.h | 1 +
2 files changed, 110 insertions(+)
diff --git a/stubdom/vtpmmgr/init.c b/stubdom/vtpmmgr/init.c
index 43ba693..980f622 100644
--- a/stubdom/vtpmmgr/init.c
+++ b/stubdom/vtpmmgr/init.c
@@ -645,3 +645,112 @@ egress:
vtpmloginfo(VTPM_LOG_VTPM, "Finished initialized new VTPM manager\n");
return status;
}
+
+static int tpm2_entropy_source(void* dummy, unsigned char* data,
+ size_t len, size_t* olen)
+{
+ UINT32 sz = len;
+ TPM_RESULT rc = TPM2_GetRandom(&sz, data);
+ *olen = sz;
+ return rc == TPM_SUCCESS ? 0 : POLARSSL_ERR_ENTROPY_SOURCE_FAILED;
+}
+
+/*TPM 2.0 Objects flush */
+static TPM_RC flush_tpm2(void)
+{
+ int i;
+
+ for (i = TRANSIENT_FIRST; i < TRANSIENT_LAST; i++)
+ TPM2_FlushContext(i);
+
+ return TPM_SUCCESS;
+}
+
+TPM_RESULT vtpmmgr2_init(int argc, char** argv)
+{
+ TPM_RESULT status = TPM_SUCCESS;
+
+ /* Default commandline options */
+ struct Opts opts = {
+ .tpmdriver = TPMDRV_TPM_TIS,
+ .tpmiomem = TPM_BASEADDR,
+ .tpmirq = 0,
+ .tpmlocality = 0,
+ .gen_owner_auth = 0,
+ };
+
+ if (parse_cmdline_opts(argc, argv, &opts) != 0) {
+ vtpmlogerror(VTPM_LOG_VTPM, "Command line parsing failed! exiting..\n");
+ status = TPM_BAD_PARAMETER;
+ goto abort_egress;
+ }
+
+ /*Setup storage system*/
+ if (vtpm_storage_init() != 0) {
+ vtpmlogerror(VTPM_LOG_VTPM, "Unable to initialize storage subsystem!\n");
+ status = TPM_IOERROR;
+ goto abort_egress;
+ }
+
+ /*Setup tpmback device*/
+ init_tpmback(set_opaque, free_opaque);
+
+ /*Setup tpm access*/
+ switch(opts.tpmdriver) {
+ case TPMDRV_TPM_TIS:
+ {
+ struct tpm_chip* tpm;
+ if ((tpm = init_tpm2_tis(opts.tpmiomem, TPM_TIS_LOCL_INT_TO_FLAG(opts.tpmlocality),
+ opts.tpmirq)) == NULL) {
+ vtpmlogerror(VTPM_LOG_VTPM, "Unable to initialize tpmfront device\n");
+ status = TPM_IOERROR;
+ goto abort_egress;
+ }
+ printk("init_tpm2_tis() ...ok\n");
+ vtpm_globals.tpm_fd = tpm_tis_open(tpm);
+ tpm_tis_request_locality(tpm, opts.tpmlocality);
+ }
+ break;
+ case TPMDRV_TPMFRONT:
+ {
+ struct tpmfront_dev* tpmfront_dev;
+ if ((tpmfront_dev = init_tpmfront(NULL)) == NULL) {
+ vtpmlogerror(VTPM_LOG_VTPM, "Unable to initialize tpmfront device\n");
+ status = TPM_IOERROR;
+ goto abort_egress;
+ }
+ vtpm_globals.tpm_fd = tpmfront_open(tpmfront_dev);
+ }
+ break;
+ }
+ printk("TPM 2.0 access ...ok\n");
+ /* Blow away all stale handles left in the tpm*/
+ if (flush_tpm2() != TPM_SUCCESS) {
+ vtpmlogerror(VTPM_LOG_VTPM, "VTPM_FlushResources failed, continuing anyway..\n");
+ }
+
+ /* Initialize the rng */
+ entropy_init(&vtpm_globals.entropy);
+ entropy_add_source(&vtpm_globals.entropy, tpm2_entropy_source, NULL, 0);
+ entropy_gather(&vtpm_globals.entropy);
+ ctr_drbg_init(&vtpm_globals.ctr_drbg, entropy_func, &vtpm_globals.entropy, NULL, 0);
+ ctr_drbg_set_prediction_resistance( &vtpm_globals.ctr_drbg, CTR_DRBG_PR_OFF );
+
+ /* Generate Auth for Owner*/
+ if (opts.gen_owner_auth) {
+ vtpmmgr_rand(vtpm_globals.owner_auth, sizeof(TPM_AUTHDATA));
+ }
+
+ /* Load the Manager data, if it fails create a new manager */
+ if (vtpm_load_disk()) {
+ vtpmloginfo(VTPM_LOG_VTPM, "Assuming first time initialization.\n");
+ TPMTRYRETURN(vtpmmgr2_create());
+ }
+
+ goto egress;
+
+abort_egress:
+ vtpmmgr_shutdown();
+egress:
+ return status;
+}
diff --git a/stubdom/vtpmmgr/vtpmmgr.h b/stubdom/vtpmmgr/vtpmmgr.h
index 9889feb..c479443 100644
--- a/stubdom/vtpmmgr/vtpmmgr.h
+++ b/stubdom/vtpmmgr/vtpmmgr.h
@@ -96,5 +96,6 @@ inline TPM_RESULT vtpmmgr_rand(unsigned char* bytes, size_t num_bytes) {
/* TPM 2.0 */
TPM_RC tpm2_take_ownership(void);
TPM_RESULT vtpmmgr2_create(void);
+TPM_RESULT vtpmmgr2_init(int argc, char** argv);
#endif
--
1.8.3.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v4 09/14] vTPM/TPM2: Support 'tpm2' extra command line.
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
` (7 preceding siblings ...)
2015-01-15 9:21 ` [PATCH v4 08/14] vTPM/TPM2: Add main entrance vtpmmgr2_init() Quan Xu
@ 2015-01-15 9:21 ` Quan Xu
2015-01-15 9:21 ` [PATCH v4 10/14] vTPM/TPM2: TPM 2.0 PCRs read Quan Xu
` (6 subsequent siblings)
15 siblings, 0 replies; 30+ messages in thread
From: Quan Xu @ 2015-01-15 9:21 UTC (permalink / raw)
To: xen-devel, dgdegra
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, Quan Xu, samuel.thibault
Make vtpm-stubdom domain compatible to launch on TPM 1.x / TPM 2.0.
Add:
..
extra="tpm2=1"
..
to launch vtpm-stubdom domain on TPM 2.0, ignore it on TPM 1.x. for
example,
vtpm-stubdom domain configuration on TPM 2.0:
kernel="/usr/lib/xen/boot/vtpmmgr-stubdom.gz"
memory=16
disk=["file:/var/scale/vdisk/vmgr,hda,w"]
name="vtpmmgr"
iomem=["fed40,5"]
extra="tpm2=1"
vtpm-stubdom domain configuration on TPM 1.x:
kernel="/usr/lib/xen/boot/vtpmmgr-stubdom.gz"
memory=16
disk=["file:/var/scale/vdisk/vmgr,hda,w"]
name="vtpmmgr"
iomem=["fed40,5"]
Signed-off-by: Quan Xu <quan.xu@intel.com>
---
stubdom/vtpmmgr/vtpmmgr.c | 46 ++++++++++++++++++++++++++++++++++++++++------
stubdom/vtpmmgr/vtpmmgr.h | 14 ++++++++++++++
2 files changed, 54 insertions(+), 6 deletions(-)
diff --git a/stubdom/vtpmmgr/vtpmmgr.c b/stubdom/vtpmmgr/vtpmmgr.c
index 270ca8a..9fddaa2 100644
--- a/stubdom/vtpmmgr/vtpmmgr.c
+++ b/stubdom/vtpmmgr/vtpmmgr.c
@@ -45,6 +45,27 @@
#include "vtpmmgr.h"
#include "tcg.h"
+struct tpm_hardware_version hardware_version = {
+ .hw_version = TPM1_HARDWARE,
+};
+
+int parse_cmdline_hw(int argc, char** argv)
+{
+ int i;
+
+ for (i = 1; i < argc; ++i) {
+ if (!strcmp(argv[i], TPM2_EXTRA_OPT)) {
+ hardware_version.hw_version = TPM2_HARDWARE;
+ break;
+ }
+ }
+ return 0;
+}
+
+int hw_is_tpm2(void)
+{
+ return (hardware_version.hw_version == TPM2_HARDWARE) ? 1 : 0;
+}
void main_loop(void) {
tpmcmd_t* tpmcmd;
@@ -74,12 +95,25 @@ int main(int argc, char** argv)
sleep(2);
vtpmloginfo(VTPM_LOG_VTPM, "Starting vTPM manager domain\n");
- /* Initialize the vtpm manager */
- if(vtpmmgr_init(argc, argv) != TPM_SUCCESS) {
- vtpmlogerror(VTPM_LOG_VTPM, "Unable to initialize vtpmmgr domain!\n");
- rc = -1;
- goto exit;
- }
+ /*Parse TPM hardware in extra command line*/
+ parse_cmdline_hw(argc, argv);
+
+ /* Initialize the vtpm manager */
+ if (hw_is_tpm2()) {
+ vtpmloginfo(VTPM_LOG_VTPM, "Hardware : --- TPM 2.0 ---\n");
+ if (vtpmmgr2_init(argc, argv) != TPM_SUCCESS) {
+ vtpmlogerror(VTPM_LOG_VTPM, "Unable to initialize vtpmmgr domain!\n");
+ rc = -1;
+ goto exit;
+ }
+ }else{
+ vtpmloginfo(VTPM_LOG_VTPM, "Hardware : --- TPM 1.x ---\n");
+ if (vtpmmgr_init(argc, argv) != TPM_SUCCESS) {
+ vtpmlogerror(VTPM_LOG_VTPM, "Unable to initialize vtpmmgr domain!\n");
+ rc = -1;
+ goto exit;
+ }
+ }
main_loop();
diff --git a/stubdom/vtpmmgr/vtpmmgr.h b/stubdom/vtpmmgr/vtpmmgr.h
index c479443..c8cd073 100644
--- a/stubdom/vtpmmgr/vtpmmgr.h
+++ b/stubdom/vtpmmgr/vtpmmgr.h
@@ -46,9 +46,21 @@
#include "vtpm_manager.h"
#include "tpm2_types.h"
+#define TPM2_EXTRA_OPT "tpm2=1"
#define RSA_KEY_SIZE 0x0800
#define RSA_CIPHER_SIZE (RSA_KEY_SIZE / 8)
+enum {
+ TPM1_HARDWARE = 1,
+ TPM2_HARDWARE,
+} tpm_version;
+
+struct tpm_hardware_version {
+ int hw_version;
+};
+
+extern struct tpm_hardware_version hardware_version;
+
struct vtpm_globals {
int tpm_fd;
TPM_AUTH_SESSION oiap; // OIAP session for storageKey
@@ -97,5 +109,7 @@ inline TPM_RESULT vtpmmgr_rand(unsigned char* bytes, size_t num_bytes) {
TPM_RC tpm2_take_ownership(void);
TPM_RESULT vtpmmgr2_create(void);
TPM_RESULT vtpmmgr2_init(int argc, char** argv);
+int parse_cmdline_hw(int argc, char** argv);
+int hw_is_tpm2(void);
#endif
--
1.8.3.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v4 10/14] vTPM/TPM2: TPM 2.0 PCRs read
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
` (8 preceding siblings ...)
2015-01-15 9:21 ` [PATCH v4 09/14] vTPM/TPM2: Support 'tpm2' extra command line Quan Xu
@ 2015-01-15 9:21 ` Quan Xu
2015-01-15 9:21 ` [PATCH v4 11/14] vTPM/TPM2: Support TPM 2.0 bind and unbind data Quan Xu
` (5 subsequent siblings)
15 siblings, 0 replies; 30+ messages in thread
From: Quan Xu @ 2015-01-15 9:21 UTC (permalink / raw)
To: xen-devel, dgdegra
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, Quan Xu, samuel.thibault
Signed-off-by: Quan Xu <quan.xu@intel.com>
---
stubdom/vtpmmgr/init.c | 34 ++++++++++++++++++++++++++++++++++
stubdom/vtpmmgr/tpm2_types.h | 2 ++
stubdom/vtpmmgr/vtpmmgr.h | 1 +
3 files changed, 37 insertions(+)
diff --git a/stubdom/vtpmmgr/init.c b/stubdom/vtpmmgr/init.c
index 980f622..1506735 100644
--- a/stubdom/vtpmmgr/init.c
+++ b/stubdom/vtpmmgr/init.c
@@ -51,6 +51,7 @@
#include "vtpm_disk.h"
#include "tpm.h"
#include "marshal.h"
+#include "tpm2_marshal.h"
#include "tpm2.h"
struct Opts {
@@ -754,3 +755,36 @@ abort_egress:
egress:
return status;
}
+
+TPM_RC tpm2_pcr_read(int index, uint8_t *buf)
+{
+ TPM_RESULT status = TPM_SUCCESS;
+ TPML_PCR_SELECTION pcrSelectionIn = {
+ .count = 1,};
+
+ TPMS_PCR_SELECTION tpms_pcr_selection = {
+ .hash = TPM2_ALG_SHA1,
+ .sizeofSelect = PCR_SELECT_MAX,};
+
+ UINT32 pcrUpdateCounter;
+ TPML_PCR_SELECTION pcrSelectionOut;
+ TPML_DIGEST pcrValues;
+ TPM2B_DIGEST tpm2b_digest;
+
+ tpms_pcr_selection.pcrSelect[PCR_SELECT_NUM(index)] = PCR_SELECT_VALUE(index);
+ memcpy(&pcrSelectionIn.pcrSelections[0], &tpms_pcr_selection,
+ sizeof(TPMS_PCR_SELECTION));
+
+ TPMTRYRETURN(TPM2_PCR_Read(pcrSelectionIn, &pcrUpdateCounter,
+ &pcrSelectionOut, &pcrValues));
+
+ if (pcrValues.count < 1)
+ goto egress;
+
+ unpack_TPM2B_DIGEST((uint8_t *) &pcrValues, &tpm2b_digest);
+ memcpy(buf, tpm2b_digest.buffer, SHA1_DIGEST_SIZE);
+
+abort_egress:
+egress:
+ return status;
+}
diff --git a/stubdom/vtpmmgr/tpm2_types.h b/stubdom/vtpmmgr/tpm2_types.h
index 214335c..ac2830d 100644
--- a/stubdom/vtpmmgr/tpm2_types.h
+++ b/stubdom/vtpmmgr/tpm2_types.h
@@ -432,6 +432,8 @@ typedef struct {
#define IMPLEMENTATION_PCR 24
#define PLATFORM_PCR 24
#define PCR_SELECT_MAX ((IMPLEMENTATION_PCR+7)/8)
+#define PCR_SELECT_NUM(x) (uint8_t)(x/8)
+#define PCR_SELECT_VALUE(x) (uint8_t)(0x1)<<(x%8)
//Table 79 -- TPMS_PCR_SELECT Structure <I/O>
typedef struct {
diff --git a/stubdom/vtpmmgr/vtpmmgr.h b/stubdom/vtpmmgr/vtpmmgr.h
index c8cd073..46fd14f 100644
--- a/stubdom/vtpmmgr/vtpmmgr.h
+++ b/stubdom/vtpmmgr/vtpmmgr.h
@@ -107,6 +107,7 @@ inline TPM_RESULT vtpmmgr_rand(unsigned char* bytes, size_t num_bytes) {
/* TPM 2.0 */
TPM_RC tpm2_take_ownership(void);
+TPM_RC tpm2_pcr_read(int index, uint8_t *buf);
TPM_RESULT vtpmmgr2_create(void);
TPM_RESULT vtpmmgr2_init(int argc, char** argv);
int parse_cmdline_hw(int argc, char** argv);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v4 11/14] vTPM/TPM2: Support TPM 2.0 bind and unbind data
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
` (9 preceding siblings ...)
2015-01-15 9:21 ` [PATCH v4 10/14] vTPM/TPM2: TPM 2.0 PCRs read Quan Xu
@ 2015-01-15 9:21 ` Quan Xu
2015-01-15 9:21 ` [PATCH v4 12/14] vTPM/TPM2: Bind group keys and sectors data on disk Quan Xu
` (4 subsequent siblings)
15 siblings, 0 replies; 30+ messages in thread
From: Quan Xu @ 2015-01-15 9:21 UTC (permalink / raw)
To: xen-devel, dgdegra
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, Quan Xu, samuel.thibault
Bind data with TPM2_RSA_Encrypt, which performs RSA encryption using
the indicated padding scheme according to PKCS#1v2.1(PKCS#1). If the
scheme of keyHandle is TPM_ALG_NULL, then the caller may use inScheme
to specify the padding scheme.
Unbind data with TPM2_RSA_Decrypt, which performs RSA decryption using
the indicated padding scheme according to PKCS#1v2.1(PKCS#1).
Signed-off-by: Quan Xu <quan.xu@intel.com>
---
stubdom/vtpmmgr/disk_tpm.c | 42 ++++++++++++++++++++++++++++++++++++++++--
stubdom/vtpmmgr/disk_tpm.h | 4 ++++
2 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/stubdom/vtpmmgr/disk_tpm.c b/stubdom/vtpmmgr/disk_tpm.c
index d650fbc..45a326a 100644
--- a/stubdom/vtpmmgr/disk_tpm.c
+++ b/stubdom/vtpmmgr/disk_tpm.c
@@ -12,17 +12,20 @@
#include <polarssl/sha1.h>
#include "tpm.h"
+#include "tpm2.h"
#include "tcg.h"
#include "vtpmmgr.h"
#include "vtpm_disk.h"
#include "disk_tpm.h"
+#include "log.h"
// Print out input/output of seal/unseal operations (includes keys)
#undef DEBUG_SEAL_OPS
#ifdef DEBUG_SEAL_OPS
#include "marshal.h"
+#include "tpm2_marshal.h"
#endif
struct pcr_list {
@@ -31,11 +34,16 @@ struct pcr_list {
static struct pcr_list hwtpm;
+/*Ignore PCR on TPM 2.0, read PCR values for TPM 1.x seal | unseal*/
void TPM_read_pcrs(void)
{
int i;
- for(i=0; i < 24; i++)
- TPM_PCR_Read(i, &hwtpm.pcrs[i]);
+ for (i=0; i < 24; i++) {
+ if (hw_is_tpm2())
+ tpm2_pcr_read(i, (uint8_t *)&hwtpm.pcrs[i]);
+ else
+ TPM_PCR_Read(i, &hwtpm.pcrs[i]);
+ }
}
struct pcr_composite_3 {
@@ -138,6 +146,36 @@ int TPM_disk_seal(struct disk_seal_entry *dst, const void* src, size_t size)
return rc;
}
+TPM_RC TPM2_disk_bind(struct disk_seal_entry *dst, void* src, unsigned int size)
+{
+ TPM_RESULT status = TPM_SUCCESS;
+
+ TPMTRYRETURN(TPM2_Bind(vtpm_globals.sk_handle,
+ src,
+ size,
+ dst->sealed_data));
+
+abort_egress:
+egress:
+ return status;
+}
+
+TPM_RC TPM2_disk_unbind(void *dst, unsigned int *size, const struct disk_seal_entry *src)
+{
+ TPM_RESULT status = TPM_SUCCESS;
+ unsigned char buf[RSA_CIPHER_SIZE];
+
+ memcpy(buf, src->sealed_data, RSA_CIPHER_SIZE);
+ TPMTRYRETURN(TPM2_UnBind(vtpm_globals.sk_handle,
+ RSA_CIPHER_SIZE,
+ buf,
+ size,
+ dst));
+abort_egress:
+egress:
+ return status;
+}
+
int TPM_disk_unseal(void *dst, size_t size, const struct disk_seal_entry *src)
{
uint32_t rc;
diff --git a/stubdom/vtpmmgr/disk_tpm.h b/stubdom/vtpmmgr/disk_tpm.h
index b235895..57ae2a6 100644
--- a/stubdom/vtpmmgr/disk_tpm.h
+++ b/stubdom/vtpmmgr/disk_tpm.h
@@ -10,6 +10,10 @@ void TPM_pcr_digest(struct hash160 *buf, le32_t selection);
int TPM_disk_seal(struct disk_seal_entry *dst, const void* src, size_t size);
int TPM_disk_unseal(void *dst, size_t size, const struct disk_seal_entry *src);
+/*TPM 2.0 Bind and Unbind */
+TPM_RC TPM2_disk_bind(struct disk_seal_entry *dst, void* src, unsigned int size);
+TPM_RC TPM2_disk_unbind(void *dst, unsigned int *size, const struct disk_seal_entry *src);
+
/* NVRAM to allow revocation of TM-KEY */
int TPM_disk_nvalloc(be32_t *nvram_slot, struct tpm_authdata auth);
int TPM_disk_nvread(void *buf, size_t bufsiz, be32_t nvram_slot, struct tpm_authdata auth);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v4 12/14] vTPM/TPM2: Bind group keys and sectors data on disk
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
` (10 preceding siblings ...)
2015-01-15 9:21 ` [PATCH v4 11/14] vTPM/TPM2: Support TPM 2.0 bind and unbind data Quan Xu
@ 2015-01-15 9:21 ` Quan Xu
2015-01-15 9:21 ` [PATCH v4 13/14] vTPM/TPM2: Unind " Quan Xu
` (3 subsequent siblings)
15 siblings, 0 replies; 30+ messages in thread
From: Quan Xu @ 2015-01-15 9:21 UTC (permalink / raw)
To: xen-devel, dgdegra
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, Quan Xu, samuel.thibault
Signed-off-by: Quan Xu <quan.xu@intel.com>
---
stubdom/vtpmmgr/disk_write.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/stubdom/vtpmmgr/disk_write.c b/stubdom/vtpmmgr/disk_write.c
index 4c825c5..ab15a9a 100644
--- a/stubdom/vtpmmgr/disk_write.c
+++ b/stubdom/vtpmmgr/disk_write.c
@@ -88,7 +88,12 @@ static void generate_group_seals(struct mem_group *src, const struct mem_tpm_mgr
dst->pcr_selection = src->seals[i].pcr_selection;
memcpy(&dst->digest_release, &src->seals[i].digest_release, 20);
TPM_pcr_digest(&dst->digest_at_seal, dst->pcr_selection);
- TPM_disk_seal(dst, &sblob, sizeof(sblob));
+
+ /*TPM 2.0 bind | TPM 1.x seal*/
+ if (hw_is_tpm2())
+ TPM2_disk_bind(dst, &sblob, sizeof(sblob));
+ else
+ TPM_disk_seal(dst, &sblob, sizeof(sblob));
}
src->seal_bits.nr_cfgs = native_be32(src->nr_seals);
@@ -250,7 +255,11 @@ static void disk_write_seal_list(struct mem_tpm_mgr *mgr, struct mem_group *grou
memcpy(&dst->digest_release, &src->digest_release, 20);
TPM_pcr_digest(&dst->digest_at_seal, dst->pcr_selection);
- TPM_disk_seal(dst, &sblob, sizeof(sblob));
+ /*TPM 2.0 bind / TPM 1.x seal*/
+ if (hw_is_tpm2())
+ TPM2_disk_bind(dst, &sblob, sizeof(sblob));
+ else
+ TPM_disk_seal(dst, &sblob, sizeof(sblob));
}
memcpy(seal->hdr.magic, TPM_MGR_MAGIC, 12);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v4 13/14] vTPM/TPM2: Unind group keys and sectors data on disk
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
` (11 preceding siblings ...)
2015-01-15 9:21 ` [PATCH v4 12/14] vTPM/TPM2: Bind group keys and sectors data on disk Quan Xu
@ 2015-01-15 9:21 ` Quan Xu
2015-01-15 9:21 ` [PATCH v4 14/14] vTPM/TPM2: Record some infomation in docs/misc/vtpmmgr.txt about Quan Xu
` (2 subsequent siblings)
15 siblings, 0 replies; 30+ messages in thread
From: Quan Xu @ 2015-01-15 9:21 UTC (permalink / raw)
To: xen-devel, dgdegra
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, Quan Xu, samuel.thibault
Signed-off-by: Quan Xu <quan.xu@intel.com>
---
stubdom/vtpmmgr/disk_read.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/stubdom/vtpmmgr/disk_read.c b/stubdom/vtpmmgr/disk_read.c
index 33aacdd..e9dc20f 100644
--- a/stubdom/vtpmmgr/disk_read.c
+++ b/stubdom/vtpmmgr/disk_read.c
@@ -67,6 +67,7 @@ static int find_group_key(struct mem_group *dst,
const struct mem_tpm_mgr *parent)
{
int i, rc, rv = 1;
+ unsigned int olen;
struct hash160 buf;
struct disk_group_sealed_data sealed;
@@ -88,7 +89,13 @@ static int find_group_key(struct mem_group *dst,
TPM_pcr_digest(&buf, cfg->pcr_selection);
if (memcmp(&buf, &cfg->digest_release, 20))
continue;
- rc = TPM_disk_unseal(&sealed, sizeof(sealed), cfg);
+
+ /*TPM 2.0 unbind | TPM 1.x unseal*/
+ if (hw_is_tpm2())
+ rc = TPM2_disk_unbind(&sealed, &olen, cfg);
+ else
+ rc = TPM_disk_unseal(&sealed, sizeof(sealed), cfg);
+
if (rc)
continue;
if (memcmp(&sealed.magic, DISK_GROUP_BOUND_MAGIC, 4))
@@ -112,9 +119,15 @@ static int find_group_key(struct mem_group *dst,
static int parse_root_key(struct mem_tpm_mgr *dst, struct disk_seal_entry *src)
{
int rc;
+ unsigned int olen;
struct disk_root_sealed_data sealed;
- rc = TPM_disk_unseal(&sealed, sizeof(sealed), src);
+ /*TPM 2.0 unbind | TPM 1.x unseal*/
+ if (hw_is_tpm2())
+ rc = TPM2_disk_unbind(&sealed, &olen, src);
+ else
+ rc = TPM_disk_unseal(&sealed, sizeof(sealed), src);
+
if (rc)
return rc;
--
1.8.3.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v4 14/14] vTPM/TPM2: Record some infomation in docs/misc/vtpmmgr.txt about
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
` (12 preceding siblings ...)
2015-01-15 9:21 ` [PATCH v4 13/14] vTPM/TPM2: Unind " Quan Xu
@ 2015-01-15 9:21 ` Quan Xu
2015-01-15 14:31 ` FW: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Xu, Quan
2015-01-20 22:27 ` Daniel De Graaf
15 siblings, 0 replies; 30+ messages in thread
From: Quan Xu @ 2015-01-15 9:21 UTC (permalink / raw)
To: xen-devel, dgdegra
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, Quan Xu, samuel.thibault
'vtpmmgr on TPM 2.0'
Signed-off-by: Quan Xu <quan.xu@intel.com>
---
docs/misc/vtpmmgr.txt | 155 +++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 154 insertions(+), 1 deletion(-)
diff --git a/docs/misc/vtpmmgr.txt b/docs/misc/vtpmmgr.txt
index 026c52b..d4f756c 100644
--- a/docs/misc/vtpmmgr.txt
+++ b/docs/misc/vtpmmgr.txt
@@ -1,4 +1,8 @@
-Author: Daniel De Graaf <dgdegra@tycho.nsa.gov>
+================================================================================
+Authors:
+ Daniel De Graaf <dgdegra@tycho.nsa.gov>
+ Quan Xu <quan.xu@intel.com>
+================================================================================
This document describes the operation and command line interface of
vtpmmgr-stubdom. See docs/misc/vtpm.txt for details on the vTPM subsystem as a
@@ -163,3 +167,152 @@ would look like the following:
This requires the migration domain to be added to the list of valid vTPM kernel
hashes. In the current version of the vtpmmgr domain, this is the hash of the
XSM label, not the kernel.
+
+================================================================================
+Appendix B: vtpmmgr on TPM 2.0
+================================================================================
+
+Manager disk image setup:
+-------------------------
+
+The vTPM Manager requires a disk image to store its encrypted data. The image
+does not require a filesystem and can live anywhere on the host disk. The image
+is not large; the Xen 4.5 vtpmmgr is limited to using the first 2MB of the image
+but can support more than 20,000 vTPMs.
+
+ dd if=/dev/zero of=/home/vtpm2/vmgr bs=16M count=1
+
+Manager config file:
+--------------------
+
+The vTPM Manager domain (vtpmmgr-stubdom) must be started like any other Xen
+virtual machine and requires a config file. The manager requires a disk image
+for storage and permission to access the hardware memory pages for the TPM. The
+disk must be presented as "hda", and the TPM memory pages are passed using the
+iomem configuration parameter. The TPM TIS uses 5 pages of IO memory (one per
+locality) that start at physical address 0xfed40000. By default, the TPM manager
+uses locality 0 (so only the page at 0xfed40 is needed).
+
+Add:
+..
+ extra="tpm2=1"
+..
+extra option to launch vtpmmgr-stubdom domain on TPM 2.0, and ignore it on TPM
+1.x. for example:
+
+ kernel="/usr/lib/xen/boot/vtpmmgr-stubdom.gz"
+ memory=128
+ disk=["file:/home/vtpm2/vmgr,hda,w"]
+ name="vtpmmgr"
+ iomem=["fed40,5"]
+ extra="tpm2=1"
+
+
+Key Hierarchy
+------------------------------
+
+ +------------------+
+ | vTPM's secrets | ...
+ +------------------+
+ | ^
+ | |(Bind / Unbind)
+- - - - - -v |- - - - - - - - TPM 2.0
+ +------------------+
+ | SK +
+ +------------------+
+ | ^
+ v |
+ +------------------+
+ | SRK |
+ +------------------+
+ | ^
+ v |
+ +------------------+
+ | TPM 2.0 Storage |
+ | Primary Seed |
+ +------------------+
+
+Now the secrets for the vTPMs are only being bound to the presence of thephysical
+TPM 2.0. Since using PCRs to seal the data can be an important security feature
+that users of the vtpmmgr rely on. I will replace TPM2_Bind/TPM2_Unbind with
+TPM2_Seal/TPM2_Unseal to provide as much security as it did for TPM 1.2 in later
+series of patch.
+
+DESIGN OVERVIEW
+------------------------------
+
+The architecture of vTPM subsystem on TPM 2.0 is described below:
+
++------------------+
+| Linux DomU | ...
+| | ^ |
+| v | |
+| xen-tpmfront |
++------------------+
+ | ^
+ v |
++------------------+
+| mini-os/tpmback |
+| | ^ |
+| v | |
+| vtpm-stubdom | ...
+| | ^ |
+| v | |
+| mini-os/tpmfront |
++------------------+
+ | ^
+ v |
++------------------+
+| mini-os/tpmback |
+| | ^ |
+| v | |
+| vtpmmgr-stubdom |
+| | ^ |
+| v | |
+| mini-os/tpm2_tis |
++------------------+
+ | ^
+ v |
++------------------+
+| Hardware TPM 2.0 |
++------------------+
+
+ * Linux DomU: The Linux based guest that wants to use a vTPM. There many be
+ more than one of these.
+
+ * xen-tpmfront.ko: Linux kernel virtual TPM frontend driver. This driver
+ provides vTPM access to a para-virtualized Linux based DomU.
+
+ * mini-os/tpmback: Mini-os TPM backend driver. The Linux frontend driver
+ connects to this backend driver to facilitate
+ communications between the Linux DomU and its vTPM. This
+ driver is also used by vtpmmgr-stubdom to communicate with
+ vtpm-stubdom.
+
+ * vtpm-stubdom: A mini-os stub domain that implements a vTPM. There is a
+ one to one mapping between running vtpm-stubdom instances and
+ logical vtpms on the system. The vTPM Platform Configuration
+ Registers (PCRs) are all initialized to zero.
+
+ * mini-os/tpmfront: Mini-os TPM frontend driver. The vTPM mini-os domain
+ vtpm-stubdom uses this driver to communicate with
+ vtpmmgr-stubdom. This driver could also be used separately to
+ implement a mini-os domain that wishes to use a vTPM of
+ its own.
+
+ * vtpmmgr-stubdom: A mini-os domain that implements the vTPM manager.
+ There is only one vTPM manager and it should be running during
+ the entire lifetime of the machine. This domain regulates
+ access to the physical TPM on the system and secures the
+ persistent state of each vTPM.
+
+ * mini-os/tpm2_tis: Mini-os TPM version 2.0 TPM Interface Specification (TIS)
+ driver. This driver used by vtpmmgr-stubdom to talk directly
+ to the hardware TPM 2.0. Communication is facilitated by mapping
+ hardware memory pages into vtpmmgr-stubdom.
+
+ * Hardware TPM 2.0: The physical TPM 2.0 that is soldered onto the motherboard.
+
+---------------------
+Noted:
+ functionality for a virtual guest operating system (a DomU) is still TPM 1.2.
--
1.8.3.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* FW: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
` (13 preceding siblings ...)
2015-01-15 9:21 ` [PATCH v4 14/14] vTPM/TPM2: Record some infomation in docs/misc/vtpmmgr.txt about Quan Xu
@ 2015-01-15 14:31 ` Xu, Quan
2015-01-15 14:54 ` Wei Liu
2015-01-20 22:27 ` Daniel De Graaf
15 siblings, 1 reply; 30+ messages in thread
From: Xu, Quan @ 2015-01-15 14:31 UTC (permalink / raw)
To: wei.liu2; +Cc: xen-devel
Wei
Are this series of patch in one thread? Thanks.
-Quan
> -----Original Message-----
> From: Xu, Quan
> Sent: Thursday, January 15, 2015 5:22 PM
> To: xen-devel@lists.xen.org; dgdegra@tycho.nsa.gov
> Cc: ian.campbell@citrix.com; ian.jackson@eu.citrix.com; jbeulich@suse.com;
> keir@xen.org; tim@xen.org; stefano.stabellini@eu.citrix.com;
> samuel.thibault@ens-lyon.org; Xu, Quan
> Subject: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
>
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: FW: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
2015-01-15 14:31 ` FW: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Xu, Quan
@ 2015-01-15 14:54 ` Wei Liu
2015-01-15 14:58 ` Xu, Quan
0 siblings, 1 reply; 30+ messages in thread
From: Wei Liu @ 2015-01-15 14:54 UTC (permalink / raw)
To: Xu, Quan; +Cc: wei.liu2, xen-devel
On Thu, Jan 15, 2015 at 02:31:01PM +0000, Xu, Quan wrote:
> Wei
>
> Are this series of patch in one thread? Thanks.
>
Yes.
> -Quan
>
> > -----Original Message-----
> > From: Xu, Quan
> > Sent: Thursday, January 15, 2015 5:22 PM
> > To: xen-devel@lists.xen.org; dgdegra@tycho.nsa.gov
> > Cc: ian.campbell@citrix.com; ian.jackson@eu.citrix.com; jbeulich@suse.com;
> > keir@xen.org; tim@xen.org; stefano.stabellini@eu.citrix.com;
> > samuel.thibault@ens-lyon.org; Xu, Quan
> > Subject: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
> >
>
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: FW: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
2015-01-15 14:54 ` Wei Liu
@ 2015-01-15 14:58 ` Xu, Quan
0 siblings, 0 replies; 30+ messages in thread
From: Xu, Quan @ 2015-01-15 14:58 UTC (permalink / raw)
To: Wei Liu; +Cc: xen-devel
> -----Original Message-----
> From: Wei Liu [mailto:wei.liu2@citrix.com]
> Sent: Thursday, January 15, 2015 10:54 PM
> To: Xu, Quan
> Cc: wei.liu2@citrix.com; xen-devel@lists.xen.org
> Subject: Re: FW: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
>
> On Thu, Jan 15, 2015 at 02:31:01PM +0000, Xu, Quan wrote:
> > Wei
> >
> > Are this series of patch in one thread? Thanks.
> >
>
> Yes.
>
Thanks for your help.:)
-Quan
> > -Quan
> >
> > > -----Original Message-----
> > > From: Xu, Quan
> > > Sent: Thursday, January 15, 2015 5:22 PM
> > > To: xen-devel@lists.xen.org; dgdegra@tycho.nsa.gov
> > > Cc: ian.campbell@citrix.com; ian.jackson@eu.citrix.com;
> > > jbeulich@suse.com; keir@xen.org; tim@xen.org;
> > > stefano.stabellini@eu.citrix.com; samuel.thibault@ens-lyon.org; Xu,
> > > Quan
> > > Subject: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
> > >
> >
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
` (14 preceding siblings ...)
2015-01-15 14:31 ` FW: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Xu, Quan
@ 2015-01-20 22:27 ` Daniel De Graaf
2015-01-21 1:26 ` Xu, Quan
2015-01-28 13:07 ` Ian Campbell
15 siblings, 2 replies; 30+ messages in thread
From: Daniel De Graaf @ 2015-01-20 22:27 UTC (permalink / raw)
To: Quan Xu, xen-devel
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, samuel.thibault
On 01/15/2015 04:21 AM, Quan Xu wrote:
> This series of patch enable the virtual Trusted Platform Module (vTPM)
> subsystem for Xen on TPM 2.0.
>
> Noted, functionality for a virtual guest operating system (a DomU) is still
> TPM 1.2. The main modifcation is on vtpmmgr-stubdom. The challenge is that
> TPM 2.0 is not backward compatible with TPM 1.2.
>
Updates from v3 all look good, all patches in this series:
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
PS: If you need to re-post this in the future, you should add that line
below the signed-off-by on the unchanged patches, so that it is clear to
the other Xen maintainers that only the changed/new patches need my review.
--
Daniel De Graaf
National Security Agency
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
2015-01-20 22:27 ` Daniel De Graaf
@ 2015-01-21 1:26 ` Xu, Quan
2015-01-21 10:36 ` Stefano Stabellini
2015-01-28 13:07 ` Ian Campbell
1 sibling, 1 reply; 30+ messages in thread
From: Xu, Quan @ 2015-01-21 1:26 UTC (permalink / raw)
To: Daniel De Graaf, xen-devel
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
jbeulich, samuel.thibault
> -----Original Message-----
> From: Daniel De Graaf [mailto:dgdegra@tycho.nsa.gov]
> Sent: Wednesday, January 21, 2015 6:28 AM
> To: Xu, Quan; xen-devel@lists.xen.org
> Cc: ian.campbell@citrix.com; ian.jackson@eu.citrix.com; jbeulich@suse.com;
> keir@xen.org; tim@xen.org; stefano.stabellini@eu.citrix.com;
> samuel.thibault@ens-lyon.org
> Subject: Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
>
> On 01/15/2015 04:21 AM, Quan Xu wrote:
> > This series of patch enable the virtual Trusted Platform Module (vTPM)
> > subsystem for Xen on TPM 2.0.
> >
> > Noted, functionality for a virtual guest operating system (a DomU) is
> > still TPM 1.2. The main modifcation is on vtpmmgr-stubdom. The
> > challenge is that TPM 2.0 is not backward compatible with TPM 1.2.
> >
>
> Updates from v3 all look good, all patches in this series:
>
> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>
> PS: If you need to re-post this in the future, you should add that line below the
> signed-off-by on the unchanged patches, so that it is clear to the other Xen
> maintainers that only the changed/new patches need my review.
>
> --
Many thanks.
For example:
Signed-off-by: Quan Xu <quan.xu@intel.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Right?
Intel
Quan Xu
> Daniel De Graaf
> National Security Agency
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
2015-01-21 1:26 ` Xu, Quan
@ 2015-01-21 10:36 ` Stefano Stabellini
2015-01-22 1:57 ` Xu, Quan
0 siblings, 1 reply; 30+ messages in thread
From: Stefano Stabellini @ 2015-01-21 10:36 UTC (permalink / raw)
To: Xu, Quan
Cc: keir, ian.campbell, stefano.stabellini, tim, ian.jackson,
xen-devel, jbeulich, samuel.thibault, Daniel De Graaf
On Wed, 21 Jan 2015, Xu, Quan wrote:
> > -----Original Message-----
> > From: Daniel De Graaf [mailto:dgdegra@tycho.nsa.gov]
> > Sent: Wednesday, January 21, 2015 6:28 AM
> > To: Xu, Quan; xen-devel@lists.xen.org
> > Cc: ian.campbell@citrix.com; ian.jackson@eu.citrix.com; jbeulich@suse.com;
> > keir@xen.org; tim@xen.org; stefano.stabellini@eu.citrix.com;
> > samuel.thibault@ens-lyon.org
> > Subject: Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
> >
> > On 01/15/2015 04:21 AM, Quan Xu wrote:
> > > This series of patch enable the virtual Trusted Platform Module (vTPM)
> > > subsystem for Xen on TPM 2.0.
> > >
> > > Noted, functionality for a virtual guest operating system (a DomU) is
> > > still TPM 1.2. The main modifcation is on vtpmmgr-stubdom. The
> > > challenge is that TPM 2.0 is not backward compatible with TPM 1.2.
> > >
> >
> > Updates from v3 all look good, all patches in this series:
> >
> > Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> >
> > PS: If you need to re-post this in the future, you should add that line below the
> > signed-off-by on the unchanged patches, so that it is clear to the other Xen
> > maintainers that only the changed/new patches need my review.
> >
> > --
>
> Many thanks.
> For example:
> Signed-off-by: Quan Xu <quan.xu@intel.com>
> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Right?
That is correct.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
2015-01-21 10:36 ` Stefano Stabellini
@ 2015-01-22 1:57 ` Xu, Quan
2015-01-27 15:48 ` Stefano Stabellini
0 siblings, 1 reply; 30+ messages in thread
From: Xu, Quan @ 2015-01-22 1:57 UTC (permalink / raw)
To: Stefano Stabellini
Cc: keir, ian.campbell, tim, ian.jackson, xen-devel, jbeulich,
samuel.thibault, Daniel De Graaf
> -----Original Message-----
> From: xen-devel-bounces@lists.xen.org
> [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Stefano Stabellini
> Sent: Wednesday, January 21, 2015 6:37 PM
> To: Xu, Quan
> Cc: keir@xen.org; ian.campbell@citrix.com; stefano.stabellini@eu.citrix.com;
> tim@xen.org; ian.jackson@eu.citrix.com; xen-devel@lists.xen.org;
> jbeulich@suse.com; samuel.thibault@ens-lyon.org; Daniel De Graaf
> Subject: Re: [Xen-devel] [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
>
> On Wed, 21 Jan 2015, Xu, Quan wrote:
> > > -----Original Message-----
> > > From: Daniel De Graaf [mailto:dgdegra@tycho.nsa.gov]
> > > Sent: Wednesday, January 21, 2015 6:28 AM
> > > To: Xu, Quan; xen-devel@lists.xen.org
> > > Cc: ian.campbell@citrix.com; ian.jackson@eu.citrix.com;
> > > jbeulich@suse.com; keir@xen.org; tim@xen.org;
> > > stefano.stabellini@eu.citrix.com; samuel.thibault@ens-lyon.org
> > > Subject: Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
> > >
> > > On 01/15/2015 04:21 AM, Quan Xu wrote:
> > > > This series of patch enable the virtual Trusted Platform Module
> > > > (vTPM) subsystem for Xen on TPM 2.0.
> > > >
> > > > Noted, functionality for a virtual guest operating system (a DomU)
> > > > is still TPM 1.2. The main modifcation is on vtpmmgr-stubdom. The
> > > > challenge is that TPM 2.0 is not backward compatible with TPM 1.2.
> > > >
> > >
> > > Updates from v3 all look good, all patches in this series:
> > >
> > > Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> > >
> > > PS: If you need to re-post this in the future, you should add that
> > > line below the signed-off-by on the unchanged patches, so that it is
> > > clear to the other Xen maintainers that only the changed/new patches need
> my review.
> > >
> > > --
> >
> > Many thanks.
> > For example:
> > Signed-off-by: Quan Xu <quan.xu@intel.com>
> > Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Right?
>
> That is correct.
Stefano, Thanks.
Now this series of patch were Acked-by Daniel De Graaf <dgdegra@tycho.nsa.gov>. could you also
Review them and give me some comments or feedback? Thanks.
-Quan
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
2015-01-22 1:57 ` Xu, Quan
@ 2015-01-27 15:48 ` Stefano Stabellini
2015-01-28 1:44 ` Xu, Quan
0 siblings, 1 reply; 30+ messages in thread
From: Stefano Stabellini @ 2015-01-27 15:48 UTC (permalink / raw)
To: Xu, Quan
Cc: keir, ian.campbell, Stefano Stabellini, tim, ian.jackson,
xen-devel, jbeulich, samuel.thibault, Daniel De Graaf
On Thu, 22 Jan 2015, Xu, Quan wrote:
> > -----Original Message-----
> > From: xen-devel-bounces@lists.xen.org
> > [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Stefano Stabellini
> > Sent: Wednesday, January 21, 2015 6:37 PM
> > To: Xu, Quan
> > Cc: keir@xen.org; ian.campbell@citrix.com; stefano.stabellini@eu.citrix.com;
> > tim@xen.org; ian.jackson@eu.citrix.com; xen-devel@lists.xen.org;
> > jbeulich@suse.com; samuel.thibault@ens-lyon.org; Daniel De Graaf
> > Subject: Re: [Xen-devel] [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
> >
> > On Wed, 21 Jan 2015, Xu, Quan wrote:
> > > > -----Original Message-----
> > > > From: Daniel De Graaf [mailto:dgdegra@tycho.nsa.gov]
> > > > Sent: Wednesday, January 21, 2015 6:28 AM
> > > > To: Xu, Quan; xen-devel@lists.xen.org
> > > > Cc: ian.campbell@citrix.com; ian.jackson@eu.citrix.com;
> > > > jbeulich@suse.com; keir@xen.org; tim@xen.org;
> > > > stefano.stabellini@eu.citrix.com; samuel.thibault@ens-lyon.org
> > > > Subject: Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
> > > >
> > > > On 01/15/2015 04:21 AM, Quan Xu wrote:
> > > > > This series of patch enable the virtual Trusted Platform Module
> > > > > (vTPM) subsystem for Xen on TPM 2.0.
> > > > >
> > > > > Noted, functionality for a virtual guest operating system (a DomU)
> > > > > is still TPM 1.2. The main modifcation is on vtpmmgr-stubdom. The
> > > > > challenge is that TPM 2.0 is not backward compatible with TPM 1.2.
> > > > >
> > > >
> > > > Updates from v3 all look good, all patches in this series:
> > > >
> > > > Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> > > >
> > > > PS: If you need to re-post this in the future, you should add that
> > > > line below the signed-off-by on the unchanged patches, so that it is
> > > > clear to the other Xen maintainers that only the changed/new patches need
> > my review.
> > > >
> > > > --
> > >
> > > Many thanks.
> > > For example:
> > > Signed-off-by: Quan Xu <quan.xu@intel.com>
> > > Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Right?
> >
> > That is correct.
>
> Stefano, Thanks.
> Now this series of patch were Acked-by Daniel De Graaf <dgdegra@tycho.nsa.gov>. could you also
> Review them and give me some comments or feedback? Thanks.
I am not sure if I am really the right person to give you feedback on it.
But I do trust Daniel's opinion on it.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
2015-01-27 15:48 ` Stefano Stabellini
@ 2015-01-28 1:44 ` Xu, Quan
2015-01-28 11:07 ` Wei Liu
2015-01-28 11:57 ` Stefano Stabellini
0 siblings, 2 replies; 30+ messages in thread
From: Xu, Quan @ 2015-01-28 1:44 UTC (permalink / raw)
To: Stefano Stabellini, Daniel De Graaf, Wei Liu
Cc: keir, ian.campbell, tim, ian.jackson, xen-devel, jbeulich,
samuel.thibault
> -----Original Message-----
> From: Stefano Stabellini [mailto:stefano.stabellini@eu.citrix.com]
> Sent: Tuesday, January 27, 2015 11:48 PM
> To: Xu, Quan
> Cc: Stefano Stabellini; keir@xen.org; ian.campbell@citrix.com; tim@xen.org;
> ian.jackson@eu.citrix.com; xen-devel@lists.xen.org; jbeulich@suse.com;
> samuel.thibault@ens-lyon.org; Daniel De Graaf
> Subject: RE: [Xen-devel] [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
>
> On Thu, 22 Jan 2015, Xu, Quan wrote:
> > > -----Original Message-----
> > > From: xen-devel-bounces@lists.xen.org
> > > [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Stefano
> > > Stabellini
> > > Sent: Wednesday, January 21, 2015 6:37 PM
> > > To: Xu, Quan
> > > Cc: keir@xen.org; ian.campbell@citrix.com;
> > > stefano.stabellini@eu.citrix.com; tim@xen.org;
> > > ian.jackson@eu.citrix.com; xen-devel@lists.xen.org;
> > > jbeulich@suse.com; samuel.thibault@ens-lyon.org; Daniel De Graaf
> > > Subject: Re: [Xen-devel] [PATCH v4 00/14] Enable vTPM subsystem on
> > > TPM 2.0
> > >
> > > On Wed, 21 Jan 2015, Xu, Quan wrote:
> > > > > -----Original Message-----
> > > > > From: Daniel De Graaf [mailto:dgdegra@tycho.nsa.gov]
> > > > > Sent: Wednesday, January 21, 2015 6:28 AM
> > > > > To: Xu, Quan; xen-devel@lists.xen.org
> > > > > Cc: ian.campbell@citrix.com; ian.jackson@eu.citrix.com;
> > > > > jbeulich@suse.com; keir@xen.org; tim@xen.org;
> > > > > stefano.stabellini@eu.citrix.com; samuel.thibault@ens-lyon.org
> > > > > Subject: Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
> > > > >
> > > > > On 01/15/2015 04:21 AM, Quan Xu wrote:
> > > > > > This series of patch enable the virtual Trusted Platform
> > > > > > Module
> > > > > > (vTPM) subsystem for Xen on TPM 2.0.
> > > > > >
> > > > > > Noted, functionality for a virtual guest operating system (a
> > > > > > DomU) is still TPM 1.2. The main modifcation is on
> > > > > > vtpmmgr-stubdom. The challenge is that TPM 2.0 is not backward
> compatible with TPM 1.2.
> > > > > >
> > > > >
> > > > > Updates from v3 all look good, all patches in this series:
> > > > >
> > > > > Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> > > > >
> > > > > PS: If you need to re-post this in the future, you should add
> > > > > that line below the signed-off-by on the unchanged patches, so
> > > > > that it is clear to the other Xen maintainers that only the
> > > > > changed/new patches need
> > > my review.
> > > > >
> > > > > --
> > > >
> > > > Many thanks.
> > > > For example:
> > > > Signed-off-by: Quan Xu <quan.xu@intel.com>
> > > > Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Right?
> > >
> > > That is correct.
> >
> > Stefano, Thanks.
> > Now this series of patch were Acked-by Daniel De Graaf
> > <dgdegra@tycho.nsa.gov>. could you also Review them and give me some
> comments or feedback? Thanks.
>
> I am not sure if I am really the right person to give you feedback on it.
> But I do trust Daniel's opinion on it.
Thanks Stefano.
Now Wei Liu is splitting off mini-os to a separate tree, could I send out v5 with
..
Signed-off-by: Quan Xu <quan.xu@intel.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
..
Then, Daniel can merge these serious of patch to * staging branch. Or try to send
out the patches against the new mini-os tree.
Correct me, If the process is wrong.
Thanks
Quan
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
2015-01-28 1:44 ` Xu, Quan
@ 2015-01-28 11:07 ` Wei Liu
2015-01-28 11:57 ` Stefano Stabellini
1 sibling, 0 replies; 30+ messages in thread
From: Wei Liu @ 2015-01-28 11:07 UTC (permalink / raw)
To: Xu, Quan
Cc: keir, ian.campbell, Stefano Stabellini, ian.jackson, tim,
xen-devel, jbeulich, samuel.thibault, Wei Liu, Daniel De Graaf
On Wed, Jan 28, 2015 at 01:44:03AM +0000, Xu, Quan wrote:
[...]
> > > >
> > > > That is correct.
> > >
> > > Stefano, Thanks.
> > > Now this series of patch were Acked-by Daniel De Graaf
> > > <dgdegra@tycho.nsa.gov>. could you also Review them and give me some
> > comments or feedback? Thanks.
> >
> > I am not sure if I am really the right person to give you feedback on it.
> > But I do trust Daniel's opinion on it.
>
> Thanks Stefano.
> Now Wei Liu is splitting off mini-os to a separate tree, could I send out v5 with
> ..
> Signed-off-by: Quan Xu <quan.xu@intel.com>
> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> ..
> Then, Daniel can merge these serious of patch to * staging branch. Or try to send
> out the patches against the new mini-os tree.
>
Are you patches all acked? I vaguely remember seeing so but I would like
to confirm.
Though I would like splitting off to happen as soon as possible but I
can say for sure when it's going to happen.
I think maintainers / committers will tell to rebase / resubmit if
necessary.
Wei.
> Correct me, If the process is wrong.
>
> Thanks
> Quan
>
>
>
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
2015-01-28 1:44 ` Xu, Quan
2015-01-28 11:07 ` Wei Liu
@ 2015-01-28 11:57 ` Stefano Stabellini
2015-01-28 12:02 ` Ian Campbell
1 sibling, 1 reply; 30+ messages in thread
From: Stefano Stabellini @ 2015-01-28 11:57 UTC (permalink / raw)
To: Xu, Quan
Cc: keir, ian.campbell, Stefano Stabellini, ian.jackson, tim,
xen-devel, jbeulich, samuel.thibault, Wei Liu, Daniel De Graaf
On Wed, 28 Jan 2015, Xu, Quan wrote:
> > -----Original Message-----
> > From: Stefano Stabellini [mailto:stefano.stabellini@eu.citrix.com]
> > Sent: Tuesday, January 27, 2015 11:48 PM
> > To: Xu, Quan
> > Cc: Stefano Stabellini; keir@xen.org; ian.campbell@citrix.com; tim@xen.org;
> > ian.jackson@eu.citrix.com; xen-devel@lists.xen.org; jbeulich@suse.com;
> > samuel.thibault@ens-lyon.org; Daniel De Graaf
> > Subject: RE: [Xen-devel] [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
> >
> > On Thu, 22 Jan 2015, Xu, Quan wrote:
> > > > -----Original Message-----
> > > > From: xen-devel-bounces@lists.xen.org
> > > > [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Stefano
> > > > Stabellini
> > > > Sent: Wednesday, January 21, 2015 6:37 PM
> > > > To: Xu, Quan
> > > > Cc: keir@xen.org; ian.campbell@citrix.com;
> > > > stefano.stabellini@eu.citrix.com; tim@xen.org;
> > > > ian.jackson@eu.citrix.com; xen-devel@lists.xen.org;
> > > > jbeulich@suse.com; samuel.thibault@ens-lyon.org; Daniel De Graaf
> > > > Subject: Re: [Xen-devel] [PATCH v4 00/14] Enable vTPM subsystem on
> > > > TPM 2.0
> > > >
> > > > On Wed, 21 Jan 2015, Xu, Quan wrote:
> > > > > > -----Original Message-----
> > > > > > From: Daniel De Graaf [mailto:dgdegra@tycho.nsa.gov]
> > > > > > Sent: Wednesday, January 21, 2015 6:28 AM
> > > > > > To: Xu, Quan; xen-devel@lists.xen.org
> > > > > > Cc: ian.campbell@citrix.com; ian.jackson@eu.citrix.com;
> > > > > > jbeulich@suse.com; keir@xen.org; tim@xen.org;
> > > > > > stefano.stabellini@eu.citrix.com; samuel.thibault@ens-lyon.org
> > > > > > Subject: Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
> > > > > >
> > > > > > On 01/15/2015 04:21 AM, Quan Xu wrote:
> > > > > > > This series of patch enable the virtual Trusted Platform
> > > > > > > Module
> > > > > > > (vTPM) subsystem for Xen on TPM 2.0.
> > > > > > >
> > > > > > > Noted, functionality for a virtual guest operating system (a
> > > > > > > DomU) is still TPM 1.2. The main modifcation is on
> > > > > > > vtpmmgr-stubdom. The challenge is that TPM 2.0 is not backward
> > compatible with TPM 1.2.
> > > > > > >
> > > > > >
> > > > > > Updates from v3 all look good, all patches in this series:
> > > > > >
> > > > > > Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> > > > > >
> > > > > > PS: If you need to re-post this in the future, you should add
> > > > > > that line below the signed-off-by on the unchanged patches, so
> > > > > > that it is clear to the other Xen maintainers that only the
> > > > > > changed/new patches need
> > > > my review.
> > > > > >
> > > > > > --
> > > > >
> > > > > Many thanks.
> > > > > For example:
> > > > > Signed-off-by: Quan Xu <quan.xu@intel.com>
> > > > > Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Right?
> > > >
> > > > That is correct.
> > >
> > > Stefano, Thanks.
> > > Now this series of patch were Acked-by Daniel De Graaf
> > > <dgdegra@tycho.nsa.gov>. could you also Review them and give me some
> > comments or feedback? Thanks.
> >
> > I am not sure if I am really the right person to give you feedback on it.
> > But I do trust Daniel's opinion on it.
>
> Thanks Stefano.
> Now Wei Liu is splitting off mini-os to a separate tree, could I send out v5 with
> ..
> Signed-off-by: Quan Xu <quan.xu@intel.com>
> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> ..
> Then, Daniel can merge these serious of patch to * staging branch. Or try to send
> out the patches against the new mini-os tree.
>
> Correct me, If the process is wrong.
I don't think that Daniel has commit access to the tree. Also given that
all your patches have been acked, you might not have to wait for Wei to
finish off splitting mini-os.
Ian? Wei? How do you want to go about this?
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
2015-01-28 11:57 ` Stefano Stabellini
@ 2015-01-28 12:02 ` Ian Campbell
2015-01-28 12:11 ` Wei Liu
0 siblings, 1 reply; 30+ messages in thread
From: Ian Campbell @ 2015-01-28 12:02 UTC (permalink / raw)
To: Stefano Stabellini
Cc: keir, jbeulich, tim, ian.jackson, xen-devel, Xu, Quan,
samuel.thibault, Wei Liu, Daniel De Graaf
On Wed, 2015-01-28 at 11:57 +0000, Stefano Stabellini wrote:
> I don't think that Daniel has commit access to the tree. Also given that
> all your patches have been acked, you might not have to wait for Wei to
> finish off splitting mini-os.
>
> Ian? Wei? How do you want to go about this?
I think at some point we should declare the mini-os split "happening
now", at which point no more commits to mini-os in the tree while Wei
reruns the conversion/extraction process and we commit the associated
patches to xen.git.
But, I think right now we are still sorting out the details of the split
so we haven't reached that point yet and should continue to commit to
extras/mini-os as usual for the time being (while being mindful of not
making Wei's life harder at reconversion time).
Ian.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
2015-01-28 12:02 ` Ian Campbell
@ 2015-01-28 12:11 ` Wei Liu
0 siblings, 0 replies; 30+ messages in thread
From: Wei Liu @ 2015-01-28 12:11 UTC (permalink / raw)
To: Ian Campbell
Cc: keir, jbeulich, Stefano Stabellini, ian.jackson, tim, xen-devel,
Xu, Quan, samuel.thibault, Wei Liu, Daniel De Graaf
On Wed, Jan 28, 2015 at 12:02:38PM +0000, Ian Campbell wrote:
> On Wed, 2015-01-28 at 11:57 +0000, Stefano Stabellini wrote:
> > I don't think that Daniel has commit access to the tree. Also given that
> > all your patches have been acked, you might not have to wait for Wei to
> > finish off splitting mini-os.
> >
> > Ian? Wei? How do you want to go about this?
>
> I think at some point we should declare the mini-os split "happening
> now", at which point no more commits to mini-os in the tree while Wei
> reruns the conversion/extraction process and we commit the associated
> patches to xen.git.
>
> But, I think right now we are still sorting out the details of the split
> so we haven't reached that point yet and should continue to commit to
> extras/mini-os as usual for the time being (while being mindful of not
> making Wei's life harder at reconversion time).
>
I agree.
Wei.
> Ian.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
2015-01-20 22:27 ` Daniel De Graaf
2015-01-21 1:26 ` Xu, Quan
@ 2015-01-28 13:07 ` Ian Campbell
2015-01-28 14:09 ` Xu, Quan
1 sibling, 1 reply; 30+ messages in thread
From: Ian Campbell @ 2015-01-28 13:07 UTC (permalink / raw)
To: Daniel De Graaf
Cc: keir, Quan Xu, stefano.stabellini, ian.jackson, tim, xen-devel,
jbeulich, samuel.thibault
On Tue, 2015-01-20 at 17:27 -0500, Daniel De Graaf wrote:
> On 01/15/2015 04:21 AM, Quan Xu wrote:
> > This series of patch enable the virtual Trusted Platform Module (vTPM)
> > subsystem for Xen on TPM 2.0.
> >
> > Noted, functionality for a virtual guest operating system (a DomU) is still
> > TPM 1.2. The main modifcation is on vtpmmgr-stubdom. The challenge is that
> > TPM 2.0 is not backward compatible with TPM 1.2.
> >
>
> Updates from v3 all look good, all patches in this series:
>
> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
I've now applied the series with your ack.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
2015-01-28 13:07 ` Ian Campbell
@ 2015-01-28 14:09 ` Xu, Quan
0 siblings, 0 replies; 30+ messages in thread
From: Xu, Quan @ 2015-01-28 14:09 UTC (permalink / raw)
To: Ian Campbell, Daniel De Graaf, ian.jackson, jbeulich, keir, tim,
stefano.stabellini, samuel.thibault
Cc: xen-devel
> -----Original Message-----
> From: Ian Campbell [mailto:Ian.Campbell@citrix.com]
> Sent: Wednesday, January 28, 2015 9:07 PM
> To: Daniel De Graaf
> Cc: Xu, Quan; xen-devel@lists.xen.org; ian.jackson@eu.citrix.com;
> jbeulich@suse.com; keir@xen.org; tim@xen.org;
> stefano.stabellini@eu.citrix.com; samuel.thibault@ens-lyon.org
> Subject: Re: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0
>
> On Tue, 2015-01-20 at 17:27 -0500, Daniel De Graaf wrote:
> > On 01/15/2015 04:21 AM, Quan Xu wrote:
> > > This series of patch enable the virtual Trusted Platform Module
> > > (vTPM) subsystem for Xen on TPM 2.0.
> > >
> > > Noted, functionality for a virtual guest operating system (a DomU)
> > > is still TPM 1.2. The main modifcation is on vtpmmgr-stubdom. The
> > > challenge is that TPM 2.0 is not backward compatible with TPM 1.2.
> > >
> >
> > Updates from v3 all look good, all patches in this series:
> >
> > Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>
> I've now applied the series with your ack.
>
Thank you very much..
Intel
Quan Xu
^ permalink raw reply [flat|nested] 30+ messages in thread
end of thread, other threads:[~2015-01-28 14:09 UTC | newest]
Thread overview: 30+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-01-15 9:21 [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Quan Xu
2015-01-15 9:21 ` [PATCH v4 01/14] vTPM/TPM2: Add TPM 2.0 data structures and commands definition Quan Xu
2015-01-15 9:21 ` [PATCH v4 02/14] vTPM/TPM2: TPM 2.0 data structures marshal Quan Xu
2015-01-15 9:21 ` [PATCH v4 03/14] vTPM/TPM2: Add global data in vtpm_globals{} Quan Xu
2015-01-15 9:21 ` [PATCH v4 04/14] vTPM/TPM2: Add TPM 2.0 Exposed APIs Quan Xu
2015-01-15 9:21 ` [PATCH v4 05/14] vTPM/TPM2: TPM 2.0 takes ownership and create SRK Quan Xu
2015-01-15 9:21 ` [PATCH v4 06/14] vTPM/TPM2: Create and load SK on TPM 2.0 Quan Xu
2015-01-15 9:21 ` [PATCH v4 07/14] vTPM/TPM2: TPM2.0 TIS initialization and self test Quan Xu
2015-01-15 9:21 ` [PATCH v4 08/14] vTPM/TPM2: Add main entrance vtpmmgr2_init() Quan Xu
2015-01-15 9:21 ` [PATCH v4 09/14] vTPM/TPM2: Support 'tpm2' extra command line Quan Xu
2015-01-15 9:21 ` [PATCH v4 10/14] vTPM/TPM2: TPM 2.0 PCRs read Quan Xu
2015-01-15 9:21 ` [PATCH v4 11/14] vTPM/TPM2: Support TPM 2.0 bind and unbind data Quan Xu
2015-01-15 9:21 ` [PATCH v4 12/14] vTPM/TPM2: Bind group keys and sectors data on disk Quan Xu
2015-01-15 9:21 ` [PATCH v4 13/14] vTPM/TPM2: Unind " Quan Xu
2015-01-15 9:21 ` [PATCH v4 14/14] vTPM/TPM2: Record some infomation in docs/misc/vtpmmgr.txt about Quan Xu
2015-01-15 14:31 ` FW: [PATCH v4 00/14] Enable vTPM subsystem on TPM 2.0 Xu, Quan
2015-01-15 14:54 ` Wei Liu
2015-01-15 14:58 ` Xu, Quan
2015-01-20 22:27 ` Daniel De Graaf
2015-01-21 1:26 ` Xu, Quan
2015-01-21 10:36 ` Stefano Stabellini
2015-01-22 1:57 ` Xu, Quan
2015-01-27 15:48 ` Stefano Stabellini
2015-01-28 1:44 ` Xu, Quan
2015-01-28 11:07 ` Wei Liu
2015-01-28 11:57 ` Stefano Stabellini
2015-01-28 12:02 ` Ian Campbell
2015-01-28 12:11 ` Wei Liu
2015-01-28 13:07 ` Ian Campbell
2015-01-28 14:09 ` Xu, Quan
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.