OLD | NEW |
(Empty) | |
| 1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 // Tpm - class for handling init TPM initialization for Chrome OS |
| 6 |
| 7 #include <base/lock.h> |
| 8 #include <base/logging.h> |
| 9 #include <base/scoped_ptr.h> |
| 10 #include <chromeos/utility.h> |
| 11 #include <trousers/tss.h> |
| 12 #include <trousers/trousers.h> |
| 13 |
| 14 #include "crypto.h" |
| 15 #include "secure_blob.h" |
| 16 |
| 17 #ifndef TPM_INIT_TPM_H_ |
| 18 #define TPM_INIT_TPM_H_ |
| 19 |
| 20 namespace tpm_init { |
| 21 |
| 22 class Tpm { |
| 23 public: |
| 24 |
| 25 // Default constructor |
| 26 Tpm(); |
| 27 |
| 28 virtual ~Tpm(); |
| 29 |
| 30 // Initializes the Tpm instance |
| 31 // |
| 32 // Parameters |
| 33 virtual bool Init(); |
| 34 |
| 35 // Tries to connect to the TPM |
| 36 virtual bool Connect(); |
| 37 |
| 38 // Returns true if this instance is connected to the TPM |
| 39 virtual bool IsConnected(); |
| 40 |
| 41 // Disconnects from the TPM |
| 42 virtual void Disconnect(); |
| 43 |
| 44 // Returns the number of simultaneously-loaded RSA keys that this TPM supports |
| 45 int GetMaxRsaKeyCount(); |
| 46 |
| 47 // Returns the owner password if this instance was used to take ownership. |
| 48 // This will only occur when the TPM is unowned, which will be on OOBE |
| 49 // |
| 50 // Parameters |
| 51 // owner_password (OUT) - The random owner password used |
| 52 bool GetOwnerPassword(chromeos::Blob* owner_password); |
| 53 |
| 54 // Returns whether or not the TPM is enabled. This method call returns a |
| 55 // cached result because querying the TPM directly will block if ownership is |
| 56 // currently being taken (such as on a separate thread). |
| 57 bool IsEnabled() const { return !is_disabled_; } |
| 58 |
| 59 // Returns whether or not the TPM is owned. This method call returns a cached |
| 60 // result because querying the TPM directly will block if ownership is |
| 61 // currently being taken (such as on a separate thread). |
| 62 bool IsOwned() const { return is_owned_; } |
| 63 |
| 64 // Runs the TPM initialization sequence. This may take a long time due to the |
| 65 // call to Tspi_TPM_TakeOwnership. |
| 66 bool InitializeTpm(); |
| 67 |
| 68 private: |
| 69 // Attempts to connect to tcsd |
| 70 // |
| 71 // Parameters |
| 72 // context_handle (OUT) - The context handle to the session on success |
| 73 bool OpenAndConnectTpm(TSS_HCONTEXT* context_handle); |
| 74 |
| 75 // Returns the maximum simultaneously-loaded RSA key count for the TPM |
| 76 // specified by the context handle |
| 77 // |
| 78 // Parameters |
| 79 // context_handle - The context handle for the TPM session |
| 80 int GetMaxRsaKeyCountForContext(TSS_HCONTEXT context_handle); |
| 81 |
| 82 // Returns whether or not the TPM is disabled by checking a flag in the TPM's |
| 83 // entry in /sys/class/misc |
| 84 bool IsDisabledCheckViaSysfs(); |
| 85 |
| 86 // Returns whether or not the TPM is owned by checking a flag in the TPM's |
| 87 // entry in /sys/class/misc |
| 88 bool IsOwnedCheckViaSysfs(); |
| 89 |
| 90 // Returns whether or not the TPM is disabled using a call to |
| 91 // Tspi_TPM_GetCapability |
| 92 // |
| 93 // Parameters |
| 94 // context_handle - The context handle for the TPM session |
| 95 bool IsDisabledCheckViaContext(TSS_HCONTEXT context_handle); |
| 96 |
| 97 // Returns whether or not the TPM is owned using a call to |
| 98 // Tspi_TPM_GetCapability |
| 99 // |
| 100 // Parameters |
| 101 // context_handle - The context handle for the TPM session |
| 102 bool IsOwnedCheckViaContext(TSS_HCONTEXT context_handle); |
| 103 |
| 104 // Attempts to create the endorsement key in the TPM |
| 105 // |
| 106 // Parameters |
| 107 // context_handle - The context handle for the TPM session |
| 108 bool CreateEndorsementKey(TSS_HCONTEXT context_handle); |
| 109 |
| 110 // Checks to see if the endorsement key is available by attempting to get its |
| 111 // public key |
| 112 // |
| 113 // Parameters |
| 114 // context_handle - The context handle for the TPM session |
| 115 bool IsEndorsementKeyAvailable(TSS_HCONTEXT context_handle); |
| 116 |
| 117 // Creates a random owner password |
| 118 // |
| 119 // Parameters |
| 120 // password (OUT) - the generated password |
| 121 void CreateOwnerPassword(SecureBlob* password); |
| 122 |
| 123 // Attempts to take ownership of the TPM |
| 124 // |
| 125 // Parameters |
| 126 // context_handle - The context handle for the TPM session |
| 127 // max_timeout_tries - The maximum number of attempts to make if the call |
| 128 // times out, which it may occasionally do |
| 129 bool TakeOwnership(TSS_HCONTEXT context_handle, int max_timeout_tries); |
| 130 |
| 131 // Zeros the SRK password (sets it to an empty string) |
| 132 // |
| 133 // Parameters |
| 134 // context_handle - The context handle for the TPM session |
| 135 // owner_password - The owner password for the TPM |
| 136 bool ZeroSrkPassword(TSS_HCONTEXT context_handle, |
| 137 const SecureBlob& owner_password); |
| 138 |
| 139 // Removes usage restrictions on the SRK |
| 140 // |
| 141 // Parameters |
| 142 // context_handle - The context handle for the TPM session |
| 143 // owner_password - The owner password for the TPM |
| 144 bool UnrestrictSrk(TSS_HCONTEXT context_handle, |
| 145 const SecureBlob& owner_password); |
| 146 |
| 147 // Gets a handle to the TPM from the specified context |
| 148 // |
| 149 // Parameters |
| 150 // context_handle - The context handle for the TPM session |
| 151 // tpm_handle (OUT) - The handle for the TPM on success |
| 152 bool GetTpm(TSS_HCONTEXT context_handle, TSS_HTPM* tpm_handle); |
| 153 |
| 154 // Gets a handle to the TPM from the specified context with the given owner |
| 155 // password |
| 156 // |
| 157 // Parameters |
| 158 // context_handle - The context handle for the TPM session |
| 159 // owner_password - The owner password to use when getting the handle |
| 160 // tpm_handle (OUT) - The handle for the TPM on success |
| 161 bool GetTpmWithAuth(TSS_HCONTEXT context_handle, |
| 162 const SecureBlob& owner_password, |
| 163 TSS_HTPM* tpm_handle); |
| 164 |
| 165 // The context handle for this TPM session |
| 166 TSS_HCONTEXT context_handle_; |
| 167 |
| 168 // The default Crypto instance to use (for generating the random owner |
| 169 // password) |
| 170 scoped_ptr<Crypto> default_crypto_; |
| 171 |
| 172 // The actual Crypto instance to use |
| 173 Crypto* crypto_; |
| 174 |
| 175 // If TPM ownership is taken, owner_password_ contains the password used |
| 176 SecureBlob owner_password_; |
| 177 |
| 178 // Used to provide thread-safe access to owner_password_, as it is set in the |
| 179 // initialization background thread. |
| 180 Lock password_sync_lock_; |
| 181 |
| 182 // Indicates if the TPM is disabled |
| 183 bool is_disabled_; |
| 184 |
| 185 // Indicates if the TPM is owned |
| 186 bool is_owned_; |
| 187 |
| 188 DISALLOW_COPY_AND_ASSIGN(Tpm); |
| 189 }; |
| 190 |
| 191 } // namespace tpm_init |
| 192 |
| 193 #endif // TPM_INIT_TPM_H_ |
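Review bot: `GetOwnerPassword(chromeos::Blob* owner_password)` returns the TPM owner password in a plain `chromeos::Blob`, while the `owner_password_` member and every private method that handles the password use `SecureBlob`. If `SecureBlob` (declared in secure_blob.h, which is not shown on this page) wipes its storage on destruction, that protection is lost at the public boundary. I would declare it as `bool GetOwnerPassword(SecureBlob* owner_password);`, and have its comment state when it returns false and that the caller should clear its copy after use. Separately, the inline `IsEnabled()` and `IsOwned()` read `is_disabled_` and `is_owned_` without a lock, although their comments say ownership may be taken on another thread and `password_sync_lock_` is documented as covering only `owner_password_`. The implementation file is not part of this page, so confirm that those writes are synchronized, or document why an unsynchronized read is acceptable.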