OLD | NEW |
1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. | 1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // Tpm - class for handling init TPM initialization for Chrome OS | 5 // Tpm - class for handling init TPM initialization for Chrome OS |
6 | 6 |
7 #include <base/lock.h> | 7 #include <base/lock.h> |
8 #include <base/logging.h> | 8 #include <base/logging.h> |
9 #include <base/scoped_ptr.h> | 9 #include <base/scoped_ptr.h> |
10 #include <chromeos/utility.h> | 10 #include <chromeos/utility.h> |
(...skipping 43 matching lines...)
54 // Returns whether or not the TPM is enabled. This method call returns a | 54 // Returns whether or not the TPM is enabled. This method call returns a |
55 // cached result because querying the TPM directly will block if ownership is | 55 // cached result because querying the TPM directly will block if ownership is |
56 // currently being taken (such as on a separate thread). | 56 // currently being taken (such as on a separate thread). |
57 bool IsEnabled() const { return !is_disabled_; } | 57 bool IsEnabled() const { return !is_disabled_; } |
58 | 58 |
59 // Returns whether or not the TPM is owned. This method call returns a cached | 59 // Returns whether or not the TPM is owned. This method call returns a cached |
60 // result because querying the TPM directly will block if ownership is | 60 // result because querying the TPM directly will block if ownership is |
61 // currently being taken (such as on a separate thread). | 61 // currently being taken (such as on a separate thread). |
62 bool IsOwned() const { return is_owned_; } | 62 bool IsOwned() const { return is_owned_; } |
63 | 63 |
| 64 // Returns whether or not the SRK is available |
| 65 bool IsSrkAvailable() const { return is_srk_available_; } |
| 66 |
64 // Runs the TPM initialization sequence. This may take a long time due to the | 67 // Runs the TPM initialization sequence. This may take a long time due to the |
65 // call to Tspi_TPM_TakeOwnership. | 68 // call to Tspi_TPM_TakeOwnership. |
66 bool InitializeTpm(); | 69 bool InitializeTpm(); |
67 | 70 |
68 private: | 71 private: |
69 // Attempts to connect to tcsd | 72 // Attempts to connect to tcsd |
70 // | 73 // |
71 // Parameters | 74 // Parameters |
72 // context_handle (OUT) - The context handle to the session on success | 75 // context_handle (OUT) - The context handle to the session on success |
73 bool OpenAndConnectTpm(TSS_HCONTEXT* context_handle); | 76 bool OpenAndConnectTpm(TSS_HCONTEXT* context_handle); |
74 | 77 |
75 // Returns the maximum simultaneously-loaded RSA key count for the TPM | 78 // Returns the maximum simultaneously-loaded RSA key count for the TPM |
76 // specified by the context handle | 79 // specified by the context handle |
77 // | 80 // |
78 // Parameters | 81 // Parameters |
79 // context_handle - The context handle for the TPM session | 82 // context_handle - The context handle for the TPM session |
80 int GetMaxRsaKeyCountForContext(TSS_HCONTEXT context_handle); | 83 int GetMaxRsaKeyCountForContext(TSS_HCONTEXT context_handle); |
81 | 84 |
82 // Returns whether or not the TPM is disabled by checking a flag in the TPM's | 85 // Returns whether or not the TPM is disabled by checking a flag in the TPM's |
83 // entry in /sys/class/misc | 86 // entry in /sys/class/misc |
84 bool IsDisabledCheckViaSysfs(); | 87 bool IsDisabledCheckViaSysfs(); |
85 | 88 |
86 // Returns whether or not the TPM is owned by checking a flag in the TPM's | 89 // Returns whether or not the TPM is owned by checking a flag in the TPM's |
87 // entry in /sys/class/misc | 90 // entry in /sys/class/misc |
88 bool IsOwnedCheckViaSysfs(); | 91 bool IsOwnedCheckViaSysfs(); |
89 | 92 |
90 // Returns whether or not the TPM is disabled using a call to | 93 // Returns whether or not the TPM is enabled and owned using a call to |
91 // Tspi_TPM_GetCapability | 94 // Tspi_TPM_GetCapability |
92 // | 95 // |
93 // Parameters | 96 // Parameters |
94 // context_handle - The context handle for the TPM session | 97 // context_handle - The context handle for the TPM session |
95 bool IsDisabledCheckViaContext(TSS_HCONTEXT context_handle); | 98 // enabled (OUT) - Whether the TPM is enabled |
96 | 99 // owned (OUT) - Whether the TPM is owned |
97 // Returns whether or not the TPM is owned using a call to | 100 void IsEnabledOwnedCheckViaContext(TSS_HCONTEXT context_handle, |
98 // Tspi_TPM_GetCapability | 101 bool* enabled, bool* owned); |
99 // | |
100 // Parameters | |
101 // context_handle - The context handle for the TPM session | |
102 bool IsOwnedCheckViaContext(TSS_HCONTEXT context_handle); | |
103 | 102 |
104 // Attempts to create the endorsement key in the TPM | 103 // Attempts to create the endorsement key in the TPM |
105 // | 104 // |
106 // Parameters | 105 // Parameters |
107 // context_handle - The context handle for the TPM session | 106 // context_handle - The context handle for the TPM session |
108 bool CreateEndorsementKey(TSS_HCONTEXT context_handle); | 107 bool CreateEndorsementKey(TSS_HCONTEXT context_handle); |
109 | 108 |
110 // Checks to see if the endorsement key is available by attempting to get its | 109 // Checks to see if the endorsement key is available by attempting to get its |
111 // public key | 110 // public key |
112 // | 111 // |
113 // Parameters | 112 // Parameters |
114 // context_handle - The context handle for the TPM session | 113 // context_handle - The context handle for the TPM session |
115 bool IsEndorsementKeyAvailable(TSS_HCONTEXT context_handle); | 114 bool IsEndorsementKeyAvailable(TSS_HCONTEXT context_handle); |
116 | 115 |
117 // Creates a random owner password | 116 // Creates a random owner password |
118 // | 117 // |
119 // Parameters | 118 // Parameters |
120 // password (OUT) - the generated password | 119 // password (OUT) - the generated password |
121 void CreateOwnerPassword(SecureBlob* password); | 120 void CreateOwnerPassword(SecureBlob* password); |
122 | 121 |
123 // Attempts to take ownership of the TPM | 122 // Attempts to take ownership of the TPM |
124 // | 123 // |
125 // Parameters | 124 // Parameters |
126 // context_handle - The context handle for the TPM session | 125 // context_handle - The context handle for the TPM session |
127 // max_timeout_tries - The maximum number of attempts to make if the call | 126 // max_timeout_tries - The maximum number of attempts to make if the call |
128 // times out, which it may occasionally do | 127 // times out, which it may occasionally do |
129 bool TakeOwnership(TSS_HCONTEXT context_handle, int max_timeout_tries); | 128 bool TakeOwnership(TSS_HCONTEXT context_handle, int max_timeout_tries, |
| 129 const SecureBlob& owner_password); |
130 | 130 |
131 // Zeros the SRK password (sets it to an empty string) | 131 // Zeros the SRK password (sets it to an empty string) |
132 // | 132 // |
133 // Parameters | 133 // Parameters |
134 // context_handle - The context handle for the TPM session | 134 // context_handle - The context handle for the TPM session |
135 // owner_password - The owner password for the TPM | 135 // owner_password - The owner password for the TPM |
136 bool ZeroSrkPassword(TSS_HCONTEXT context_handle, | 136 bool ZeroSrkPassword(TSS_HCONTEXT context_handle, |
137 const SecureBlob& owner_password); | 137 const SecureBlob& owner_password); |
138 | 138 |
139 // Removes usage restrictions on the SRK | 139 // Removes usage restrictions on the SRK |
140 // | 140 // |
141 // Parameters | 141 // Parameters |
142 // context_handle - The context handle for the TPM session | 142 // context_handle - The context handle for the TPM session |
143 // owner_password - The owner password for the TPM | 143 // owner_password - The owner password for the TPM |
144 bool UnrestrictSrk(TSS_HCONTEXT context_handle, | 144 bool UnrestrictSrk(TSS_HCONTEXT context_handle, |
145 const SecureBlob& owner_password); | 145 const SecureBlob& owner_password); |
146 | 146 |
| 147 // Changes the owner password |
| 148 // |
| 149 // Parameters |
| 150 // context_handle - The context handle for the TPM session |
| 151 // previous_owner_password - The previous owner password for the TPM |
| 152 // owner_password - The owner password for the TPM |
| 153 bool ChangeOwnerPassword(TSS_HCONTEXT context_handle, |
| 154 const SecureBlob& previous_owner_password, |
| 155 const SecureBlob& owner_password); |
| 156 |
147 // Gets a handle to the TPM from the specified context | 157 // Gets a handle to the TPM from the specified context |
148 // | 158 // |
149 // Parameters | 159 // Parameters |
150 // context_handle - The context handle for the TPM session | 160 // context_handle - The context handle for the TPM session |
151 // tpm_handle (OUT) - The handle for the TPM on success | 161 // tpm_handle (OUT) - The handle for the TPM on success |
152 bool GetTpm(TSS_HCONTEXT context_handle, TSS_HTPM* tpm_handle); | 162 bool GetTpm(TSS_HCONTEXT context_handle, TSS_HTPM* tpm_handle); |
153 | 163 |
154 // Gets a handle to the TPM from the specified context with the given owner | 164 // Gets a handle to the TPM from the specified context with the given owner |
155 // password | 165 // password |
156 // | 166 // |
157 // Parameters | 167 // Parameters |
158 // context_handle - The context handle for the TPM session | 168 // context_handle - The context handle for the TPM session |
159 // owner_password - The owner password to use when getting the handle | 169 // owner_password - The owner password to use when getting the handle |
160 // tpm_handle (OUT) - The handle for the TPM on success | 170 // tpm_handle (OUT) - The handle for the TPM on success |
161 bool GetTpmWithAuth(TSS_HCONTEXT context_handle, | 171 bool GetTpmWithAuth(TSS_HCONTEXT context_handle, |
162 const SecureBlob& owner_password, | 172 const SecureBlob& owner_password, |
163 TSS_HTPM* tpm_handle); | 173 TSS_HTPM* tpm_handle); |
164 | 174 |
| 175 // Test the TPM auth by calling Tspi_TPM_GetStatus |
| 176 // |
| 177 // Parameters |
| 178 // tpm_handle = The TPM handle |
| 179 bool TestTpmAuth(TSS_HTPM tpm_handle); |
| 180 |
165 // The context handle for this TPM session | 181 // The context handle for this TPM session |
166 TSS_HCONTEXT context_handle_; | 182 TSS_HCONTEXT context_handle_; |
167 | 183 |
168 // The default Crypto instance to use (for generating the random owner | 184 // The default Crypto instance to use (for generating the random owner |
169 // password) | 185 // password) |
170 scoped_ptr<Crypto> default_crypto_; | 186 scoped_ptr<Crypto> default_crypto_; |
171 | 187 |
172 // The actual Crypto instance to use | 188 // The actual Crypto instance to use |
173 Crypto* crypto_; | 189 Crypto* crypto_; |
174 | 190 |
175 // If TPM ownership is taken, owner_password_ contains the password used | 191 // If TPM ownership is taken, owner_password_ contains the password used |
176 SecureBlob owner_password_; | 192 SecureBlob owner_password_; |
177 | 193 |
178 // Used to provide thread-safe access to owner_password_, as it is set in the | 194 // Used to provide thread-safe access to owner_password_, as it is set in the |
179 // initialization background thread. | 195 // initialization background thread. |
180 Lock password_sync_lock_; | 196 Lock password_sync_lock_; |
181 | 197 |
182 // Indicates if the TPM is disabled | 198 // Indicates if the TPM is disabled |
183 bool is_disabled_; | 199 bool is_disabled_; |
184 | 200 |
185 // Indicates if the TPM is owned | 201 // Indicates if the TPM is owned |
186 bool is_owned_; | 202 bool is_owned_; |
187 | 203 |
| 204 // Indicates if the SRK is available |
| 205 bool is_srk_available_; |
| 206 |
188 DISALLOW_COPY_AND_ASSIGN(Tpm); | 207 DISALLOW_COPY_AND_ASSIGN(Tpm); |
189 }; | 208 }; |
190 | 209 |
191 } // namespace tpm_init | 210 } // namespace tpm_init |
192 | 211 |
193 #endif // TPM_INIT_TPM_H_ | 212 #endif // TPM_INIT_TPM_H_ |
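Review bot: `IsEnabledOwnedCheckViaContext` (new lines 93-101) returns `void`, so a caller cannot tell a failed Tspi_TPM_GetCapability query apart from a TPM that really is disabled or unowned, and the comment does not say what `*enabled` and `*owned` hold when the query fails. The implementation is not in this header, but if these outputs feed the decision to take ownership, an ambiguous result is worth closing off: return the query status, e.g. `bool IsEnabledOwnedCheckViaContext(TSS_HCONTEXT context_handle, bool* enabled, bool* owned);`, and document the values written to both outputs on failure. Separately, the `TakeOwnership` comment (new lines 122-129) was not updated for the added `owner_password` parameter; add a line such as `//   owner_password - The owner password to use when taking ownership` after confirming the usage in the .cc. `IsSrkAvailable()` returns a plain `bool` that, like `is_owned_`, is presumably written by the initialization thread while `password_sync_lock_` is documented as covering only `owner_password_`, so its comment should state that the value is a cached result and which thread updates it.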