| 1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. | 1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // Tpm - class for handling init TPM initialization for Chrome OS | 5 // Tpm - class for handling init TPM initialization for Chrome OS |
| 6 | 6 |
| 7 #include <base/lock.h> | 7 #include <base/lock.h> |
| 8 #include <base/logging.h> | 8 #include <base/logging.h> |
| 9 #include <base/scoped_ptr.h> | 9 #include <base/scoped_ptr.h> |
| 10 #include <chromeos/utility.h> | 10 #include <chromeos/utility.h> |
| (...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 54 // Returns whether or not the TPM is enabled. This method call returns a | 54 // Returns whether or not the TPM is enabled. This method call returns a |
| 55 // cached result because querying the TPM directly will block if ownership is | 55 // cached result because querying the TPM directly will block if ownership is |
| 56 // currently being taken (such as on a separate thread). | 56 // currently being taken (such as on a separate thread). |
| 57 bool IsEnabled() const { return !is_disabled_; } | 57 bool IsEnabled() const { return !is_disabled_; } |
| 58 | 58 |
| 59 // Returns whether or not the TPM is owned. This method call returns a cached | 59 // Returns whether or not the TPM is owned. This method call returns a cached |
| 60 // result because querying the TPM directly will block if ownership is | 60 // result because querying the TPM directly will block if ownership is |
| 61 // currently being taken (such as on a separate thread). | 61 // currently being taken (such as on a separate thread). |
| 62 bool IsOwned() const { return is_owned_; } | 62 bool IsOwned() const { return is_owned_; } |
| 63 | 63 |
| 64 // Returns whether or not the SRK is available |
| 65 bool IsSrkAvailable() const { return is_srk_available_; } |
| 66 |
| 64 // Runs the TPM initialization sequence. This may take a long time due to the | 67 // Runs the TPM initialization sequence. This may take a long time due to the |
| 65 // call to Tspi_TPM_TakeOwnership. | 68 // call to Tspi_TPM_TakeOwnership. |
| 66 bool InitializeTpm(); | 69 bool InitializeTpm(); |
| 67 | 70 |
| 68 private: | 71 private: |
| 69 // Attempts to connect to tcsd | 72 // Attempts to connect to tcsd |
| 70 // | 73 // |
| 71 // Parameters | 74 // Parameters |
| 72 // context_handle (OUT) - The context handle to the session on success | 75 // context_handle (OUT) - The context handle to the session on success |
| 73 bool OpenAndConnectTpm(TSS_HCONTEXT* context_handle); | 76 bool OpenAndConnectTpm(TSS_HCONTEXT* context_handle); |
| 74 | 77 |
| 75 // Returns the maximum simultaneously-loaded RSA key count for the TPM | 78 // Returns the maximum simultaneously-loaded RSA key count for the TPM |
| 76 // specified by the context handle | 79 // specified by the context handle |
| 77 // | 80 // |
| 78 // Parameters | 81 // Parameters |
| 79 // context_handle - The context handle for the TPM session | 82 // context_handle - The context handle for the TPM session |
| 80 int GetMaxRsaKeyCountForContext(TSS_HCONTEXT context_handle); | 83 int GetMaxRsaKeyCountForContext(TSS_HCONTEXT context_handle); |
| 81 | 84 |
| 82 // Returns whether or not the TPM is disabled by checking a flag in the TPM's | 85 // Returns whether or not the TPM is disabled by checking a flag in the TPM's |
| 83 // entry in /sys/class/misc | 86 // entry in /sys/class/misc |
| 84 bool IsDisabledCheckViaSysfs(); | 87 bool IsDisabledCheckViaSysfs(); |
| 85 | 88 |
| 86 // Returns whether or not the TPM is owned by checking a flag in the TPM's | 89 // Returns whether or not the TPM is owned by checking a flag in the TPM's |
| 87 // entry in /sys/class/misc | 90 // entry in /sys/class/misc |
| 88 bool IsOwnedCheckViaSysfs(); | 91 bool IsOwnedCheckViaSysfs(); |
| 89 | 92 |
| 90 // Returns whether or not the TPM is disabled using a call to | 93 // Returns whether or not the TPM is enabled and owned using a call to |
| 91 // Tspi_TPM_GetCapability | 94 // Tspi_TPM_GetCapability |
| 92 // | 95 // |
| 93 // Parameters | 96 // Parameters |
| 94 // context_handle - The context handle for the TPM session | 97 // context_handle - The context handle for the TPM session |
| 95 bool IsDisabledCheckViaContext(TSS_HCONTEXT context_handle); | 98 // enabled (OUT) - Whether the TPM is enabled |
| 96 | 99 // owned (OUT) - Whether the TPM is owned |
| 97 // Returns whether or not the TPM is owned using a call to | 100 void IsEnabledOwnedCheckViaContext(TSS_HCONTEXT context_handle, |
| 98 // Tspi_TPM_GetCapability | 101 bool* enabled, bool* owned); |
| 99 // | |
| 100 // Parameters | |
| 101 // context_handle - The context handle for the TPM session | |
| 102 bool IsOwnedCheckViaContext(TSS_HCONTEXT context_handle); | |
| 103 | 102 |
| 104 // Attempts to create the endorsement key in the TPM | 103 // Attempts to create the endorsement key in the TPM |
| 105 // | 104 // |
| 106 // Parameters | 105 // Parameters |
| 107 // context_handle - The context handle for the TPM session | 106 // context_handle - The context handle for the TPM session |
| 108 bool CreateEndorsementKey(TSS_HCONTEXT context_handle); | 107 bool CreateEndorsementKey(TSS_HCONTEXT context_handle); |
| 109 | 108 |
| 110 // Checks to see if the endorsement key is available by attempting to get its | 109 // Checks to see if the endorsement key is available by attempting to get its |
| 111 // public key | 110 // public key |
| 112 // | 111 // |
| 113 // Parameters | 112 // Parameters |
| 114 // context_handle - The context handle for the TPM session | 113 // context_handle - The context handle for the TPM session |
| 115 bool IsEndorsementKeyAvailable(TSS_HCONTEXT context_handle); | 114 bool IsEndorsementKeyAvailable(TSS_HCONTEXT context_handle); |
| 116 | 115 |
| 117 // Creates a random owner password | 116 // Creates a random owner password |
| 118 // | 117 // |
| 119 // Parameters | 118 // Parameters |
| 120 // password (OUT) - the generated password | 119 // password (OUT) - the generated password |
| 121 void CreateOwnerPassword(SecureBlob* password); | 120 void CreateOwnerPassword(SecureBlob* password); |
| 122 | 121 |
| 123 // Attempts to take ownership of the TPM | 122 // Attempts to take ownership of the TPM |
| 124 // | 123 // |
| 125 // Parameters | 124 // Parameters |
| 126 // context_handle - The context handle for the TPM session | 125 // context_handle - The context handle for the TPM session |
| 127 // max_timeout_tries - The maximum number of attempts to make if the call | 126 // max_timeout_tries - The maximum number of attempts to make if the call |
| 128 // times out, which it may occasionally do | 127 // times out, which it may occasionally do |
| 129 bool TakeOwnership(TSS_HCONTEXT context_handle, int max_timeout_tries); | 128 bool TakeOwnership(TSS_HCONTEXT context_handle, int max_timeout_tries, |
| 129 const SecureBlob& owner_password); |
| 130 | 130 |
| 131 // Zeros the SRK password (sets it to an empty string) | 131 // Zeros the SRK password (sets it to an empty string) |
| 132 // | 132 // |
| 133 // Parameters | 133 // Parameters |
| 134 // context_handle - The context handle for the TPM session | 134 // context_handle - The context handle for the TPM session |
| 135 // owner_password - The owner password for the TPM | 135 // owner_password - The owner password for the TPM |
| 136 bool ZeroSrkPassword(TSS_HCONTEXT context_handle, | 136 bool ZeroSrkPassword(TSS_HCONTEXT context_handle, |
| 137 const SecureBlob& owner_password); | 137 const SecureBlob& owner_password); |
| 138 | 138 |
| 139 // Removes usage restrictions on the SRK | 139 // Removes usage restrictions on the SRK |
| 140 // | 140 // |
| 141 // Parameters | 141 // Parameters |
| 142 // context_handle - The context handle for the TPM session | 142 // context_handle - The context handle for the TPM session |
| 143 // owner_password - The owner password for the TPM | 143 // owner_password - The owner password for the TPM |
| 144 bool UnrestrictSrk(TSS_HCONTEXT context_handle, | 144 bool UnrestrictSrk(TSS_HCONTEXT context_handle, |
| 145 const SecureBlob& owner_password); | 145 const SecureBlob& owner_password); |
| 146 | 146 |
| 147 // Changes the owner password |
| 148 // |
| 149 // Parameters |
| 150 // context_handle - The context handle for the TPM session |
| 151 // previous_owner_password - The previous owner password for the TPM |
| 152 // owner_password - The owner password for the TPM |
| 153 bool ChangeOwnerPassword(TSS_HCONTEXT context_handle, |
| 154 const SecureBlob& previous_owner_password, |
| 155 const SecureBlob& owner_password); |
| 156 |
| 147 // Gets a handle to the TPM from the specified context | 157 // Gets a handle to the TPM from the specified context |
| 148 // | 158 // |
| 149 // Parameters | 159 // Parameters |
| 150 // context_handle - The context handle for the TPM session | 160 // context_handle - The context handle for the TPM session |
| 151 // tpm_handle (OUT) - The handle for the TPM on success | 161 // tpm_handle (OUT) - The handle for the TPM on success |
| 152 bool GetTpm(TSS_HCONTEXT context_handle, TSS_HTPM* tpm_handle); | 162 bool GetTpm(TSS_HCONTEXT context_handle, TSS_HTPM* tpm_handle); |
| 153 | 163 |
| 154 // Gets a handle to the TPM from the specified context with the given owner | 164 // Gets a handle to the TPM from the specified context with the given owner |
| 155 // password | 165 // password |
| 156 // | 166 // |
| 157 // Parameters | 167 // Parameters |
| 158 // context_handle - The context handle for the TPM session | 168 // context_handle - The context handle for the TPM session |
| 159 // owner_password - The owner password to use when getting the handle | 169 // owner_password - The owner password to use when getting the handle |
| 160 // tpm_handle (OUT) - The handle for the TPM on success | 170 // tpm_handle (OUT) - The handle for the TPM on success |
| 161 bool GetTpmWithAuth(TSS_HCONTEXT context_handle, | 171 bool GetTpmWithAuth(TSS_HCONTEXT context_handle, |
| 162 const SecureBlob& owner_password, | 172 const SecureBlob& owner_password, |
| 163 TSS_HTPM* tpm_handle); | 173 TSS_HTPM* tpm_handle); |
| 164 | 174 |
| 175 // Test the TPM auth by calling Tspi_TPM_GetStatus |
| 176 // |
| 177 // Parameters |
| 178 // tpm_handle = The TPM handle |
| 179 bool TestTpmAuth(TSS_HTPM tpm_handle); |
| 180 |
| 165 // The context handle for this TPM session | 181 // The context handle for this TPM session |
| 166 TSS_HCONTEXT context_handle_; | 182 TSS_HCONTEXT context_handle_; |
| 167 | 183 |
| 168 // The default Crypto instance to use (for generating the random owner | 184 // The default Crypto instance to use (for generating the random owner |
| 169 // password) | 185 // password) |
| 170 scoped_ptr<Crypto> default_crypto_; | 186 scoped_ptr<Crypto> default_crypto_; |
| 171 | 187 |
| 172 // The actual Crypto instance to use | 188 // The actual Crypto instance to use |
| 173 Crypto* crypto_; | 189 Crypto* crypto_; |
| 174 | 190 |
| 175 // If TPM ownership is taken, owner_password_ contains the password used | 191 // If TPM ownership is taken, owner_password_ contains the password used |
| 176 SecureBlob owner_password_; | 192 SecureBlob owner_password_; |
| 177 | 193 |
| 178 // Used to provide thread-safe access to owner_password_, as it is set in the | 194 // Used to provide thread-safe access to owner_password_, as it is set in the |
| 179 // initialization background thread. | 195 // initialization background thread. |
| 180 Lock password_sync_lock_; | 196 Lock password_sync_lock_; |
| 181 | 197 |
| 182 // Indicates if the TPM is disabled | 198 // Indicates if the TPM is disabled |
| 183 bool is_disabled_; | 199 bool is_disabled_; |
| 184 | 200 |
| 185 // Indicates if the TPM is owned | 201 // Indicates if the TPM is owned |
| 186 bool is_owned_; | 202 bool is_owned_; |
| 187 | 203 |
| 204 // Indicates if the SRK is available |
| 205 bool is_srk_available_; |
| 206 |
| 188 DISALLOW_COPY_AND_ASSIGN(Tpm); | 207 DISALLOW_COPY_AND_ASSIGN(Tpm); |
| 189 }; | 208 }; |
| 190 | 209 |
| 191 } // namespace tpm_init | 210 } // namespace tpm_init |
| 192 | 211 |
| 193 #endif // TPM_INIT_TPM_H_ | 212 #endif // TPM_INIT_TPM_H_ |
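Review bot: `void IsEnabledOwnedCheckViaContext(TSS_HCONTEXT context_handle, bool* enabled, bool* owned)` (new lines 100-101) drops the `bool` result that the two `...CheckViaContext` methods it replaces returned, so a caller can no longer tell a failed Tspi_TPM_GetCapability query from a TPM that is genuinely disabled or unowned, and the header does not say what `*enabled`/`*owned` hold when the query fails; returning `bool` and documenting it as `// Returns false if the capability query fails; the OUT parameters are left unchanged in that case` keeps the initialization sequence from acting on an unanswered query. The new `owner_password` parameter of `TakeOwnership` (new line 129) is missing from its Parameters block; add `//   owner_password - The owner password to use when taking ownership` below the `max_timeout_tries` entry. In `TestTpmAuth` the parameter line uses `=` where every other block uses `-`; it should read `//   tpm_handle - The TPM handle`. `IsSrkAvailable()` omits the cached-result caveat that `IsEnabled()` and `IsOwned()` carry, and `is_srk_available_`, like the other status flags, appears to be written from the initialization thread without `password_sync_lock_` — a comment confirming that is intended would help. The `Tpm` class declaration begins before the skipped region and so outside this section.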