OLD | NEW |
1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. | 1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // Contains the implementation of class Tpm | 5 // Contains the implementation of class Tpm |
6 | 6 |
7 #include "tpm.h" | 7 #include "tpm.h" |
8 | 8 |
9 #include <base/file_util.h> | 9 #include <base/file_util.h> |
10 #include <base/platform_thread.h> | 10 #include <base/platform_thread.h> |
(...skipping 16 matching lines...) Expand all Loading... |
27 const char kTpmWellKnownPassword[] = TSS_WELL_KNOWN_SECRET; | 27 const char kTpmWellKnownPassword[] = TSS_WELL_KNOWN_SECRET; |
28 | 28 |
29 Tpm::Tpm() | 29 Tpm::Tpm() |
30 : context_handle_(0), | 30 : context_handle_(0), |
31 default_crypto_(new Crypto()), | 31 default_crypto_(new Crypto()), |
32 crypto_(default_crypto_.get()), | 32 crypto_(default_crypto_.get()), |
33 owner_password_(), | 33 owner_password_(), |
34 password_sync_lock_(), | 34 password_sync_lock_(), |
35 is_disabled_(true), | 35 is_disabled_(true), |
36 is_owned_(false), | 36 is_owned_(false), |
37 is_srk_available_(false) { | 37 is_srk_available_(false), |
| 38 is_being_owned_(false) { |
38 } | 39 } |
39 | 40 |
40 Tpm::~Tpm() { | 41 Tpm::~Tpm() { |
41 Disconnect(); | 42 Disconnect(); |
42 } | 43 } |
43 | 44 |
44 bool Tpm::Init() { | 45 bool Tpm::Init() { |
45 // Checking disabled and owned either via sysfs or via TSS calls will block if | 46 // Checking disabled and owned either via sysfs or via TSS calls will block if |
46 // ownership is being taken by another thread or process. So for this to work | 47 // ownership is being taken by another thread or process. So for this to work |
47 // well, Tpm::Init() needs to be called before InitializeTpm() is called. At | 48 // well, Tpm::Init() needs to be called before InitializeTpm() is called. At |
(...skipping 460 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
508 if (is_disabled_) { | 509 if (is_disabled_) { |
509 return false; | 510 return false; |
510 } | 511 } |
511 | 512 |
512 SecureBlob default_owner_password(sizeof(kTpmWellKnownPassword)); | 513 SecureBlob default_owner_password(sizeof(kTpmWellKnownPassword)); |
513 memcpy(default_owner_password.data(), kTpmWellKnownPassword, | 514 memcpy(default_owner_password.data(), kTpmWellKnownPassword, |
514 sizeof(kTpmWellKnownPassword)); | 515 sizeof(kTpmWellKnownPassword)); |
515 | 516 |
516 bool took_ownership = false; | 517 bool took_ownership = false; |
517 if (!is_owned_) { | 518 if (!is_owned_) { |
| 519 is_being_owned_ = true; |
518 file_util::Delete(FilePath(kOpenCryptokiPath), true); | 520 file_util::Delete(FilePath(kOpenCryptokiPath), true); |
519 file_util::Delete(FilePath(kTpmOwnedFile), false); | 521 file_util::Delete(FilePath(kTpmOwnedFile), false); |
520 | 522 |
521 if (!IsEndorsementKeyAvailable(context_handle_)) { | 523 if (!IsEndorsementKeyAvailable(context_handle_)) { |
522 if (!CreateEndorsementKey(context_handle_)) { | 524 if (!CreateEndorsementKey(context_handle_)) { |
523 LOG(ERROR) << "Failed to create endorsement key"; | 525 LOG(ERROR) << "Failed to create endorsement key"; |
| 526 is_being_owned_ = false; |
524 return false; | 527 return false; |
525 } | 528 } |
526 } | 529 } |
527 | 530 |
528 if (!IsEndorsementKeyAvailable(context_handle_)) { | 531 if (!IsEndorsementKeyAvailable(context_handle_)) { |
529 LOG(ERROR) << "Endorsement key is not available"; | 532 LOG(ERROR) << "Endorsement key is not available"; |
| 533 is_being_owned_ = false; |
530 return false; | 534 return false; |
531 } | 535 } |
532 | 536 |
533 if (!TakeOwnership(context_handle_, kMaxTimeoutRetries, | 537 if (!TakeOwnership(context_handle_, kMaxTimeoutRetries, |
534 default_owner_password)) { | 538 default_owner_password)) { |
535 LOG(ERROR) << "Take Ownership failed"; | 539 LOG(ERROR) << "Take Ownership failed"; |
| 540 is_being_owned_ = false; |
536 return false; | 541 return false; |
537 } | 542 } |
538 | 543 |
539 is_owned_ = true; | 544 is_owned_ = true; |
540 took_ownership = true; | 545 took_ownership = true; |
541 } | 546 } |
542 | 547 |
543 // Ensure the SRK is available | 548 // Ensure the SRK is available |
544 TSS_RESULT result; | 549 TSS_RESULT result; |
545 TSS_HKEY srk_handle; | 550 TSS_HKEY srk_handle; |
546 TSS_UUID SRK_UUID = TSS_UUID_SRK; | 551 TSS_UUID SRK_UUID = TSS_UUID_SRK; |
547 if ((result = Tspi_Context_LoadKeyByUUID(context_handle_, TSS_PS_TYPE_SYSTEM, | 552 if ((result = Tspi_Context_LoadKeyByUUID(context_handle_, TSS_PS_TYPE_SYSTEM, |
548 SRK_UUID, &srk_handle))) { | 553 SRK_UUID, &srk_handle))) { |
549 is_srk_available_ = false; | 554 is_srk_available_ = false; |
550 } else { | 555 } else { |
551 Tspi_Context_CloseObject(context_handle_, srk_handle); | 556 Tspi_Context_CloseObject(context_handle_, srk_handle); |
552 is_srk_available_ = true; | 557 is_srk_available_ = true; |
553 } | 558 } |
554 | 559 |
555 // If we can open the TPM with the default password, then we still need to | 560 // If we can open the TPM with the default password, then we still need to |
556 // zero the SRK password and unrestrict it, then change the owner password. | 561 // zero the SRK password and unrestrict it, then change the owner password. |
557 TSS_HTPM tpm_handle; | 562 TSS_HTPM tpm_handle; |
558 if (GetTpmWithAuth(context_handle_, default_owner_password, &tpm_handle) && | 563 if (GetTpmWithAuth(context_handle_, default_owner_password, &tpm_handle) && |
559 TestTpmAuth(tpm_handle)) { | 564 TestTpmAuth(tpm_handle)) { |
560 if (!ZeroSrkPassword(context_handle_, default_owner_password)) { | 565 if (!ZeroSrkPassword(context_handle_, default_owner_password)) { |
561 LOG(ERROR) << "Couldn't zero SRK password"; | 566 LOG(ERROR) << "Couldn't zero SRK password"; |
| 567 is_being_owned_ = false; |
562 return false; | 568 return false; |
563 } | 569 } |
564 | 570 |
565 if (!UnrestrictSrk(context_handle_, default_owner_password)) { | 571 if (!UnrestrictSrk(context_handle_, default_owner_password)) { |
566 LOG(ERROR) << "Couldn't unrestrict the SRK"; | 572 LOG(ERROR) << "Couldn't unrestrict the SRK"; |
| 573 is_being_owned_ = false; |
567 return false; | 574 return false; |
568 } | 575 } |
569 SecureBlob owner_password; | 576 SecureBlob owner_password; |
570 CreateOwnerPassword(&owner_password); | 577 CreateOwnerPassword(&owner_password); |
571 | 578 |
572 if (!ChangeOwnerPassword(context_handle_, default_owner_password, | 579 if (!ChangeOwnerPassword(context_handle_, default_owner_password, |
573 owner_password)) { | 580 owner_password)) { |
574 LOG(ERROR) << "Couldn't set the owner password"; | 581 LOG(ERROR) << "Couldn't set the owner password"; |
| 582 is_being_owned_ = false; |
575 return false; | 583 return false; |
576 } | 584 } |
577 | 585 |
578 password_sync_lock_.Acquire(); | 586 password_sync_lock_.Acquire(); |
579 owner_password_.assign(owner_password.begin(), owner_password.end()); | 587 owner_password_.assign(owner_password.begin(), owner_password.end()); |
580 password_sync_lock_.Release(); | 588 password_sync_lock_.Release(); |
581 | 589 |
582 file_util::WriteFile(FilePath(kTpmOwnedFile), NULL, 0); | 590 file_util::WriteFile(FilePath(kTpmOwnedFile), NULL, 0); |
583 } | 591 } |
584 | 592 |
585 return took_ownership; | 593 is_being_owned_ = false; |
| 594 |
| 595 return took_ownership; |
586 } | 596 } |
587 | 597 |
588 bool Tpm::GetRandomData(size_t length, chromeos::Blob* data) { | 598 bool Tpm::GetRandomData(size_t length, chromeos::Blob* data) { |
589 TSS_HCONTEXT context_handle; | 599 TSS_HCONTEXT context_handle; |
590 if (!OpenAndConnectTpm(&context_handle)) { | 600 if (!OpenAndConnectTpm(&context_handle)) { |
591 LOG(ERROR) << "Could not open the TPM"; | 601 LOG(ERROR) << "Could not open the TPM"; |
592 return false; | 602 return false; |
593 } | 603 } |
594 | 604 |
595 TSS_HTPM tpm_handle; | 605 TSS_HTPM tpm_handle; |
(...skipping 13 matching lines...) Expand all Loading... |
609 } | 619 } |
610 memcpy(random.data(), tpm_data, random.size()); | 620 memcpy(random.data(), tpm_data, random.size()); |
611 Tspi_Context_FreeMemory(context_handle, tpm_data); | 621 Tspi_Context_FreeMemory(context_handle, tpm_data); |
612 chromeos::SecureMemset(tpm_data, 0, random.size()); | 622 chromeos::SecureMemset(tpm_data, 0, random.size()); |
613 Tspi_Context_Close(context_handle); | 623 Tspi_Context_Close(context_handle); |
614 data->swap(random); | 624 data->swap(random); |
615 return true; | 625 return true; |
616 } | 626 } |
617 | 627 |
618 } // namespace tpm_init | 628 } // namespace tpm_init |
OLD | NEW |