OLD | NEW |
1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. | 1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // Tpm - class for handling init TPM initialization for Chrome OS | 5 // Tpm - class for handling init TPM initialization for Chrome OS |
6 | 6 |
7 #include <base/lock.h> | 7 #include <base/lock.h> |
8 #include <base/logging.h> | 8 #include <base/logging.h> |
9 #include <base/scoped_ptr.h> | 9 #include <base/scoped_ptr.h> |
10 #include <chromeos/utility.h> | 10 #include <chromeos/utility.h> |
11 #include <trousers/tss.h> | 11 #include <trousers/tss.h> |
12 #include <trousers/trousers.h> | 12 #include <trousers/trousers.h> |
13 | 13 |
14 #include "crypto.h" | 14 #include "crypto.h" |
| 15 #include "platform.h" |
15 #include "secure_blob.h" | 16 #include "secure_blob.h" |
| 17 #include "tpm_status.pb.h" |
16 | 18 |
17 #ifndef TPM_INIT_TPM_H_ | 19 #ifndef TPM_INIT_TPM_H_ |
18 #define TPM_INIT_TPM_H_ | 20 #define TPM_INIT_TPM_H_ |
19 | 21 |
20 namespace tpm_init { | 22 namespace tpm_init { |
21 | 23 |
22 class Tpm { | 24 class Tpm { |
23 public: | 25 public: |
24 | 26 |
25 // Default constructor | 27 // Default constructor |
26 Tpm(); | 28 Tpm(); |
27 | 29 |
28 virtual ~Tpm(); | 30 virtual ~Tpm(); |
29 | 31 |
30 // Initializes the Tpm instance | 32 // Initializes the Tpm instance |
31 // | 33 // |
32 // Parameters | 34 // Parameters |
33 virtual bool Init(); | 35 virtual bool Init(); |
34 | 36 |
35 // Tries to connect to the TPM | |
36 virtual bool Connect(); | |
37 | |
38 // Returns true if this instance is connected to the TPM | |
39 virtual bool IsConnected(); | |
40 | |
41 // Disconnects from the TPM | |
42 virtual void Disconnect(); | |
43 | |
44 // Returns the number of simultaneously-loaded RSA keys that this TPM supports | 37 // Returns the number of simultaneously-loaded RSA keys that this TPM supports |
45 int GetMaxRsaKeyCount(); | 38 int GetMaxRsaKeyCount(); |
46 | 39 |
47 // Returns the owner password if this instance was used to take ownership. | 40 // Returns the owner password if this instance was used to take ownership. |
48 // This will only occur when the TPM is unowned, which will be on OOBE | 41 // This will only occur when the TPM is unowned, which will be on OOBE |
49 // | 42 // |
50 // Parameters | 43 // Parameters |
51 // owner_password (OUT) - The random owner password used | 44 // owner_password (OUT) - The random owner password used |
52 bool GetOwnerPassword(chromeos::Blob* owner_password); | 45 bool GetOwnerPassword(chromeos::Blob* owner_password); |
53 | 46 |
| 47 // Clears the owner password from storage |
| 48 void ClearStoredOwnerPassword(); |
| 49 |
54 // Returns whether or not the TPM is enabled. This method call returns a | 50 // Returns whether or not the TPM is enabled. This method call returns a |
55 // cached result because querying the TPM directly will block if ownership is | 51 // cached result because querying the TPM directly will block if ownership is |
56 // currently being taken (such as on a separate thread). | 52 // currently being taken (such as on a separate thread). |
57 bool IsEnabled() const { return !is_disabled_; } | 53 bool IsEnabled() const { return !is_disabled_; } |
58 | 54 |
59 // Returns whether or not the TPM is owned. This method call returns a cached | 55 // Returns whether or not the TPM is owned. This method call returns a cached |
60 // result because querying the TPM directly will block if ownership is | 56 // result because querying the TPM directly will block if ownership is |
61 // currently being taken (such as on a separate thread). | 57 // currently being taken (such as on a separate thread). |
62 bool IsOwned() const { return is_owned_; } | 58 bool IsOwned() const { return is_owned_; } |
63 | 59 |
64 // Returns whether or not the SRK is available | 60 // Returns whether or not the SRK is available |
65 bool IsSrkAvailable() const { return is_srk_available_; } | 61 bool IsSrkAvailable() const { return is_srk_available_; } |
66 | 62 |
67 // Returns whether or not the TPM is being owned | 63 // Returns whether or not the TPM is being owned |
68 bool IsBeingOwned() const { return is_being_owned_; } | 64 bool IsBeingOwned() const { return is_being_owned_; } |
69 | 65 |
70 // Runs the TPM initialization sequence. This may take a long time due to the | 66 // Runs the TPM initialization sequence. This may take a long time due to the |
71 // call to Tspi_TPM_TakeOwnership. | 67 // call to Tspi_TPM_TakeOwnership. |
72 bool InitializeTpm(bool* OUT_took_ownership); | 68 bool InitializeTpm(bool* OUT_took_ownership); |
73 | 69 |
74 // Gets random bytes from the TPM | 70 // Gets random bytes from the TPM |
75 // | 71 // |
76 // Parameters | 72 // Parameters |
77 // length - The number of bytes to get | 73 // length - The number of bytes to get |
78 // data (OUT) - The random data from the TPM | 74 // data (OUT) - The random data from the TPM |
79 bool GetRandomData(size_t length, chromeos::Blob* data); | 75 bool GetRandomData(size_t length, chromeos::Blob* data); |
80 | 76 |
81 private: | 77 private: |
| 78 // Tries to connect to the TPM |
| 79 virtual TSS_HCONTEXT Connect(); |
| 80 |
| 81 // Disconnects from the TPM |
| 82 virtual void Disconnect(TSS_HCONTEXT context_handle); |
| 83 |
| 84 // Gets a handle to the SRK |
| 85 bool LoadSrk(TSS_HCONTEXT context_handle, TSS_HKEY* srk_handle, |
| 86 TSS_RESULT* result); |
| 87 |
| 88 // Loads the contents of the file specified into a blob |
| 89 bool LoadFileBytes(const FilePath& path, chromeos::Blob* blob); |
| 90 |
| 91 // Stores the TPM owner password to the TpmStatus object |
| 92 bool StoreOwnerPassword(const chromeos::Blob& owner_password, |
| 93 TpmStatus* tpm_status); |
| 94 |
| 95 // Retrieves the TPM owner password |
| 96 bool LoadOwnerPassword(const TpmStatus& tpm_status, |
| 97 chromeos::Blob* owner_password); |
| 98 |
| 99 // Loads the TpmStatus object |
| 100 bool LoadTpmStatus(TpmStatus* serialized); |
| 101 |
| 102 // Saves the TpmStatus object |
| 103 bool StoreTpmStatus(const TpmStatus& serialized); |
| 104 |
82 // Attempts to connect to tcsd | 105 // Attempts to connect to tcsd |
83 // | 106 // |
84 // Parameters | 107 // Parameters |
85 // context_handle (OUT) - The context handle to the session on success | 108 // context_handle (OUT) - The context handle to the session on success |
86 bool OpenAndConnectTpm(TSS_HCONTEXT* context_handle); | 109 bool OpenAndConnectTpm(TSS_HCONTEXT* context_handle); |
87 | 110 |
88 // Returns the maximum simultaneously-loaded RSA key count for the TPM | 111 // Returns the maximum simultaneously-loaded RSA key count for the TPM |
89 // specified by the context handle | 112 // specified by the context handle |
90 // | 113 // |
91 // Parameters | 114 // Parameters |
(...skipping 17 matching lines...) Expand all Loading... |
109 // owned (OUT) - Whether the TPM is owned | 132 // owned (OUT) - Whether the TPM is owned |
110 void IsEnabledOwnedCheckViaContext(TSS_HCONTEXT context_handle, | 133 void IsEnabledOwnedCheckViaContext(TSS_HCONTEXT context_handle, |
111 bool* enabled, bool* owned); | 134 bool* enabled, bool* owned); |
112 | 135 |
113 // Attempts to create the endorsement key in the TPM | 136 // Attempts to create the endorsement key in the TPM |
114 // | 137 // |
115 // Parameters | 138 // Parameters |
116 // context_handle - The context handle for the TPM session | 139 // context_handle - The context handle for the TPM session |
117 bool CreateEndorsementKey(TSS_HCONTEXT context_handle); | 140 bool CreateEndorsementKey(TSS_HCONTEXT context_handle); |
118 | 141 |
| 142 // Delegates ownership authority |
| 143 // |
| 144 // Parameters |
| 145 // context_handle - The context handle for the TPM session |
| 146 bool DelegateTpmOwnership(TSS_HCONTEXT context_handle, TSS_HTPM tpm_handle, |
| 147 SecureBlob* delegation_blob); |
| 148 |
119 // Checks to see if the endorsement key is available by attempting to get its | 149 // Checks to see if the endorsement key is available by attempting to get its |
120 // public key | 150 // public key |
121 // | 151 // |
122 // Parameters | 152 // Parameters |
123 // context_handle - The context handle for the TPM session | 153 // context_handle - The context handle for the TPM session |
124 bool IsEndorsementKeyAvailable(TSS_HCONTEXT context_handle); | 154 bool IsEndorsementKeyAvailable(TSS_HCONTEXT context_handle); |
125 | 155 |
126 // Creates a random owner password | 156 // Creates a random owner password |
127 // | 157 // |
128 // Parameters | 158 // Parameters |
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
181 bool GetTpmWithAuth(TSS_HCONTEXT context_handle, | 211 bool GetTpmWithAuth(TSS_HCONTEXT context_handle, |
182 const SecureBlob& owner_password, | 212 const SecureBlob& owner_password, |
183 TSS_HTPM* tpm_handle); | 213 TSS_HTPM* tpm_handle); |
184 | 214 |
185 // Test the TPM auth by calling Tspi_TPM_GetStatus | 215 // Test the TPM auth by calling Tspi_TPM_GetStatus |
186 // | 216 // |
187 // Parameters | 217 // Parameters |
188 // tpm_handle = The TPM handle | 218 // tpm_handle = The TPM handle |
189 bool TestTpmAuth(TSS_HTPM tpm_handle); | 219 bool TestTpmAuth(TSS_HTPM tpm_handle); |
190 | 220 |
191 // The context handle for this TPM session | |
192 TSS_HCONTEXT context_handle_; | |
193 | |
194 // The default Crypto instance to use (for generating the random owner | 221 // The default Crypto instance to use (for generating the random owner |
195 // password) | 222 // password) |
196 scoped_ptr<Crypto> default_crypto_; | 223 scoped_ptr<Crypto> default_crypto_; |
197 | 224 |
198 // The actual Crypto instance to use | 225 // The actual Crypto instance to use |
199 Crypto* crypto_; | 226 Crypto* crypto_; |
200 | 227 |
| 228 // The default Platform instance to use |
| 229 scoped_ptr<Platform> default_platform_; |
| 230 |
| 231 // The actual Platform instance to use |
| 232 Platform* platform_; |
| 233 |
201 // If TPM ownership is taken, owner_password_ contains the password used | 234 // If TPM ownership is taken, owner_password_ contains the password used |
202 SecureBlob owner_password_; | 235 SecureBlob owner_password_; |
203 | 236 |
204 // Used to provide thread-safe access to owner_password_, as it is set in the | 237 // Used to provide thread-safe access to owner_password_, as it is set in the |
205 // initialization background thread. | 238 // initialization background thread. |
206 Lock password_sync_lock_; | 239 Lock password_sync_lock_; |
207 | 240 |
208 // Indicates if the TPM is disabled | 241 // Indicates if the TPM is disabled |
209 bool is_disabled_; | 242 bool is_disabled_; |
210 | 243 |
211 // Indicates if the TPM is owned | 244 // Indicates if the TPM is owned |
212 bool is_owned_; | 245 bool is_owned_; |
213 | 246 |
214 // Indicates if the SRK is available | 247 // Indicates if the SRK is available |
215 bool is_srk_available_; | 248 bool is_srk_available_; |
216 | 249 |
217 // Indicates if the TPM is being owned | 250 // Indicates if the TPM is being owned |
218 bool is_being_owned_; | 251 bool is_being_owned_; |
219 | 252 |
220 DISALLOW_COPY_AND_ASSIGN(Tpm); | 253 DISALLOW_COPY_AND_ASSIGN(Tpm); |
221 }; | 254 }; |
222 | 255 |
223 } // namespace tpm_init | 256 } // namespace tpm_init |
224 | 257 |
225 #endif // TPM_INIT_TPM_H_ | 258 #endif // TPM_INIT_TPM_H_ |
OLD | NEW |