| OLD | NEW |
|---|
| 1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. | 1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // Tpm - class for handling init TPM initialization for Chrome OS | 5 // Tpm - class for handling init TPM initialization for Chrome OS |
| 6 | 6 |
| 7 #include <base/lock.h> | 7 #include <base/lock.h> |
| 8 #include <base/logging.h> | 8 #include <base/logging.h> |
| 9 #include <base/scoped_ptr.h> | 9 #include <base/scoped_ptr.h> |
| 10 #include <chromeos/utility.h> | 10 #include <chromeos/utility.h> |
| 11 #include <trousers/tss.h> | 11 #include <trousers/tss.h> |
| 12 #include <trousers/trousers.h> | 12 #include <trousers/trousers.h> |
| 13 | 13 |
| 14 #include "crypto.h" | 14 #include "crypto.h" |
| 15 #include "platform.h" |
| 15 #include "secure_blob.h" | 16 #include "secure_blob.h" |
| 17 #include "tpm_status.pb.h" |
| 16 | 18 |
| 17 #ifndef TPM_INIT_TPM_H_ | 19 #ifndef TPM_INIT_TPM_H_ |
| 18 #define TPM_INIT_TPM_H_ | 20 #define TPM_INIT_TPM_H_ |
| 19 | 21 |
| 20 namespace tpm_init { | 22 namespace tpm_init { |
| 21 | 23 |
| 22 class Tpm { | 24 class Tpm { |
| 23 public: | 25 public: |
| 24 | 26 |
| 25 // Default constructor | 27 // Default constructor |
| 26 Tpm(); | 28 Tpm(); |
| 27 | 29 |
| 28 virtual ~Tpm(); | 30 virtual ~Tpm(); |
| 29 | 31 |
| 30 // Initializes the Tpm instance | 32 // Initializes the Tpm instance |
| 31 // | 33 // |
| 32 // Parameters | 34 // Parameters |
| 33 virtual bool Init(); | 35 virtual bool Init(); |
| 34 | 36 |
| 35 // Tries to connect to the TPM | |
| 36 virtual bool Connect(); | |
| 37 | |
| 38 // Returns true if this instance is connected to the TPM | |
| 39 virtual bool IsConnected(); | |
| 40 | |
| 41 // Disconnects from the TPM | |
| 42 virtual void Disconnect(); | |
| 43 | |
| 44 // Returns the number of simultaneously-loaded RSA keys that this TPM supports | 37 // Returns the number of simultaneously-loaded RSA keys that this TPM supports |
| 45 int GetMaxRsaKeyCount(); | 38 int GetMaxRsaKeyCount(); |
| 46 | 39 |
| 47 // Returns the owner password if this instance was used to take ownership. | 40 // Returns the owner password if this instance was used to take ownership. |
| 48 // This will only occur when the TPM is unowned, which will be on OOBE | 41 // This will only occur when the TPM is unowned, which will be on OOBE |
| 49 // | 42 // |
| 50 // Parameters | 43 // Parameters |
| 51 // owner_password (OUT) - The random owner password used | 44 // owner_password (OUT) - The random owner password used |
| 52 bool GetOwnerPassword(chromeos::Blob* owner_password); | 45 bool GetOwnerPassword(chromeos::Blob* owner_password); |
| 53 | 46 |
| 47 // Clears the owner password from storage |
| 48 void ClearStoredOwnerPassword(); |
| 49 |
| 54 // Returns whether or not the TPM is enabled. This method call returns a | 50 // Returns whether or not the TPM is enabled. This method call returns a |
| 55 // cached result because querying the TPM directly will block if ownership is | 51 // cached result because querying the TPM directly will block if ownership is |
| 56 // currently being taken (such as on a separate thread). | 52 // currently being taken (such as on a separate thread). |
| 57 bool IsEnabled() const { return !is_disabled_; } | 53 bool IsEnabled() const { return !is_disabled_; } |
| 58 | 54 |
| 59 // Returns whether or not the TPM is owned. This method call returns a cached | 55 // Returns whether or not the TPM is owned. This method call returns a cached |
| 60 // result because querying the TPM directly will block if ownership is | 56 // result because querying the TPM directly will block if ownership is |
| 61 // currently being taken (such as on a separate thread). | 57 // currently being taken (such as on a separate thread). |
| 62 bool IsOwned() const { return is_owned_; } | 58 bool IsOwned() const { return is_owned_; } |
| 63 | 59 |
| 64 // Returns whether or not the SRK is available | 60 // Returns whether or not the SRK is available |
| 65 bool IsSrkAvailable() const { return is_srk_available_; } | 61 bool IsSrkAvailable() const { return is_srk_available_; } |
| 66 | 62 |
| 67 // Returns whether or not the TPM is being owned | 63 // Returns whether or not the TPM is being owned |
| 68 bool IsBeingOwned() const { return is_being_owned_; } | 64 bool IsBeingOwned() const { return is_being_owned_; } |
| 69 | 65 |
| 70 // Runs the TPM initialization sequence. This may take a long time due to the | 66 // Runs the TPM initialization sequence. This may take a long time due to the |
| 71 // call to Tspi_TPM_TakeOwnership. | 67 // call to Tspi_TPM_TakeOwnership. |
| 72 bool InitializeTpm(bool* OUT_took_ownership); | 68 bool InitializeTpm(bool* OUT_took_ownership); |
| 73 | 69 |
| 74 // Gets random bytes from the TPM | 70 // Gets random bytes from the TPM |
| 75 // | 71 // |
| 76 // Parameters | 72 // Parameters |
| 77 // length - The number of bytes to get | 73 // length - The number of bytes to get |
| 78 // data (OUT) - The random data from the TPM | 74 // data (OUT) - The random data from the TPM |
| 79 bool GetRandomData(size_t length, chromeos::Blob* data); | 75 bool GetRandomData(size_t length, chromeos::Blob* data); |
| 80 | 76 |
| 81 private: | 77 private: |
| 78 // Tries to connect to the TPM |
| 79 virtual TSS_HCONTEXT Connect(); |
| 80 |
| 81 // Disconnects from the TPM |
| 82 virtual void Disconnect(TSS_HCONTEXT context_handle); |
| 83 |
| 84 // Gets a handle to the SRK |
| 85 bool LoadSrk(TSS_HCONTEXT context_handle, TSS_HKEY* srk_handle, |
| 86 TSS_RESULT* result); |
| 87 |
| 88 // Loads the contents of the file specified into a blob |
| 89 bool LoadFileBytes(const FilePath& path, chromeos::Blob* blob); |
| 90 |
| 91 // Stores the TPM owner password to the TpmStatus object |
| 92 bool StoreOwnerPassword(const chromeos::Blob& owner_password, |
| 93 TpmStatus* tpm_status); |
| 94 |
| 95 // Retrieves the TPM owner password |
| 96 bool LoadOwnerPassword(const TpmStatus& tpm_status, |
| 97 chromeos::Blob* owner_password); |
| 98 |
| 99 // Loads the TpmStatus object |
| 100 bool LoadTpmStatus(TpmStatus* serialized); |
| 101 |
| 102 // Saves the TpmStatus object |
| 103 bool StoreTpmStatus(const TpmStatus& serialized); |
| 104 |
| 82 // Attempts to connect to tcsd | 105 // Attempts to connect to tcsd |
| 83 // | 106 // |
| 84 // Parameters | 107 // Parameters |
| 85 // context_handle (OUT) - The context handle to the session on success | 108 // context_handle (OUT) - The context handle to the session on success |
| 86 bool OpenAndConnectTpm(TSS_HCONTEXT* context_handle); | 109 bool OpenAndConnectTpm(TSS_HCONTEXT* context_handle); |
| 87 | 110 |
| 88 // Returns the maximum simultaneously-loaded RSA key count for the TPM | 111 // Returns the maximum simultaneously-loaded RSA key count for the TPM |
| 89 // specified by the context handle | 112 // specified by the context handle |
| 90 // | 113 // |
| 91 // Parameters | 114 // Parameters |
| (...skipping 17 matching lines...) Expand all Loading... |
| 109 // owned (OUT) - Whether the TPM is owned | 132 // owned (OUT) - Whether the TPM is owned |
| 110 void IsEnabledOwnedCheckViaContext(TSS_HCONTEXT context_handle, | 133 void IsEnabledOwnedCheckViaContext(TSS_HCONTEXT context_handle, |
| 111 bool* enabled, bool* owned); | 134 bool* enabled, bool* owned); |
| 112 | 135 |
| 113 // Attempts to create the endorsement key in the TPM | 136 // Attempts to create the endorsement key in the TPM |
| 114 // | 137 // |
| 115 // Parameters | 138 // Parameters |
| 116 // context_handle - The context handle for the TPM session | 139 // context_handle - The context handle for the TPM session |
| 117 bool CreateEndorsementKey(TSS_HCONTEXT context_handle); | 140 bool CreateEndorsementKey(TSS_HCONTEXT context_handle); |
| 118 | 141 |
| 142 // Delegates ownership authority |
| 143 // |
| 144 // Parameters |
| 145 // context_handle - The context handle for the TPM session |
| 146 bool DelegateTpmOwnership(TSS_HCONTEXT context_handle, TSS_HTPM tpm_handle, |
| 147 SecureBlob* delegation_blob); |
| 148 |
| 119 // Checks to see if the endorsement key is available by attempting to get its | 149 // Checks to see if the endorsement key is available by attempting to get its |
| 120 // public key | 150 // public key |
| 121 // | 151 // |
| 122 // Parameters | 152 // Parameters |
| 123 // context_handle - The context handle for the TPM session | 153 // context_handle - The context handle for the TPM session |
| 124 bool IsEndorsementKeyAvailable(TSS_HCONTEXT context_handle); | 154 bool IsEndorsementKeyAvailable(TSS_HCONTEXT context_handle); |
| 125 | 155 |
| 126 // Creates a random owner password | 156 // Creates a random owner password |
| 127 // | 157 // |
| 128 // Parameters | 158 // Parameters |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 181 bool GetTpmWithAuth(TSS_HCONTEXT context_handle, | 211 bool GetTpmWithAuth(TSS_HCONTEXT context_handle, |
| 182 const SecureBlob& owner_password, | 212 const SecureBlob& owner_password, |
| 183 TSS_HTPM* tpm_handle); | 213 TSS_HTPM* tpm_handle); |
| 184 | 214 |
| 185 // Test the TPM auth by calling Tspi_TPM_GetStatus | 215 // Test the TPM auth by calling Tspi_TPM_GetStatus |
| 186 // | 216 // |
| 187 // Parameters | 217 // Parameters |
| 188 // tpm_handle = The TPM handle | 218 // tpm_handle = The TPM handle |
| 189 bool TestTpmAuth(TSS_HTPM tpm_handle); | 219 bool TestTpmAuth(TSS_HTPM tpm_handle); |
| 190 | 220 |
| 191 // The context handle for this TPM session | |
| 192 TSS_HCONTEXT context_handle_; | |
| 193 | |
| 194 // The default Crypto instance to use (for generating the random owner | 221 // The default Crypto instance to use (for generating the random owner |
| 195 // password) | 222 // password) |
| 196 scoped_ptr<Crypto> default_crypto_; | 223 scoped_ptr<Crypto> default_crypto_; |
| 197 | 224 |
| 198 // The actual Crypto instance to use | 225 // The actual Crypto instance to use |
| 199 Crypto* crypto_; | 226 Crypto* crypto_; |
| 200 | 227 |
| 228 // The default Platform instance to use |
| 229 scoped_ptr<Platform> default_platform_; |
| 230 |
| 231 // The actual Platform instance to use |
| 232 Platform* platform_; |
| 233 |
| 201 // If TPM ownership is taken, owner_password_ contains the password used | 234 // If TPM ownership is taken, owner_password_ contains the password used |
| 202 SecureBlob owner_password_; | 235 SecureBlob owner_password_; |
| 203 | 236 |
| 204 // Used to provide thread-safe access to owner_password_, as it is set in the | 237 // Used to provide thread-safe access to owner_password_, as it is set in the |
| 205 // initialization background thread. | 238 // initialization background thread. |
| 206 Lock password_sync_lock_; | 239 Lock password_sync_lock_; |
| 207 | 240 |
| 208 // Indicates if the TPM is disabled | 241 // Indicates if the TPM is disabled |
| 209 bool is_disabled_; | 242 bool is_disabled_; |
| 210 | 243 |
| 211 // Indicates if the TPM is owned | 244 // Indicates if the TPM is owned |
| 212 bool is_owned_; | 245 bool is_owned_; |
| 213 | 246 |
| 214 // Indicates if the SRK is available | 247 // Indicates if the SRK is available |
| 215 bool is_srk_available_; | 248 bool is_srk_available_; |
| 216 | 249 |
| 217 // Indicates if the TPM is being owned | 250 // Indicates if the TPM is being owned |
| 218 bool is_being_owned_; | 251 bool is_being_owned_; |
| 219 | 252 |
| 220 DISALLOW_COPY_AND_ASSIGN(Tpm); | 253 DISALLOW_COPY_AND_ASSIGN(Tpm); |
| 221 }; | 254 }; |
| 222 | 255 |
| 223 } // namespace tpm_init | 256 } // namespace tpm_init |
| 224 | 257 |
| 225 #endif // TPM_INIT_TPM_H_ | 258 #endif // TPM_INIT_TPM_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 3475009:
Adds the necessary changes to tpm_init to allow triggered initialization. (Closed)
Base URL: http://git.chromium.org/git/tpm_init.git