| Index: mtm/mtm_verification.c
|
| diff --git a/mtm/mtm_verification.c b/mtm/mtm_verification.c
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..3d123ec99bde8a4bb967a8852d4a0c996fbe19ca
|
| --- /dev/null
|
| +++ b/mtm/mtm_verification.c
|
| @@ -0,0 +1,540 @@
|
| +/* Software-based Mobile Trusted Module (MTM) Emulator
|
| + * Copyright (C) 2004-2010 Mario Strasser <mast@gmx.net>
|
| + * Copyright (C) 2007 Jan-Erik Ekberg <jan-erik.ekberg@nokia.com>,
|
| + * Nokia Corporation and/or its subsidiary(-ies)
|
| + *
|
| + * This module is free software; you can redistribute it and/or modify
|
| + * it under the terms of the GNU General Public License as published
|
| + * by the Free Software Foundation; either version 2 of the License,
|
| + * or (at your option) any later version.
|
| + *
|
| + * This module is distributed in the hope that it will be useful,
|
| + * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
| + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
| + * GNU General Public License for more details.
|
| + *
|
| + * $Id$
|
| + */
|
| +
|
| +#include "mtm_structures.h"
|
| +#include "mtm_commands.h"
|
| +#include "tpm/tpm_commands.h"
|
| +#include "mtm_data.h"
|
| +#include "tpm/tpm_data.h"
|
| +#include "mtm_handles.h"
|
| +#include "mtm_marshalling.h"
|
| +#include "crypto/hmac.h"
|
| +#include "crypto/rsa.h"
|
| +#include "crypto/sha1.h"
|
| +
|
| +static int copy_TPM_RIM_CERTIFICATE(TPM_RIM_CERTIFICATE* src, TPM_RIM_CERTIFICATE* dst)
|
| +{
|
| + memcpy(dst, src, sizeof(TPM_RIM_CERTIFICATE));
|
| + if (dst->extensionDigestSize > 0) {
|
| + dst->extensionDigestData = tpm_malloc(dst->extensionDigestSize);
|
| + if (dst->extensionDigestData == NULL) return -1;
|
| + memcpy(dst->extensionDigestData, src->extensionDigestData,
|
| + dst->extensionDigestSize);
|
| + } else {
|
| + dst->extensionDigestData = NULL;
|
| + }
|
| + if (dst->integrityCheckSize > 0) {
|
| + dst->integrityCheckData = tpm_malloc(dst->integrityCheckSize);
|
| + if (dst->integrityCheckData == NULL) {
|
| + tpm_free(dst->extensionDigestData);
|
| + return -1;
|
| + }
|
| + memcpy(dst->integrityCheckData, src->integrityCheckData,
|
| + dst->integrityCheckSize);
|
| + } else {
|
| + dst->integrityCheckData = NULL;
|
| + }
|
| + return 0;
|
| +}
|
| +
|
| +static int compute_rim_certificate_digest(TPM_RIM_CERTIFICATE* rimCert, BYTE *digest)
|
| +{
|
| + tpm_sha1_ctx_t sha1_ctx;
|
| + BYTE *buf, *ptr;
|
| + UINT32 buf_len, len;
|
| + UINT32 integrityCheckSize;
|
| +
|
| + /* marshal certificate */
|
| + integrityCheckSize = rimCert->integrityCheckSize;
|
| + rimCert->integrityCheckSize = 0;
|
| + buf_len = len = sizeof_TPM_RIM_CERTIFICATE((*rimCert));
|
| + buf = ptr = tpm_malloc(buf_len);
|
| + if (buf == NULL || tpm_marshal_TPM_RIM_CERTIFICATE(&ptr, &len, rimCert)) {
|
| + rimCert->integrityCheckSize = integrityCheckSize;
|
| + tpm_free(buf);
|
| + return -1;
|
| + }
|
| + rimCert->integrityCheckSize = integrityCheckSize;
|
| + /* compute hmac */
|
| + tpm_sha1_init(&sha1_ctx);
|
| + tpm_sha1_update(&sha1_ctx, buf, buf_len);
|
| + tpm_sha1_final(&sha1_ctx, digest);
|
| + tpm_free(buf);
|
| + return 0;
|
| +}
|
| +
|
| +static int compute_rim_certificate_hmac(TPM_RIM_CERTIFICATE* rimCert, BYTE *digest)
|
| +{
|
| + tpm_hmac_ctx_t hmac_ctx;
|
| + BYTE *buf, *ptr;
|
| + UINT32 buf_len, len;
|
| + UINT32 integrityCheckSize;
|
| +
|
| + /* marshal certificate */
|
| + integrityCheckSize = rimCert->integrityCheckSize;
|
| + rimCert->integrityCheckSize = 0;
|
| + buf_len = len = sizeof_TPM_RIM_CERTIFICATE((*rimCert));
|
| + buf = ptr = tpm_malloc(buf_len);
|
| + if (buf == NULL || tpm_marshal_TPM_RIM_CERTIFICATE(&ptr, &len, rimCert)) {
|
| + rimCert->integrityCheckSize = integrityCheckSize;
|
| + tpm_free(buf);
|
| + return -1;
|
| + }
|
| + rimCert->integrityCheckSize = integrityCheckSize;
|
| + /* compute hmac */
|
| + tpm_hmac_init(&hmac_ctx, mtmData.permanent.data.internalVerificationKey,
|
| + sizeof(TPM_SECRET));
|
| + tpm_hmac_update(&hmac_ctx, buf, buf_len);
|
| + tpm_hmac_final(&hmac_ctx, digest);
|
| + tpm_free(buf);
|
| + return 0;
|
| +}
|
| +
|
| +static TPM_RESULT verify_rim_certificate(TPM_RIM_CERTIFICATE *rimCert)
|
| +{
|
| + /* check parrentID */
|
| + debug("parentId = %08x", rimCert->parentId);
|
| + if (rimCert->parentId == TPM_VERIFICATION_KEY_ID_NONE) return TPM_KEYNOTFOUND;
|
| + /* verify certificate with appropiate key */
|
| + if (rimCert->parentId == TPM_VERIFICATION_KEY_ID_INTERNAL) {
|
| + BYTE digest[SHA1_DIGEST_LENGTH];
|
| + debug("internal verification");
|
| + if (compute_rim_certificate_hmac(rimCert, digest) != 0) {
|
| + debug("compute_rim_certificate_hmac() failed");
|
| + return TPM_FAIL;
|
| + }
|
| + /* check hmac */
|
| + if (memcmp(digest, rimCert->integrityCheckData, SHA1_DIGEST_LENGTH) != 0) {
|
| + debug("verification failed");
|
| + return TPM_AUTHFAIL;
|
| + } else {
|
| + debug("verification succeeded");
|
| + return TPM_SUCCESS;
|
| + }
|
| + } else {
|
| + BYTE digest[SHA1_DIGEST_LENGTH];
|
| + /* get verification key */
|
| + MTM_KEY_DATA *key = mtm_get_key_by_id(rimCert->parentId);
|
| + if (key == NULL) {
|
| + return TPM_KEYNOTFOUND;
|
| + }
|
| + /* compute digest */
|
| + if (compute_rim_certificate_digest(rimCert, digest) != 0) {
|
| + debug("compute_rim_certificate_digest() failed");
|
| + return TPM_FAIL;
|
| + }
|
| + /* check key properties */
|
| + if (key->keyAlgorithm != TPM_ALG_RSA
|
| + || key->keyScheme != TPM_SS_RSASSAPKCS1v15_SHA1) {
|
| + debug("invalid signature scheme");
|
| + return TPM_BAD_SCHEME;
|
| + }
|
| + /* verify signature */
|
| + if (tpm_rsa_verify(&key->key, RSA_SSA_PKCS1_SHA1_RAW, digest, sizeof(digest),
|
| + rimCert->integrityCheckData) != 0) {
|
| + debug("verification failed");
|
| + return TPM_AUTHFAIL;
|
| + } else {
|
| + debug("verification succeeded");
|
| + return TPM_SUCCESS;
|
| + }
|
| + }
|
| +}
|
| +
|
| +static int compute_verification_key_digest(TPM_VERIFICATION_KEY *key, BYTE *digest)
|
| +{
|
| + tpm_sha1_ctx_t sha1_ctx;
|
| + BYTE *buf, *ptr;
|
| + UINT32 buf_len, len;
|
| + UINT32 integrityCheckSize;
|
| +
|
| + /* marshal certificate */
|
| + integrityCheckSize = key->integrityCheckSize;
|
| + key->integrityCheckSize = 0;
|
| + buf_len = len = sizeof_TPM_VERIFICATION_KEY((*key));
|
| + buf = ptr = tpm_malloc(buf_len);
|
| + if (buf == NULL || tpm_marshal_TPM_VERIFICATION_KEY(&ptr, &len, key)) {
|
| + key->integrityCheckSize = integrityCheckSize;
|
| + tpm_free(buf);
|
| + return -1;
|
| + }
|
| + key->integrityCheckSize = integrityCheckSize;
|
| + /* compute sha1 */
|
| + tpm_sha1_init(&sha1_ctx);
|
| + tpm_sha1_update(&sha1_ctx, buf, buf_len);
|
| + tpm_sha1_final(&sha1_ctx, digest);
|
| + tpm_free(buf);
|
| + return 0;
|
| +
|
| +}
|
| +
|
| +static TPM_RESULT verify_verification_key(TPM_VERIFICATION_KEY *key, MTM_KEY_DATA *parentKey)
|
| +{
|
| + BYTE digest[SHA1_DIGEST_LENGTH];
|
| +
|
| + /* compute digest */
|
| + if (compute_verification_key_digest(key, digest) != 0) {
|
| + debug("compute_verification_key_digest() failed");
|
| + return TPM_FAIL;
|
| + }
|
| + /* check key properties */
|
| + if (parentKey->keyAlgorithm != TPM_ALG_RSA
|
| + || parentKey->keyScheme != TPM_SS_RSASSAPKCS1v15_SHA1) {
|
| + debug("invalid signature scheme");
|
| + return TPM_BAD_SCHEME;
|
| + }
|
| + /* verify signature */
|
| + if (tpm_rsa_verify(&parentKey->key, RSA_SSA_PKCS1_SHA1_RAW, digest, sizeof(digest),
|
| + key->integrityCheckData) != 0) {
|
| + debug("verification failed");
|
| + return TPM_AUTHFAIL;
|
| + } else {
|
| + debug("verification succeeded");
|
| + return TPM_SUCCESS;
|
| + }
|
| +}
|
| +
|
| +static int store_verification_key(TPM_VERIFICATION_KEY *inKey, MTM_KEY_DATA *outKey)
|
| +{
|
| + outKey->usageFlags = inKey->usageFlags;
|
| + outKey->parentId = inKey->parentId;
|
| + outKey->myId = inKey->myId;
|
| + outKey->keyAlgorithm = inKey->keyAlgorithm;
|
| + outKey->keyScheme = inKey->keyScheme;
|
| + BYTE *ptr = inKey->keyData;
|
| + UINT32 len = inKey->keySize;
|
| + if (tpm_unmarshal_RSAPub(&ptr, &len, &outKey->key) != 0) return -1;
|
| + return 0;
|
| +}
|
| +
|
| +TPM_RESULT MTM_InstallRIM(TPM_RIM_CERTIFICATE *rimCertIn, TPM_AUTH *auth1,
|
| + TPM_RIM_CERTIFICATE *rimCertOut)
|
| +{
|
| + TPM_RESULT res;
|
| + TPM_ACTUAL_COUNT cntProtect;
|
| +
|
| + info("MTM_InstallRIM()");
|
| + /* 1 */
|
| + if (rimCertIn == NULL || rimCertIn->tag != TPM_TAG_RIM_CERTIFICATE)
|
| + return TPM_BAD_PARAMETER;
|
| + /* 2 */
|
| + res = tpm_verify_auth(auth1, tpmData.permanent.data.ownerAuth, auth1->authHandle);
|
| + if (res != TPM_SUCCESS) return res;
|
| + /* 3 */
|
| + cntProtect = tpmData.permanent.data.counters[MTM_COUNTER_SELECT_RIMPROTECT].counter;
|
| + /* 5 */
|
| + rimCertIn->integrityCheckSize = SHA1_DIGEST_LENGTH;
|
| + if (copy_TPM_RIM_CERTIFICATE(rimCertIn, rimCertOut) != 0) {
|
| + debug("copy_TPM_RIM_CERTIFICATE() failed");
|
| + return TPM_FAIL;
|
| + }
|
| + /* 6, 7 */
|
| + if (rimCertIn->referenceCounter.counterSelection != MTM_COUNTER_SELECT_NONE) {
|
| + rimCertOut->referenceCounter.counterValue = cntProtect + 1;
|
| + rimCertOut->referenceCounter.counterSelection = MTM_COUNTER_SELECT_RIMPROTECT;
|
| + } else {
|
| + rimCertOut->referenceCounter.counterValue = 0;
|
| + }
|
| + /* 8 */
|
| + rimCertOut->parentId = TPM_VERIFICATION_KEY_ID_INTERNAL;
|
| + /* 10, 11, 12 */
|
| + if (compute_rim_certificate_hmac(rimCertOut, rimCertOut->integrityCheckData) != 0) {
|
| + debug("compute_rim_certificate_hmac() failed");
|
| + free_TPM_RIM_CERTIFICATE((*rimCertOut));
|
| + return TPM_FAIL;
|
| + }
|
| + /* 13 */
|
| + return TPM_SUCCESS;
|
| +}
|
| +
|
| +static TPM_VERIFICATION_KEY_HANDLE mtm_get_free_key(void)
|
| +{
|
| + int i;
|
| + for (i = 0; i < TPM_MAX_KEYS; i++) {
|
| + if (!mtmData.permanent.data.keys[i].valid) {
|
| + mtmData.permanent.data.keys[i].valid = TRUE;
|
| + return INDEX_TO_KEY_HANDLE(i);
|
| + }
|
| + }
|
| + return TPM_INVALID_HANDLE;
|
| +}
|
| +
|
| +
|
| +TPM_RESULT MTM_LoadVerificationKey(TPM_VERIFICATION_KEY_HANDLE parentKeyHandle,
|
| + TPM_VERIFICATION_KEY *verificationKey, TPM_AUTH *auth1,
|
| + TPM_VERIFICATION_KEY_HANDLE *verificationKeyHandle,
|
| + BYTE *loadMethod)
|
| +{
|
| + TPM_RESULT res;
|
| + MTM_KEY_DATA *key;
|
| +
|
| + /* 1 */
|
| + if (verificationKey == NULL || verificationKey->tag != TPM_TAG_VERIFICATION_KEY)
|
| + return TPM_BAD_PARAMETER;
|
| + /* 2 */
|
| + *verificationKeyHandle = mtm_get_free_key();
|
| + key = mtm_get_key(*verificationKeyHandle);
|
| + if (key == NULL) {
|
| + debug("no free key slot available");
|
| + return TPM_NOSPACE;
|
| + }
|
| + *loadMethod = 0;
|
| + /* 3 */
|
| + if (mtmData.stany.flags.loadVerificationRootKeyEnabled) {
|
| + debug("TPM_VERIFICATION_KEY_ROOT_LOAD");
|
| + /* set integrityCheckRootData */
|
| + if (!mtmData.permanent.data.integrityCheckRootValid) {
|
| + if (compute_verification_key_digest(verificationKey,
|
| + mtmData.permanent.data.integrityCheckRootData) != 0) {
|
| + debug("compute_verification_key_digest() failed");
|
| + memset(key, 0, sizeof(*key));
|
| + return TPM_FAIL;
|
| + }
|
| + mtmData.permanent.data.integrityCheckRootValid = TRUE;
|
| + }
|
| + *loadMethod = TPM_VERIFICATION_KEY_ROOT_LOAD;
|
| + }
|
| + /* 4 */
|
| + if (*loadMethod == 0
|
| + && mtmData.permanent.data.integrityCheckRootValid) {
|
| + BYTE digest[SHA1_DIGEST_LENGTH];
|
| + if (compute_verification_key_digest(verificationKey, digest) != 0) {
|
| + debug("compute_verification_key_digest() failed");
|
| + memset(key, 0, sizeof(*key));
|
| + return TPM_FAIL;
|
| + }
|
| + if (memcmp(mtmData.permanent.data.integrityCheckRootData,
|
| + digest, SHA1_DIGEST_LENGTH) == 0) {
|
| + debug("TPM_VERIFICATION_KEY_INTEGRITY_CHECK_ROOT_DATA_LOAD");
|
| + *loadMethod = TPM_VERIFICATION_KEY_INTEGRITY_CHECK_ROOT_DATA_LOAD;
|
| + }
|
| + }
|
| + /* 5 */
|
| + if (*loadMethod == 0
|
| + && tpmData.permanent.flags.owned && auth1->authHandle != TPM_INVALID_HANDLE) {
|
| + TPM_RESULT res = tpm_verify_auth(auth1, tpmData.permanent.data.ownerAuth, TPM_KH_OWNER);
|
| + if (res != TPM_SUCCESS) {
|
| + memset(key, 0, sizeof(*key));
|
| + return res;
|
| + }
|
| + debug("TPM_VERIFICATION_KEY_OWNER_AUTHORIZED_LOAD");
|
| + *loadMethod = TPM_VERIFICATION_KEY_OWNER_AUTHORIZED_LOAD;
|
| + }
|
| + /* 6 */
|
| + if (*loadMethod == 0) {
|
| + MTM_KEY_DATA *parentKey = mtm_get_key(parentKeyHandle);
|
| + if (parentKey == NULL) {
|
| + debug("invalid parent key handle %08x", parentKeyHandle);
|
| + memset(key, 0, sizeof(*key));
|
| + return TPM_KEYNOTFOUND;
|
| + }
|
| + /* 7a-c */
|
| + if (!(parentKey->usageFlags & TPM_VERIFICATION_KEY_USAGE_SIGN_RIMAUTH)) {
|
| + memset(key, 0, sizeof(*key));
|
| + return TPM_INVALID_KEYUSAGE;
|
| + }
|
| + if ((verificationKey->usageFlags & TPM_VERIFICATION_KEY_USAGE_INCREMENT_BOOTSTRAP)
|
| + && !(parentKey->usageFlags & TPM_VERIFICATION_KEY_USAGE_INCREMENT_BOOTSTRAP)) {
|
| + memset(key, 0, sizeof(*key));
|
| + return TPM_INVALID_KEYUSAGE;
|
| + }
|
| + if (key->parentId != parentKey->myId) {
|
| + debug("id mismatch: parentId = %08x keyId = %08x", key->parentId, parentKey->myId);
|
| + memset(key, 0, sizeof(*key));
|
| + return TPM_AUTHFAIL;
|
| + }
|
| + /* 7d */
|
| + res = verify_verification_key(verificationKey, parentKey);
|
| + if (res != TPM_SUCCESS) {
|
| + memset(key, 0, sizeof(*key));
|
| + return res;
|
| + }
|
| + /* 7e-g */
|
| + if (verificationKey->referenceCounter.counterSelection > MTM_COUNTER_SELECT_MAX)
|
| + return TPM_BAD_COUNTER;
|
| + if (verificationKey->referenceCounter.counterSelection == MTM_COUNTER_SELECT_BOOTSTRAP) {
|
| + if (verificationKey->referenceCounter.counterValue
|
| + < tpmData.permanent.data.counters[MTM_COUNTER_SELECT_BOOTSTRAP].counter)
|
| + return TPM_BAD_COUNTER;
|
| + }
|
| + if (verificationKey->referenceCounter.counterSelection == MTM_COUNTER_SELECT_RIMPROTECT) {
|
| + if (verificationKey->referenceCounter.counterValue
|
| + < tpmData.permanent.data.counters[MTM_COUNTER_SELECT_RIMPROTECT].counter)
|
| + return TPM_BAD_COUNTER;
|
| + }
|
| + /* 7j */
|
| + debug("TPM_VERIFICATION_KEY_CHAIN_AUTHORIZED_LOAD");
|
| + *loadMethod = TPM_VERIFICATION_KEY_CHAIN_AUTHORIZED_LOAD;
|
| + }
|
| + /* store verification key */
|
| + if (store_verification_key(verificationKey, key) != 0) {
|
| + debug("store_verification_key() failed");
|
| + memset(key, 0, sizeof(*key));
|
| + return TPM_FAIL;
|
| + }
|
| + return TPM_SUCCESS;
|
| +}
|
| +
|
| +TPM_RESULT MTM_LoadVerificationRootKeyDisable()
|
| +{
|
| + info("MTM_LoadVerificationRootKeyDisable()");
|
| + mtmData.stany.flags.loadVerificationRootKeyEnabled = FALSE;
|
| + mtmData.permanent.data.loadVerificationKeyMethods |= TPM_VERIFICATION_KEY_ROOT_LOAD;
|
| + return TPM_SUCCESS;
|
| +}
|
| +
|
| +TPM_RESULT MTM_VerifyRIMCert(TPM_RIM_CERTIFICATE* rimCert,
|
| + TPM_VERIFICATION_KEY_HANDLE rimKeyHandle)
|
| +{
|
| + TPM_RESULT res;
|
| +
|
| + info("MTM_VerifyRIMCert()");
|
| + debug("key handle = %08x", rimKeyHandle);
|
| + /* 1 */
|
| + if (rimCert == NULL || rimCert->tag != TPM_TAG_RIM_CERTIFICATE)
|
| + return TPM_BAD_PARAMETER;
|
| + /* 2 */
|
| + if (rimCert->parentId == TPM_VERIFICATION_KEY_ID_NONE)
|
| + return TPM_AUTHFAIL;
|
| + /* 3 */
|
| + if (rimCert->parentId == TPM_VERIFICATION_KEY_ID_INTERNAL) {
|
| + return verify_rim_certificate(rimCert);
|
| + } else {
|
| + /* 4 */
|
| + MTM_KEY_DATA *rimKey = mtm_get_key(rimKeyHandle);
|
| + if (rimKey == NULL) return TPM_KEYNOTFOUND;
|
| + if ((rimKey->usageFlags & TPM_VERIFICATION_KEY_USAGE_SIGN_RIMCERT) == 0)
|
| + return TPM_INVALID_KEYUSAGE;
|
| + if (rimCert->parentId != rimKey->myId) {
|
| + debug("id mismatch: parentId = %08x keyId = %08x", rimCert->parentId, rimKey->myId);
|
| + return TPM_AUTHFAIL;
|
| + }
|
| + res = verify_rim_certificate(rimCert);
|
| + if (res != TPM_SUCCESS) return res;
|
| + }
|
| + /* 5 */
|
| + if (rimCert->referenceCounter.counterSelection > MTM_COUNTER_SELECT_MAX)
|
| + return TPM_BAD_COUNTER;
|
| + /* 6 */
|
| + if (rimCert->referenceCounter.counterSelection == MTM_COUNTER_SELECT_BOOTSTRAP) {
|
| + if (rimCert->referenceCounter.counterValue
|
| + < tpmData.permanent.data.counters[MTM_COUNTER_SELECT_BOOTSTRAP].counter)
|
| + return TPM_BAD_COUNTER;
|
| + }
|
| + /* 7 */
|
| + if (rimCert->referenceCounter.counterSelection == MTM_COUNTER_SELECT_RIMPROTECT) {
|
| + if (rimCert->referenceCounter.counterValue
|
| + < tpmData.permanent.data.counters[MTM_COUNTER_SELECT_RIMPROTECT].counter)
|
| + return TPM_BAD_COUNTER;
|
| + }
|
| + return TPM_SUCCESS;
|
| +}
|
| +
|
| +TPM_RESULT MTM_VerifyRIMCertAndExtend(TPM_RIM_CERTIFICATE *rimCert,
|
| + TPM_VERIFICATION_KEY_HANDLE rimKey,
|
| + TPM_PCRVALUE *outDigest)
|
| +{
|
| + int i;
|
| + TPM_RESULT res;
|
| +
|
| + info("MTM_VerifyRIMCertAndExtend()");
|
| + /* 1-7 */
|
| + res = MTM_VerifyRIMCert(rimCert, rimKey);
|
| + if (res != TPM_SUCCESS) return res;
|
| + /* 8 */
|
| + for (i = 0; i < TPM_NUM_PCR / 8; i++) {
|
| + if (rimCert->state.pcrSelection.pcrSelect[i] != 0) break;
|
| + }
|
| + if (i < TPM_NUM_PCR / 8) {
|
| + TPM_COMPOSITE_HASH digest;
|
| + if (tpm_compute_pcr_digest(&rimCert->state.pcrSelection, &digest, NULL) != TPM_SUCCESS) {
|
| + debug("tpm_compute_pcr_digest() failed");
|
| + return TPM_FAIL;
|
| + }
|
| + if (memcmp(&digest, &rimCert->state.digestAtRelease, sizeof(TPM_COMPOSITE_HASH)) != 0)
|
| + return TPM_WRONGPCRVAL;
|
| + }
|
| + /* 9, 10 */
|
| + return TPM_Extend(rimCert->measurementPcrIndex, &rimCert->measurementValue, outDigest);
|
| +}
|
| +
|
| +TPM_RESULT MTM_IncrementBootstrapCounter(TPM_RIM_CERTIFICATE *rimCert,
|
| + TPM_VERIFICATION_KEY_HANDLE rimKeyHandle)
|
| +{
|
| + TPM_RESULT res;
|
| + MTM_KEY_DATA* rimKey;
|
| +
|
| + info("MTM_IncrementBootstrapCounter()");
|
| + /* 1 */
|
| + if (rimCert == NULL || rimCert->tag != TPM_TAG_RIM_CERTIFICATE)
|
| + return TPM_BAD_PARAMETER;
|
| + /* 2 */
|
| + debug("rimKeyHandle = %08x", rimKeyHandle);
|
| + rimKey = mtm_get_key(rimKeyHandle);
|
| + if (rimKey == NULL) return TPM_KEYNOTFOUND;
|
| + /* 3 */
|
| + if ((rimKey->usageFlags & TPM_VERIFICATION_KEY_USAGE_SIGN_RIMCERT) == 0
|
| + ||(rimKey->usageFlags & TPM_VERIFICATION_KEY_USAGE_INCREMENT_BOOTSTRAP) == 0)
|
| + return TPM_INVALID_KEYUSAGE;
|
| + /* 4 */
|
| + if (rimCert->parentId != rimKey->myId) return TPM_AUTHFAIL;
|
| + /* 5 */
|
| + res = verify_rim_certificate(rimCert);
|
| + if (res != TPM_SUCCESS) return res;
|
| + /* 6 */
|
| + if (rimCert->referenceCounter.counterSelection > MTM_COUNTER_SELECT_MAX)
|
| + return TPM_BAD_COUNTER;
|
| + /* 7 */
|
| + if (rimCert->referenceCounter.counterSelection == MTM_COUNTER_SELECT_BOOTSTRAP) {
|
| + if (rimCert->referenceCounter.counterValue
|
| + < tpmData.permanent.data.counters[MTM_COUNTER_SELECT_BOOTSTRAP].counter)
|
| + return TPM_BAD_COUNTER;
|
| + tpmData.permanent.data.counters[MTM_COUNTER_SELECT_BOOTSTRAP].counter
|
| + = rimCert->referenceCounter.counterValue;
|
| + }
|
| + return TPM_SUCCESS;
|
| +}
|
| +
|
| +TPM_RESULT MTM_SetVerifiedPCRSelection(TPM_PCR_SELECTION *verifiedSelection,
|
| + TPM_AUTH *auth1)
|
| +{
|
| + int i;
|
| + TPM_RESULT res;
|
| +
|
| + info("MTM_SetVerifiedPCRSelection()");
|
| + /* verify permission */
|
| + if (tpmData.permanent.flags.owned) {
|
| + res = tpm_verify_auth(auth1, tpmData.permanent.data.ownerAuth, TPM_KH_OWNER);
|
| + } else {
|
| + res = FALSE;
|
| + }
|
| + if (!res && !mtmData.stany.flags.loadVerificationRootKeyEnabled) {
|
| + return TPM_FAIL;
|
| + }
|
| + /* echeck if a localityModifier is set */
|
| + for (i = 0; i < TPM_NUM_PCR; i++) {
|
| + if (verifiedSelection->pcrSelect[i >> 3] & (1 << (i & 7))) {
|
| + if (tpmData.permanent.data.pcrAttrib[i].pcrResetLocal) return TPM_FAIL;
|
| + }
|
| + }
|
| + /* copy selection */
|
| + memcpy(&mtmData.permanent.data.verifiedPCRs,
|
| + verifiedSelection, sizeof(TPM_PCR_SELECTION));
|
| + return TPM_SUCCESS;
|
| +}
|
| +
|
|
|
Chromium Code Reviews
Issue 660204:
Upgrade to tpm-emulator version 0.7. (Closed)
