Merge pull request #304 from jpbland1/preseal-compiled

add ability to compile preseal with no filesystem

docs/PubkeySealing.md

@@ -40,4 +40,12 @@ Lastly, the pubkey needs to be sealed to the TPM. Note that the previous command
 tools/preseal/preseal public-key.raw policy-public-key.raw policySigned.raw test-app/image_v1_digest.bin 25166336 25166337 16
 ```
 
+If you need to seal a pubkey to a system with no filesystem or command line you can compile preseal with the following environment variables and run it without arguments
+
+```
+NO_FILESYSTEM=1 PUBKEY="c46f95fab07b0ad2412f4b18ba14c37314feb058f106a0c21728985cd1636db9f5b73a477da4f552c1470f8c83769981f33e23ec772a2582f82ea765b221d417" POLICY_PUBKEY="925a8a35dbe4bd419a35fbf9bd30ce1440380f6d3bcd9bc5558c1fa8adb88d92c88b797dfca39af80ca9729c61508813df8254575cef48674071cf75c30e6aa8" POLICY_SIGNED="4BDAC51C517C0F3D8EDBB632B514262C256E289565A2F1CD8605A4F775302C0CD7BBFE0242CAA536A30C87A37756C390DB9A2B06037B15476A509CA06B857B6D" IMAGE_DIGEST="5b09b05afaf98e43fd59c0dc286fca8337604ec0815caad09fc0784c8a5e692b" SEAL_NV_INDEX=25166336 POLICY_DIGEST_NV_INDEX=25166337 PCR_INDEX=16 make
+# Then on the target system running the resulting binary
+./preseal
+```
+
 ## NOTE: the PolicySigned key is used in place of the real signing key and acts as an intermediate key to unseal the actual signing key form the TPM

src/image.c

@@ -142,15 +142,21 @@ static void wolfBoot_verify_signature(uint8_t key_slot,
         return;
 #ifdef WOLFTPM_KEYSTORE
     ret = wolfBoot_unseal_pubkey(pubkey, &tpmKey);
-    if (ret < 0)
+    if (ret < 0) {
+        wolfTPM2_UnloadHandle(&wolftpm_dev, &tpmKey.handle);
+
         return;
+    }
 #endif
     ret = wolfTPM2_VerifyHashScheme(&wolftpm_dev, &tpmKey, sig,
             IMAGE_SIGNATURE_SIZE, img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE,
             TPM_ALG_ECDSA, TPM_ALG_SHA256);
+
+    /* unload handlre regardless of result */
+    wolfTPM2_UnloadHandle(&wolftpm_dev, &tpmKey.handle);
+
     if (ret != TPM_RC_SUCCESS)
         return;
-    wolfTPM2_UnloadHandle(&wolftpm_dev, &tpmKey.handle);
     if (ret == 0) {
         verify_res = 1; /* TPM does hash verify compare */
     }

tools/preseal/Makefile

@@ -1,12 +1,25 @@
 CC = gcc
+CFLAGS:=
+
+ifneq ($(NO_FILESYSTEM),)
+CFLAGS+= \
+	-DNO_FILESYSTEM \
+	-DPUBKEY=\"$(PUBKEY)\" \
+	-DPOLICY_PUBKEY=\"$(POLICY_PUBKEY)\" \
+	-DPOLICY_SIGNED=\"$(POLICY_SIGNED)\" \
+	-DIMAGE_DIGEST=\"$(IMAGE_DIGEST)\" \
+	-DSEAL_NV_INDEX=$(SEAL_NV_INDEX) \
+	-DPOLICY_DIGEST_NV_INDEX=$(POLICY_DIGEST_NV_INDEX) \
+	-DPCR_INDEX=$(PCR_INDEX) \
+endif
 
 all: preseal
 
 preseal:
-	$(Q)$(CC) -o $@ $@.c -lwolftpm
+	$(Q)$(CC) $(CFLAGS) -o $@ $@.c -lwolftpm
 
 debug:
-	$(Q)$(CC) -o preseal preseal.c -g -lwolftpm -lwolfssl
+	$(Q)$(CC) $(CFLAGS) -o preseal preseal.c -g -lwolftpm -lwolfssl
 
 clean:
 	rm -f preseal

tools/preseal/preseal.c

@@ -66,9 +66,39 @@ static int readFile(char* name, uint8_t* buf, uint32_t* bufSz)
     return ret;
 }
 
+static signed char HexCharToByte(signed char ch)
+{
+    signed char ret = (signed char)ch;
+    if (ret >= '0' && ret <= '9')
+        ret -= '0';
+    else if (ret >= 'A' && ret <= 'F')
+        ret -= 'A' - 10;
+    else if (ret >= 'a' && ret <= 'f')
+        ret -= 'a' - 10;
+    else
+        ret = -1; /* error case - return code must be signed */
+    return ret;
+}
+
+static int HexToByte(const char *hex, unsigned char *output, unsigned long sz)
+{
+    word32 i;
+    for (i = 0; i < sz; i++) {
+        signed char ch1, ch2;
+        ch1 = HexCharToByte(hex[i * 2]);
+        ch2 = HexCharToByte(hex[i * 2 + 1]);
+        if ((ch1 < 0) || (ch2 < 0)) {
+            return -1;
+        }
+        output[i] = (unsigned char)((ch1 << 4) + ch2);
+    }
+    return (int)sz;
+}
+
 static void usage()
 {
-    printf("preseal pubkey policypubkey policysignature imagedigest sealNVindex digestNVindex [pcrindex]\n");
+    printf("NOTE currently policy sealing only supports ecc256 keys");
+    printf("Expected usage: ./preseal pubkey policypubkey policysignature imagedigest sealNVindex digestNVindex [pcrindex]\n");
     printf("pubkey: the verification key to seal into the tpm\n");
     printf("policypubkey: the pubkey used sign the policy expiration date\n");
     printf("policysignature: the signature of the policy expiration date\n");
@@ -104,16 +134,17 @@ int main(int argc, char** argv)
     wolfSSL_Debugging_ON();
 #endif
 
-    if (argc < 7) {
-        usage();
-        return 0;
-    }
-
     XMEMSET(&dev, 0, sizeof(WOLFTPM2_DEV));
     XMEMSET(&tpmSession, 0, sizeof(WOLFTPM2_SESSION));
     XMEMSET(&authKey, 0, sizeof(WOLFTPM2_KEY));
     XMEMSET(&pcrReset, 0, sizeof(PCR_Reset_In));
 
+#ifndef NO_FILESYSTEM
+    if (argc < 7) {
+        usage();
+        return 0;
+    }
+
     rc = readFile(argv[1], pubkey, &pubkeySz);
     if (rc != 0) {
         printf("Failed to read pubkey\n");
@@ -146,6 +177,44 @@ int main(int argc, char** argv)
         pcrArray[0] = atoi(argv[7]);
     else
         pcrArray[0] = DEFAULT_PCR_INDEX;
+#else
+    rc = HexToByte(PUBKEY, pubkey, strlen(PUBKEY) / 2);
+    if (rc < 0) {
+        printf("Failed to read pubkey\n");
+        return 1;
+    }
+    pubkeySz = strlen(PUBKEY) / 2;
+
+    rc = HexToByte(POLICY_PUBKEY, policyPubkey, strlen(POLICY_PUBKEY) / 2);
+    if (rc < 0) {
+        printf("Failed to read pubkey\n");
+        return 1;
+    }
+    policyPubkeySz = strlen(POLICY_PUBKEY) / 2;
+
+    rc = HexToByte(POLICY_SIGNED, policySigned, strlen(POLICY_SIGNED) / 2);
+    if (rc < 0) {
+        printf("Failed to read pubkey\n");
+        return 1;
+    }
+    policySignedSz = strlen(POLICY_SIGNED) / 2;
+
+    rc = HexToByte(IMAGE_DIGEST, imageDigest, strlen(IMAGE_DIGEST) / 2);
+    if (rc < 0) {
+        printf("Failed to read pubkey\n");
+        return 1;
+    }
+    imageDigestSz = strlen(IMAGE_DIGEST) / 2;
+
+    sealNvIndex = SEAL_NV_INDEX;
+    policyDigestNvIndex = POLICY_DIGEST_NV_INDEX;
+
+    #ifdef PCR_INDEX
+        pcrArray[0] = PCR_INDEX;
+    #else
+        pcrArray[0] = DEFAULT_PCR_INDEX;
+    #endif
+#endif
 
     rc = wolfTPM2_Init(&dev, NULL, NULL);
     if (rc != TPM_RC_SUCCESS) {