-
Notifications
You must be signed in to change notification settings - Fork 95
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
wolfTPM pubkey storage with policy based access restriction #296
Conversation
this update uses the tpm to retreive the public key used to validate the image that will boot and restricts access to that key by tpm policy. when the image is updated it's signature is used to extend the PCR and when the image is loaded it's signature must match what was sealed in order to get the public key from the tpm. enabling this option is done by setting WOLFBOOT_TPM_KEYSTORE in .config
8dc3887
to
3fbc99d
Compare
src/image.c
Outdated
|
||
#ifdef WOLFBOOT_TPM_KEYSTORE | ||
static WOLFTPM2_SESSION wolftpm_session; | ||
static uint32_t wolftpmPcrArray[1] = {16}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be an array of uint8_t?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Array of uint8_t?
src/image.c
Outdated
#ifdef WOLFBOOT_TPM_KEYSTORE | ||
static WOLFTPM2_SESSION wolftpm_session; | ||
static uint32_t wolftpmPcrArray[1] = {16}; | ||
static const uint32_t wolftpmKeystoreIndex = 0x01800200; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you make all of these overridable build-time macros?
src/image.c
Outdated
/* start a policy session with parameter encryption */ | ||
rc = wolfTPM2_StartSession(&wolftpm_dev, &wolftpm_session, NULL, NULL, | ||
TPM_SE_POLICY, TPM_ALG_CFB); | ||
if (rc != 0) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe use TPM_RC_SUCCESS
?
src/image.c
Outdated
/* set the auth session for the device */ | ||
rc = wolfTPM2_SetAuthSession(&wolftpm_dev, 0, &wolftpm_session, | ||
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession)); | ||
if (rc != 0) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe use TPM_RC_SUCCESS
?
src/image.c
Outdated
/* clear out the policy digest */ | ||
ret = wolfTPM2_PolicyRestart(wolftpm_session.handle.hndl); | ||
if (ret != TPM_RC_SUCCESS) | ||
return -1; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe just convert the TPM codes to negative?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Convert TPM codes to negative?
src/image.c
Outdated
if (ret != TPM_RC_SUCCESS) | ||
return -1; | ||
|
||
/* unload the intermidate key */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
intermediate
de2420a
to
7dd97be
Compare
src/image.c
Outdated
|
||
#ifdef WOLFBOOT_TPM_KEYSTORE | ||
static WOLFTPM2_SESSION wolftpm_session; | ||
static uint32_t wolftpmPcrArray[1] = {16}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Array of uint8_t?
src/image.c
Outdated
/* clear out the policy digest */ | ||
ret = wolfTPM2_PolicyRestart(wolftpm_session.handle.hndl); | ||
if (ret != TPM_RC_SUCCESS) | ||
return -1; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Convert TPM codes to negative?
src/image.c
Outdated
|
||
#ifdef WOLFBOOT_TPM_KEYSTORE | ||
static WOLFTPM2_SESSION wolftpm_session; | ||
static uint8_t wolftpmPcrArray[1] = {16}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This PR index should be a build-time overridable value.
src/image.c
Outdated
ret = wolfTPM2_ExtendPCR(&wolftpm_dev, wolftpmPcrArray[0], TPM_ALG_SHA256, | ||
imageSignature, imageSignatureSz); | ||
if (ret != TPM_RC_SUCCESS) | ||
return -1 * ret; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use -ret
please.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. @billphipps is going to test on customer HW.
arguments and reset out the PCR values so they're not impacted by previous calls
@jpbland1 please add some documentation in docs/Target.md. Create a new section e.g. under the STM32F407 target (based on a new config |
00e682b
to
371ff3b
Compare
make the config/examples/stm32f4-tpm-keystore.config config use ecc256
move pcr reset and extend outside of session the tpm uses policy checking for modifying PCR's so we need to reset and extend the PCR's with the image hash before the session begins, currently tested unseal, having trouble getting the simulator to run update in order to test reseal
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PR looks good. I'd like to git this into repo soon to start leveraging. Followup with new PR's for issues.
Merging this now. Only boot with unseal tested, not an update scenario. Also needs instructions on how to preseal, since it requires doing manual signing and the extra key. That will come in future PR. |
this update uses the tpm to retreive the public key used to validate the image that will boot and restricts access to that key by tpm policy. when the image is updated it's signature is used to extend the PCR and when the image is loaded it's signature must match what was sealed in order to get the public key from the tpm. enabling this option is done by setting WOLFBOOT_TPM_KEYSTORE in .config