Menu
▾
▴
Re: [TrouSerS-tech] patches about tpm_nvinfo and tpm_nvdefine commands
|
From: Kent Y. <shp...@gm...> - 2013-02-05 23:25:53
|
Hi Xiaokai,
On Mon, Jan 21, 2013 at 1:57 AM, Wang, Xiaokai <xia...@in...> wrote:
> Hi all,
>
>
>
> I make two patches about tpm-tools enhancement,one is info.patch that adds
> a
>
> function displaying TPM_PERMANT_FLAGS requiring permissions(ownerpassword).
>
> After applying info.patch and recompiling sourcecode,you can use “tpm_nvinfo
> –f
>
> ownerpssword” showing that.
For info.patch, the output looks good, but instead of "-f
<ownerpassword>" we should match the other commands. Please leave -f
as the command arg (maybe add "--flags" as the long version), but then
add a separate argument for the owner's password, as is done in
tpm_nvdefine, for example.
> Another one,define.patch,adds two optional arguments “-W localityselection
> –R
>
For define.patch, lets spell out the possible locality numbers in
the help text, such as:
TPM_LOC_ZERO=1
TPM_LOC_ONE=2
...
Also, please patch the man pages to update them with the new options.
Thanks,
Kent
> localityselection “ meaning when defining index you can select ‘read/write
> locality’
>
>
>
> The pathes are below and attach file,please review.
>
> If you think they are no problem, I hope you can apply them.
>
>
>
>
>
> /*************************info.patch below******************************/
>
>
>
> Add function that displays TPM_PERMANENT_FLAGS requiring
> permission(ownerpassword)
>
>
>
> Signed-off-by:Xiaokai Wang <xia...@in...>
>
>
>
> diff --git a/src/tpm_mgmt/tpm_nvinfo.c b/src/tpm_mgmt/tpm_nvinfo.c
>
> index 8964681..ee3e7d4 100644
>
> --- a/src/tpm_mgmt/tpm_nvinfo.c
>
> +++ b/src/tpm_mgmt/tpm_nvinfo.c
>
> @@ -26,9 +26,12 @@
>
> #include "tpm_utils.h"
>
> #include "tpm_nvcommon.h"
>
> +#define BUFFER_SIZE 1024
>
> static BOOL nvindex_set;
>
> static unsigned int nvindex;
>
> +static const char *ownerpassword;
>
> +static int perm_flags;
>
> static BOOL list_only;
>
> TSS_HCONTEXT hContext = 0;
>
> @@ -51,6 +54,11 @@ static int parse(const int aOpt, const char *aArg)
>
> nvindex_set = FALSE;
>
> break;
>
> + case 'f':
>
> + ownerpassword = aArg;
>
> + perm_flags = 1;
>
> + break;
>
> +
>
> default:
>
> return -1;
>
> }
>
> @@ -64,6 +72,9 @@ static void help(const char* aCmd)
>
> logNVIndexCmdOption();
>
> logCmdOption("-n, --list-only",
>
> _("Only list the defined NVRAM areas' indices."));
>
> +
>
> + logCmdOption("-f, --ownerpassword",
>
> + _("displays TPM_PERMANENT_FLAGS"));
>
> }
>
>
>
> @@ -142,10 +153,155 @@ static void nvindexDisplay(TSS_HTPM hTpm, UINT32
> nvindex)
>
> return;
>
> }
>
> +const char *bool_to_str(int b)
>
> +{
>
> + return b ? "TRUE" : "FALSE";
>
> +}
>
> +
>
> +void Decode_copy_UINT32(uint32_t *out,unsigned char **blob)
>
> +{
>
> + *out = Decode_UINT32((BYTE *)*blob);
>
> + *blob += sizeof(*out);
>
> +}
>
> +
>
> +typedef struct {
>
> + uint32_t disable : 1;
>
> + uint32_t ownership : 1;
>
> + uint32_t deactivated : 1;
>
> + uint32_t readPubek : 1;
>
> + uint32_t disableOwnerClear : 1;
>
> + uint32_t allowMaintenance : 1;
>
> + uint32_t physicalPresenceLifetimeLock : 1;
>
> + uint32_t physicalPresenceHWEnable : 1;
>
> + uint32_t physicalPresenceCMDEnable : 1;
>
> + uint32_t CEKPUsed : 1;
>
> + uint32_t TPMpost : 1;
>
> + uint32_t TPMpostLock : 1;
>
> + uint32_t FIPS : 1;
>
> + uint32_t Operator : 1;
>
> + uint32_t enableRevokeEK : 1;
>
> + uint32_t nvLocked : 1;
>
> + uint32_t readSRKPub : 1;
>
> + uint32_t tpmEstablished : 1;
>
> + uint32_t maintenanceDone : 1;
>
> +} tpm_perm_flags_t;
>
> +
>
> +typedef struct {
>
> + uint32_t deactivated : 1;
>
> + uint32_t disableForceClear : 1;
>
> + uint32_t physicalPresence : 1;
>
> + uint32_t physicalPresenceLock : 1;
>
> + uint32_t bGlobalLock : 1;
>
> +} tpm_stclear_flags_t;
>
> +
>
> +TSS_RESULT
>
> +display_flags(void)
>
> +{
>
> + TSS_HPOLICY htpmpolicy = 0;
>
> + TSS_HCONTEXT hcontext = 0;
>
> + TSS_HTPM htpm = 0;
>
> +
>
> + uint32_t i;
>
> + uint32_t subcap = 0;
>
> + uint32_t datasize = 0;
>
> + unsigned char *pbuf;
>
> + int opswd_len = -1;
>
> + tpm_perm_flags_t perm_flags;
>
> + tpm_stclear_flags_t stclear_flags;
>
> +
>
> + if (contextCreate(&hcontext) != TSS_SUCCESS)
>
> + goto out_close;
>
> +
>
> + if (contextConnect(hcontext) != TSS_SUCCESS)
>
> + goto out_close;
>
> +
>
> + if (contextGetTpm(hcontext, &htpm) != TSS_SUCCESS)
>
> + goto out_close;
>
> +
>
> + if (policyGet(htpm, &htpmpolicy) != TSS_SUCCESS)
>
> + goto out_close;
>
> + if (opswd_len < 0)
>
> + opswd_len = strlen(ownerpassword);
>
> + if (policySetSecret(htpmpolicy, opswd_len,
>
> + (BYTE *)ownerpassword) != TSS_SUCCESS)
>
> + goto out_close;
>
> +
>
> + if (getCapability(htpm, TSS_TPMCAP_FLAG, 4, (unsigned char
> *)&subcap,
>
> + &datasize, &pbuf) != TSS_SUCCESS) {
>
> + logMsg(_("error getting TPM_PERMANENT_FLAGS.\n"));
>
> + goto out_close;
>
> + }
>
> +
>
> + if (datasize != 2*sizeof(uint32_t)) {
>
> + logMsg(_("error getting TPM_PERMANENT_FLAGS.\n"));
>
> + goto out_close;
>
> + }
>
> +
>
> + if (pbuf == NULL) {
>
> + logMsg(_("error getting TPM_PERMANENT_FLAGS.\n"));
>
> + goto out_close;
>
> + }
>
> +
>
> + logMsg("The response data is:\n");
>
> + for (i = 0; i < datasize; i++) {
>
> + logMsg("%02x ", pbuf[i]);
>
> +
>
> + if (i%16 == 15)
>
> + logMsg("\n");
>
> + }
>
> + logMsg("\n");
>
> +
>
> + Decode_copy_UINT32((uint32_t *)&perm_flags, &pbuf);
>
> + Decode_copy_UINT32((uint32_t *)&stclear_flags, &pbuf);
>
> +
>
> + logMsg("TPM_PERMANENT_FLAGS:\n");
>
> + logMsg("\t disable: %s\n", bool_to_str(perm_flags.disable));
>
> + logMsg("\t ownership: %s\n", bool_to_str(perm_flags.ownership));
>
> + logMsg("\t deactivated: %s\n", bool_to_str(perm_flags.deactivated));
>
> + logMsg("\t readPubek: %s\n", bool_to_str(perm_flags.readPubek));
>
> + logMsg("\t disableOwnerClear: %s\n",
>
> + bool_to_str(perm_flags.disableOwnerClear));
>
> + logMsg("\t allowMaintenance: %s\n",
>
> + bool_to_str(perm_flags.allowMaintenance));
>
> + logMsg("\t physicalPresenceLifetimeLock: %s\n",
>
> + bool_to_str(perm_flags.physicalPresenceLifetimeLock));
>
> + logMsg("\t physicalPresenceHWEnable: %s\n",
>
> + bool_to_str(perm_flags.physicalPresenceHWEnable));
>
> + logMsg("\t physicalPresenceCMDEnable: %s\n",
>
> + bool_to_str(perm_flags.physicalPresenceCMDEnable));
>
> + logMsg("\t CEKPUsed: %s\n", bool_to_str(perm_flags.CEKPUsed));
>
> + logMsg("\t TPMpost: %s\n", bool_to_str(perm_flags.TPMpost));
>
> + logMsg("\t TPMpostLock: %s\n", bool_to_str(perm_flags.TPMpostLock));
>
> + logMsg("\t FIPS: %s\n", bool_to_str(perm_flags.FIPS));
>
> + logMsg("\t Operator: %s\n", bool_to_str(perm_flags.Operator));
>
> + logMsg("\t enableRevokeEK: %s\n",
>
> + bool_to_str(perm_flags.enableRevokeEK));
>
> + logMsg("\t nvLocked: %s\n", bool_to_str(perm_flags.nvLocked));
>
> + logMsg("\t readSRKPub: %s\n", bool_to_str(perm_flags.readSRKPub));
>
> + logMsg("\t tpmEstablished: %s\n",
>
> + bool_to_str(perm_flags.tpmEstablished));
>
> + logMsg("\t maintenanceDone: %s\n",
>
> + bool_to_str(perm_flags.maintenanceDone));
>
> +
>
> + logMsg("\nTPM_STCLEAR_FLAGS:\n");
>
> + logMsg("\t deactivated: %s\n",
> bool_to_str(stclear_flags.deactivated));
>
> + logMsg("\t disableForceClear: %s\n",
>
> + bool_to_str(stclear_flags.disableForceClear));
>
> + logMsg("\t physicalPresence: %s\n",
>
> + bool_to_str(stclear_flags.physicalPresence));
>
> + logMsg("\t physicalPresenceLock: %s\n",
>
> + bool_to_str(stclear_flags.physicalPresenceLock));
>
> + logMsg("\t bGlobalLock: %s\n",
> bool_to_str(stclear_flags.bGlobalLock));
>
> +
>
> + out_close:
>
> + contextClose(hcontext);
>
> +
>
> + return TSS_SUCCESS;
>
> +}
>
> int main(int argc, char **argv)
>
> {
>
> - TSS_HTPM hTpm;
>
> + TSS_HTPM hTpm = 0;
>
> UINT32 ulResultLen;
>
> BYTE *pResult = NULL;
>
> int iRc = -1;
>
> @@ -153,16 +309,29 @@ int main(int argc, char **argv)
>
> struct option hOpts[] = {
>
> {"index" , required_argument, NULL, 'i'},
>
> {"list-only", no_argument, NULL, 'n'},
>
> + {"ownpasswd", required_argument, NULL, 'f'},
>
> {NULL , no_argument, NULL, 0},
>
> };
>
> initIntlSys();
>
> if (genericOptHandler
>
> - (argc, argv, "i:o:n", hOpts,
>
> + (argc, argv, "i:o:f:n", hOpts,
>
> sizeof(hOpts) / sizeof(struct option), parse, help) !=
> 0)
>
> goto out;
>
> + if (perm_flags) {
>
> + if (ownerpassword == NULL) {
>
> + logMsg(_("no passwd input!need ownerpassword to
> display flags.\n"));
>
> + return iRc;
>
> + } else if (display_flags() != TSS_SUCCESS)
>
> + return iRc;
>
> +
>
> + iRc = 0;
>
> +
>
> + return iRc;
>
> + }
>
> +
>
> if (contextCreate(&hContext) != TSS_SUCCESS)
>
> goto out;
>
>
>
> /*************************define.patch below******************************/
>
>
>
> Add choice that read/write locality selection when defining nv index.
>
>
>
> Signed-off-by:Xiaokai Wang <xia...@in...>
>
>
>
> diff --git a/src/tpm_mgmt/tpm_nvdefine.c b/src/tpm_mgmt/tpm_nvdefine.c
>
> index e2c748f..d5a89ef 100644
>
> --- a/src/tpm_mgmt/tpm_nvdefine.c
>
> +++ b/src/tpm_mgmt/tpm_nvdefine.c
>
> @@ -27,6 +27,10 @@
>
> #include "tpm_utils.h"
>
> #include "tpm_nvcommon.h"
>
> +static unsigned int r_loc_arg = 0;
>
> +static unsigned int w_loc_arg = 0;
>
> +static unsigned int r_loc_flag = 0;
>
> +static unsigned int w_loc_flag = 0;
>
> static unsigned int nvindex;
>
> static BOOL nvindex_set;
>
> static unsigned int nvperm;
>
> @@ -122,6 +126,20 @@ static int parse(const int aOpt, const char *aArg)
>
> return -1;
>
> break;
>
> + case 'R':
>
> + if (parseHexOrDecimal(aArg, &r_loc_arg, 0, UINT_MAX,
>
> + "read localityValue") != 0)
>
> + return -1;
>
> + r_loc_flag = 1;
>
> + break;
>
> +
>
> + case 'W':
>
> + if (parseHexOrDecimal(aArg, &w_loc_arg, 0, UINT_MAX,
>
> + "write localityValue") != 0)
>
> + return -1;
>
> + w_loc_flag = 1;
>
> + break;
>
> +
>
> case 'f':
>
> filename = aArg;
>
> break;
>
> @@ -152,6 +170,11 @@ static void help(const char* aCmd)
>
> _("PCRs to seal the NVRAM area to for reading (use
> multiple times)"));
>
> logCmdOption("-w, --wpcrs",
>
> _("PCRs to seal the NVRAM area to for writing (use
> multiple times)"));
>
> + logCmdOption("-R, --rlv",
>
> + _("read locality value:uint8.there are 5
> localities:0~4.\n"
>
> + "\t\tfor example,locality value is 0x18 if
> locality 3 or 4."));
>
> + logCmdOption("-W, --wlv",
>
> + _("write locality value:uint8.the same as read locality
> value."));
>
> logCmdOption("-f, --filename",
>
> _("File containing PCR info for the NVRAM area"));
>
> @@ -252,6 +275,8 @@ int main(int argc, char **argv)
>
> {"rpcrs" , required_argument, NULL, 'r'},
>
> {"wpcrs" , required_argument, NULL, 'w'},
>
> {"filename" , required_argument, NULL, 'f'},
>
> + {"rlv" , optional_argument, NULL, 'R'},
>
> + {"wlv" , optional_argument, NULL, 'W'},
>
> {"pwdo" , optional_argument, NULL, 'o'},
>
> {"pwda" , optional_argument, NULL, 'a'},
>
> {"use-unicode" , no_argument, NULL, 'u'},
>
> @@ -266,7 +291,7 @@ int main(int argc, char **argv)
>
> initIntlSys();
>
> if (genericOptHandler
>
> - (argc, argv, "i:s:p:o:a:r:w:f:yzu", hOpts,
>
> + (argc, argv, "i:s:p:o:a:r:w:R:W:f:yzu", hOpts,
>
> sizeof(hOpts) / sizeof(struct option), parse, help) !=
> 0)
>
> goto out;
>
> @@ -451,13 +476,39 @@ int main(int argc, char **argv)
>
> goto out_close_obj;
>
> }
>
> - if (hPcrsRead)
>
> + if (r_loc_arg > 0x1f) {
>
> + logMsg(_("wrong read locality number!\n"));
>
> + goto out_close;
>
> + }
>
> +
>
> + if (contextCreateObject(hContext, TSS_OBJECT_TYPE_PCRS, initFlag,
>
> + &hPcrsRead) != TSS_SUCCESS)
>
> + goto out_close;
>
> +
>
> + if (r_loc_flag == 1) {
>
> + if (pcrcompositeSetPcrLocality(hPcrsRead, r_loc_arg) !=
> TSS_SUCCESS)
>
> + goto out_close;
>
> + } else {
>
> if (pcrcompositeSetPcrLocality(hPcrsRead, localityValue) !=
> TSS_SUCCESS)
>
> goto out_close;
>
> + }
>
> +
>
> + if (w_loc_arg > 0x1f) {
>
> + logMsg(_("wrong write locality number!\n"));
>
> + goto out_close;
>
> + }
>
> +
>
> + if (contextCreateObject(hContext, TSS_OBJECT_TYPE_PCRS, initFlag,
>
> + &hPcrsWrite) != TSS_SUCCESS)
>
> + goto out_close;
>
> - if (hPcrsWrite)
>
> + if (w_loc_flag == 1) {
>
> + if (pcrcompositeSetPcrLocality(hPcrsWrite, w_loc_arg) !=
> TSS_SUCCESS)
>
> + goto out_close;
>
> + } else {
>
> if (pcrcompositeSetPcrLocality(hPcrsWrite, localityValue) !=
> TSS_SUCCESS)
>
> goto out_close;
>
> + }
>
> if (NVDefineSpace(nvObject, hPcrsRead, hPcrsWrite) != TSS_SUCCESS)
>
> goto out_close;
>
>
>
> Regards
>
> Xiaokai
>
>
>
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. SALE $99.99 this month only -- learn more at:
> http://p.sf.net/sfu/learnmore_122412
> _______________________________________________
> TrouSerS-tech mailing list
> Tro...@li...
> https://lists.sourceforge.net/lists/listinfo/trousers-tech
>
|