authorDavid Woodhouse <dwmw2@infradead.org>2018-10-12 01:01:16 +0100
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2018-10-31 22:14:38 -0700
commit3ca572e399f8fafe4213fd19d3aa95adb7e50809 (patch)
tree11f122cf0950c24e2a656af452a7ae82f914db65
parentf0f2c060b404889cf06ff16207e28c5ea46b1e31 (diff)
Allow changing objectAttributes for primary key generation
We have agreed that these should have the FIXEDPARENT and FIXEDTPM flags. Firstly, add a flag which indicates that the new flags should be used. Signed-off-by: David Woodhouse <dwmw2@infradead.org> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r--create_tpm2_key.c2
-rw-r--r--e_tpm2.c2
-rw-r--r--e_tpm2.h1
-rw-r--r--tpm2-common.c7
-rw-r--r--tpm2-common.h2
5 files changed, 10 insertions, 4 deletions
diff --git a/create_tpm2_key.c b/create_tpm2_key.c
index 0be8e43..6328d08 100644
--- a/create_tpm2_key.c
+++ b/create_tpm2_key.c
@@ -751,7 +751,7 @@ int main(int argc, char **argv)
}
if ((parent & 0xff000000) == 0x40000000) {
- rc = tpm2_load_srk(tssContext, &phandle, parent_auth, NULL, parent);
+ rc = tpm2_load_srk(tssContext, &phandle, parent_auth, NULL, parent, 0);
if (rc) {
reason = "tpm2_load_srk";
goto out_delete;
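Review bot: The bare `0` added as the last argument of the tpm2_load_srk call is a magic value: a reader cannot tell whether it means "legacy SRK template" or "no version known", and the commit message says the new FIXEDPARENT|FIXEDTPM attributes are the agreed default. A short comment on the call would record the intent, e.g. `rc = tpm2_load_srk(tssContext, &phandle, parent_auth, NULL, parent, 0 /* legacy SRK template, no FIXEDPARENT|FIXEDTPM */);`. Note that a key created here is wrapped under the old-template SRK, so whatever the key file records must make the engine pass the same value back; the main() this sits in begins and ends outside the hunk.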
diff --git a/e_tpm2.c b/e_tpm2.c
index ed2bbc2..6002159 100644
--- a/e_tpm2.c
+++ b/e_tpm2.c
@@ -541,7 +541,7 @@ TPM_HANDLE tpm2_load_key(TSS_CONTEXT **tsscp, struct app_data *app_data)
if ((app_data->parent & 0xff000000) == 0x81000000) {
in.parentHandle = app_data->parent;
} else {
- rc = tpm2_load_srk(tssContext, &in.parentHandle, srk_auth, NULL, app_data->parent);
+ rc = tpm2_load_srk(tssContext, &in.parentHandle, srk_auth, NULL, app_data->parent, app_data->version);
if (rc)
goto out;
}
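Review bot: `app_data->version` is read on the new tpm2_load_srk line, but nothing in this commit assigns the field added to struct app_data, so unless app_data is zero-allocated or version is filled in when the key file is parsed (not visible here), the call receives an indeterminate value. Since CreatePrimary derives the primary from the template, a non-zero value would select the FIXEDPARENT|FIXEDTPM attributes and yield a different SRK than the one a legacy key was wrapped under, so the subsequent load would fail rather than silently succeed; worth confirming the initialization path in the same series. The enclosing tpm2_load_key begins before and ends after the hunk.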
diff --git a/e_tpm2.h b/e_tpm2.h
index ef9fd38..253231f 100644
--- a/e_tpm2.h
+++ b/e_tpm2.h
@@ -8,6 +8,7 @@
/* structure pointed to by the RSA object's app_data pointer */
struct app_data {
+ int version;
TPM_HANDLE parent;
/* if key is in NV memory */
TPM_HANDLE key;
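Review bot: The new `version` member is the only field in this struct without a comment, and its meaning (a key file format version that also selects the SRK template) is not recoverable from the name. Suggest `int version; /* key file version; non-zero makes tpm2_load_srk add FIXEDPARENT|FIXEDTPM to the SRK template */`. The struct app_data definition continues past the end of the hunk.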
diff --git a/tpm2-common.c b/tpm2-common.c
index a39c90b..6aef4e3 100644
--- a/tpm2-common.c
+++ b/tpm2-common.c
@@ -230,7 +230,7 @@ void tpm2_error(TPM_RC rc, const char *reason)
}
-TPM_RC tpm2_load_srk(TSS_CONTEXT *tssContext, TPM_HANDLE *h, const char *auth,TPM2B_PUBLIC *pub, TPM_HANDLE hierarchy)
+TPM_RC tpm2_load_srk(TSS_CONTEXT *tssContext, TPM_HANDLE *h, const char *auth,TPM2B_PUBLIC *pub, TPM_HANDLE hierarchy, int version)
{
TPM_RC rc;
CreatePrimary_In in;
@@ -262,6 +262,11 @@ TPM_RC tpm2_load_srk(TSS_CONTEXT *tssContext, TPM_HANDLE *h, const char *auth,TP
TPMA_OBJECT_USERWITHAUTH |
TPMA_OBJECT_DECRYPT |
TPMA_OBJECT_RESTRICTED;
+ if (version)
+ in.inPublic.publicArea.objectAttributes.val |=
+ TPMA_OBJECT_FIXEDPARENT |
+ TPMA_OBJECT_FIXEDTPM;
+
in.inPublic.publicArea.parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES;
in.inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
in.inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
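Review bot: The added `if (version)` guards a statement that spans three physical lines without braces, which is the shape that invites a misplaced edit later; braces and a one-line body are clearer: `if (version) {` / `in.inPublic.publicArea.objectAttributes.val |= TPMA_OBJECT_FIXEDPARENT | TPMA_OBJECT_FIXEDTPM;` / `}`. The parameter is also used as a boolean, so a comment should state that any non-zero version selects the new template and that, because the primary is derived from the template, the resulting SRK differs from the version-0 one and existing keys must keep passing 0. The same lack of documentation applies to the new signature in the first hunk of this file; tpm2_load_srk continues past both hunks.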
diff --git a/tpm2-common.h b/tpm2-common.h
index 1eed54b..f442c94 100644
--- a/tpm2-common.h
+++ b/tpm2-common.h
@@ -11,7 +11,7 @@ struct policy_command {
};
void tpm2_error(TPM_RC rc, const char *reason);
-TPM_RC tpm2_load_srk(TSS_CONTEXT *tssContext, TPM_HANDLE *h, const char *auth, TPM2B_PUBLIC *pub, TPM_HANDLE handle);
+TPM_RC tpm2_load_srk(TSS_CONTEXT *tssContext, TPM_HANDLE *h, const char *auth, TPM2B_PUBLIC *pub, TPM_HANDLE handle, int version);
void tpm2_flush_handle(TSS_CONTEXT *tssContext, TPM_HANDLE h);
EVP_PKEY *tpm2_to_openssl_public(TPMT_PUBLIC *pub);
void tpm2_flush_srk(TSS_CONTEXT *tssContext, TPM_HANDLE hSRK);
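Review bot: The changed prototype of tpm2_load_srk carries no documentation, so callers have no place to learn what `version` means or that its value changes which primary key is produced. Suggest a comment above the declaration, e.g. `/* version: 0 = legacy SRK template; non-zero adds FIXEDPARENT|FIXEDTPM, which yields a different primary key */`. The fifth parameter is still named `handle` here while the definition in tpm2-common.c calls it `hierarchy`; aligning the names while touching the line would avoid confusion.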