author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2022-12-05 12:22:33 -0500 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-01-11 10:00:21 -0500 |
commit | 68595d4683dffc34513d00b3e3995d92659666bf (patch) | |
tree | c105c63de2ced424a9c83f8641fca84071ba56b7 | |
parent | ddb49ded9d3098c945f3ed6cc0cde18596c27b0c (diff) | |
create_tpm2_key, seal_tpm2_data: add option to create signed policy
Add a --signed-policy option to both which takes a public key and then
uses tpm2_add_signed_policy() to create a key policy which requires
additional signed policies.
Note that keys/blobs so created cannot be used until at least one
signed policy is added.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- | create_tpm2_key.1.in | 10 | ||||
-rw-r--r-- | create_tpm2_key.c | 23 | ||||
-rw-r--r-- | seal_tpm2_data.1.in | 11 | ||||
-rw-r--r-- | seal_tpm2_data.c | 19 |
4 files changed, 59 insertions, 4 deletions
diff --git a/create_tpm2_key.1.in b/create_tpm2_key.1.in index d7ff3ec..848afdc 100644 --- a/create_tpm2_key.1.in +++ b/create_tpm2_key.1.in @@ -45,6 +45,16 @@ well as comma separated ranges. So sha512:1,3-5 means PCRs 1,3,4 and 5 in the sha512 bank +[Signed Policies] + +When the option --signed-policy <key> is used, it creates a key whose +policy can be extended by anyone possessing the private part of <key>. +The <key> presented must be a public key (so the owner of the private +key doesn't have to be the owner of the created tpm key). + +Note that keys created with --signed-policy cannot be used until at +least one signed policy is added. + [examples] Create a self-signed cert using the TPM engine: diff --git a/create_tpm2_key.c b/create_tpm2_key.c index fc710b6..edb8668 100644 --- a/create_tpm2_key.c +++ b/create_tpm2_key.c @@ -28,6 +28,7 @@ #define OPT_DEPRECATED 0x1ff #define OPT_RESTRICTED 0x1fe +#define OPT_SIGNED_POLICY 0x1fd static struct option long_options[] = { {"auth", 0, 0, 'a'}, @@ -37,6 +38,7 @@ static struct option long_options[] = { {"name-scheme", 1, 0, 'n'}, {"parent-handle", 1, 0, 'p'}, {"pcr-lock", 1, 0, 'x'}, + {"signed-policy", 1, 0, OPT_SIGNED_POLICY }, {"wrap", 1, 0, 'w'}, {"version", 0, 0, 'v'}, {"password", 1, 0, 'k'}, @@ -46,7 +48,7 @@ static struct option long_options[] = { {"da", 0, 0, 'd'}, {"key-policy", 1, 0, 'c'}, {"import", 1, 0, 'i'}, - {"restricted", 0, 0, OPT_RESTRICTED}, + {"restricted", 0, 0, OPT_RESTRICTED }, /* * The option --deprecated allows us to create old format keys * for the purposes of testing. It should never be used in @@ -96,6 +98,9 @@ usage(char *argv0) "\t-x, --pcr-lock <pcrs> Lock the created key to the specified PCRs\n" " By current value. See PCR VALUES for\n" " details about formatting\n" + "\t--signed-policy <key> Add a signed policy directive that allows\n" + "\t policies signed by the specified public <key>\n" + "\t to authorize use of the key\n" "\n" "Report bugs to " PACKAGE_BUGREPORT "\n", argv0); 
@@ -594,6 +599,7 @@ int main(int argc, char **argv) TPM2B_PUBLIC *pub; PRIVATE_2B *priv; char *key = NULL, *parent_auth = NULL, *import = NULL; + char *signed_policy = NULL; TPMI_ECC_CURVE ecc = TPM_ECC_NONE; int rsa = -1; uint32_t noda = TPMA_OBJECT_NODA; @@ -699,6 +705,9 @@ int main(int argc, char **argv) case OPT_RESTRICTED: restricted = 1; break; + case OPT_SIGNED_POLICY: + signed_policy = optarg; + break; default: printf("Unknown option '%c'\n", c); usage(argv[0]); @@ -738,6 +747,11 @@ int main(int argc, char **argv) exit(1); } + if (signed_policy && policyFilename) { + fprintf(stderr, "cannot specify both signed policy and policy file\n"); + exit(1); + } + if (pcr_lock.count !=0 && policyFilename) { fprintf(stderr, "cannot specify both policy file and pcr lock\n"); exit(1); @@ -748,7 +762,7 @@ int main(int argc, char **argv) exit(1); } - if (pcr_lock.count != 0 || policyFilename) + if (pcr_lock.count != 0 || policyFilename || signed_policy) has_policy = 1; digest.hashAlg = name_alg; @@ -768,6 +782,11 @@ int main(int argc, char **argv) reason = "parse_policy_file"; if (rc) goto out_free_policy; + } else if (signed_policy) { + rc = tpm2_add_signed_policy(sk, signed_policy, &digest); + reason = "add_signed_policy"; + if (rc) + goto out_free_policy; } } diff --git a/seal_tpm2_data.1.in b/seal_tpm2_data.1.in index 48c008e..621b011 100644 --- a/seal_tpm2_data.1.in +++ b/seal_tpm2_data.1.in 
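Review bot: The new exclusion check `if (signed_policy && policyFilename)` does not cover `--pcr-lock` combined with `--signed-policy`, even though `--pcr-lock` with a policy file is already rejected a few lines below it; with both given, the changed `has_policy` line enables policy construction and, if the PCR branch precedes the new `else if (signed_policy)` branch, the signed directive is chained onto the PCR policy. Whether that combination is meant to produce a PCR-and-authorize policy cannot be told from the hunk, since the enclosing `if (has_policy)` block and main() itself start outside it. If it is intended, a one-line comment next to the `else if (signed_policy)` branch such as `/* a signed-policy directive may follow a PCR lock */` would make it explicit; otherwise a third check mirroring the existing one, `if (signed_policy && pcr_lock.count != 0) { fprintf(stderr, "cannot specify both signed policy and pcr lock\n"); exit(1); }`, should sit beside it. The same question applies to the `@@ -198,7 +208,7` hunk of seal_tpm2_data.c.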
@@ -21,6 +21,17 @@ well as comma separated ranges. So sha512:1,3-5 means PCRs 1,3,4 and 5 in the sha512 bank +[Signed Policies] + +When the option --signed-policy <key> is used, it creates a sealed +blob whose policy can be extended by anyone possessing the private +part of <key>. The <key> presented must be a public key (so the owner +of the private key doesn't have to be the owner of the created tpm +sealed blob). + +Note that sealed blobs created with --signed-policy cannot be used +until at least one signed policy is added. + [examples] Create a sealed data blob to the storage parent (owner hierarchy) diff --git a/seal_tpm2_data.c b/seal_tpm2_data.c index cd74d1c..6432255 100644 --- a/seal_tpm2_data.c +++ b/seal_tpm2_data.c @@ -20,12 +20,15 @@ #include "tpm2-asn.h" #include "tpm2-common.h" +#define OPT_SIGNED_POLICY 0x1fd + static struct option long_options[] = { {"auth", 0, 0, 'a'}, {"auth-parent", 1, 0, 'b'}, {"help", 0, 0, 'h'}, {"parent-handle", 1, 0, 'p'}, {"pcr-lock", 1, 0, 'x'}, + {"signed-policy", 1, 0, OPT_SIGNED_POLICY }, {"version", 0, 0, 'v'}, {"password", 1, 0, 'k'}, {"da", 0, 0, 'd'}, @@ -67,12 +70,15 @@ usage(char *argv0) "\t respectively\n" "\t-v, --version print package version\n" "\t-k, --password <pwd> use this password instead of prompting\n" - "\t-m,--nomigrate Create a sealed data bundle that can be\n" + "\t-m, --nomigrate Create a sealed data bundle that can be\n" " migrated to other systems.\n" "\t-n, --name-scheme <scheme> name algorithm to use sha1 [sha256] sha384 sha512\n" "\t-x, --pcr-lock <pcrs> Lock the created key to the specified PCRs\n" " By current value. See PCR VALUES for\n" " details about formatting\n" + "\t--signed-policy <key> Add a signed policy directive that allows\n" + "\t policies signed by the specified public <key>\n" + "\t to authorize use of the key\n" "\n" "\n" "Report bugs to " PACKAGE_BUGREPORT "\n", 
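Review bot: `#define OPT_SIGNED_POLICY 0x1fd` is repeated verbatim from create_tpm2_key.c, and the value has to stay distinct from that file's `OPT_DEPRECATED`/`OPT_RESTRICTED` codes only by convention; since both files already include "tpm2-common.h", defining it once there would keep the two option tables from drifting. In the usage hunk, the help text says the signed policy authorizes "use of the key", while this tool's man page in the same commit describes a sealed blob; `"\t to authorize use of the sealed blob\n"` would match.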
@@ -111,6 +117,7 @@ int main(int argc, char **argv) char *parent_str = NULL; TPML_PCR_SELECTION pcr_lock; int has_policy = 0; + char *signed_policy = NULL; pcr_lock.count = 0; @@ -175,6 +182,9 @@ int main(int argc, char **argv) case 'x': tpm2_get_pcr_lock(&pcr_lock, optarg); break; + case OPT_SIGNED_POLICY: + signed_policy = optarg; + break; default: printf("Unknown option '%c'\n", c); usage(argv[0]); @@ -198,7 +208,7 @@ int main(int argc, char **argv) exit(1); } - if (pcr_lock.count != 0 || policyFilename) + if (pcr_lock.count != 0 || policyFilename || signed_policy) has_policy = 1; digest.hashAlg = name_alg; @@ -219,6 +229,11 @@ int main(int argc, char **argv) reason = "parse_policy_file"; goto out_free_policy; } + } else if (signed_policy) { + rc = tpm2_add_signed_policy(sk, signed_policy, &digest); + reason = "add_signed_policy"; + if (rc) + goto out_free_policy; } } |
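Review bot: seal_tpm2_data.c never rejects `--signed-policy` together with a policy file, so in the last hunk the new `else if (signed_policy)` branch is skipped whenever policyFilename is set and the requested signed-policy directive is silently dropped, while create_tpm2_key.c in this same commit exits with "cannot specify both signed policy and policy file". A sealed blob that was meant to require a signed policy would then be created with only the file policy, with no indication to the caller. The matching check belongs next to the existing exit(1) that precedes the `has_policy` assignment in the `@@ -198,7 +208,7` hunk; main() starts and ends outside these hunks.
```c
	if (signed_policy && policyFilename) {
		fprintf(stderr, "cannot specify both signed policy and policy file\n");
		exit(1);
	}
	/* … unchanged: pcr_lock / has_policy handling … */
```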