while I am at it, I thought i'd also post changes I made to my local copy
of create_tpm_key. I have implemented a version of secure boot via trusted
grub, which extends into PCRs 1,2,3,4,5,6,7,11 by the time it gets to the
fully booted system. These changes apply to
openssl_tpm_engine-0.4.1.tar.gz<http://sourceforge.net/projects/trousers/files/OpenSSL%20TPM%20Engine/0.4.1/openssl_tpm_engine-0.4.1.tar.gz/download>,
and if there is interest I can merge them to the latest release.
This change allows the created key to only be used if running trusted code.
The selected PCRs are specific to my system.
$ diff ./create_tpm_key.c
~/Downloads/openssl_tpm_engine-0.4.1/create_tpm_key.c
136,145d135
< int i;
< TSS_HTPM hTPM;
< BYTE *rgbPcrValue;
< UINT32 ulPcrLen;
< TSS_HPCRS hPcrComposite;
< UINT32 len;
< BYTE *value;
< TSS_HPOLICY TRMkeyUsagePolicy;
< int pcr[] = { 1, 2, 3, 4, 5, 6, 7, 11 };
< int pcrCount = 8;
384,403c374
< if (wrap)
< {
< //Create policy object for TRMkey
< result = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_POLICY,
TSS_POLICY_USAGE, &TRMkeyUsagePolicy);
< if (result != TSS_SUCCESS) {
< print_error("Tspi_Context_CreateObject", result);
< Tspi_Context_CloseObject(hContext, hKey);
< Tspi_Context_Close(hContext);
< exit(result);
< }
<
< //Assign policy to TRMkey
< result = Tspi_Policy_AssignToObject(TRMkeyUsagePolicy, hKey);
< if (result != TSS_SUCCESS) {
< print_error("Tspi_Policy_AssignToObject", result);
< Tspi_Context_CloseObject(hContext, hKey);
< Tspi_Context_Close(hContext);
< exit(result);
< }
<
---
> if (wrap) {
467,506c438,439
< } else
< {
< //Create pcr composite object to bind the TRMkey to
< result=Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_PCRS, 0,
&hPcrComposite);
< if (result != TSS_SUCCESS) {
< print_error("Tspi_Key_CreateKey", result);
< Tspi_Context_CloseObject(hContext, hKey);
< Tspi_Context_Close(hContext);
< exit(result);
< }
<
< //Get TPM handle, read pcr, set pcr value in pcr composite object
< result=Tspi_Context_GetTpmObject(hContext, &hTPM);
< if (result != TSS_SUCCESS) {
< print_error("Get TPM object error", result);
< Tspi_Context_CloseObject(hContext, hKey);
< Tspi_Context_Close(hContext);
< exit(result);
< }
<
< for(i = 0; i < pcrCount; i++)
< {
< printf("Using PCR: %d\n", pcr[i]);
< result=Tspi_TPM_PcrRead (hTPM, pcr[i], &ulPcrLen, &rgbPcrValue);
< if (result != TSS_SUCCESS) {
< print_error("Pcr read error", result);
< Tspi_Context_CloseObject(hContext, hKey);
< Tspi_Context_Close(hContext);
< exit(result);
< }
< result=Tspi_PcrComposite_SetPcrValue(hPcrComposite, pcr[i], ulPcrLen,
rgbPcrValue);
< if (result != TSS_SUCCESS) {
< print_error("Pcr composite error", result);
< Tspi_Context_CloseObject(hContext, hKey);
< Tspi_Context_Close(hContext);
< exit(result);
< }
< }
<
< if ((result = Tspi_Key_CreateKey(hKey, hSRK, hPcrComposite))) {
---
> } else {
> if ((result = Tspi_Key_CreateKey(hKey, hSRK, 0))) {
------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
TrouSerS-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-tech
