From 696a17861c38b38fb2acf888119d918eb9c12329 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Thu, 21 May 2020 11:31:43 -0700
Subject: [PATCH] tpm2_create.c: Fix an issue where userwithauth attr cleared
if policy specified
Fixes #2037
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
man/tpm2_create.1.md | 9 +++-
test/integration/tests/import_tpm.sh | 78 +++++++++++++++++-----------
tools/tpm2_create.c | 10 ++--
3 files changed, 60 insertions(+), 37 deletions(-)
diff --git a/man/tpm2_create.1.md b/man/tpm2_create.1.md
index e8e5eaac49c3..9a7ba33e6017 100644
--- a/man/tpm2_create.1.md
+++ b/man/tpm2_create.1.md
@@ -13,7 +13,7 @@
**tpm2_create**(1) - Create a child object. The object can either be a key or
a sealing object. A sealing object allows to seal user data to the TPM, with a
maximum size of 256 bytes. Additionally it will load the created object if the
-**-o** is specified.
+**-c** is specified.
# OPTIONS
@@ -55,6 +55,13 @@ These options for creating the TPM entity:
and unsealing. I.e. one cannot use an object for sealing and cryptography
operations.
+ When **-L** is specified for adding policy based authorization information
+ AND no string password is specified, the attribute `TPMA_OBJECT_USERWITHAUTH`
+ is cleared unless an explicit choice is made by setting of the attribute
+ with **-a** option. This prevents creation of objects with inadvertant auth
+ model where in user intended to enforce a policy but inadvertantly created
+ an object with empty auth which can be used instead of policy authorization.
+
* **-i**, **\--sealing-input**=_FILE_ or _STDIN_:
The data file to be sealed, optional. If file is -, read from stdin.
diff --git a/test/integration/tests/import_tpm.sh b/test/integration/tests/import_tpm.sh
index ff48185aba70..3d1e10820844 100755
--- a/test/integration/tests/import_tpm.sh
+++ b/test/integration/tests/import_tpm.sh
@@ -54,8 +54,13 @@ load_new_parent() {
create_load_duplicatee() {
# Create the key we want to duplicate
create_policy dpolicy.dat TPM2_CC_Duplicate
- tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p foo -r key.prv -u key.pub \
- -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
+ if [ -z "$2" ];then
+ tpm2_create -Q -C primary.ctx -g sha256 -G $1 -r key.prv \
+ -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
+ else
+ tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p "$2" -r key.prv \
+ -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
+ fi
# Load the key
tpm2_load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx
# Extract the public part for import later
@@ -113,34 +118,45 @@ for dup_key_type in aes rsa ecc; do
done
done
-# Part 2 :
-# Create a rsa key (Kd)
-# Encrypt a message using Kd
-# Duplicate Kd
-# Import & Load Kd
-# Decrypt the message and verify
-tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx
-# New parent ...
-create_load_new_parent
-# Key to be duplicated
-create_load_duplicatee rsa
-# Encrypt a secret message
-echo "Mary had a little lamb ..." > plain.txt
-tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt
-# Duplicate the key
-do_duplication null
-# Remove, we're done with it
-rm new_parent.ctx
-# Load the full thing this time
-load_new_parent
-# Import & load the duplicate
-do_import_load null
-# Decrypt the secret message using duplicated key
-tpm2_rsadecrypt -Q -p foo -c dup.ctx -o recovered.txt cipher.txt
-# Check we got it right ...
-diff recovered.txt plain.txt
-# Cleanup
-rm plain.txt recovered.txt cipher.txt
-cleanup "no-shut-down"
+test_key_usage() {
+ # Part 2 :
+ # Create a rsa key (Kd)
+ # Encrypt a message using Kd
+ # Duplicate Kd
+ # Import & Load Kd
+ # Decrypt the message and verify
+ tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx
+ # New parent ...
+ create_load_new_parent
+ # Key to be duplicated
+ create_load_duplicatee rsa "$1"
+ # Encrypt a secret message
+ echo "Mary had a little lamb ..." > plain.txt
+ tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt
+ # Duplicate the key
+ do_duplication null
+ # Remove, we're done with it
+ rm new_parent.ctx
+ # Load the full thing this time
+ load_new_parent
+ # Import & load the duplicate
+ do_import_load null
+ # Decrypt the secret message using duplicated key
+ if [ -z "$1" ];then
+ tpm2_rsadecrypt -Q -c dup.ctx -o recovered.txt cipher.txt
+ else
+ tpm2_rsadecrypt -Q -p "$1" -c dup.ctx -o recovered.txt cipher.txt
+ fi
+ # Check we got it right ...
+ diff recovered.txt plain.txt
+ # Cleanup
+ rm plain.txt recovered.txt cipher.txt
+ cleanup "no-shut-down"
+}
+
+#Test key with password
+test_key_usage foo
+#Test key without password
+test_key_usage
exit 0
diff --git a/tools/tpm2_create.c b/tools/tpm2_create.c
index 941b77655f55..8e92cc747e17 100644
--- a/tools/tpm2_create.c
+++ b/tools/tpm2_create.c
@@ -47,7 +47,7 @@ struct tpm_create_ctx {
TPML_PCR_SELECTION creation_pcr;
struct {
- UINT8 b :1;
+ UINT8 a :1;
UINT8 i :1;
UINT8 L :1;
UINT8 u :1;
@@ -224,7 +224,7 @@ static bool on_option(char key, char *value) {
break;
case 'a':
ctx.object.attrs = value;
- ctx.flags.b = 1;
+ ctx.flags.a = 1;
break;
case 'i':
ctx.object.sealed_data = strcmp("-", value) ? value : NULL;
@@ -346,12 +346,12 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
ctx.object.alg = "keyedhash";
- if (!ctx.flags.b) {
+ if (!ctx.flags.a) {
attrs &= ~TPMA_OBJECT_SIGN_ENCRYPT;
attrs &= ~TPMA_OBJECT_DECRYPT;
attrs &= ~TPMA_OBJECT_SENSITIVEDATAORIGIN;
}
- } else if (!ctx.flags.b && !strncmp("hmac", ctx.object.alg, 4)) {
+ } else if (!ctx.flags.a && !strncmp("hmac", ctx.object.alg, 4)) {
attrs &= ~TPMA_OBJECT_DECRYPT;
}
@@ -362,7 +362,7 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
return tool_rc_general_error;
}
- if (ctx.flags.L && !ctx.object.auth_str) {
+ if (!ctx.flags.a && ctx.flags.L && !ctx.object.auth_str) {
ctx.object.public.publicArea.objectAttributes &=
~TPMA_OBJECT_USERWITHAUTH;
}
--
2.27.0