Blob Blame History Raw
From 696a17861c38b38fb2acf888119d918eb9c12329 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Thu, 21 May 2020 11:31:43 -0700
Subject: [PATCH] tpm2_create.c: Fix an issue where userwithauth attr cleared
 if policy specified

Fixes #2037

Signed-off-by: Imran Desai <imran.desai@intel.com>
---
 man/tpm2_create.1.md                 |  9 +++-
 test/integration/tests/import_tpm.sh | 78 +++++++++++++++++-----------
 tools/tpm2_create.c                  | 10 ++--
 3 files changed, 60 insertions(+), 37 deletions(-)

diff --git a/man/tpm2_create.1.md b/man/tpm2_create.1.md
index e8e5eaac49c3..9a7ba33e6017 100644
--- a/man/tpm2_create.1.md
+++ b/man/tpm2_create.1.md
@@ -13,7 +13,7 @@
 **tpm2_create**(1) - Create a child object. The object can either be a key or
 a sealing object. A sealing object allows to seal user data to the TPM, with a
 maximum size of 256 bytes. Additionally it will load the created object if the
-**-o** is specified.
+**-c** is specified.
 
 # OPTIONS
 
@@ -55,6 +55,13 @@ These options for creating the TPM entity:
     and unsealing. I.e. one cannot use an object for sealing and cryptography
     operations.
 
+    When **-L** is specified for adding policy based authorization information
+    AND no string password is specified, the  attribute `TPMA_OBJECT_USERWITHAUTH`
+    is cleared unless an explicit choice is made by setting of the attribute
+    with **-a** option. This prevents creation of objects with inadvertant auth
+    model where in user intended to enforce a policy but inadvertantly created
+    an object with empty auth which can be used instead of policy authorization.
+
   * **-i**, **\--sealing-input**=_FILE_ or _STDIN_:
 
     The data file to be sealed, optional. If file is -, read from stdin.
diff --git a/test/integration/tests/import_tpm.sh b/test/integration/tests/import_tpm.sh
index ff48185aba70..3d1e10820844 100755
--- a/test/integration/tests/import_tpm.sh
+++ b/test/integration/tests/import_tpm.sh
@@ -54,8 +54,13 @@ load_new_parent() {
 create_load_duplicatee() {
     # Create the key we want to duplicate
     create_policy dpolicy.dat TPM2_CC_Duplicate
-    tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p foo -r key.prv -u key.pub \
-    -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
+    if [ -z "$2" ];then
+        tpm2_create -Q -C primary.ctx -g sha256 -G $1 -r key.prv \
+        -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
+    else
+        tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p "$2" -r key.prv \
+        -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
+    fi
     # Load the key
     tpm2_load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx
     # Extract the public part for import later
@@ -113,34 +118,45 @@ for dup_key_type in aes rsa ecc; do
     done
 done
 
-# Part 2 :
-# Create a rsa key (Kd)
-# Encrypt a message using Kd
-# Duplicate Kd
-# Import & Load Kd
-# Decrypt the message and verify
-tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx
-# New parent ...
-create_load_new_parent
-# Key to be duplicated
-create_load_duplicatee rsa
-# Encrypt a secret message
-echo "Mary had a little lamb ..." > plain.txt
-tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt
-# Duplicate the key
-do_duplication null
-# Remove, we're done with it
-rm new_parent.ctx
-# Load the full thing this time
-load_new_parent
-# Import & load the duplicate
-do_import_load null
-# Decrypt the secret message using duplicated key
-tpm2_rsadecrypt -Q -p foo -c dup.ctx -o recovered.txt cipher.txt
-# Check we got it right ...
-diff recovered.txt plain.txt
-# Cleanup
-rm plain.txt recovered.txt cipher.txt
-cleanup "no-shut-down"
+test_key_usage() {
+    # Part 2 :
+    # Create a rsa key (Kd)
+    # Encrypt a message using Kd
+    # Duplicate Kd
+    # Import & Load Kd
+    # Decrypt the message and verify
+    tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx
+    # New parent ...
+    create_load_new_parent
+    # Key to be duplicated
+    create_load_duplicatee rsa "$1"
+    # Encrypt a secret message
+    echo "Mary had a little lamb ..." > plain.txt
+    tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt
+    # Duplicate the key
+    do_duplication null
+    # Remove, we're done with it
+    rm new_parent.ctx
+    # Load the full thing this time
+    load_new_parent
+    # Import & load the duplicate
+    do_import_load null
+    # Decrypt the secret message using duplicated key
+    if [ -z "$1" ];then
+        tpm2_rsadecrypt -Q -c dup.ctx -o recovered.txt cipher.txt
+    else
+        tpm2_rsadecrypt -Q -p "$1" -c dup.ctx -o recovered.txt cipher.txt
+    fi
+    # Check we got it right ...
+    diff recovered.txt plain.txt
+    # Cleanup
+    rm plain.txt recovered.txt cipher.txt
+    cleanup "no-shut-down"
+}
+
+#Test key with password
+test_key_usage foo
+#Test key without password
+test_key_usage
 
 exit 0
diff --git a/tools/tpm2_create.c b/tools/tpm2_create.c
index 941b77655f55..8e92cc747e17 100644
--- a/tools/tpm2_create.c
+++ b/tools/tpm2_create.c
@@ -47,7 +47,7 @@ struct tpm_create_ctx {
     TPML_PCR_SELECTION creation_pcr;
 
     struct {
-        UINT8 b :1;
+        UINT8 a :1;
         UINT8 i :1;
         UINT8 L :1;
         UINT8 u :1;
@@ -224,7 +224,7 @@ static bool on_option(char key, char *value) {
         break;
     case 'a':
         ctx.object.attrs = value;
-        ctx.flags.b = 1;
+        ctx.flags.a = 1;
         break;
     case 'i':
         ctx.object.sealed_data = strcmp("-", value) ? value : NULL;
@@ -346,12 +346,12 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
         ctx.object.alg = "keyedhash";
 
-        if (!ctx.flags.b) {
+        if (!ctx.flags.a) {
             attrs &= ~TPMA_OBJECT_SIGN_ENCRYPT;
             attrs &= ~TPMA_OBJECT_DECRYPT;
             attrs &= ~TPMA_OBJECT_SENSITIVEDATAORIGIN;
         }
-    } else if (!ctx.flags.b && !strncmp("hmac", ctx.object.alg, 4)) {
+    } else if (!ctx.flags.a && !strncmp("hmac", ctx.object.alg, 4)) {
         attrs &= ~TPMA_OBJECT_DECRYPT;
     }
 
@@ -362,7 +362,7 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
         return tool_rc_general_error;
     }
 
-    if (ctx.flags.L && !ctx.object.auth_str) {
+    if (!ctx.flags.a && ctx.flags.L && !ctx.object.auth_str) {
         ctx.object.public.publicArea.objectAttributes &=
                 ~TPMA_OBJECT_USERWITHAUTH;
     }
-- 
2.27.0