From 696a17861c38b38fb2acf888119d918eb9c12329 Mon Sep 17 00:00:00 2001 From: Imran Desai Date: Thu, 21 May 2020 11:31:43 -0700 Subject: [PATCH] tpm2_create.c: Fix an issue where userwithauth attr cleared if policy specified Fixes #2037 Signed-off-by: Imran Desai --- man/tpm2_create.1.md | 9 +++- test/integration/tests/import_tpm.sh | 78 +++++++++++++++++----------- tools/tpm2_create.c | 10 ++-- 3 files changed, 60 insertions(+), 37 deletions(-) diff --git a/man/tpm2_create.1.md b/man/tpm2_create.1.md index e8e5eaac49c3..9a7ba33e6017 100644 --- a/man/tpm2_create.1.md +++ b/man/tpm2_create.1.md @@ -13,7 +13,7 @@ **tpm2_create**(1) - Create a child object. The object can either be a key or a sealing object. A sealing object allows to seal user data to the TPM, with a maximum size of 256 bytes. Additionally it will load the created object if the -**-o** is specified. +**-c** is specified. # OPTIONS @@ -55,6 +55,13 @@ These options for creating the TPM entity: and unsealing. I.e. one cannot use an object for sealing and cryptography operations. + When **-L** is specified for adding policy based authorization information + AND no string password is specified, the attribute `TPMA_OBJECT_USERWITHAUTH` + is cleared unless an explicit choice is made by setting of the attribute + with **-a** option. This prevents creation of objects with inadvertant auth + model where in user intended to enforce a policy but inadvertantly created + an object with empty auth which can be used instead of policy authorization. + * **-i**, **\--sealing-input**=_FILE_ or _STDIN_: The data file to be sealed, optional. If file is -, read from stdin. diff --git a/test/integration/tests/import_tpm.sh b/test/integration/tests/import_tpm.sh index ff48185aba70..3d1e10820844 100755 --- a/test/integration/tests/import_tpm.sh +++ b/test/integration/tests/import_tpm.sh @@ -54,8 +54,13 @@ load_new_parent() { create_load_duplicatee() { # Create the key we want to duplicate create_policy dpolicy.dat TPM2_CC_Duplicate - tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p foo -r key.prv -u key.pub \ - -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth" + if [ -z "$2" ];then + tpm2_create -Q -C primary.ctx -g sha256 -G $1 -r key.prv \ + -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth" + else + tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p "$2" -r key.prv \ + -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth" + fi # Load the key tpm2_load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx # Extract the public part for import later @@ -113,34 +118,45 @@ for dup_key_type in aes rsa ecc; do done done -# Part 2 : -# Create a rsa key (Kd) -# Encrypt a message using Kd -# Duplicate Kd -# Import & Load Kd -# Decrypt the message and verify -tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx -# New parent ... -create_load_new_parent -# Key to be duplicated -create_load_duplicatee rsa -# Encrypt a secret message -echo "Mary had a little lamb ..." > plain.txt -tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt -# Duplicate the key -do_duplication null -# Remove, we're done with it -rm new_parent.ctx -# Load the full thing this time -load_new_parent -# Import & load the duplicate -do_import_load null -# Decrypt the secret message using duplicated key -tpm2_rsadecrypt -Q -p foo -c dup.ctx -o recovered.txt cipher.txt -# Check we got it right ... -diff recovered.txt plain.txt -# Cleanup -rm plain.txt recovered.txt cipher.txt -cleanup "no-shut-down" +test_key_usage() { + # Part 2 : + # Create a rsa key (Kd) + # Encrypt a message using Kd + # Duplicate Kd + # Import & Load Kd + # Decrypt the message and verify + tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx + # New parent ... + create_load_new_parent + # Key to be duplicated + create_load_duplicatee rsa "$1" + # Encrypt a secret message + echo "Mary had a little lamb ..." > plain.txt + tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt + # Duplicate the key + do_duplication null + # Remove, we're done with it + rm new_parent.ctx + # Load the full thing this time + load_new_parent + # Import & load the duplicate + do_import_load null + # Decrypt the secret message using duplicated key + if [ -z "$1" ];then + tpm2_rsadecrypt -Q -c dup.ctx -o recovered.txt cipher.txt + else + tpm2_rsadecrypt -Q -p "$1" -c dup.ctx -o recovered.txt cipher.txt + fi + # Check we got it right ... + diff recovered.txt plain.txt + # Cleanup + rm plain.txt recovered.txt cipher.txt + cleanup "no-shut-down" +} + +#Test key with password +test_key_usage foo +#Test key without password +test_key_usage exit 0 diff --git a/tools/tpm2_create.c b/tools/tpm2_create.c index 941b77655f55..8e92cc747e17 100644 --- a/tools/tpm2_create.c +++ b/tools/tpm2_create.c @@ -47,7 +47,7 @@ struct tpm_create_ctx { TPML_PCR_SELECTION creation_pcr; struct { - UINT8 b :1; + UINT8 a :1; UINT8 i :1; UINT8 L :1; UINT8 u :1; @@ -224,7 +224,7 @@ static bool on_option(char key, char *value) { break; case 'a': ctx.object.attrs = value; - ctx.flags.b = 1; + ctx.flags.a = 1; break; case 'i': ctx.object.sealed_data = strcmp("-", value) ? value : NULL; @@ -346,12 +346,12 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { ctx.object.alg = "keyedhash"; - if (!ctx.flags.b) { + if (!ctx.flags.a) { attrs &= ~TPMA_OBJECT_SIGN_ENCRYPT; attrs &= ~TPMA_OBJECT_DECRYPT; attrs &= ~TPMA_OBJECT_SENSITIVEDATAORIGIN; } - } else if (!ctx.flags.b && !strncmp("hmac", ctx.object.alg, 4)) { + } else if (!ctx.flags.a && !strncmp("hmac", ctx.object.alg, 4)) { attrs &= ~TPMA_OBJECT_DECRYPT; } @@ -362,7 +362,7 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { return tool_rc_general_error; } - if (ctx.flags.L && !ctx.object.auth_str) { + if (!ctx.flags.a && ctx.flags.L && !ctx.object.auth_str) { ctx.object.public.publicArea.objectAttributes &= ~TPMA_OBJECT_USERWITHAUTH; } -- 2.27.0