github.com/andrewsun2898/u-root@v6.0.1-0.20200616011413-4b2895c1b815+incompatible/pkg/tss/keys.go (about) 1 // Copyright 2020 the u-root Authors. All rights reserved 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tss 6 7 import ( 8 "bytes" 9 "crypto/sha1" 10 "crypto/sha256" 11 "io" 12 13 "github.com/google/go-tpm-tools/proto" 14 "github.com/google/go-tpm-tools/tpm2tools" 15 "github.com/google/go-tpm/tpm" 16 "github.com/google/go-tpm/tpm2" 17 "github.com/google/go-tpm/tpmutil" 18 ) 19 20 func defaultSymScheme() *tpm2.SymScheme { 21 return &tpm2.SymScheme{ 22 Alg: tpm2.AlgAES, 23 KeyBits: 128, 24 Mode: tpm2.AlgCFB, 25 } 26 } 27 28 func defaultECCParams() *tpm2.ECCParams { 29 return &tpm2.ECCParams{ 30 Symmetric: defaultSymScheme(), 31 CurveID: tpm2.CurveNISTP256, 32 Point: tpm2.ECPoint{ 33 XRaw: make([]byte, 32), 34 YRaw: make([]byte, 32), 35 }, 36 } 37 } 38 39 func loadSRK20(rwc io.ReadWriteCloser, srkPW string) (*tpm2tools.Key, error) { 40 var srkAuth tpmutil.U16Bytes 41 var hash [32]byte 42 43 if srkPW != "" { 44 hash = sha256.Sum256([]byte(srkPW)) 45 } 46 47 srkPWBytes := bytes.NewBuffer(hash[:]) 48 err := srkAuth.TPMMarshal(srkPWBytes) 49 if err != nil { 50 return nil, err 51 } 52 srkTemplate := tpm2.Public{ 53 Type: tpm2.AlgECC, 54 NameAlg: tpm2.AlgSHA256, 55 Attributes: tpm2.FlagStorageDefault, 56 ECCParameters: defaultECCParams(), 57 AuthPolicy: srkAuth, 58 } 59 60 return tpm2tools.NewCachedKey(rwc, tpm2.HandleOwner, srkTemplate, tpm2tools.SRKECCReservedHandle) 61 } 62 63 func seal12(rwc io.ReadWriteCloser, srkPW string, pcrs []int, data []byte) ([]byte, error) { 64 var srkAuth [20]byte 65 66 if srkPW != "" { 67 srkAuth = sha1.Sum([]byte(srkPW)) 68 } 69 70 return tpm.Seal(rwc, tpm.Locality(1), pcrs, data, srkAuth[:]) 71 } 72 73 func reseal12(rwc io.ReadWriteCloser, srkPW string, pcrs map[uint32][]byte, data []byte) ([]byte, error) { 74 var srkAuth [20]byte 75 var pcrMap map[int][]byte 76 77 if srkPW != "" { 78 srkAuth = sha1.Sum([]byte(srkPW)) 79 } 80 for k, v := range pcrs { 81 pcrMap[int(k)] = v 82 } 83 84 return tpm.Reseal(rwc, tpm.Locality(1), pcrMap, data, srkAuth[:]) 85 } 86 87 func unseal12(rwc io.ReadWriteCloser, srkPW string, sealed []byte) ([]byte, error) { 88 var srkAuth [20]byte 89 90 if srkPW != "" { 91 srkAuth = sha1.Sum([]byte(srkPW)) 92 } 93 94 return tpm.Unseal(rwc, sealed, srkAuth[:]) 95 } 96 97 func seal20(rwc io.ReadWriteCloser, srkPW string, pcrs []int, data []byte) (*proto.SealedBytes, error) { 98 key, err := loadSRK20(rwc, srkPW) 99 if err != nil { 100 return nil, err 101 } 102 sOpt := tpm2tools.SealCurrent{ 103 PCRSelection: tpm2.PCRSelection{ 104 Hash: tpm2.AlgSHA256, 105 PCRs: pcrs, 106 }, 107 } 108 109 return key.Seal(data, sOpt) 110 } 111 112 func unseal20(rwc io.ReadWriteCloser, srkPW string, pcrs []int, sealed *proto.SealedBytes) ([]byte, error) { 113 key, err := loadSRK20(rwc, srkPW) 114 if err != nil { 115 return nil, err 116 } 117 cOpt := tpm2tools.CertifyCurrent{ 118 PCRSelection: tpm2.PCRSelection{ 119 Hash: tpm2.AlgSHA256, 120 PCRs: pcrs, 121 }, 122 } 123 124 return key.Unseal(sealed, cOpt) 125 } 126 127 func reseal20(rwc io.ReadWriteCloser, srkPW string, pcrs map[uint32][]byte, sealed *proto.SealedBytes) (*proto.SealedBytes, error) { 128 key, err := loadSRK20(rwc, srkPW) 129 if err != nil { 130 return nil, err 131 } 132 keys := make([]int, 0, len(pcrs)) 133 for k := range pcrs { 134 keys = append(keys, int(k)) 135 } 136 sel := tpm2.PCRSelection{ 137 Hash: tpm2.AlgSHA256, 138 PCRs: keys, 139 } 140 cOpt := tpm2tools.CertifyCurrent{ 141 PCRSelection: sel, 142 } 143 predictedPcrs := proto.Pcrs{ 144 Hash: proto.HashAlgo(sel.Hash), 145 Pcrs: pcrs, 146 } 147 sOpt := tpm2tools.SealTarget{ 148 Pcrs: &predictedPcrs, 149 } 150 151 return key.Reseal(sealed, cOpt, sOpt) 152 }